On 1/25/18 5:03 PM, Fen Labalme wrote:
> Question on Ansible fixes: Might it be possible (and preferable per
> the DRY principle) to have Ansible fixes invoke the Bash fixes which
> tend to be more complete?
>
> Simple case in point: there are 6 bash/aide* fixes and only 2
> ansible/aide* fixes. Not to mention it's easier (at least for me) to
> build and test a bash "fix" script than an Ansible one.
>
> Related: When you provision a new instance, to harden do you run the
> bash fixes (more complete) or the Ansible ones? I'm provisioning with
> Ansible so guidance as to how best to harden it would be helpful.
>
> Bonus question: How best to generate fixes? Should I run them all on a
> new server, or can I run just those that match failing tests?
Hey Fen! ::waves::

You're totally correct: bash currently has more comprehensive remediation.

If you're provisioning a net new image, you can use the integrated OpenSCAP+Anaconda plugin during the kickstart process. Here's a sample kickstart with the remediation stanza. Swap out line 128 to the profile of your choice:
https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel7/kickstart/ssg-rhel7-ospp-ks.cfg#L126#L128

If you're provisioning through Ansible, you could use the shell extension to call openscap to run the remediation:

    oscap xccdf eval --profile $profileName --remediate ssg-rhel7-ds.xml
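The Ansible route described in the reply, written out as an added example that is not part of the thread or of the scap-security-guide project: a play that installs the scanner and content, runs oscap with --remediate, and treats exit code 2 (rules still failing after remediation) as a reported result rather than a task failure. The content path and profile id are assumptions (the defaults of the RHEL 7 scap-security-guide package and its OSPP profile); swap them for your target.

```yaml
---
# Added example, not from the thread. Path and profile id below are
# assumptions (RHEL 7 scap-security-guide package defaults).
- name: Remediate host with the SSG data stream
  hosts: all
  become: true
  vars:
    ssg_ds: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml   # assumed path
    ssg_profile: xccdf_org.ssgproject.content_profile_ospp      # assumed profile id
    report_dir: /root/oscap

  tasks:
    - name: Ensure openscap and SSG content are installed
      ansible.builtin.yum:
        name:
          - openscap-scanner
          - scap-security-guide
        state: present

    - name: Create report directory
      ansible.builtin.file:
        path: "{{ report_dir }}"
        state: directory
        mode: "0700"

    # --remediate evaluates, applies the content's fixes to the rules that
    # failed, then re-evaluates. oscap exits 0 when every rule passes,
    # 2 when at least one rule still fails, 1 on a scanner error. Only
    # rc 1 should fail the play; rc 2 is the normal "work remains" case.
    - name: Run OpenSCAP evaluation with remediation
      ansible.builtin.command: >
        oscap xccdf eval
        --profile {{ ssg_profile }}
        --remediate
        --results {{ report_dir }}/results.xml
        --report {{ report_dir }}/report.html
        {{ ssg_ds }}
      register: oscap_run
      changed_when: oscap_run.rc in [0, 2]
      failed_when: oscap_run.rc not in [0, 2]

    - name: Point at the report when rules are still failing
      ansible.builtin.debug:
        msg: "oscap rc={{ oscap_run.rc }}; see {{ report_dir }}/report.html"
      when: oscap_run.rc == 2
```

This also answers the bonus question in passing: --remediate applies fixes only to the rules that failed in the evaluation, so there is no need to run every fix script on a new server.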
