On 2/12/19 11:49 AM, Marek Haicman wrote:
Hello everyone,
we have currently stumbled upon a situation where an Ansible remediation snippet can either fix 3 different rules at once or be very convoluted. Technical details aside [1], what is your view of such an approach?

* Is it OK when a remediation changes more than what the rule that triggered it checks?


The current methodology ensures higher-level technologies can compose custom security baselines (incl. SCAP and remediation), kind of like what SCAP Workbench does.

If we can't track one configuration item to specific XCCDF/OVAL/remediation, all that falls apart.

* Do you prefer to have no remediation at all over a remediation that does too much?
I would have to understand what "too much" means. I'm very surprised Ansible wouldn't be able to remediate single configuration checks. Worst case, use the shell capabilities and run whatever the bash snippet would be.

* Does the answer to the questions above change between --remediate, which is applied automatically, and bash roles or Ansible playbooks, where you can check the insides of the scripts and alter them before application?
If, when running --remediate, multiple CCEs are somehow grouped into a single Ansible action, how do I troubleshoot that?
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
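To make the trade-off in the thread concrete, here is an added illustration (not code from the scap-security-guide project or from either poster) of the two remediation layouts being debated: one Ansible task that fixes three rules at once, and one task per rule, plus the "worst case" of wrapping a rule's bash snippet in a shell task. The rule names (hypothetical_rule_a/b/c) and CCE identifiers (CCE-00000-1/2/3) are placeholders, not real SSG rule ids; the sshd_config keywords are ordinary OpenSSH directives chosen only as a plausible target. The two plays are alternatives and are not meant to run together against the same host.

```yaml
# Added illustration, not SSG project code. Rule ids and CCE numbers below are
# hypothetical placeholders; only the sshd_config keywords are real directives.

# Play 1: the combined form. One task, three rule tags. Selecting any one of
# the tags (ansible-playbook ... --tags hypothetical_rule_a) runs the whole
# task, so a scan that flagged only rule A still rewrites the settings for
# rules B and C, and the change can no longer be traced to one XCCDF rule,
# one OVAL check and one CCE.
- name: Combined remediation (three rules in one task)
  hosts: all
  become: true
  tasks:
    - name: Harden sshd (fixes three rules at once)
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config
        marker: "# {mark} hypothetical combined remediation"
        block: |
          PermitRootLogin no
          PermitEmptyPasswords no
          IgnoreRhosts yes
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd
      tags:
        - hypothetical_rule_a
        - hypothetical_rule_b
        - hypothetical_rule_c
        - CCE-00000-1
        - CCE-00000-2
        - CCE-00000-3
  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted

# Play 2: one task per rule. More verbose, but each task carries exactly one
# rule id and one CCE, so `--tags CCE-00000-1` changes only the one setting
# that rule checks, and a failed task points at exactly one rule.
- name: Per-rule remediation (one rule, one task)
  hosts: all
  become: true
  tasks:
    - name: Disable root login over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^(#\s*)?PermitRootLogin\s'
        line: 'PermitRootLogin no'
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd
      tags:
        - hypothetical_rule_a
        - CCE-00000-1

    - name: Disallow empty passwords over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^(#\s*)?PermitEmptyPasswords\s'
        line: 'PermitEmptyPasswords no'
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd
      tags:
        - hypothetical_rule_b
        - CCE-00000-2

    # The "worst case" from the thread: no module expresses the fix cleanly,
    # so the rule's bash snippet is wrapped in ansible.builtin.shell. It is
    # still its own task with its own tags, which keeps the per-rule mapping.
    # The snippet is made idempotent by hand because the shell module cannot
    # tell on its own whether anything changed.
    - name: Ignore rhosts files (bash snippet wrapped as a single-rule task)
      ansible.builtin.shell: |
        if grep -qE '^[[:space:]]*IgnoreRhosts[[:space:]]+yes' /etc/ssh/sshd_config; then
          exit 0
        fi
        if grep -qE '^[[:space:]]*IgnoreRhosts[[:space:]]' /etc/ssh/sshd_config; then
          sed -i 's/^[[:space:]]*IgnoreRhosts[[:space:]].*/IgnoreRhosts yes/' /etc/ssh/sshd_config
        else
          printf '%s\n' 'IgnoreRhosts yes' >> /etc/ssh/sshd_config
        fi
        echo changed
      args:
        executable: /bin/bash
      register: rhosts_fix
      changed_when: "'changed' in rhosts_fix.stdout"
      notify: restart sshd
      tags:
        - hypothetical_rule_c
        - CCE-00000-3
  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

The practical check is `ansible-playbook --list-tags playbook.yml`: in the per-rule play every tag maps to exactly one task, which is what lets a higher-level tool compose a baseline from individual rules, while in the combined play three rule ids and three CCEs all map to the same task, which is the traceability loss the reply above objects to.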