Ok. For about a week, ComplianceAsCode project had a bug that made this an issue :) You might have cloned the repo at that time? This PR from Monday last week fixes it, so try to rebase your work and try again: https://github.com/ComplianceAsCode/content/pull/5061
It's probably that, because on the released packages in RHEL7, I cannot reproduce what you observe:

[dahaic@psyduck bla]$ rpm -qa openscap scap-security-guide
openscap-1.2.17-4.el7.x86_64
scap-security-guide-0.1.43-13.el7.noarch
[dahaic@psyduck bla]$ oscap xccdf generate fix --fix-type bash --profile ospp --fetch-remote-resources --output remediation.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
[dahaic@psyduck bla]$ grep populate remediation.sh

Regards,
Marek

On Mon, Dec 16, 2019 at 3:02 PM Kuko Armas <[email protected]> wrote:
>
> Hello Miguel,
> remediations, as they are stored in the DataStream are prepared to be used
> within the environment provided by the `oscap` utility. (I.e. so
> `--remediate` works). So no, it's not supposed to be self contained in that
> particular form.
>
> What you are looking for is probably `oscap xccdf generate fix`. That one
> will process the snippets and produces self-contained bash script.
>
> So no issue - works as intended. ;)
>
>
> I also tried that, and at least in my box it's not working. It's one of
> the things I tried when I said "I have been playing with remediation
> code"...
>
> I generate the fix code with (ens is a profile I'm creating, but also
> fails with other profiles)
>
> oscap xccdf generate fix --fix-type bash --profile ens --fetch-remote-resources --output remediation.sh ssg-centos7-ds.xml
>
> This creates the remediation.sh, but it does not seem to contain the
> remediation functions defined in group
> xccdf_org.ssgproject.content_group_remediation_functions
>
> If I search for one of the functions that fail (populate), I see it
> "tries" to use the function, but it's not defined in the generated
> remediate script:
>
> [root@test ~]# grep populate remediation.sh
> populate login_banner_text
> populate var_accounts_max_concurrent_login_sessions
> populate var_accounts_user_umask
> populate var_auditd_action_mail_acct
> populate var_auditd_admin_space_left_action
> populate var_auditd_max_log_file
> populate var_auditd_max_log_file_action
> populate var_auditd_num_logs
> populate var_auditd_space_left_action
> populate sysctl_net_ipv4_conf_all_accept_redirects_value
> populate sysctl_net_ipv4_conf_all_accept_source_route_value
> populate sysctl_net_ipv4_conf_all_log_martians_value
> populate sysctl_net_ipv4_conf_all_rp_filter_value
> populate sysctl_net_ipv4_conf_all_secure_redirects_value
> populate sysctl_net_ipv4_conf_default_accept_redirects_value
> populate sysctl_net_ipv4_conf_default_accept_source_route_value
> populate sysctl_net_ipv4_conf_default_log_martians_value
> populate sysctl_net_ipv4_conf_default_rp_filter_value
> populate sysctl_net_ipv4_conf_default_secure_redirects_value
> populate sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value
> populate sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value
> populate sysctl_net_ipv4_tcp_syncookies_value
> populate var_auditadm_exec_content
>
> And of course if I run it, I get errors for each invocation of that
> function (and any other that is supposed to be defined)
>
> [root@test ~]# sh remediation.sh
> Remediating rule 1/105: 'xccdf_org.ssgproject.content_rule_banner_etc_issue'
> remediation.sh: line 34: populate: command not found
> Remediating rule 2/105: 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions'
> remediation.sh: line 52: populate: command not found
> Remediating rule 3/105: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'
> remediation.sh: line 68: populate: command not found
> remediation.sh: line 70: replace_or_append: command not found
> Remediating rule 4/105: 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users'
> FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' IS MISSING!
> Remediating rule 5/105: 'xccdf_org.ssgproject.content_rule_audit_rules_immutable'
> Remediating rule 6/105: 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification'
> remediation.sh: line 115: fix_audit_watch_rule: command not found
>
> Until I understand why it fails, I'm also trying the ansible remediation,
> which seems to be working better, but I won't be able to use ansible in all
> my clients. And anyway, I would like to learn how bash remediation code
> works (or should work), and help if I can 😉
>
> Cheers!
> --
> Miguel Armas
> CanaryTek Consultoria y Sistemas SL
> http://www.canarytek.com/
>
> ------------------------------
> From: Marek Haicman <[email protected]>
> Sent: Monday, 16 December 2019 12:15
> To: SCAP Security Guide <[email protected]>
> Subject: Re: Bash remediations failing due to missing functions
>
> Hello Miguel,
> remediations, as they are stored in the DataStream are prepared to be used
> within the environment provided by the `oscap` utility. (I.e. so
> `--remediate` works). So no, it's not supposed to be self contained in that
> particular form.
>
> What you are looking for is probably `oscap xccdf generate fix`. That one
> will process the snippets and produces self-contained bash script.
>
> So no issue - works as intended. ;)
>
> Regards,
> Marek
>
> On Mon, Dec 16, 2019 at 11:44 AM Kuko Armas <[email protected]> wrote:
>
> > I've been playing with remediation code, and I've seen that remediation
> > code for many checks fails due to undefined functions as "populate" (to
> > populate defined variables) and "fix_audit_syscall_rule" (for audit checks)
> >
> > I've seen that both functions (and many more) are defined inside the
> > datasource, in group
> > xccdf_org.ssgproject.content_group_remediation_functions
> >
> > Since I'm a complete newbie in openSCAP, I'm not sure how it should work:
> >
> >   - Is remediation code supposed to be self-contained in the data
> >     source? Or does it depend on the host having the security-guide package
> >     installed in order to have those functions' code?
> >   - If it's self contained, how and where is the functions' code file
> >     extracted and read by the remediation code?
> >   - If it's extracted, is there an option to keep the temp files
> >     around to take a look?
> >   - Maybe I need a more recent openscap version? (I'm using
> >     1.2.17-4.el7 in centos7)
> >   - Should I file an issue on the ComplianceAsCode GitHub repo? Or am I
> >     doing something wrong?
> >
> > Thanks a lot!
> > --
> > Miguel Armas
> > CanaryTek Consultoria y Sistemas SL
> > http://www.canarytek.com/
> >
> > _______________________________________________
> > scap-security-guide mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> >
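The symptom in this thread (a generated remediation script that calls `populate`, `replace_or_append` or `fix_audit_watch_rule` without defining them) is easy to catch before the script is ever run on a host. The following check is an added example, not code from the thread, from openscap or from the ComplianceAsCode project: it takes the output of `oscap xccdf generate fix --fix-type bash` and lists every helper that is invoked but never defined. The helper names it looks for are an assumption based on the error messages quoted above, and the two sample scripts are constructed here rather than real oscap output.

```shell
#!/bin/sh
# Added example, not code from the thread or from ComplianceAsCode/openscap:
# sanity-check a script produced by `oscap xccdf generate fix --fix-type bash`
# for calls to remediation helper functions that the script never defines,
# which is exactly what the "populate: command not found" errors indicate.
# The helper names below are an assumption taken from the errors in the thread.
HELPERS="populate replace_or_append fix_audit_watch_rule fix_audit_syscall_rule"

# missing_helpers FILE
# Print (space-separated) each helper that FILE invokes at the start of a
# line but never defines, either as "name()" or as "function name".
missing_helpers() {
    _file="$1"
    _missing=""
    for _fn in $HELPERS; do
        if grep -Eq "^[[:space:]]*${_fn}([[:space:]]|$)" "$_file"; then
            if ! grep -Eq "^[[:space:]]*(function[[:space:]]+)?${_fn}[[:space:]]*\(\)" "$_file" &&
               ! grep -Eq "^[[:space:]]*function[[:space:]]+${_fn}([[:space:]]|$)" "$_file"; then
                _missing="${_missing:+$_missing }$_fn"
            fi
        fi
    done
    printf '%s\n' "$_missing"
}

# check_remediation_script FILE
# Exit status 0 when every helper FILE calls is defined in FILE, 1 otherwise
# (missing names are reported on stderr), so it can gate a deployment step.
check_remediation_script() {
    _m=$(missing_helpers "$1")
    if [ -n "$_m" ]; then
        printf 'missing helper definitions in %s: %s\n' "$1" "$_m" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs (not real oscap output). BROKEN mimics the
# incomplete script from the thread; GOOD carries its own helper definitions.
BROKEN=$(mktemp)
GOOD=$(mktemp)
trap 'rm -f "$BROKEN" "$GOOD"' EXIT

cat >"$BROKEN" <<'EOF'
#!/bin/bash
# Remediating rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue'
populate login_banner_text
replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask"
EOF

cat >"$GOOD" <<'EOF'
#!/bin/bash
populate() { :; }
function replace_or_append { :; }
populate login_banner_text
replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask"
EOF

check_remediation_script "$BROKEN" || echo "BROKEN: do not run; rebase and regenerate the script"
check_remediation_script "$GOOD" && echo "GOOD: all helpers defined"
```

Run it against a real `remediation.sh` by calling `check_remediation_script remediation.sh`; a non-zero exit means the datastream or the content build that produced it is incomplete, which is the situation the PR linked at the top of this message fixed.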
