On 02/22/2013 09:42 PM, Brian Millett wrote:
> (sorry, this might be a resend, but used the wrong email to send the original)
> 
> I've got a spacewalk server running and it is really nice.  Good job on the
> system. 
> 
> One question about the Audit.  I've been doing a lot of work with openSCAP and
> generating a custom XCCDF.xml file that also incorporates 400 fixes.  
> 
> I've been able to schedule an Audit for a system, providing the correct
> profile and the location of my XCCDF file.  I can get a nice result of the
> Audit, which rules pass, which fails.  One of the features of openscap is the
> ability to generate a remediation script based on the results of the audit, so
> my question is where do I start looking, to add the ability to supply the
> remediation script for the server to download?  I can get a CSV of the
> results, look at the result of the Audit, but I also would like to download
> the remediation script for that server.
> 
> Thanks.
> 

Brian, these are very good questions! Thank You!

Just a few days ago, I implemented remediation script processing in
the OpenSCAP project. So, with the upcoming release of oscap, you are
able to remediate your machine at the very same time as the scan proceeds.

   # oscap xccdf eval --remediate (...)

In the resulting XCCDF file, You will find the output of remediation
scripts, return values and info messages about the xccdf:fix processing.
I am thinking about allowing this procedure also through Spacewalk, but
we cannot easily allow this "arbitrary" script execution. Perhaps, the
--remediate option can be allowed only for client machines which have the
'rhn-actions-control --enable-run'.

And regarding your question about remediation *after* the scan, using
the results from Spacewalk: This might be also possible, just not right
now. We still need to figure out how to allow remediation of existing
xccdf:TestResult files. That will be probably possible through

   # oscap xccdf remediate (...)

module. Maybe some intermediate (XCCDF:TestResult-based) format will be
needed to allow the user to select rule-results which shall be remediated
and select rule-results which shall not.

Do You think that You can use online remediation (without user
interactions) in your organization? As usual, we welcome any ideas and
comments!

Best regards,

-- 
Simon Lukasik
Security Technologies

_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
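
The selection step discussed in the reply above (choosing which failed rule-results get remediated and which do not), as an added example that is not part of the original message and not OpenSCAP or Spacewalk code. The function name `plan_remediation`, the `skip` parameter and the sample document are assumptions made for illustration; the script only builds a review list and executes nothing.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a tiny XCCDF benchmark with an embedded TestResult.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_no_telnet" selected="true">
    <title>Telnet server removed</title>
    <fix system="urn:xccdf:fix:script:sh">yum -y remove telnet-server</fix>
  </Rule>
  <Rule id="xccdf_example_rule_ssh_root" selected="true">
    <title>Lock the root password</title>
    <fix system="urn:xccdf:fix:script:sh">passwd -l root</fix>
  </Rule>
  <Rule id="xccdf_example_rule_banner" selected="true">
    <title>Login banner present</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_no_telnet"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_ssh_root"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""

def plan_remediation(xml_text, skip=()):
    """Return (to_run, no_fix) for failed rule-results, leaving out ids in `skip`.

    Assumes the file comes from your own scan; use defusedxml for untrusted XML.
    Simplification: only the leading text of <fix> is read, <sub> children are ignored.
    """
    root = ET.fromstring(xml_text)
    # Reuse the root's namespace so XCCDF 1.1 and 1.2 documents both work.
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    fixes = {}
    for rule in root.iter(ns + "Rule"):
        fix = rule.find(ns + "fix")
        if fix is not None and (fix.text or "").strip():
            fixes[rule.get("id")] = (fix.get("system"), fix.text.strip())
    to_run, no_fix = [], []
    for rr in root.iter(ns + "rule-result"):
        rid = rr.get("idref")
        if rr.findtext(ns + "result") != "fail" or rid in skip:
            continue  # passed, or the operator excluded this rule
        if rid in fixes:
            to_run.append((rid,) + fixes[rid])
        else:
            no_fix.append(rid)  # failed, but the benchmark ships no fix
    return to_run, no_fix

if __name__ == "__main__":
    for rid, system, script in plan_remediation(SAMPLE)[0]:
        print(f"{rid} [{system}]: {script}")
```

Reviewing the returned list before anything runs keeps a human decision between the scan result and script execution, which is the concern raised about "arbitrary" script execution.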
