On 2/12/19 11:49 AM, Marek Haicman wrote:
> Hello everyone, we have currently stumbled upon a situation where an Ansible remediation snippet can either fix 3 different rules at once, or be very convoluted. Technical details aside [1] - what is your view of such an approach?
> - Is it ok when a remediation changes more than what the rule that triggered it checks?

Current methodology ensures higher-level technologies can compose custom security baselines (incl. SCAP and remediation). Kind of like what SCAP Workbench does.
If we can't track one configuration item to a specific XCCDF/OVAL/remediation, all that falls apart.

> - Do you prefer to have no remediation at all to a remediation that does too much?

Would have to understand what "too much" means. Very surprised Ansible wouldn't be able to remediate single configuration checks. Worst case, use the shell capabilities and run whatever the bash snippet would be.

> - Does the answer to the questions above change between --remediate, which is applied automatically, and bash roles or Ansible playbooks, where you can inspect the insides of the scripts and alter them before application?

If, when running --remediate, multiple CCEs are somehow grouped into a single Ansible action, how do I troubleshoot that?