Some awk-ing in the ssg-rhel7-xccdf.xml from 1.36 showed the following
rules with only ansible fixes:
accounts_root_path_dirs_no_write
audit_rules_dac_modification_fchmod
audit_rules_dac_modification_fchown
audit_rules_privileged_commands
audit_rules_privileged_commands_su
audit_rules_privileged_commands_sudo
audit_rules_unsuccessful_file_modification_open
dconf_gnome_banner_enabled
dconf_gnome_disable_automount
dconf_gnome_disable_ctrlaltdel_reboot
dconf_gnome_disable_geolocation
dconf_gnome_disable_restart_shutdown
dconf_gnome_disable_thumbnailers
dconf_gnome_disable_user_admin
dconf_gnome_disable_user_list
dconf_gnome_disable_wifi_create
dconf_gnome_disable_wifi_notification
dconf_gnome_screensaver_lock_delay
dconf_gnome_screensaver_user_info
firewalld_sshd_port_enabled
gnome_gdm_disable_automatic_login
gnome_gdm_disable_guest_login
mount_option_dev_shm_nodev
mount_option_dev_shm_noexec
mount_option_dev_shm_nosuid
mount_option_home_nodev
mount_option_home_nosuid
mount_option_var_tmp_nodev
mount_option_var_tmp_noexec
mount_option_var_tmp_nosuid
rpm_verify_hashes
sebool_httpd_can_network_connect
sebool_secure_mode
set_password_hashing_algorithm_libuserconf
sshd_disable_rhosts
sshd_enable_x11_forwarding
sssd_memcache_timeout
sssd_offline_cred_expiration
sssd_ssh_known_hosts_timeout
----------
Chuck Atkins
Staff R&D Engineer, Scientific Computing
Kitware, Inc.
(518) 881-1183
On Tue, Dec 12, 2017 at 2:17 PM, Marek Haicman <mhaicman(a)redhat.com> wrote:
On 12/12/2017 07:31 PM, Chuck Atkins wrote:
> Hi Marek,
>
> My apologies for the ranting tone, that was not my intent; it's just been
> a very frustrating transition with the SSG from RHEL6 + STIG -> RHEL7 +
> OSPP since what would easily be a well-documented single-command process to
> bring the first into compliance is not so clear-cut for the second.
>
> Basically - it's more about resources available, and not much about
> our agenda. And with Ansible remediations on par with bash, we
> should be able to fix both.
>
>
> I'm all about having better, more easily maintained content. So, given
> the current state of things, what is the right way to use the SSG and it's
> combined ansible and bash fix content to being a RHEL7 machine into
> compliance with the OSPP profile?
>
> Thanks.
>
> It was not intention to force (or lead) users to combine those two ways,
so I would suggest to stick to what is more convenient for you - probably
bash.
And you can try to use newest upstream release [1]. It has more stuff
fixed than what was shipped in RHEL7.4. (It looks like there are ~20
failing rules, and at least 3 of them left failing by design, RHEL7.4 had
~30 rules failing).
Hope it helps,
Marek
[1]
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
_______________________________________________
scap-security-guide mailing list -- scap-security-guide(a)lists.fedo
rahosted.org
To unsubscribe send an email to scap-security-guide-leave@list
s.fedorahosted.org