Is there a repo already set up for this that we could use?
- Isaac
-----Original Message-----
From: Shawn Wells [mailto:shawn@redhat.com]
Sent: Monday, March 25, 2013 10:15 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Remediation Scripts
I've been taking a few off-list questions around remediation lately, namely from
interested parties asking "where do we start?" Wanted to move those
conversations to on-list. Here are a few of the common questions and my thoughts to get
us started.
(1) What language(s) should be used?
IMO, bash. I'm leaning this way because it's included in *every* RHEL release,
whereas puppet modules would require the installation of 3rd party software. I'd like
to see as much done through 'native' tools as possible. There's certainly
advantages to Perl (e.g., potential speed) however I don't think we want to assume
Perl is installed on all RHEL machines.
(2) Do we perform checking in the scripts?
Defined further, should the scripts contain conditional checks to see if they should be
run?
IMO, no. That's what OVAL is for.
(3) Where do we begin?
- Name remediation scripts after corresponding XCCDF rule
- Build process includes them into final ssg-rhel6-xccdf.xml
Known challenge on passing XCCDF variables through to the scripts,
however I wouldn't let this hold us up. Still *tons* of work to be done
while this gets sorted.
There's a good bit of RHEL6 content in the Aqueduct project that (I
believe) Tresys committed. Perhaps we could reuse those scripts?
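As an added illustration of the approach Shawn sketches (bash, named after an XCCDF rule, no "should I run?" check of its own, driven by an XCCDF variable), here is an example remediation script. It is not from this thread, from Aqueduct, or from the SSG repository; the rule name, the variable name and the sample login.defs content are all constructed for the example. The script still makes the edit idempotent, since OVAL decides whether it runs but the build may run it more than once.

```bash
#!/bin/bash
# Added example, not SSG or Aqueduct code. A bash remediation in the style
# discussed on the list: it unconditionally enforces one setting and leaves
# the "does this need to run?" decision to the OVAL check.
# Hypothetical rule: accounts_maximum_age_login_defs

# Hypothetical XCCDF value the build would substitute into the script.
: "${var_accounts_maximum_age_login_defs:=60}"

# Enforce "PASS_MAX_DAYS <value>" in a login.defs-style file.
#   $1 = path to the file, $2 = value
# Rewrites an existing (possibly commented-out) PASS_MAX_DAYS line, or
# appends one if none exists. Running it twice leaves a single line.
remediate_pass_max_days() {
    local file="$1" value="$2"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PASS_MAX_DAYS[[:space:]]+' "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*PASS_MAX_DAYS[[:space:]]+.*/PASS_MAX_DAYS ${value}/" "$file"
    else
        printf 'PASS_MAX_DAYS %s\n' "$value" >> "$file"
    fi
}

# Read back the effective value: the last uncommented PASS_MAX_DAYS line.
effective_pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1"
}

# Self-contained demo on a constructed login.defs, not the real /etc/login.defs.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# Constructed sample login.defs for the demo
MAIL_DIR        /var/spool/mail
#PASS_MAX_DAYS  99999
PASS_MIN_DAYS   0
EOF
remediate_pass_max_days "$demo_file" "$var_accounts_maximum_age_login_defs"
echo "PASS_MAX_DAYS is now: $(effective_pass_max_days "$demo_file")"
rm -f "$demo_file"
```

In a real build the `: "${var_...:=60}"` line is where the XCCDF variable would be injected; the default only exists so the script runs stand-alone here.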