I've got a small air-gapped network of only 2 machines that I'm setting up. As such, centralized management and deployment configurations for larger or even moderate-sized networks are really way overkill. In the past with RHEL6 I could easily do it all manually, i.e. install, apply updates, run the STIG workstation profile with --remediate, and that would get me 95% of the way there. The remainder was usually just manually editing a few config files and that was it. So now that I'm trying to use the OSPP profile with RHEL7 I'm finding it incredibly frustrating how much just doesn't work out of the box now that much of the remediation content is in Ansible only. The mass of GDM configuration parameters can't even be set by "remediate" anymore because so much of the fix content is now Ansible only.
Given the mix of Ansible and bash content, what's the right way to use this now? Should I evaluate once and generate the Ansible remediation playbook, apply it, then evaluate again with --remediate to apply the remaining bash fixes? I've read a lot of "you can do these things with the Ansible content now" but nothing that's really along the lines of how to actually generate and use it. Earlier versions of the SSG were very easy to get a system up and running and almost in complete compliance with the government profiles, right out of the box with a single command. The path to do this seems to have greatly increased in complexity, or at the very least, is no longer documented how to do so easily.