Re: Remediation Scripts

I've been taking a few off-list questions around remediation lately, namely from interested parties asking "where do we start?" Wanted to move those conversations to on-list. Here's a few of the common questions and my thoughts to get us started. (1) What language(s) should be used? IMO, bash. I'm leaning this way because it's included in *every* RHEL release, whereas puppet modules would require the installation of 3rd party software. I'd like to see as much done through 'native' tools as possible. There's certainly advantages to Perl (e.g., potential speed) however I don't think we want to assume Perl is installed on all RHEL machines. (2) Do we perform checking in the scripts? Defined further, should the scripts contain conditional checks to see if they should be ran? IMO, no. That's what OVAL is for. (3) Where do we begin? - Name remediation scripts after corresponding XCCDF rule - Build process includes them into final ssg-rhel6-xccdf.xml Known challenge on passing XCCDF variables through to the scripts, however I wouldn't let this hold us up. Still *tons* of work to be done while this gets sorted. There's a good bit of RHEL6 content in the Aqueduct project that (I believe) Tresys committed. Perhaps we could reuse those scripts?