On 3/14/12 9:33 PM, "Steve Grubb" <sgrubb(a)redhat.com> wrote:
> On Wednesday, March 14, 2012 01:43:05 PM Spencer R. Shimko wrote:
> >> There are hard fixes and there are easy fixes. Let's look at one publicly
> >> available validated solution:
> >>
> >> http://people.redhat.com/sgrubb/files/usgcb/rhel5/workstation-ks.cfg
> >>
> >> NIST published an exact copy of that file. Look at what is being done to
> >> configure the system. The vast majority break down to this:
> >>
> >> chkconfig
> >> chmod
> >> echo
> >> gconftool-2
> >> mkdir
> >> rpm --import
> >> sed
> >> touch
> >> useradd
> >>
> >> They are all one liners. Now if a package was required and it needs to be
> >> in a specific configuration and it drags in dependencies and they also
> >> have changes to their configs or perhaps have multiple daemons which may
> >> or may not need to be enabled or disabled...we have a hard problem. In
> >> which case, maybe the solution is:
> >>
> >> echo "Requirement xyz cannot be met by this script, please solve it
> >> manually. Do you understand? [y/n]"
> >> read ANS
> >
> > That's a great idea. It would also be good to have a yum-like "-y"
> > option for automation. One wouldn't want to run the remediation on 1000
> > systems interactively by hand.
> >
> > Are you thinking of something significantly different from the secstate
> > effort?
>
> There is a lot of overlap between what is shipped with RHEL and secstate. We
> have had teleconferences on combining codebases somewhat, but that was a long
> time ago. We can restart that discussion if you want, but not on this mail
> list.

Sounds good. We'll sync up separately.

I think the topic at hand focuses on requirement content and remediation
content - not the tools. As of right now I think this list is the best
place to have those conversations. However, if the general sentiment of
the list is that remediation needs to be discussed elsewhere (since it
won't be SCAP) I'll happily move it to the CLIP mailing list.
Thanks,
--Spencer

> -Steve
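As an added example, not code from this thread or from either poster's projects, here is the pattern the thread discusses (one-liner fixes applied directly, anything harder deferred with the "Do you understand? [y/n]" prompt, and a yum-like -y so the same script can run unattended on many hosts) written as a small POSIX sh remediation driver. The "KEY = VALUE" config file format, the function names and the sample settings are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Remediation driver (added example). Easy requirements are one-liners built
# from sed/echo/grep; hard ones are recorded for manual follow-up instead of
# being half-applied. With -y nothing prompts.

ASSUME_YES=0
# Where deferred requirements are written so an operator can review them
# after an unattended run (assumed path, overridable from the environment).
MANUAL_LOG="${MANUAL_LOG:-/tmp/remediation-manual.$$}"

# parse_args: only -y (assume yes, never prompt) is understood.
parse_args() {
    for arg in "$@"; do
        case "$arg" in
            -y) ASSUME_YES=1 ;;
        esac
    done
}

# ensure_setting FILE KEY VALUE: make FILE contain "KEY = VALUE", replacing an
# existing KEY line with sed or appending with echo. Assumes KEY and VALUE do
# not contain the '|' used as the sed delimiter.
ensure_setting() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || touch "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        echo "$key = $value" >> "$file"
    fi
}

# current_value FILE KEY: print the configured value (last match), empty if unset.
current_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# manual_item TEXT: the echo/read idea from the thread. Always record the item;
# interactively, require the operator to acknowledge it, with -y just continue.
manual_item() {
    printf '%s\n' "$1" >> "$MANUAL_LOG"
    [ "$ASSUME_YES" -eq 1 ] && return 0
    printf 'Requirement cannot be met by this script: %s\n' "$1"
    printf 'Please solve it manually. Do you understand? [y/n] '
    read -r ANS
    [ "$ANS" = "y" ]
}

# manual_count: number of requirements deferred so far.
manual_count() {
    if [ -f "$MANUAL_LOG" ]; then wc -l < "$MANUAL_LOG" | tr -d ' '; else echo 0; fi
}
```

Run as `./remediate.sh -y` for an unattended pass, then read the file named by MANUAL_LOG for the items that still need a human.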