On 3/14/12 9:33 PM, "Steve Grubb" sgrubb@redhat.com wrote:
On Wednesday, March 14, 2012 01:43:05 PM Spencer R. Shimko wrote:
There are hard fixes and there are easy fixes. Let's look at one publicly available validated solution:
http://people.redhat.com/sgrubb/files/usgcb/rhel5/workstation-ks.cfg
NIST published an exact copy of that file. Look at what is being done to configure the system. The vast majority break down to this:
chkconfig, chmod, echo, gconftool-2, mkdir, rpm --import, sed, touch, useradd
They are all one liners. Now if a package was required and it needing to be in a specific configuration and it drags in dependencies and they also have changes to their configs or perhaps have multiple daemons which may or may not need to be enabled or disabled...we have a hard problem. In which case, maybe the solution is:
echo "Requirement xyz cannot be met by this script, please solve it manually. Do you understand? [y/n]"
read ANS
That's a great idea. It would also be good to have a yum-like "-y" option for automation. One wouldn't want to run the remediation on 1000 systems interactively by hand.
Are you thinking of something significantly different from the secstate effort?
There is a lot of overlap between what is shipped with RHEL and secstate. We have had teleconferences on combining codebases somewhat, but that was a long time ago. We can restart that discussion if you want, but not on this mail list.
Sounds good. We'll sync up separately.
I think the topic at-hand focuses on requirement content and remediation content - not the tools. As of right now I think this list is the best place to have those conversations. However if the general sentiment of the list is that remediation needs to be discussed elsewhere (since it won't be SCAP) I'll happily move it to the CLIP mailing list.
Thanks, --Spencer
-Steve
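A concrete sketch of the two kinds of fix and the "-y" behaviour discussed above, as an added example that is not code from the thread or from the USGCB kickstart file; the requirement id, the file paths, the MANUAL_LOG location and the ROOT prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the USGCB kickstart nor anyone's code from the thread):
# a remediation-script skeleton with yum-style -y handling. Requirement ids,
# paths and the MANUAL_LOG location are assumptions for illustration.
# ROOT is a constructed prefix so the script can be exercised on a scratch tree.

ASSUME_YES=0                                  # set by -y, as with yum -y
APPLY=0                                       # set by --apply
ROOT="${ROOT:-}"                              # "" means the live system
MANUAL_LOG="${MANUAL_LOG:-/var/log/remediation-manual.log}"

# "Easy" fix: a chmod one-liner.  fix_perm <path> <mode>
fix_perm() {
    chmod "$2" "$ROOT$1"
}

# "Easy" fix: sed/echo on a config file.  fix_sysctl <key> <value>
# Rewrites an existing "key = value" line or appends one (no GNU sed -i needed).
fix_sysctl() {
    f="$ROOT/etc/sysctl.conf"
    if grep -q "^$1[[:space:]]*=" "$f" 2>/dev/null; then
        sed "s|^$1[[:space:]]*=.*|$1 = $2|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        echo "$1 = $2" >> "$f"
    fi
}

# "Hard" requirement the script cannot safely automate.  manual_step <id> <msg>
# Interactive: ask the operator to acknowledge.  With -y: never block, but
# record the item so it is not silently lost when run across 1000 hosts.
# Returns 0 if acknowledged or logged, 1 if the operator answered no.
manual_step() {
    if [ "$ASSUME_YES" -eq 1 ]; then
        echo "$(uname -n) $1 MANUAL: $2" >> "$MANUAL_LOG"
        return 0
    fi
    printf 'Requirement %s cannot be met by this script: %s\nDo you understand? [y/n] ' "$1" "$2"
    read -r ans
    case "$ans" in
        y|Y) return 0 ;;
        *)   return 1 ;;
    esac
}

# Apply the steps; a failed fix or a refused manual step stops the run non-zero.
run_remediation() {
    fix_perm /etc/sysctl.conf 0644 &&
    fix_sysctl net.ipv4.ip_forward 0 &&
    manual_step REQ-XYZ "package set needs manual review (see requirement text)"
}

for arg in "$@"; do
    case "$arg" in -y) ASSUME_YES=1 ;; --apply) APPLY=1 ;; esac
done
if [ "$APPLY" -eq 1 ]; then run_remediation; fi
```

Run it as `sh remediate.sh --apply` for an interactive pass, or `sh remediate.sh -y --apply` across a fleet and then review MANUAL_LOG on each host for the items that still need a human.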