On Wednesday, March 14, 2012 01:43:05 PM Spencer R. Shimko wrote:
>> There are hard fixes and there are easy fixes. Let's look at one publicly
>> available validated solution:
>>
>> http://people.redhat.com/sgrubb/files/usgcb/rhel5/workstation-ks.cfg
>>
>> NIST published an exact copy of that file. Look at what is being done to
>> configure the system. The vast majority break down to this:
>>
>> chkconfig
>> chmod
>> echo
>> gconftool-2
>> mkdir
>> rpm --import
>> sed
>> touch
>> useradd
>>
>> They are all one liners. Now if a package was required and it needed to be
>> in a specific configuration and it drags in dependencies and they also have
>> changes to their configs or perhaps have multiple daemons which may or may
>> not need to be enabled or disabled...we have a hard problem. In which case,
>> maybe the solution is:
>>
>> echo "Requirement xyz cannot be met by this script, please solve it manually. Do you understand? [y/n]"
>> read ANS
>
>That's a great idea. It would also be good to have a yum-like "-y"
>option for automation. One wouldn't want to run the remediation on 1000
>systems interactively by hand.
Are you thinking of something significantly different from the secstate
effort?
There is a lot of overlap between what is shipped with RHEL and secstate. We
have had teleconferences on combining codebases somewhat, but that was a long
time ago. We can restart that discussion if you want, but not on this mail list.
-Steve
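
The prompt and the "-y" option discussed in this thread, sketched as an added example that is not part of the original messages or of any shipped remediation script. The function names, return codes and the log path are assumptions made for illustration. With -y the unmet requirement is recorded for later follow-up instead of being silently acknowledged, and a run with no terminal and no -y fails rather than hanging on read.

```shell
#!/bin/sh
# Added example: all names here are hypothetical, not taken from the
# USGCB kickstart or from secstate.
ASSUME_YES=0                                           # set to 1 by -y
MANUAL_LOG="${MANUAL_LOG:-./manual-requirements.log}"  # hypothetical path

# Accept a yum-like -y / --assumeyes switch; reject anything else.
parse_args() {
    for arg in "$@"; do
        case "$arg" in
            -y|--assumeyes) ASSUME_YES=1 ;;
            *) echo "unknown option: $arg" >&2; return 2 ;;
        esac
    done
}

# Report a requirement the script cannot remediate on its own.
# Returns 0 = acknowledged, 1 = operator declined,
#         3 = no terminal on stdin and -y was not given.
manual_requirement() {
    req="$1"
    # Always leave a record, so an unattended run over many hosts still
    # yields a list of systems that need manual work.
    printf '%s %s UNMET %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(uname -n)" "$req" >> "$MANUAL_LOG"

    if [ "$ASSUME_YES" -eq 1 ]; then
        echo "Requirement $req cannot be met by this script; logged to $MANUAL_LOG" >&2
        return 0
    fi
    if [ ! -t 0 ]; then
        # Non-interactive without -y: fail instead of blocking on read.
        echo "Requirement $req needs manual action; rerun with -y or on a terminal" >&2
        return 3
    fi
    printf 'Requirement %s cannot be met by this script, please solve it manually. Do you understand? [y/n] ' "$req"
    read ANS
    case "$ANS" in
        y|Y) return 0 ;;
        *)   return 1 ;;
    esac
}
```

A remediation script would call `parse_args "$@"` once at startup and `manual_requirement xyz` at each step it cannot automate, then collect the log from every host afterwards.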