On 1/25/18 5:03 PM, Fen Labalme wrote:

Question on Ansible fixes: Might it be possible (and preferable per the DRY principle) to have Ansible fixes invoke the Bash fixes which tend to be more complete?

Simple case in point: there are 6 bash/aide* fixes and only 2 ansible/aide* fixes. Not to mention it's easier (at least for me) to build and test a bash "fix" script than an Ansible one.

Related: When you provision a new instance, to harden do you run the bash fixes (more complete) or the Ansible ones? I'm provisioning with Ansible so guidance as to how best to harden it would be helpful.

Bonus question: How best to generate fixes? Should I run them all on a new server, or can I run just those that match failing tests?

Hey Fen! ::waves::

You're totally correct: bash currently has more comprehensive remediation.

If you're provisioning a net new image, you can use the integrated OpenSCAP+Anaconda plugin during the kickstart process. Here's a sample kickstart with the remediation stanza. Swap out line 128 to the profile of your choice: https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel7/kickstart/...

If you're provisioning through Ansible, you could use the shell extension to call openscap to run the remediation:

oscap xccdf eval --profile $profileName --remediate ssg-rhel7-ds.xml