On 1/25/18 5:03 PM, Fen Labalme wrote:
> Question on Ansible fixes: Might it be possible (and preferable per
> the DRY principle) to have Ansible fixes invoke the Bash fixes which
> tend to be more complete?
>
> Simple case in point: there are 6 bash/aide* fixes and only 2
> ansible/aide* fixes. Not to mention it's easier (at least for me) to
> build and test a bash "fix" script than an Ansible one.
>
> Related: When you provision a new instance, to harden do you run the
> bash fixes (more complete) or the Ansible ones? I'm provisioning with
> Ansible so guidance as to how best to harden it would be helpful.
>
> Bonus question: How best to generate fixes? Should I run them all on a
> new server, or can I run just those that match failing tests?
Hey Fen! ::waves::

You're totally correct: bash currently has more comprehensive remediation.

If you're provisioning a net new image, you can use the integrated
OpenSCAP+Anaconda plugin during the kickstart process. Here's a sample
kickstart with the remediation stanza. Swap out line 128 to the profile
of your choice:
https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel7/kicksta...

If you're provisioning through Ansible, you could use the shell
extension to call openscap to run the remediation:

    oscap xccdf eval --profile $profileName --remediate ssg-rhel7-ds.xml
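As an added example (not part of the original thread, and not the project's own playbook), here is a minimal Ansible playbook that does what the reply suggests: install the scanner and the SSG content, then call oscap with --remediate from a shell task and pull the report back. The profile ID, the results directory and the datastream path under /usr/share/xml/scap/ssg/content/ are assumptions (the latter is where the scap-security-guide RPM installs the datastream on RHEL 7, but verify it on your host); the variable name profileName mirrors the $profileName in the command above.

```yaml
# harden.yml - added example, not from the original thread.
# Runs SCAP Security Guide remediation via oscap from an Ansible shell task.
- name: Remediate a RHEL 7 host with SCAP Security Guide content
  hosts: all
  become: true
  vars:
    # Assumed profile ID; list the profiles in a datastream with
    # `oscap info <datastream>` and pick the one you want.
    profileName: xccdf_org.ssgproject.content_profile_standard
    # Path where the scap-security-guide RPM installs the datastream
    # (assumption: verify on your system).
    datastream: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    # Assumed location for the XCCDF results and HTML report.
    results_dir: /var/tmp/ssg

  tasks:
    - name: Install the OpenSCAP scanner and SSG content
      package:
        name:
          - openscap-scanner
          - scap-security-guide
        state: present

    - name: Create a directory for results and the HTML report
      file:
        path: "{{ results_dir }}"
        state: directory
        mode: "0750"

    - name: Evaluate the profile and apply fixes for failing rules only
      # --remediate executes the XCCDF fix for rules that fail, so only
      # the failing checks are touched, not every fix in the profile.
      shell: >
        oscap xccdf eval
        --profile {{ profileName }}
        --remediate
        --results {{ results_dir }}/results.xml
        --report {{ results_dir }}/report.html
        {{ datastream }}
      register: oscap
      # oscap exit codes: 0 = all rules pass, 1 = scanner error,
      # 2 = at least one rule failed. Only a real error fails the task;
      # rc 2 is kept so the report can be reviewed.
      failed_when: oscap.rc == 1
      # oscap prints a "Result  fixed" line for each rule it remediated.
      changed_when: "'fixed' in oscap.stdout"

    - name: Pull the HTML report back to the controller for review
      fetch:
        src: "{{ results_dir }}/report.html"
        dest: "reports/{{ inventory_hostname }}-report.html"
        flat: true
```

Run it with `ansible-playbook -i inventory harden.yml`. Because --remediate only fires fixes for rules that evaluated as failing, this also answers the "bonus question": you do not need to run every fix on a fresh server, a scan-plus-remediate pass applies just the ones whose checks fail, and the saved results.xml records which rules were fixed.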