[Open-scap] Small CLI improvement for remediation

Simon Lukasik slukasik at redhat.com
Fri Feb 15 14:37:30 UTC 2013


On 02/15/2013 02:39 PM, Viktor Hercinger wrote:
>> Note that if there is a fix assigned to the rule_result, then there is
>> never result = XCCDF_RESULT_PASS.
> I'm counting on this fact. If it's XCCDF_RESULT_PASS, then we know that
> re-mediation has not been run, so we can ignore that result completely.
> 
>> I am in doubt here. In near future, there will be possibility to run
>> remediation for a single xccdf_policy multiple times. --> leaving the
>> function with such prototype useless. Another risk is that
>> xccdf_policy_rule_result_remediate will need to become public API.
>>
>> Which leads me to conclusion that statistics shall be calculated during
>> the remediation process.
>>
>> Note that we don't need to be afraid to change function prototype of
>> xccdf_policy_remediate, as it was not released yet.
> I didn't want to do that because it would increase the number of
> arguments too much. Is there a structure that we could maybe extend with
> this statistics?

Probably some of the xccdf_policy_model callbacks could be used I suppose.

> 
>> This would need to use xccdf_rule_result_get_fixes() as these two have
>> slightly different semantics.
> 
> Will fix this.
> 
>> No, the result could be for instance NOTAPPLICABLE or even NOTSELECTED.
>> In that case the remediation would not occur, but it would get counted
>> as it had failed.
> 
> So this means that this should only check for XCCDF_RESULT_ERROR and
> XCCDF_RESULT_FAILED?

I don't know.

OpenSCAP always indicates failed remediation by result=ERROR. However,
this is not explicitly defined by any standard. Thus, there might be
other scanners using FAIL or even NOTCHECKED in some rare cases.

> 
> Viktor

Bottom line, I understand the frustrations with the spartan output of
--remediate. I am just not sure what the output should look like until
the oscap-xccdf-remediate is implemented and integrated with other
applications (i.e. scap-workbench).

I would like to have output of

    xccdf eval --remediate

and

    xccdf remediate

somewhat consistent.

Thanks for the push though!

-- 
Simon Lukasik
Security Technologies
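The counting rules argued over in this thread, as an added stand-alone C example that is not OpenSCAP code: it mirrors the XCCDF result vocabulary in its own enum and models a rule result as a small struct instead of linking against libopenscap, so the names below are constructed stand-ins, not the library's API. Treating FAIL and UNKNOWN as failed remediation (in addition to ERROR) is an assumption following the remark about other scanners.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed mirror of the XCCDF result vocabulary (not libopenscap's enum). */
typedef enum {
    RES_PASS, RES_FAIL, RES_ERROR, RES_UNKNOWN, RES_NOTAPPLICABLE,
    RES_NOTCHECKED, RES_NOTSELECTED, RES_INFORMATIONAL, RES_FIXED
} result_t;

/* Constructed stand-in for one rule result: final result plus whether the
 * rule carried a fix at all (i.e. the fix list was non-empty). */
typedef struct { const char *id; result_t result; int has_fix; } rule_result_t;

typedef struct { int fixed, failed, skipped; } remediation_stats_t;

/* Classify one rule result:
 *  - no fix attached: remediation was never attempted, not counted at all;
 *  - PASS: a rule with a fix never ends as PASS once remediation ran, so
 *    PASS means remediation did not run for it; ignored;
 *  - FIXED: remediation succeeded;
 *  - ERROR: OpenSCAP's marker for failed remediation; FAIL and UNKNOWN are
 *    also counted as failed to tolerate other scanners (assumption);
 *  - NOTAPPLICABLE / NOTSELECTED / NOTCHECKED / INFORMATIONAL: remediation
 *    could not occur, so these count as skipped, never as failed. */
void remediation_stats_add(remediation_stats_t *s, const rule_result_t *rr) {
    if (!rr->has_fix || rr->result == RES_PASS) return;
    switch (rr->result) {
    case RES_FIXED:                                 s->fixed++;   break;
    case RES_ERROR: case RES_FAIL: case RES_UNKNOWN: s->failed++;  break;
    default:                                        s->skipped++; break;
    }
}

remediation_stats_t remediation_stats_compute(const rule_result_t *rrs, size_t n) {
    remediation_stats_t s = {0, 0, 0};
    for (size_t i = 0; i < n; i++) remediation_stats_add(&s, &rrs[i]);
    return s;
}

/* Constructed sample results covering the edge cases from the thread. */
static const rule_result_t SAMPLE[] = {
    {"rule-a", RES_FIXED, 1},          /* remediated successfully */
    {"rule-b", RES_ERROR, 1},          /* OpenSCAP-style failed remediation */
    {"rule-c", RES_NOTAPPLICABLE, 1},  /* has a fix, but remediation could not run */
    {"rule-d", RES_FAIL, 0},           /* no fix: never attempted, not counted */
    {"rule-e", RES_PASS, 1},           /* PASS with a fix: remediation not run */
    {"rule-f", RES_FAIL, 1},           /* other scanner's failed-remediation marker */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void) {
    remediation_stats_t s = remediation_stats_compute(SAMPLE, SAMPLE_N);
    printf("fixed=%d failed=%d skipped=%d\n", s.fixed, s.failed, s.skipped);
    return 0;
}
```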
