[Open-scap] support for remediation (parameters for fixes?)
Simon Lukasik
slukasik at redhat.com
Mon Jun 3 09:19:55 UTC 2013
On 06/01/2013 08:26 PM, Jeffrey Blank wrote:
> Ah, I see Simon already answered this, a while back:
> https://www.redhat.com/archives/open-scap-list/2013-April/msg00007.html
>
> We will give this a spin. Any other suggestions are also most welcome.
> OpenSCAP remains a key element for security automation -- thanks again.
>
>
>
Regarding remediation, there is also a blog post at
http://isimluk.livejournal.com/3573.html
Other than that, there has been a vibrant thread at scap-security-guide
mailing list during March/April.
Note that the XSL Transformations (which you are referring to) are the most
visible in OpenSCAP, but I consider them a kinda legacy thing (see the section
`Shortcomings of That Approach' in the blog post).
For example, the XSL Transformations can neither evaluate the CPE assigned to
<fix> elements, nor can they resolve text substitution correctly.
The XSL Transformations are invoked by
    oscap xccdf generate fix --result-id
while more comprehensive and evolved processing is invoked by
    oscap xccdf remediate
    oscap xccdf eval --remediate
    oscap xccdf generate fix (without the --result-id)
Feel free to share your thoughts if you conclude that another method
would suit you more.
Regards,
--
Simon Lukasik
Security Technologies