[Open-scap] oscap-ssh based remediation killing remote server

Fen Labalme fen at civicactions.com
Thu Apr 21 22:14:04 UTC 2016


Hi,

I'm running oscap-ssh on CentOS 7 using oscap-user and the `sudo` option.
Running a scan on a remote server works great (thank you!):

    oscap-ssh sudo oscap-user@192.168.56.102 22 xccdf eval \
      --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
      --results-arf scans/results-arf.xml --results scans/results.xml \
      --report scans/results.html scap/ssg-centos7-ds.xml


Then I run a remediation with the line:

    oscap-ssh sudo oscap-user@192.168.56.102 22 xccdf eval --remediate \
      --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
      --results scans/remediation-results.xml --fetch-remote-resources \
      scap/ssg-centos7-ds.xml


This completely kills access to the server at 192.168.56.102 (via host or
dashboard).

Am I calling remediation incorrectly? Has anyone else seen anything like
this? No obvious errors are reported.

Suggestions on how to debug what step might be killing the server are
welcome. Note that it doesn't die until the SSH connection is closed, e.g.
after:

    Shared connection to 192.168.56.102 closed.
    oscap exit code: 2
    Copying back requested files...
    results.xml                                   100% 1889KB   1.9MB/s   00:00
    Removing remote temporary directory...
    Disconnecting ssh and removing master ssh socket directory...
    Exit request sent.


The exact steps I'm using are captured in a completely self-contained
ansible role test setup (that uses vagrant) documented - should you want to
recreate my process - at
https://github.com/openprivacy/ansible-role-govready/blob/master/tests/README.md

Thanks,
=Fen

-- 
Fen Labalme, CISO at CivicActions.com
Security | Quality | DevOps
mobile: 412-996-4113
github/skype/twitter: openprivacy