[Open-scap] oscap xccdf generate fix --template urn:xccdf:fix:script:ansible working?

Jan Cerny jcerny at redhat.com
Wed Jan 25 09:18:00 UTC 2017


Hi,

Thank you very much for reaching out to us.

Your problem can have multiple reasons:

1. Ansible playbooks are a new feature in SCAP Security Guide 0.1.31, released recently.
If you use an older version, you can download the latest release from
https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.31/scap-security-guide-0.1.31.zip

2. OpenSCAP older than 1.2.13 used to filter out the playbooks that are not applicable on the system where
OpenSCAP runs. If you run OpenSCAP to generate a playbook on a different system than RHEL7,
the playbooks got filtered out because they are not applicable.
You can solve this by upgrading to 1.2.13, where this "feature" (bug) was removed.
You can also bypass this problem by removing the following lines from the ssg-rhel7-ds.xml
manually using a text editor:

<platform idref="cpe:/o:redhat:enterprise_linux:7"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::client"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::computenode"/>

3. OpenSCAP older than 1.2.11 generated incorrect playbooks.

I suggest using all the software in the latest versions. This command is working
for me with SCAP Security Guide 0.1.31 and OpenSCAP 1.2.13:

oscap xccdf generate fix --template urn:xccdf:fix:script:ansible --profile xccdf_org.ssgproject.content_profile_C2S --output playbook.yml ssg-rhel7-ds.xml

Also, please note that playbooks in SCAP Security Guide are not complete; it's mostly a technical preview.
Contributions are welcome!

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Eric Martin" <eric.martin at itmartin.com>
> To: open-scap-list at redhat.com
> Sent: Monday, January 23, 2017 4:57:03 PM
> Subject: [Open-scap] oscap xccdf generate fix --template	urn:xccdf:fix:script:ansible working?
> 
> 
> 
> Hello,
> 
> 
> 
> I’m new to OpenSCAP and I’m using ansible so I’m trying to generate an
> ansible playbook using:
> 
> 
> 
> # oscap xccdf generate fix --template urn:xccdf:fix:script:ansible --profile
> xccdf_org.ssgproject.content_profile_C2S --output ./playbook.yml
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
> 
> # ll playbook.yml*
> 
> -rwx------. 1 root root 0 Jan 23 16:38 playbook.yml
> 
> #
> 
> The generated file is empty.
> 
> 
> 
> If I try:
> 
> # oscap xccdf generate fix --template urn:xccdf:fix:script:sh --profile
> xccdf_org.ssgproject.content_profile_C2S --output ./playbook.sh
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
> 
> # ll playbook.sh*
> 
> -rwx------. 1 root root 426157 Jan 23 16:38 playbook.sh
> 
> #
> 
> Then the shell script is generated.
> 
> 
> 
> My question is:
> 
> Is the urn:xccdf:fix:script:ansible option working?
> 
> I did see that someone managed to get it working:
> https://blog-zbynek.rhcloud.com/2016/09/12/ssg-openscap-and-ansible/
> 
> 
> 
> Thanks,
> 
> 
> 
> Eric Martin
> 
> 
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
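
The three causes listed in the reply, and the platform-line workaround, as an added shell example (not part of the original messages and not code from the OpenSCAP project). The function names are hypothetical, the version strings are supplied by the caller (for example from `oscap --version` and the installed scap-security-guide package), and the filter matches the platform lines exactly as the reply shows them.

```shell
#!/bin/sh
# Added example: helper functions for the empty-playbook problem in this thread.

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# diagnose OSCAP_VERSION SSG_VERSION: print one line per cause from the reply
# that applies to the given versions; prints nothing when none applies.
diagnose() {
    version_lt "$2" 0.1.31 && echo "ssg<0.1.31: content has no Ansible playbooks"
    version_lt "$1" 1.2.13 && echo "oscap<1.2.13: fixes filtered out unless run on RHEL7"
    version_lt "$1" 1.2.11 && echo "oscap<1.2.11: generated playbooks are incorrect"
    return 0
}

# strip_rhel7_platforms IN OUT: write a copy of IN to OUT without the three
# <platform> lines named in the reply. IN is left untouched so the shipped
# content stays intact. Prints how many lines were dropped.
strip_rhel7_platforms() {
    pattern='^[[:space:]]*<platform idref="cpe:/o:redhat:enterprise_linux:7'
    pattern="$pattern"'(::(client|computenode))?"/>[[:space:]]*$'
    # grep exits 1 when it selects no lines; only a real error (>1) is fatal.
    grep -v -E "$pattern" "$1" > "$2" || [ $? -eq 1 ] || return 2
    echo $(( $(wc -l < "$1") - $(wc -l < "$2") ))
}

# sample_fragment: constructed data stream fragment for a dry run.
sample_fragment() {
    printf '%s\n' '<Benchmark id="constructed">' \
        '  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>' \
        '  <platform idref="cpe:/o:redhat:enterprise_linux:7::client"/>' \
        '  <platform idref="cpe:/o:redhat:enterprise_linux:7::computenode"/>' \
        '  <Rule id="constructed_rule"/>' \
        '</Benchmark>'
}
```

After `strip_rhel7_platforms ssg-rhel7-ds.xml ssg-rhel7-ds-noplatform.xml`, pass the copy to the `oscap xccdf generate fix` command from the reply in place of the original file.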
