[Open-scap] customizing generation of mediation scripts

Jan Cerny jcerny at redhat.com
Thu Mar 23 07:51:55 UTC 2017


Hi,

The bash code is taken from the input SCAP content,
e.g. from /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml.
There is no magic behind that; basically oscap simply extracts
snippets from XML.

If you want to amend the script that is generated by oscap, unfortunately
that is not possible; we don't have any option to customize the
"oscap xccdf generate fix" command. The only way is to edit the generated
script manually.

The best thing that you could do is to share your bash code
with others, that is, to propose a pull request to the SCAP Security
Guide project. The source code repository can be found at
https://github.com/OpenSCAP/scap-security-guide
We can help you with that and we will be happy if you contribute.

I recommend exploring /shared/templates/static/bash
and /shared/templates directories in the SCAP Security Guide
source code repository.


Regards


Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Greg Silverman (CS)" <Greg.Silverman at veritas.com>
> To: open-scap-list at redhat.com
> Cc: "DL-VTAS-AS-Team-Sangria" <DL-VTAS-AS-Team-Sangria at veritas.com>
> Sent: Tuesday, March 21, 2017 7:17:36 PM
> Subject: [Open-scap] customizing generation of mediation scripts
> 
> 
> 
> I would like to modify the fixes that oscap will generate and add some
> automatic fixes. For example
> 
> 
> 
> 1. The firewall fix bash code does not add the ssh service to the drop zone.
> Which file can I modify so that the “add-services ssh” is included in the
> generated remediation script?
> 
> 2. Where can I add bash code to fix items that are not currently fixed? (I
> realize that some future release may replace changes I make now.)
> 
> 
> 
> 
> 
> Greg Silverman
> 
> Veritas Technologies
> 
> Mountain View, CA
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
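
Added example, not part of the original thread and not OpenSCAP's own code: a Python sketch of the extraction described in the reply, pulling the bash <fix> bodies out of XCCDF 1.2 content and listing rules that ship no bash fix. The sample benchmark, its IDs and its script are constructed; taking only the first <value> default and ignoring profile selectors is a simplification.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"   # XCCDF 1.2 namespace
SH_FIX = "urn:xccdf:fix:script:sh"              # system URI of bash fixes

# Constructed sample benchmark (IDs and script are made up, not SSG content).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Value id="xccdf_example_value_zone"><value>drop</value></Value>
  <Rule id="xccdf_example_rule_firewall_zone" selected="true">
    <title>Constructed rule with a bash fix</title>
    <fix system="urn:xccdf:fix:script:sh">zone="<sub idref="xccdf_example_value_zone"/>"
firewall-cmd --set-default-zone="$zone"
</fix>
  </Rule>
  <Rule id="xccdf_example_rule_no_fix" selected="true">
    <title>Constructed rule without any fix</title>
  </Rule>
</Benchmark>"""

def fix_text(fix, values):
    """Join a <fix> body, replacing <sub idref=.../> with the Value default."""
    parts = [fix.text or ""]
    for child in fix:
        if child.tag == NS + "sub":
            parts.append(values.get(child.get("idref"), "<unresolved>"))
        parts.append(child.tail or "")
    return "".join(parts)

def extract_bash_fixes(xml_text):
    """Return ({rule_id: script}, [rule ids with no bash fix])."""
    # Parse only content you trust; ElementTree is not hardened against hostile XML.
    root = ET.fromstring(xml_text)
    values = {}
    for val in root.iter(NS + "Value"):
        default = val.find(NS + "value")   # simplification: first <value> only
        if default is not None:
            values[val.get("id")] = default.text or ""
    fixes, missing = {}, []
    for rule in root.iter(NS + "Rule"):
        sh = [f for f in rule.findall(NS + "fix") if f.get("system") == SH_FIX]
        if sh:
            fixes[rule.get("id")] = fix_text(sh[0], values)
        else:
            missing.append(rule.get("id"))
    return fixes, missing

if __name__ == "__main__":
    fixes, missing = extract_bash_fixes(SAMPLE)
    print(fixes, missing)
```

Because root.iter() searches at any depth, the same function also finds rules when the benchmark is embedded in a source data stream file; review the extracted script before running it, as with any generated remediation.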



