<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <br> <br> <div class="moz-cite-prefix">On 4/15/15 1:11 PM, Greg Elin wrote:<br> </div> <blockquote cite="mid:CACZRBDR=DhiKkadH3UkdFV7COEN8qyGm1YTKH3MG0y86wuLeNw@mail.gmail.com" type="cite"> <div class="gmail_default" style="font-size:small">Jacob,</div> <div class="gmail_default" style="font-size:small"><br> </div> <div class="gmail_default" style="font-size:small">Thanks for opening this topic. My question would be -- if OpenSCAP is open source, why aren't we publishing the remediation and remediation script section online? Why is only available in the report?</div> </blockquote> <br> Remediation is provided through content. In terms of what's shipping in RHEL (SCAP Security Guide), all the remediation scripts are on GitHub:<br> <a class="moz-txt-link-freetext" href="https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/6/input/fixes/bash">https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/6/input/fixes/bash</a><br> <br> The remediation is visible in the various prose guides and reports that OpenSCAP generates.<br> <br> <blockquote cite="mid:CACZRBDR=DhiKkadH3UkdFV7COEN8qyGm1YTKH3MG0y86wuLeNw@mail.gmail.com" type="cite"> <div class="gmail_default" style="font-size:small">If it does make sense to have the remediation information local, I think it might even be better in a separate document/report.</div> </blockquote> <br> Can you detail this out some more? The RHEL7 reports look like this:<br> <br> <img src="cid:part1.02060502.01090208@redhat.com" alt=""><br> <br> <br> The remediation content could either be copy/pasted, or you could use OpenSCAP to transform that into a shell script to be ran.<br> <br> Alternatively, you could tell OpenSCAP to perform the remediation during scanning, and generate a report after all remediation is applied.<br> <br> </body> </html>