Default to running scans as unprivileged oscap-user

[openprivacy]

Not sure why Travis looked at this, as there'sno local .travis.yml file...

[gregelin]

@openprivacy Need to figure out what is happening with Travis... Also, it seems to me that this modification for remote scanning forces/assumes the creation of a new user oscap-user on the target system?

[gregelin]

@openprivacy It seems this modification forces the creation of a new user on the remote system, e.g. oscap-user with sudo privileges, before a remote scan can be done?

[openprivacy]

No, it is not forced, just recommended. The govready script can use any user name or even root to run scans. Actually, previous to this release, I have been ssh-ing in and scanning as root which is an admitted security violation. But scanning should be accomplished by root process, so the best way is to have an unprivileged user that can only run oscap as root perform the scan. See the section "Running remotely as root " in http://fossies.org/linux/openscap/utils/oscap-ssh.8

My current code for this is at https://github.com/openprivacy/ansible-role-openscap/blob/master/tasks/main.yml#L18 -- this should be updated to accept a variable, as we'll be using a different user name on my current gov project.

[gregelin]

Closed via a PR #89