OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1
106 stars, 32 forks

Generate remediation script after scan #105

Closed. jan-cerny closed this pull request 7 years ago.

jan-cerny commented 7 years ago

We need a remediation script to be able to build hardened images. Because we will need to use the script in Atomic, which is independent of the scanner, we can't call "oscap xccdf generate fix" directly from Atomic. Instead, we have to generate the fix right after the scan by oscapd-evaluate.

jan-cerny commented 7 years ago

I have improved the commit so that now:

mpreisler commented 7 years ago

> bash_fix etc. The script is unfortunately written to stdout, but that's consistent with other options like results, or report.

wait, what? it's expected to be written to stdout, right? why would it be written anywhere else?

jan-cerny commented 7 years ago

@mpreisler

> wait, what? it's expected to be written to stdout, right? why would it be written anywhere else?

Yes, it's expected, because it's the same way as we already do for HTML report or ARF files. However, e.g. HTML report is very long, and I don't have an HTML parser in my brain, so it's hard to read for me. Especially for users that don't know they will get an HTML and expect something simple instead. On the other hand, it's very easy to use output redirection using >. Some tools provide --output or something like that.

mpreisler commented 7 years ago

> Yes, it's expected, because it's the same way as we already do for HTML report or ARF files. However, e.g. HTML report is very long, and I don't have an HTML parser in my brain, so it's hard to read for me. Especially for users that don't know they will get an HTML and expect something simple instead. On the other hand, it's very easy to use output redirection using >. Some tools provide --output or something like that.

stdout is meant to be piped around and piped into files, so I'd say this is expected and totally fine. I have no problem with this in this PR. We could add --output but piping the whole thing into a file achieves the same thing.

mpreisler commented 7 years ago

Could you please also add oscapd-cli task 1 bash_fix and variants for ansible and puppet? Should be trivial to add and would make this PR complete.

jan-cerny commented 7 years ago

> Could you please also add oscapd-cli task 1 bash_fix and variants for ansible and puppet? Should be trivial to add and would make this PR complete.

@mpreisler It's already here, isn't it? Or do you mean something else?

jan-cerny commented 7 years ago

I have amended the commit to not generate a fix by default.

mpreisler commented 7 years ago

task, not result. To generate the fix from the profile.

On Jun 20, 2017 8:20 AM, "Jan Černý" <notifications@github.com> wrote:

> > Could you please also add oscapd-cli task 1 bash_fix and variants for ansible and puppet? Should be trivial to add and would make this PR complete.
>
> @mpreisler It's already here, isn't it? Or do you mean something else?


jan-cerny commented 7 years ago

Aha OK :D I will look into that.

jan-cerny commented 7 years ago

I have added generating fixes from tasks (from profile).

mpreisler commented 7 years ago

Great work, kudos!

ACK!