OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

Remediation of containers for configuration compliance has inconsistent output #121

Open matusmarhefka opened 6 years ago

matusmarhefka commented 6 years ago

When remediating containers for configuration compliance, the output of scan vs. remediation is inconsistent:

```
# atomic scan --remediate --scan_type configuration_compliance --scanner_args \
   profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa \
   registry.access.redhat.com/rhel7:latest

.............

     Configure Time Service Maxpoll Interval
     Severity: Low
       XCCDF result: fail

     Configure LDAP Client to Use TLS For All Transactions
     Severity: Moderate
       XCCDF result: fail

.............
Remediating rule 43/44: 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'
Remediating rule 44/44: 'xccdf_org.ssgproject.content_rule_ldap_client_start_tls'
```

Scan results do not state the rule IDs, only descriptions; on the other hand, remediations of rules state rule IDs, which might be confusing for the user to map to the original scan results.

I think we should either print rule descriptions in remediations (as for the scan) or add rule IDs to the scan output as proposed in the issue https://github.com/OpenSCAP/openscap-daemon/issues/108

jan-cerny commented 6 years ago

If you want to change the output of remediations, you have to change it in OpenSCAP, because the remediation headers are generated by OpenSCAP. But I think it would be a nice, easy feature for OpenSCAP.