search

OpenSCAP / scap-workbench

SCAP Scanner And Tailoring Graphical User Interface
https://www.open-scap.org/tools/scap-workbench
GNU General Public License v3.0
226 stars 65 forks source link

[RFE] Please provide "Remediate Dry Run" button / checkbox #65

Open iankko opened 8 years ago

iankko commented 8 years ago

Upon a system's feature failure reported by scan SCAP Security Guide users are faced the need to perform the remediation. Since this might seem like risky operation on the production system (till the moment a trust into correctness of the remediation scripts provided by SSG is obtained), there's often a need / request to have an in advance ability to see, what (which actions / code) would be actually executed when performing online remediation of the system.

Though openscap provides xccdf generate fix option, this possibility requires the users to be more familiar with the underlying SCAP standards concept (read like there might be initial barrier the users to be able to generate the fixes at their own, prior performing the actual remediation itsefl). We should lower this entry barrier by introduction of a new button / checkbox to the SCAP Workbench GUI, namely Remediation Dry Run (or use alternative name. Will leave the final decision at your own consideration).

The purpose of the new `Remediation Dry Run`` button / checkbox would be to:

The expectation: The newly added Remediation Dry Run button / checkbox should be smart enough to be able to generate fixes in both cases:

Thank you, Jan

ybznek commented 8 years ago

Maybe I haven't understood well your idea.

Do you want to "only" show scripts?

I understand "Dry Run" rather like "run it on fake environment and show real changes."

You said that it is risky operation - it is easier to validate real changes than validate script - even for non programmer. I don't know possibilities, but we could run the scripts on some overlay FS over / - user will see real changes. - It isn't good for binary files, but for configuration it could be helpful.

What do you think?

iankko commented 8 years ago

Maybe I haven't understood well your idea. Do you want to "only" show scripts?

Yes, just show the corresponding script that would be actually executed for that rule.

I understand "Dry Run" rather like "run it on fake environment and show real changes."

Maybe "dry run" wasn't chosen well. Basically it should be "test" (like. e.g. authconfig's --test option:

--test                  do not update the configuration files, only print new settings

Applied to SCAP Workbench case, we wouldn't perform the remediation itself, just show the script)

You said that it is risky operation

It was rather meant it might be perceived like risky operation. Not like SSG remediation scripts aren't trustworthy :) (if there's some issue with them, we will fix that). But system administrators might want to have a look what would be executed, before they run the remediations.

  • it is easier to validate real changes than validate script - even for non programmer. I don't know possibilities, but we could run the scripts on some overlay FS over / - user will see real changes. - It isn't good for binary files, but for configuration it could be helpful.

The original idea was just to print out the scripts forms (basically supply some GUI for oscap xccdf generate fix). But I like the dry run idea too. Just would make it another step in handling this (like first implement the "Test" checkbox / button, then the "Dry Run" checkbox / button).

What do you think?

Thanks, Jan

What do you think?

ybznek commented 8 years ago

Yes, implementing this like two different features is a good solution, because we could have problem with not supported file systems in rhel6, etc.. So "Test" will be available everywhere and "Dry Run" only on supported platforms.

mpreisler commented 8 years ago

No way this is happening in 1.1.3...

BobBagwill commented 7 years ago

IMHO, remediation should be a second step anyway and each remediation should be individually selectable and editable.