Hi, one option is to use remediation roles instead of --remediate, generating them out of specific results or a whole profile, and remove the offending remediations out of the role (which is either a bash script or an Ansible role). It's a bit clunky, but it should work :)
Marek
On 03/02/2018 04:53 PM, Gabe Alford wrote:
Fen,
There is an RFE open in OpenSCAP for this very thing at https://github.com/OpenSCAP/openscap/issues/633
Outside of tailoring a profile, nothing super easy from the OpenSCAP side of the house.
Gabe
On Thu, Mar 1, 2018 at 8:59 PM, Fen Labalme <fen.labalme@civicactions.com> wrote:
The goal is to create a hardened EC2 server on AWS from scratch. After provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed by the bash remediations from SSG using:

    command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
      --results-arf /tmp/results-arf.xml --report /tmp/report.html \
      /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'

But there are some remediations I don't want to run for an EC2 server such as install_smartcard_packages.sh and dracut-fips. Is there a way to prevent certain remediations from running?

Thanks,
=Fen

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
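The approach Marek describes (generate the remediation as a bash script, then cut out the unwanted fixes), as an added example that is not part of the original thread. It assumes the generated script wraps each fix in `# BEGIN fix (...) for '<rule id>'` / `# END fix for '<rule id>'` comment lines; the function name, the rule IDs and the fix bodies in the sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Generate the script first, e.g.:
#   oscap xccdf generate fix --profile "$PROFILE" --fix-type bash \
#       /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml > fix.sh
# (--fix-type needs a recent oscap; $PROFILE is your profile id.)

# filter_remediations SKIP_REGEX < fix.sh > fix-filtered.sh
# Drops every fix block whose BEGIN marker matches SKIP_REGEX (assumed marker
# format, see lead-in). Exit 2: a dropped block never ended (truncated input).
# Exit 3: nothing matched, so the unwanted fix would still run.
filter_remediations() {
  awk -v skip="$1" '
    /^# BEGIN fix \(/ && $0 ~ skip {
      drop = 1; dropped++
      sub(/^# BEGIN fix/, "# SKIPPED fix")   # leave an audit trail
      print
      next
    }
    drop && /^# END fix for / { drop = 0; next }
    drop { next }
    { print }
    END {
      if (drop)     { print "unterminated fix block" > "/dev/stderr"; exit 2 }
      if (!dropped) { print "no rule matched: " skip > "/dev/stderr"; exit 3 }
    }
  '
}

# Constructed sample standing in for a generated remediation script.
sample_script() {
  cat <<'EOF'
#!/bin/bash
# BEGIN fix (1 / 3) for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'
echo "constructed body: smartcard"
# END fix for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'
# BEGIN fix (2 / 3) for 'xccdf_org.ssgproject.content_rule_package_dracut-fips_installed'
echo "constructed body: dracut-fips"
# END fix for 'xccdf_org.ssgproject.content_rule_package_dracut-fips_installed'
# BEGIN fix (3 / 3) for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'
echo "constructed body: sshd"
# END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'
EOF
}
```

Treat a non-zero exit as a build failure in the provisioning pipeline, so a renamed rule ID does not silently put the unwanted remediation back.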