8.4.6. Using OpenSCAP to Remediate the System
- OpenSCAP performs a regular XCCDF evaluation.
- An assessment of the results is performed by evaluating the OVAL definitions. Each rule that has failed is marked as a candidate for remediation.
- OpenSCAP searches for an appropriate fix element, resolves it, prepares the environment, and executes the fix script.
- Any output of the fix script is captured by OpenSCAP and stored within the rule-result element. The return value of the fix script is stored as well.
- Whenever OpenSCAP executes a fix script, it immediately evaluates the OVAL definition again (to verify that the fix script has been applied correctly). During this second run, if the OVAL evaluation returns success, the result of the rule is fixed, otherwise it is an error.
- Detailed results of the remediation are stored in an output XCCDF file. It contains two TestResult elements. The first TestResult element represents the scan prior to the remediation. The second TestResult is derived from the first one and contains the remediation results.
8.4.6.1. OpenSCAP Online Remediation
Online remediation is enabled with the --remediate command-line option. For example, to execute online remediation using the scap-security-guide package, run:
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
The fixed result indicates that the scan performed after the remediation passed. The error result indicates that even after applying the remediation, the evaluation still does not pass.
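To review the output XCCDF file described above (two TestResult elements, the second carrying fixed and error rule results), here is an added Python example; it is not part of this guide or of OpenSCAP. The sample document and rule ids are constructed, and it assumes the XCCDF 1.2 namespace used by the scap-security-guide data streams.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample of the output XCCDF file: the first TestResult is the scan
# before remediation, the second is derived from it and holds remediation results.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_scan">
    <rule-result idref="xccdf_example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_b"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_c"><result>fail</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_remediation">
    <rule-result idref="xccdf_example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_b"><result>fixed</result></rule-result>
    <rule-result idref="xccdf_example_rule_c"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

def rule_results(test_result):
    """Map rule id -> result string for one TestResult element."""
    out = {}
    for rr in test_result.findall("xccdf:rule-result", XCCDF_NS):
        res = rr.find("xccdf:result", XCCDF_NS)
        out[rr.get("idref")] = res.text.strip() if res is not None and res.text else "unknown"
    return out

def summarize_remediation(xml_text):
    """Return (fixed_rules, error_rules, counts): rules that failed in the scan
    and are 'fixed' after remediation, rules still in 'error', and a Counter over
    the second TestResult's result values."""
    root = ET.fromstring(xml_text)
    results = root.findall("xccdf:TestResult", XCCDF_NS)
    if len(results) < 2:
        raise ValueError("expected two TestResult elements (scan and remediation)")
    before, after = rule_results(results[0]), rule_results(results[1])
    fixed = sorted(r for r, v in after.items() if v == "fixed" and before.get(r) == "fail")
    errors = sorted(r for r, v in after.items() if v == "error")
    return fixed, errors, Counter(after.values())

if __name__ == "__main__":
    fixed, errors, counts = summarize_remediation(SAMPLE_RESULTS)
    print("fixed:", fixed)
    print("still failing (error):", errors)
    print("counts:", dict(counts))
```

Run it against a real results file by passing the contents of scan-xccdf-results.xml to summarize_remediation; rules listed under error are the ones that need manual follow-up.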