8.4.6.2. OpenSCAP Offline Remediation

Offline remediation allows you to postpone fix execution. In the first step, the system is only evaluated, and the results are stored in a TestResult element in an XCCDF file.
In the second step, oscap executes the fix scripts and verifies the result. It is safe to store the results in the input file; no data will be lost. During offline remediation, OpenSCAP creates a new TestResult element that is based on the input one and inherits all of its data. The newly created TestResult differs only in the rule-result elements that have failed. For those, remediation is executed.
To perform offline remediation using the scap-security-guide package, run:
~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
~]$ oscap xccdf remediate --results scan-xccdf-results.xml scan-xccdf-results.xml
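
To review what the second step changed, the TestResult elements in the results file can be compared. The following is an added example, not part of the original documentation or of OpenSCAP: it assumes the scan TestResult and the one created by remediation are both present in the file in that order, and the embedded XML and all ids in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real oscap output): one scan TestResult followed by
# the TestResult a remediation run would add. All ids are placeholders.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
 <TestResult id="xccdf_example_testresult_scan">
  <rule-result idref="rule_a"><result>pass</result></rule-result>
  <rule-result idref="rule_b"><result>fail</result></rule-result>
  <rule-result idref="rule_c"><result>fail</result></rule-result>
 </TestResult>
 <TestResult id="xccdf_example_testresult_remediated">
  <rule-result idref="rule_a"><result>pass</result></rule-result>
  <rule-result idref="rule_b"><result>fixed</result></rule-result>
  <rule-result idref="rule_c"><result>error</result></rule-result>
 </TestResult>
</Benchmark>"""

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files are both handled."""
    return tag.rsplit("}", 1)[-1]

def parse_test_results(xml_text):
    """Return [(TestResult id, {rule idref: result})] in document order."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "TestResult":
            continue
        rules = {}
        for rr in el.iter():
            if local(rr.tag) == "rule-result":
                res = next((c.text for c in rr if local(c.tag) == "result"), None)
                rules[rr.get("idref")] = (res or "").strip()
        found.append((el.get("id"), rules))
    return found

def remediation_report(xml_text):
    """Compare the first and last TestResult in one results file."""
    results = parse_test_results(xml_text)
    before, after = results[0][1], results[-1][1]
    attempted = sorted(r for r, v in before.items() if v == "fail")
    changed = [r for r, v in after.items() if before.get(r) != v]
    return {
        "attempted": attempted,  # rules that failed the scan, so fixes were run
        "not_fixed": sorted(r for r in attempted if after.get(r) != "fixed"),
        "unexpected": sorted(r for r in changed if before.get(r) != "fail"),
    }

if __name__ == "__main__":
    print(remediation_report(SAMPLE))
```

A non-empty `unexpected` list means a rule that had not failed changed its result between the two TestResult elements, which the description above says should not happen.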