RFE: Add ability to skip specific remediations

[redhatrises]

Add an option to skip specific remediations when runnning oscap xccdf remediate or oscap xccdf eval --remediate. This is extremely helpful when certain checks may brick a system or using untailored XCCDF in kickstarts, etc. The option (--skip-remediation or --skip-fix) would need to handle multiple instances and/or shell expansion. For example:

oscap xccdf eval --remediate --skip-fix fix1 --skip-fix fix50 --skip-fix fix101
--profile stig-rhel7-server-upstream
ssg-rhel7-xccdf.xml

or

oscap xccdf eval --remediate --skip-remediation {fix1,fix50,fix101}
--profile stig-rhel7-server-upstream
ssg-rhel7-xccdf.xml

[redhatrises]

IMO this is a better way to solve ComplianceAsCode/content#1609 and ComplianceAsCode/content#1608.

[mpreisler]

I think the CLI you suggested is not a good user experience.

We were discussing some ideas internally about:

• structured remediations
• pick and choose remediations in SCAP Workbench
• pick and choose remediations via command-line

I can't promise anything but stay tuned! Of course as always any contributions are welcome.

[jan-cerny]

@matusmarhefka has implemented evaluating only a single rule in "oscap xccdf eval". Users can provide --rule.

@matusmarhefka Does --rule work together with --remediate? That would partially solve this issue.
Can we introduce --rule into xccdf generate fix as well?

@mpreisler Is the SCAP Workbench feature planned?

[matusmarhefka]

@jan-cerny Yes, --rule works with --remediate. To the second question, I think there should be no problem in implementing --rule feature into xccdf generate fix if needed.

[redhatrises]

It would be nice to handle this for more than just a singe rule as well.... Maybe something like a file with a listing of the rules to ignore the remediations on.

[admd]

@jan-cerny Yes, --rule works with --remediate. To the second question, I think there should be no problem in implementing --rule feature into xccdf generate fix if needed.

@jan-cerny @matusmarhefka

Would it also be possible to add this --rule as an option to remediate the command?

Something like oscap xccdf remediate --rule xccdf_org.ssgproject.content_rule_file_at_deny_not_exist --results scan-xccdf-results.xml scan-xccdf-results.xml

It would make sense where one doesn't want to evaluate and remediate in one go but rather would like to do it in 2 steps, more like offline remediation.

So remediation after scanning but only for particular rule

[modem7]

Skipping certain fixes would be infinitely useful in our environment where the generated level 1 server fix script removed a few packages that we require for our particular usecase.

A separate ignore file would certainly make it neater and trackable (e.g. in source control) with something like --skip-file skip.txt or similar, with one line per remediation one wishes to skip.

[evgenyz]

You can tailor-out any rule from a DS by deselecting it in a tailoring file. It would make more sense to get rid of both the check and the remediation at the same time.