1

I am attempting to perform an OpenSCAP remediation through a chroot session. My command is structured as follows:

    oscap-chroot /mnt/chroot_fs \
        xccdf eval \
        --remediate \
        --results results.xml \
        --report report.html \
        --profile xccdf_org.ssgproject.content_profile_cui \
        ssg-rhel7-ds-1.2.xml

When the command executes, it performs a scan successfully, indicating a handful of pass and fail results. Then, when it moves on to the remediation phase, it says:

    --- Starting Remediation ---
    OpenSCAP Error: Can't perform remediation in offline mode: not implemented [/builddir/build/BUILD/openscap-1.3.3/src/XCCDF/xccdf_session.c:1690]

Is remediation through a chroot session not possible at this time? If not, how can you perform a remediation against a remote target?

TJ Zimmerman

1 Answer

0

The answer is that OpenSCAP cannot perform remote remediations. oscap-chroot and oscap-ssh are meant for scans only. The recommended solution, from what I can tell, is to use oscap xccdf generate fix using the results.xml file generated by oscap-chroot. Then run this remediation script manually against the remote host.

TJ Zimmerman
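The workflow described in the answer, as an added example that is not part of the original post: it reads the TestResult id and the failed rules out of results.xml, generates a bash fix script with oscap xccdf generate fix, and streams the reviewed script to the target over SSH. The output name remediation.sh, the user@host argument, non-interactive sudo on the target and the constructed sample XML are assumptions, and the parsing assumes each opening tag sits on one line.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: remediation.sh,
# the user@host argument, and non-interactive sudo on the target.

# Print the id of the last <TestResult> in an XCCDF results file (or stdin).
testresult_id() {
    grep -Eo '<([[:alnum:]_-]+:)?TestResult[[:space:]][^>]*' "$@" |
        sed -n 's/.* id="\([^"]*\)".*/\1/p' | tail -n 1
}

# List the idref of every rule-result whose <result> is "fail".
failed_rules() {
    awk '/<rule-result / && match($0, /idref="[^"]*"/) {
             id = substr($0, RSTART + 7, RLENGTH - 8) }
         /<result>fail<\/result>/ { print id }' "$@"
}

# Write a bash fix script covering the failed rules of that TestResult.
generate_fix() {
    id=$(testresult_id "$1")
    [ -n "$id" ] || { echo "no TestResult in $1" >&2; return 1; }
    oscap xccdf generate fix --fix-type bash --result-id "$id" \
        --output "$2" "$1"
}

# Stream the reviewed script to the target over SSH and run it as root.
apply_remote() { ssh "$2" 'sudo bash -s' < "$1"; }

# Constructed sample (not real scan output) for trying the parsers offline.
sample_results() {
    cat <<'EOF'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cui" version="0.1">
<rule-result idref="xccdf_org.ssgproject.content_rule_example_a"><result>pass</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_example_b">
<result>fail</result>
</rule-result>
</TestResult>
</Benchmark>
EOF
}

# Usage: script generate results.xml | script apply user@host | script demo
case "${1:-}" in
    generate) failed_rules "$2" && generate_fix "$2" remediation.sh ;;
    apply)    apply_remote remediation.sh "$2" ;;
    demo)     sample_results | testresult_id; sample_results | failed_rules ;;
esac
```

Run generate first and read remediation.sh before running apply, since the script changes system configuration for every rule that failed.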