I am attempting to perform an OpenSCAP remediation through a chroot session. My command is structured as follows:
oscap-chroot /mnt/chroot_fs \
xccdf eval \
--remediate \
--results results.xml \
--report report.html \
--profile xccdf_org.ssgproject.content_profile_cui \
ssg-rhel7-ds-1.2.xml
When the command executes, it performs a scan successfully indicating a handful of pass and fail results. Then, when it moves on to the remediation phase, it says:
--- Starting Remediation ---
OpenSCAP Error: Can't perform remediation in offline mode: not implemented [/builddir/build/BUILD/openscap-1.3.3/src/XCCDF/xccdf_session.c:1690]
Is remediation through a chroot session not possible at this time? If not, how can you perform a remediation against a remote target?
The answer is that OpenSCAP cannot perform remote remediations. oscap-chroot and oscap-ssh are meant for scans only. The recommended solution, from what I can tell, is to use oscap xccdf generate fix using the results.xml file generated by oscap-chroot. Then run this remediation script manually against the remote host.
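The workflow described in the answer, as an added example that is not part of the original post: it looks up the TestResult id inside results.xml and passes it to oscap xccdf generate fix so that only the rules that failed in the chroot scan get a fix. The function names and the output name remediation.sh are hypothetical, and taking the last TestResult in the file is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): build a bash remediation script
# from the results.xml that an oscap-chroot scan wrote.

# Print the id of every TestResult recorded in an XCCDF results file.
list_testresult_ids() {
    grep -o '<[A-Za-z0-9_:-]*TestResult[^>]*' "$1" |
        sed -n 's/.* id="\([^"]*\)".*/\1/p'
}

# generate_fix RESULTS OUTPUT: write fixes for the failed rules of the most
# recent TestResult in RESULTS to OUTPUT. Nothing is executed on any target.
generate_fix() {
    gf_results=$1
    gf_out=$2
    # Assumption: the scan of interest is the last TestResult in the file.
    gf_id=$(list_testresult_ids "$gf_results" | tail -n 1)
    if [ -z "$gf_id" ]; then
        echo "no TestResult found in $gf_results" >&2
        return 1
    fi
    oscap xccdf generate fix --fix-type bash \
        --result-id "$gf_id" --output "$gf_out" "$gf_results"
}

# Usage: sh generate_fix.sh results.xml remediation.sh
if [ "$#" -ge 2 ]; then
    generate_fix "$1" "$2"
fi
```

Read the generated script before running it as root on the target, since each fix changes system configuration.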