Remediation

Applying Remediations

A remediation script is produced upon successful execution of the rfcat command. The RapidFort remediation script contains bash remediations for each rule that failed during your CAT scan.

STIG Remediation

The remediations for each failed rule are compiled into the RapidFort remediation script and are separated by Rule ID and Title.

The remediation script can be written, read, and executed by the client at their discretion.
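One way to review the generated script before handing it to rfcat is shown below. This is an added example, not RapidFort tooling; the function name preflight_remediation, its exit codes, and the pattern list are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight review of a generated remediation script.
# The function name, exit codes and pattern list are assumptions for
# illustration; none of this is part of the RapidFort CLI.

# Constructs that deserve a human look before a script changes an image:
# a download piped into a shell, world-writable modes, recursive delete of /.
REVIEW_PATTERNS='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh'
REVIEW_PATTERNS="$REVIEW_PATTERNS"'|chmod[[:space:]]+(-R[[:space:]]+)?0?777'
REVIEW_PATTERNS="$REVIEW_PATTERNS"'|rm[[:space:]]+-rf[[:space:]]+/([[:space:]]|$)'

preflight_remediation() {
    local script="${1:-}"

    # 1. Only accept a readable regular file; refuse symlinks so the file
    #    that was reviewed is the file that gets used.
    [ -f "$script" ] && [ ! -L "$script" ] && [ -r "$script" ] || {
        echo "not a readable regular file: $script" >&2
        return 2
    }

    # 2. Parse without executing: bash -n reads the script and reports
    #    syntax errors but runs none of its commands.
    bash -n "$script" 2>/dev/null || {
        echo "syntax error in $script" >&2
        return 3
    }

    # 3. Print any line matching a review pattern, with its line number.
    if grep -nE "$REVIEW_PATTERNS" "$script" >&2; then
        echo "review the lines above before applying $script" >&2
        return 4
    fi

    # 4. Emit the SHA-256 of the reviewed file so the same bytes can be
    #    confirmed later, for example in a change record.
    { sha256sum "$script" 2>/dev/null || shasum -a 256 "$script"; } | cut -d' ' -f1
}

# Stand-alone use: ./preflight.sh remediation.sh
if [ "$#" -gt 0 ]; then
    preflight_remediation "$1"
fi
```

A zero exit status with a printed digest means the script parsed cleanly and matched none of the listed patterns; it does not replace reading the remediations for each Rule ID.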

Using rfjobs, find the RapidFort ID of your STIG-scanned NGINX image, then run another scan against it with the same benchmark, this time adding the remediation script as follows:

rfcat <RapidFort ID> --benchmark-id <xccdf_org.ssgproject.content_profile_stig> --remediate <remediation.sh>

Alternatively, if you want to STIG scan and remediate in one shot, use the autoremediate option:

rfcat <RapidFort ID> --benchmark-id <xccdf_org.ssgproject.content_profile_stig> --autoremediate

To generate a remediated Dockerfile in your current directory, run the STIG scan again with remediations.

Once completed, navigate back to the same job in the UI. You should notice a number of previously failing rules are now passing:

[Figure: STIG NGINX After]