Remediation
Overview
Remediation generates Ansible scripts to fix specific compliance failures found during scanning. Unlike Hardening (which applies a full CIS profile), Remediation targets individual failed rules and routes them through an approval workflow.
Remediation vs Quick Fix vs Hardening
| Feature | Remediation | Quick Fix | Hardening |
|---|---|---|---|
| Scope | Selected failed rules | Single rule | Full CIS profile |
| Approval | Required before execution | Immediate | Immediate |
| Script review | Yes (download/view before apply) | No | No |
| Blacklist support | Yes (exclude rules) | No | No |
| Best for | Production servers | Quick one-off fixes | Initial hardening |
Generating Remediation
- Run a compliance scan on a host
- Navigate to Remediation
- Select the scan result to remediate
- Review the list of failed rules
- Exclude rules using the blacklist if needed
- Click Generate Remediation
The system generates Ansible playbook scripts for each fixable rule.
Approval Workflow
Generated remediation scripts require approval before execution:
- Review - examine generated scripts (view or download YAML)
- Approve - mark the remediation for execution
- Execute - apply approved scripts to the target host
- Verify - re-scan to confirm fixes applied
To reject a remediation, click Cancel instead of Approve.
Blacklist Management
Blacklist rules you want to exclude from remediation:
- Navigate to Remediation or Settings > Known Issues
- Add rule IDs or patterns to the blacklist
- Blacklisted rules are skipped during remediation generation
Use blacklists for:
- Rules incompatible with your application (e.g., disabling USB on a desktop)
- Accepted risks documented in your security policy
- False positives specific to your environment
Downloading Scripts
Before approving, you can download the generated Ansible scripts:
- Click Download Script on any remediation job
- Review the YAML content
- Optionally run it in check mode on a test server before approving
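The two pieces of the workflow above that happen outside the UI are the blacklist decision (which failed rules are excluded from generation, by exact ID or pattern) and the check-mode dry run of a downloaded playbook on a test server. The following script is an added example, not part of the product described on this page, and shows both: it applies a blacklist of exact rule IDs and shell-style wildcard patterns to a list of failed rules, reporting which entry excluded each skipped rule, and builds the `ansible-playbook --check --diff --limit` invocation that dry-runs the downloaded YAML against staging hosts only. The rule IDs, titles, inventory path and host group are constructed sample values; the script only executes `ansible-playbook` if it is installed.

```python
"""Blacklist filtering and staged check-mode dry run for generated remediation playbooks.

Added example (not the product's own code). Rule IDs, titles, inventory and
host group names below are constructed for illustration.
"""
from __future__ import annotations

import fnmatch
import shutil
import subprocess
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FailedRule:
    rule_id: str  # benchmark rule identifier, e.g. "1.1.23"
    title: str


@dataclass
class RemediationPlan:
    to_remediate: list[FailedRule] = field(default_factory=list)
    # rule_id -> the blacklist entry that excluded it (kept for the audit trail)
    skipped: dict[str, str] = field(default_factory=dict)


def apply_blacklist(failed: list[FailedRule], blacklist: list[str]) -> RemediationPlan:
    """Split failed rules into those to generate scripts for and those excluded.

    Each blacklist entry is either an exact rule ID or a shell-style pattern
    ('*' and '?' wildcards, matched case-sensitively against the rule ID).
    The first matching entry wins, so the plan records why a rule was skipped.
    """
    plan = RemediationPlan()
    for rule in failed:
        hit = next((e for e in blacklist if fnmatch.fnmatchcase(rule.rule_id, e)), None)
        if hit is None:
            plan.to_remediate.append(rule)
        else:
            plan.skipped[rule.rule_id] = hit
    return plan


def check_mode_command(playbook: str, inventory: str, limit: str) -> list[str]:
    """Argument list for a dry run of a downloaded playbook.

    --check makes no changes, --diff prints what each task would change, and
    --limit confines the run to the named inventory group so the playbook is
    never applied to production while it is still under review.
    """
    return ["ansible-playbook", "--check", "--diff", "-i", inventory, "--limit", limit, playbook]


def dry_run(playbook: str, inventory: str, limit: str) -> int | None:
    """Run the check-mode command if ansible-playbook is installed; return its exit code."""
    if shutil.which("ansible-playbook") is None:
        return None  # not installed here; caller decides how to proceed
    return subprocess.run(check_mode_command(playbook, inventory, limit), check=False).returncode


# Constructed sample scan output: IDs follow CIS-style numbering but are illustrative.
FAILED_RULES = [
    FailedRule("1.1.1.1", "Ensure mounting of cramfs filesystems is disabled"),
    FailedRule("1.1.1.2", "Ensure mounting of squashfs filesystems is disabled"),
    FailedRule("1.1.23", "Disable USB storage"),
    FailedRule("5.2.4", "Ensure SSH access is limited"),
]

# Constructed blacklist: skip the USB rule (desktops need it) and every 1.1.1.x module rule
# (accepted risk documented in Known Issues).
BLACKLIST = ["1.1.23", "1.1.1.*"]


if __name__ == "__main__":
    plan = apply_blacklist(FAILED_RULES, BLACKLIST)
    for rule in plan.to_remediate:
        print(f"generate: {rule.rule_id} {rule.title}")
    for rule_id, entry in plan.skipped.items():
        print(f"skip:     {rule_id} (blacklist entry {entry!r})")
    # Dry-run the downloaded playbook against the staging group only (paths are constructed).
    print(" ".join(check_mode_command("remediation.yml", "inventory/staging.ini", "staging")))
    rc = dry_run("remediation.yml", "inventory/staging.ini", "staging")
    print("ansible-playbook not installed" if rc is None else f"check mode exit code: {rc}")
```

A non-zero exit code from the check-mode run, or a `--diff` output that touches files you did not expect, is the signal to cancel the remediation and add the offending rule to the blacklist rather than approve it.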
Remediation Statistics
The Remediation page displays:
- Total remediations generated
- Approval rate
- Success rate after execution
- Rules most frequently remediated
Best Practices
- Always review generated scripts before approving
- Test on a staging server first
- Use blacklists for rules that conflict with application requirements
- Re-scan after remediation to verify compliance improvement
- Document accepted risks in Known Issues
See Also
- CIS Benchmark security hardening - apply a full CIS profile when bulk hardening is needed instead of targeted fixes
- Vulnerability scanning for Linux servers - detect CVEs in packages to prioritize remediation efforts
- AI-powered Ansible task generator - automatically create Ansible playbooks from CIS rule descriptions