Satellite 6.1 Feature Overview: OpenSCAP
Overview
OpenSCAP support in Red Hat Satellite 6.1 provides a means for an administrator to ensure that systems conform to a baseline set of rules and policies, most often used for security and compliance auditing. OpenSCAP is supported in Satellite 6.1.1 as Technology Preview.
Example Use Cases
- As an administrator of Red Hat Satellite, ensure that a system is compliant with a policy, e.g. "Show the systems in the environment which do not have the '/tmp' partition as a separate filesystem"
- As an administrator of Red Hat Satellite, identify which systems require remediation based upon Red Hat's published Security Metrics
Requirements
- Red Hat Satellite 6.1
- Managed Systems running Red Hat Enterprise Linux.
Setting up OpenSCAP
SCAP Basic Scenario
The specifications that make up OpenSCAP are:
- XCCDF: The Extensible Configuration Checklist Description Format
- OVAL®: Open Vulnerability and Assessment Language
- Asset Identification
- ARF: Asset Reporting Format
- CCE™: Common Configuration Enumeration
- CPE™: Common Platform Enumeration
- CVE®: Common Vulnerabilities and Exposures
- CVSS: Common Vulnerability Scoring System
The Compliance Policy is a high-level concept of a baseline applied to the infrastructure. The Compliance Policy is defined by the user on the web interface. Users may assign the following information to the Policy:
- SCAP Content
- XCCDF Profile from particular SCAP Content
- Host Groups that should comply with the policy
- Schedule - the period in which the audit shall occur
The ARF (Asset Reporting File) Report is XML output of a single scan occurrence per single host. The ARF format is defined by the SCAP 1.2 standard. ARF Reports are stored in the database for later inspection.
User Interface
Most of the controls are located in the Compliance section under the Host menu. The section contains three items: SCAP Contents, Compliance Policies, ARF Reports.
What Satellite 6's OpenSCAP Feature provides:
With OpenSCAP in Satellite 6 you can:
- Have centralized policy management
- Collect and archive OpenSCAP audit results from infrastructure
- Display audit results
- Search audit results
- Search for non-compliant systems
Overview of the Installation
In the following sections we will install and configure the Satellite and (optionally) Satellite Capsules to be enabled for OpenSCAP. At a high level, the steps include:
- On the Satellite, install the ruby193-rubygem-foreman_openscap package, which adds the OpenSCAP structure and web UI components.
- On the Satellite (and optionally Satellite Capsules), install the components (puppet module & SmartProxy component) required to enable the Satellite to configure clients for OpenSCAP and update reports.
- Once all software is installed, import the OpenSCAP classes into Satellite and associate them with environments.
- Upload SCAP content (or use the default content), create a policy and assign the policy to hosts and environments.
Installing OpenSCAP Items on Satellite 6.1
- Install the RPM package to access the functionality:
# yum install ruby193-rubygem-foreman_openscap -y
- Restart these services:
RHEL7
# systemctl restart httpd
RHEL6
# service httpd restart
This action displays the following pages under Hosts -> Compliance:
- Policies page
- SCAP Content page
- Reports page
Installing OpenSCAP components on a Satellite or Capsules with the Puppet feature enabled
First, the puppet-foreman_scap_client package needs to be installed:
# yum install puppet-foreman_scap_client -y
The puppet-foreman_scap_client package, when installed, adds the foreman_scap_client module under /usr/share/puppet/modules. This directory is known as the basemodulepath. Modules placed in the basemodulepath are available in all Puppet environments.
Notes:
- Generally speaking, it is recommended practice to deploy puppet modules leveraging Custom Products and Content Views. However, in this usage, it is desirable to have the OpenSCAP puppet modules available in all Puppet environments & Content Views.
- This RPM provides the puppet classes required to set up the client so that it can complete scans via OpenSCAP. It does the following:
  - Installs the rubygem-foreman_scap_client package, which adds the openscap and openscap-scanner packages as dependencies.
  - Creates the cron job for periodic scanning as specified by the server-side policy.
Additionally, the rubygem-smart_proxy_openscap package needs to be installed on the Satellite/Capsule:
# yum install rubygem-smart_proxy_openscap -y
You may have to restart the foreman-proxy service to see the changes to the Satellite 6.1 OpenSCAP features:
RHEL7
# systemctl restart foreman-proxy
RHEL6
# service foreman-proxy restart
Working with the OpenSCAP Feature
- Import the foreman_scap_client puppet class to your Satellite 6.1.
  - Go to the Configure -> Puppet classes page.
  - Click the Import button.
  - Select foreman_scap_client and associate it to the desired 'puppet-environment'.
- Create new SCAP Content.
  - Go to the Hosts -> Compliance -> SCAP contents page.
  - Upload the DataStream file if you are using custom content. Note: Red Hat preloads the content of the SCAP Security Guide as a courtesy, so you do not need to upload that.
  - If you do not see the preloaded SCAP content, you may need to change your Satellite organization to "Any Context".
- Create a new Policy.
  - Go to the Hosts -> Compliance -> Policies page.
  - Assign 'SCAP Content' to the Policy.
  - Select 'XCCDF Profile' from your SCAP Content.
  - Define a periodic scan schedule.
  - Assign Hostgroups to the policy (hosts you want to audit should be assigned with one of the hostgroups).
- Select particular hosts for the compliance audit.
  - Go to the Hosts -> All hosts page.
  - Select hosts.
  - Use the Select Action -> Assign Compliance Policy button.
The RPM puppet-foreman_scap_client brings in a puppet-module and helps in configuring the /etc/foreman_scap_client/config.yaml file brought in by rubygem-foreman_scap_client on the clients/hosts.
Important Notes:
- You do not need to perform any tasks on clients/hosts. The hosts will configure themselves for OpenSCAP at their next puppet check-in (30 minutes by default). The puppet-module foreman_scap_client adds the crontab entry for the foreman_scap_client command, which actually runs the OSCAP scan on the clients/hosts and uploads the reports to the capsule. The reports from the various capsules are then sent to Satellite 6.1 so that we can inspect the compliance results. However, if you wish to immediately configure the client, log in as the root user, run puppet agent --test, and follow the steps below to manually run an OpenSCAP scan.
Running an OpenSCAP audit manually
- To run an OpenSCAP Audit manually, complete the following steps.
- Identify which policy you wish to audit the host against:
# cat /etc/foreman_scap_client/config.yaml
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET
# Foreman proxy to which reports should be uploaded
:server: 'sat.example.com'
:port: 9090
## SSL specific options ##
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/pki/consumer/cert.pem'
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/cert.pem')
:host_private_key: '/etc/pki/consumer/key.pem'
# policy (key is id as in Foreman)
1:
  :profile: 'xccdf_org.ssgproject.content_profile_rht-ccp'
  :content_path: '/var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content'
- Using the policy ID (the 1: from above), issue the foreman_scap_client command, providing the policy ID:
# foreman_scap_client 1
File /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml is missing. Downloading it from proxy
Download scap content xml from: https://sat.example.com:9090/compliance/policies/1/content
DEBUG: running: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf /tmp/d20150827-13369-1jpk8be/results.xml /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml
DEBUG: running: /usr/bin/bzip2 /tmp/d20150827-13369-1jpk8be/results.xml
Uploading results to https://sat.example.com:9090/compliance/arf/1
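The mapping from a policy ID in config.yaml to the oscap command and upload URL seen in the output above can be reproduced with a small parser. This is an added example, not code from the original article or from foreman_scap_client; the sample file is constructed (its content file name is a placeholder), and the line parser handles only the flat layout shown here.

```python
import re

# Constructed sample in the layout of /etc/foreman_scap_client/config.yaml;
# the content file name is a placeholder, not a real value.
SAMPLE_CONFIG = """\
:server: 'sat.example.com'
:port: 9090
:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'
:host_certificate: '/etc/pki/consumer/cert.pem'
:host_private_key: '/etc/pki/consumer/key.pem'
# policy (key is id as in Foreman)
1:
  :profile: 'xccdf_org.ssgproject.content_profile_rht-ccp'
  :content_path: '/var/lib/openscap/content/PLACEHOLDER.xml'
  :download_path: '/compliance/policies/1/content'
"""

LINE = re.compile(r"^(\s*):?(\w+):\s*(.*)$")   # "[indent][:]key: value"

def parse_config(text):
    """Split the file into global settings and {policy id: settings}."""
    settings, policies, current = {}, {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue                              # comment or blank line
        indent, key, value = m.groups()
        value = value.strip().strip("'\"")
        if key.isdigit() and not value:           # "1:" opens a policy block
            current = policies.setdefault(int(key), {})
        elif indent and current is not None:      # indented key belongs to it
            current[key] = value
        else:
            settings[key] = value
            current = None
    return settings, policies

def scan_command(text, policy_id, results="results.xml"):
    """Build the oscap argv the client logs for one policy (scan only, no upload)."""
    _, policies = parse_config(text)
    p = policies[policy_id]                       # KeyError: policy not on this host
    return ["oscap", "xccdf", "eval", "--profile", p["profile"],
            "--results-arf", results, p["content_path"]]

def upload_url(text, policy_id):
    """Proxy endpoint for the ARF upload, in the form shown in the client output."""
    s, _ = parse_config(text)
    return f"https://{s['server']}:{s['port']}/compliance/arf/{policy_id}"
```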
Inspecting the Compliance Results
To inspect the compliance results:
- Go to the Hosts -> Compliance -> Reports page.
- Wait for the ARF Reports to show up.
- Go to the Hosts -> Compliance -> Policies page.
- Click the policy link to view the dashboard and trend.
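The same question the web UI answers (which rules failed on which host) can be asked of an ARF results file directly, for example the results.xml written by a manual scan. This is an added example, not part of the original article or of Satellite; the sample ARF document and its two placeholder rule IDs are constructed, and the function also accepts the bzip2-compressed form the client produces before upload.

```python
import bz2
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"   # XCCDF 1.2 namespace

# Constructed sample: a trimmed ARF document holding one XCCDF TestResult.
SAMPLE_ARF = b"""<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed">
      <target>client1.example.com</target>
      <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
        <result>fail</result>
      </rule-result>
      <rule-result idref="xccdf_org.ssgproject.content_rule_constructed_passing" severity="medium">
        <result>pass</result>
      </rule-result>
      <rule-result idref="xccdf_org.ssgproject.content_rule_constructed_skipped" severity="low">
        <result>notselected</result>
      </rule-result>
    </TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
"""

def failed_rules(arf_bytes):
    """Return {target host: [(rule id, severity), ...]} for results of 'fail'."""
    if arf_bytes[:3] == b"BZh":        # bzip2 magic: results.xml.bz2 from the client
        arf_bytes = bz2.decompress(arf_bytes)
    root = ET.fromstring(arf_bytes)
    report = {}
    for tr in root.iter(XCCDF + "TestResult"):
        host = tr.findtext(XCCDF + "target", default="unknown")
        fails = report.setdefault(host, [])
        for rr in tr.iter(XCCDF + "rule-result"):
            if rr.findtext(XCCDF + "result") == "fail":
                fails.append((rr.get("idref"), rr.get("severity", "unknown")))
    return report

if __name__ == "__main__":
    for host, fails in failed_rules(SAMPLE_ARF).items():
        for rule, sev in fails:
            print(f"{host}\t{sev}\t{rule}")
```

A host with no failing rules still appears in the result with an empty list, which distinguishes "scanned and compliant" from "no report".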
Additional Reading
- Example OpenSCAP Evaluation Report
- The OpenSCAP website