Installing and Configuring OpenScap on Red Hat Satellite 6.
Environment
- Red Hat Satellite 6.x
Issue
- Installing and Configuring OpenScap on Red Hat Satellite 6
- How to install and configure OpenScap on Red Hat Satellite 6 using Puppet and Ansible?
Resolution
- LEGACY: On Satellite Server using Puppet for client hosts:

  [root@satserver~]# satellite-installer --enable-foreman-plugin-openscap
  [root@satserver~]# foreman-maintain packages install puppet-foreman_scap_client
  [root@satserver~]# foreman-rake foreman_openscap:bulk_upload:default

- Enable SCAP security policies on the Satellite by installing the scap-security-guide package:

  [root@satserver~]# foreman-maintain packages install scap-security-guide

- Import the SCAP Puppet environment in the Satellite Web UI:

  1. Set the Organization/Location tab to Any Context
  2. Select Configure > Environments
  3. Click on the Import from <satellite_server> button, "Select the Puppet Environment as per the OpenSCAP modules" and click Update.
  4. Click to open the newly imported Puppet Environments, then assign them to your Locations and Organizations

- We can add the SCAP Puppet class parameter to the Host Group so that any host added to it gets the defined policy.

  The Host Group part is optional. To assign the Puppet class directly to an individual host instead, skip it and follow the Create Compliance Policy steps.

  >> Satellite Web UI: Configure > Host Groups > Click New Host Group.

- Host Group Tab (Optional).

  1. Name: OpenSCAP_Clients_Demo
  2. Lifecycle Environment: (leave blank or as per requirement).
  3. Content View: (leave blank or as per requirement).
  4. Puppet Environment: Select OpenSCAP_RHEL7
  5. Content Source: satellite.example.com
  6. Puppet CA: satellite.example.com
  7. Puppet Master: satellite.example.com
  8. Openscap Capsule: satellite.example.com
  9. Click Submit BEFORE advancing to the next tab. This takes you back to the Host Groups page.
  10. From the Host Groups page, select OpenSCAP_Clients_Demo to modify this Host Group
  11. Puppet Classes Tab:
  12. Click to expand foreman_scap_client and select both foreman_scap_client and foreman_scap_client::params
  13. Locations and Organizations tab, select to suit.
  14. Click Submit to complete the update

- Create Compliance Policy.

  1. On Satellite Web UI: Hosts > Compliance > Policies
  2. Click New Compliance Policy
  3. Enter a name (Description optional), then click Next to advance to the next step
  4. SCAP Content tab:
     - SCAP Content: ssg-rhel7 or ssg-rhel8 (choose according to the RHEL version)
     - XCCDF Profile: Common Profile for General-Purpose Systems
     - Click Next to advance to the next tab
     - Schedule tab:
       - Period: Set the scan frequency as per the requirement.
       - Click Next, then select Locations and Organizations to suit
     - Hostgroups tab:
       - Use the newly created host group OpenSCAP_Clients_Demo
  5. Click Submit to complete.

- Assign Policy To Host(s).

  1. Satellite Web UI: Hosts > All Hosts > Select one or more hosts from the list of Hosts
  2. Once the host(s) are selected, a Select Action button appears above the list of hosts.
  3. Select Change Group from the Select Action options
  4. Select OpenSCAP_Clients_Demo from the list of host groups, then Submit

- Prepare the RHEL Client.

  Install and Configure Puppet on Client

  [root@test02 ~]# yum install puppet
  [root@test02 ~]# echo "server = <your_satellite_server>" >> /etc/puppet/puppet.conf
  [root@test02 ~]# echo "environment = OpenSCAP_RHEL7" >> /etc/puppet/puppet.conf
  [root@test02 ~]# systemctl start puppet && systemctl enable puppet
  [root@test02 ~]# puppet agent -t
  Exiting; no certificate found and waitforcert is disabled

  Note: For Puppet version 4 and above, use these files instead.

  [root@test02 ~]# echo "server = <your_satellite_server>" >> /etc/puppetlabs/puppet/puppet.conf
  [root@test02 ~]# echo "environment = OpenSCAP_RHEL7" >> /etc/puppetlabs/puppet/puppet.conf

- Go to the next step to sign the Puppet certificate for that particular client.

  Sign Certificate on Capsule

  Satellite Web UI: Infrastructure > Capsule
  For this demo, we only have the all-in-one Satellite/Capsule/Puppet Master
  On the Actions column, click on the available actions and select Certificates
  Click Sign to sign the certificate
  A scan will run based on the "Cron line:" setting in the earlier step.
  Monitor /var/log/messages on the client to see activities.
  Run "puppet agent -t" again on the client.

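The echo ... >> puppet.conf commands in the client preparation step append blindly: running them a second time duplicates the settings, and the lines land in whichever section happens to be last in the file. The following is an added example, not part of the Red Hat article, of an idempotent alternative; the helper name set_puppet_option, the choice of the [agent] section and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Puppet or Satellite).
# Sets "key = value" inside one [section] of puppet.conf; safe to re-run.
set_puppet_option() {
    conf=$1 section=$2 key=$3 value=$4
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        # Write the setting once, only while inside the target section.
        function emit() { if (insec && !done) { print key " = " val; done = 1 } }
        /^[ \t]*\[.*\][ \t]*$/ {              # a section header
            emit()                            # leaving target section: key was absent
            name = $0; gsub(/[ \t]/, "", name)
            insec = (name == sec); if (insec) seen = 1
            print; next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            emit(); next                      # replace first match, drop duplicates
        }
        { print }
        END {
            if (!seen) { print sec; insec = 1 }   # section missing: create it
            emit()
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode of conf
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample standing in for /etc/puppetlabs/puppet/puppet.conf.
demo_conf="$(mktemp -d)/puppet.conf"
printf '[main]\nlogdir = /var/log/puppet\n\n[agent]\nreport = true\n' > "$demo_conf"
for run in 1 2; do                            # the second pass changes nothing
    set_puppet_option "$demo_conf" agent server satellite.example.com
    set_puppet_option "$demo_conf" agent environment OpenSCAP_RHEL7
done
cat "$demo_conf"
```

On a real client, pass /etc/puppet/puppet.conf or, for Puppet version 4 and above, /etc/puppetlabs/puppet/puppet.conf, as in the commands above.
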
- View Scan Results

  1. Satellite Web UI: Hosts > Policies > (Select your policy)
  2. In the table "Latest reports for policy: ...", click on the View Report button

For more KB articles/solutions related to Red Hat Satellite 6.x OpenSCAP Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x OpenSCAP Issues