How to use Ansible as a deployment option to create OpenSCAP compliance policy in Red Hat Satellite 6.

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • How to use Ansible as a deployment option to create OpenSCAP compliance policy in Red Hat Satellite 6.

Resolution

Video: Using Ansible as a deployment option to create OpenSCAP compliance policy in Red Hat Satellite 6

  • Run the following command on the Red Hat Satellite Server to load the default OpenSCAP content.

    [root@satellite ~]# hammer scap-content bulk-upload --type default
    
  • In the Satellite GUI, set the Organization and Location in which you want to create the compliance policy.

  • Import the Ansible Role

    • Go to Satellite Web UI -> Configure -> Ansible Roles -> Click on Import from <satellite_server> -> Select the role (theforeman.foreman_scap_client) -> Click Update

  • Import the Ansible Variables

    • Go to Satellite Web UI -> Configure -> Variables -> Click on Import from <satellite_server> -> Select all the variables associated with the role (theforeman.foreman_scap_client) -> Click Update

  • We can add the Ansible Role to the Host Group so that any host added to it inherits the Role.

  • The Host Group part can be skipped if we need to assign the Ansible Role directly to the host; in that case, follow the Create a Compliance Policy steps.

    Satellite Web UI: Configure -> Host Groups -> Click New Host Group
    
  • Host Group Tab

    1. Name: OpenSCAP_Clients_Demo
    2. Lifecycle Environment: (leave blank or as per requirement).
    3. Content View: (leave blank or as per requirement).
    4. Content Source: satellite.example.com
    5. Openscap Capsule: satellite.example.com
    6. Click Submit BEFORE advancing to the next tab. This takes you back to the Host Groups page.
    7. From the Host Groups page, select OpenSCAP_Clients_Demo to modify this Host Group
    8. Ansible Roles Tab
    9. Click on the Role (theforeman.foreman_scap_client)
    10. Locations and Organizations tab, select to suit.
    11. Click Submit to complete the update
    
  • Create a Compliance Policy

    In Satellite Web UI: Hosts -> Policies
    Select Ansible as a deployment option
    Enter a name (Description optional), then click Next to advance to the next step
    SCAP Content tab:
    SCAP Content: ssg-rhel7
    XCCDF Profile: Common Profile for General-Purpose Systems
    Click Next to advance to the next tab
    Schedule tab:
    Period: Custom
    Cron line: 0 1 * * 0 (this will allow the demo to run every Sunday for demonstration only. Change to an appropriate frequency once the demo is completed)
    Click Next, then select Locations and Organizations to suit
    Hostgroups tab: (If Host Groups already exist in the Red Hat Satellite server, add the Host Group to the policy, so that all hosts that are part of the Host Group inherit the policy)
    Click Submit to complete.
    
  • Assign Policy To Host(s)

    1. Satellite Web UI: Hosts -> All Hosts -> Select one or more hosts from the list of Hosts
    2. Once we have the host(s) selected, a Select Action button appears above the list of hosts.
    3. Select Change Group from the Select Action options
    4. Select OpenSCAP_Clients_Demo from the list of host groups, then Submit
    
  • The steps below can be skipped if Remote Execution commands run successfully on the client host through the Satellite Web Interface.

  • Run the Ansible Role (theforeman.foreman_scap_client) on the clients.

    1. In the Satellite web UI, navigate to Hosts -> All Hosts.
    2. Select the checkbox of the host that contains the Ansible role you want to run.
    3. From the Select Action list, select Play Ansible roles
    
  • Run the scan manually on the client host to upload the report to the Satellite server.

    # ssh client.example.com
    # cat /etc/cron.d/foreman_scap_client_cron    # verify the compliance policy ID
    # /usr/bin/foreman_scap_client 1              # upload the report manually; here 1 is the ID of my compliance policy

  • View Scan Results

    1. In the Satellite Web UI: Hosts -> Compliance -> Reports
    2. In the table "Latest reports for policy: ...", click on the Full Report button
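
The "verify the compliance policy ID" step on the client can be scripted. The following is an added example, not part of the original article: it lists the policy IDs and schedules found in the cron file and compares policy 1 against the cron line 0 1 * * 0 used above. The job-line layout, the function names scap_jobs and check_schedule, and the sample file are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit the SCAP client cron file.
# Assumption: job lines look like
#   <min> <hour> <dom> <mon> <dow> <user> /usr/bin/foreman_scap_client <policy_id> ...
CRON_FILE="${CRON_FILE:-/etc/cron.d/foreman_scap_client_cron}"

# Print "<policy_id> <min> <hour> <dom> <mon> <dow>" for each scan job in file $1.
scap_jobs() {
    awk '
        $1 ~ /^#/ || NF < 8 { next }            # comments, blanks, VAR=value lines
        {
            for (i = 7; i < NF; i++) {
                if ($i !~ /foreman_scap_client$/) continue
                for (j = i + 1; j <= NF; j++)   # first all-digit argument is the policy ID
                    if ($j ~ /^[0-9]+$/) { print $j, $1, $2, $3, $4, $5; break }
                break
            }
        }' "$1"
}

# Return 0 if policy $2 is scheduled as "$3" in file $1, 1 on mismatch, 2 if absent.
check_schedule() {
    local file=$1 id=$2 expected=$3 found
    found=$(scap_jobs "$file" | awk -v id="$id" '$1 == id { print $2, $3, $4, $5, $6; exit }')
    [ -n "$found" ] || return 2
    [ "$found" = "$expected" ]
}

# Demo: fall back to a constructed sample when the real file is not readable.
if [ ! -r "$CRON_FILE" ]; then
    CRON_FILE=$(mktemp)
    printf '%s\n' '# constructed sample' 'SHELL=/bin/sh' \
        '0 1 * * 0 root /usr/bin/foreman_scap_client 1 > /dev/null' > "$CRON_FILE"
fi
scap_jobs "$CRON_FILE"
if check_schedule "$CRON_FILE" 1 '0 1 * * 0'; then
    echo "policy 1: schedule matches the cron line set in the policy"
else
    echo "policy 1: missing or schedule differs; play the Ansible role again" >&2
fi
```

A mismatch or a missing policy ID here usually means the role has not been played on the host since the policy was created or changed.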

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.