How to set up OpenSCAP policies using the Manual deployment option
Environment
- Red Hat Satellite 6.11 and newer
Issue
- Problem with "manual" setup of OpenSCAP policy on client systems
Resolution
Setting up OpenSCAP using the Manual deployment option requires configuration setup on both Red Hat Satellite Server and the client system that is registered to the Satellite/Capsule Server.
On Red Hat Satellite
- Enable and sync the following repositories onto Red Hat Satellite:
  - For RHEL 9 hosts:
    - Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
    - Red Hat Enterprise Linux 9 for x86_64 - Appstream (RPMs)
    - Red Hat Satellite Client 6 for RHEL 9 x86_64 (RPMs)
  - For RHEL 8 hosts:
    - Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
    - Red Hat Enterprise Linux 8 for x86_64 - Appstream (RPMs)
    - Red Hat Satellite Client 6 for RHEL 8 x86_64 (RPMs)
  - For RHEL 7 hosts:
    - Red Hat Enterprise Linux 7 Server (RPMs), x86_64 7Server
    - Red Hat Enterprise Linux 7 Server - Extras (RPMs)
    - Red Hat Satellite Client 6 (for RHEL 7 Server) (RPMs)
- Load the default SCAP contents on the Satellite Server:
  # hammer scap-content bulk-upload --type default
- Create a compliance policy with the Manual deployment option.
  In the Satellite Web UI, navigate to Hosts > Policies > Create a new Policy and select Manual. Complete creating your policy by following the wizard.
- Assign the policy to the client system.
  In the Satellite Web UI, navigate to Hosts > All Hosts, select the hosts on which the policy needs to be applied, select Action > Assign Compliance Policy, and select your manual policy.
- Add a "Content Source" and "OpenSCAP Capsule" for the client system.
  In the Satellite Web UI, navigate to Hosts > All Hosts, click Edit in the host row, and select a Content Source and an OpenSCAP Capsule. The OpenSCAP Capsule (or the Satellite itself, if no Capsule is used) is the server the client uploads its reports to, so use the same FQDN as the :server: value in the client configuration.
- Run the following hammer command on the Satellite, replacing rhel9_host.redhat.com with the FQDN of the target client host. Its output gives the Policy ID, Profile ID, Content path, Content download path, Tailoring path and Tailoring download path to be used in the client configuration.
  Example:
  # hammer host policies-enc --name rhel9_host.redhat.com
  Id:                      1
  Profile Id:              xccdf_org.ssgproject.content_profile_cis_server_l1
  Content path:            /var/lib/openscap/content/cb65c6e341c995154be7302e812ccec1b789bde28ed3a152545f4290a86ad2e8.xml
  Content download path:   /compliance/policies/1/content/cb65c6e341c995154be7302e812ccec1b789bde28ed3a152545f4290a86ad2e8
  Tailoring path:
  Tailoring download path:
  ... (remaining output omitted)
  Tailoring path and Tailoring download path are empty when the policy has no tailoring file attached to it.
On the client systems
- Enable the operating system and Satellite Client 6 repositories on the client system according to its OS version.
  On RHEL 9 hosts:
  # subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms --enable=rhel-9-for-x86_64-appstream-rpms --enable=satellite-client-6-for-rhel-9-x86_64-rpms
  On RHEL 8 hosts:
  # subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms --enable=rhel-8-for-x86_64-appstream-rpms --enable=satellite-client-6-for-rhel-8-x86_64-rpms
  On RHEL 7 hosts:
  # subscription-manager repos --enable=rhel-7-server-rpms --enable=rhel-7-server-extras-rpms --enable=rhel-7-server-satellite-client-6-rpms
- Install the foreman_scap_client package on the client system(s):
  # yum install rubygem-foreman_scap_client
- Create the config file /etc/foreman_scap_client/config.yaml on the client system from the example below.
  Example config file:
  # THIS FILE IS MANAGED MANUALLY
  # Foreman proxy to which reports should be uploaded
  :server: <SATELLITE/CAPSULE_FQDN>
  :port: 9090
  # Timeout for sending reports to proxy
  :timeout: 60
  # Should --fetch-remote-resources be added to `oscap xccdf eval` command
  :fetch_remote_resources: false
  # HTTP proxy server for downloading remote resources
  :http_proxy_server:
  :http_proxy_port:
  ## SSL specific options ##
  # Client CA file.
  # It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
  # Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
  :ca_file: /etc/rhsm/ca/katello-server-ca.pem
  # Client host certificate.
  # It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
  # Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
  :host_certificate: /etc/pki/consumer/cert.pem
  # Client private key
  # It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
  # Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
  :host_private_key: /etc/pki/consumer/key.pem
  # policy (key is id as in Foreman)
  <POLICY_ID>:
    :profile: <PROFILE_ID>
    :content_path: <CONTENT_PATH>
    # Download path
    # A path to download SCAP content from proxy
    :download_path: <DOWNLOAD_PATH>
    :tailoring_path: <TAILOR_PATH>
    :tailoring_download_path: <TAILOR_DOWNLOAD_PATH>
  Then replace <SATELLITE/CAPSULE_FQDN> with the FQDN of the Satellite or Capsule the client should report to, and <POLICY_ID>, <PROFILE_ID>, <CONTENT_PATH>, <DOWNLOAD_PATH>, <TAILOR_PATH> and <TAILOR_DOWNLOAD_PATH> with the values from the output of the hammer command executed on the Satellite previously. With the SSL options shown, the client authenticates to port 9090 of the Satellite or Capsule with the host's subscription-manager consumer certificate and key and verifies the server against the Katello server CA, so the host must be registered to that Satellite (directly or through the Capsule) and the three files must exist on the client before the first scan.
  Example using the hammer command output above:
  :server: satellite.redhat.com
  ... (unchanged lines omitted)
  # policy (key is id as in Foreman)
  1:
    :profile: xccdf_org.ssgproject.content_profile_cis_server_l1
    :content_path: /var/lib/openscap/content/cb65c6e341c995154be7302e812ccec1b789bde28ed3a152545f4290a86ad2e8.xml
    # Download path
    # A path to download SCAP content from proxy
    :download_path: /compliance/policies/1/content/cb65c6e341c995154be7302e812ccec1b789bde28ed3a152545f4290a86ad2e8
    :tailoring_path:
    :tailoring_download_path:
  NOTE: The values of tailoring_path and tailoring_download_path can be left blank if the SCAP policy configured on the Satellite server has no tailoring file added to it.
- Create a cron file /etc/cron.d/foreman_scap_client_cron for regular SCAP scans.
  Example cron file (copy it to the client system and replace <POLICY_ID> with the policy ID from the hammer output):
  # foreman_scap_client cron job
  0 1 * * * root /bin/sleep 315; /usr/bin/foreman_scap_client ds <POLICY_ID> 2>&1 | logger -t foreman_scap_client
  The scan runs daily at 01:00 as root and its output is sent to syslog under the tag foreman_scap_client. The sleep staggers the report uploads so that many clients do not reach the Capsule at the same moment; vary the delay across hosts.
- To run a SCAP scan manually, use the foreman_scap_client command:
  # foreman_scap_client ds <POLICY_ID>
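The manual procedure above is easy to get subtly wrong: the policy ID key, the download path and the certificate paths in config.yaml are copied by hand from the hammer output. The following script, an added example and not Red Hat's own tooling, renders config.yaml from the output of `hammer host policies-enc --name <FQDN>` and then checks two things a practitioner wants to know before enabling the cron job: that every policy's download_path belongs to that policy ID, and that the CA file, consumer certificate and private key the client will use for the upload to port 9090 actually exist. It assumes the "Label: value" output format shown in the hammer example above; the sample output embedded in it is constructed from that example, and satellite.example.com is a placeholder.

```bash
#!/usr/bin/env bash
# Added example for this article, not Red Hat's own tooling.
# Render /etc/foreman_scap_client/config.yaml from the output of
#   hammer host policies-enc --name <client FQDN>      (run on the Satellite)
# and sanity-check the result on the client.
# Assumptions: hammer prints "Label: value" lines as in the article's example,
# and the client reports with its subscription-manager consumer certificate.

# Print the value of one "Label: value" line read on stdin (empty if the label has no value).
hammer_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# render_scap_config SERVER_FQDN < hammer_output   -> config.yaml on stdout
render_scap_config() {
    local server="$1" hammer_out
    hammer_out="$(cat)"
    local id profile content download tailoring tailoring_dl
    id="$(printf '%s\n' "$hammer_out" | hammer_field 'Id')"
    profile="$(printf '%s\n' "$hammer_out" | hammer_field 'Profile Id')"
    content="$(printf '%s\n' "$hammer_out" | hammer_field 'Content path')"
    download="$(printf '%s\n' "$hammer_out" | hammer_field 'Content download path')"
    tailoring="$(printf '%s\n' "$hammer_out" | hammer_field 'Tailoring path')"
    tailoring_dl="$(printf '%s\n' "$hammer_out" | hammer_field 'Tailoring download path')"
    if [ -z "$id" ] || [ -z "$profile" ] || [ -z "$download" ]; then
        echo "render_scap_config: hammer output lacks Id, Profile Id or Content download path" >&2
        return 1
    fi
    cat <<EOF
# THIS FILE IS MANAGED MANUALLY
# Foreman proxy (Satellite or Capsule) to which reports are uploaded
:server: ${server}
:port: 9090
:timeout: 60
:fetch_remote_resources: false
:http_proxy_server:
:http_proxy_port:
# Mutual TLS: the server is verified against the Katello CA and the host
# authenticates with its subscription-manager consumer certificate.
:ca_file: /etc/rhsm/ca/katello-server-ca.pem
:host_certificate: /etc/pki/consumer/cert.pem
:host_private_key: /etc/pki/consumer/key.pem
# policy (key is id as in Foreman)
${id}:
  :profile: ${profile}
  :content_path: ${content}
  :download_path: ${download}
  :tailoring_path: ${tailoring}
  :tailoring_download_path: ${tailoring_dl}
EOF
}

# check_policy_ids CONFIG_FILE
# Every numeric policy key must be followed by a download_path under
# /compliance/policies/<that id>/, as in the hammer output; otherwise the client
# would fetch and report against another policy's content.
check_policy_ids() {
    awk '
        /^[0-9]+:[[:space:]]*$/ { sub(/:.*/, "", $1); id = $1 }
        /^[[:space:]]*:download_path:/ {
            want = "/compliance/policies/" id "/"
            if (id == "" || index($2, want) != 1) {
                printf "policy %s: download_path \"%s\" does not start with %s\n", id, $2, want
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# check_client_certs CONFIG_FILE
# The CA file, consumer certificate and private key named in the config must be
# readable (run as root), or the upload to port 9090 fails with a TLS error.
check_client_certs() {
    local key path rc=0
    for key in ca_file host_certificate host_private_key; do
        path="$(sed -n "s/^:${key}:[[:space:]]*//p" "$1" | head -n 1)"
        if [ -z "$path" ] || [ ! -r "$path" ]; then
            echo "check_client_certs: $key '$path' is missing or unreadable" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample modelled on the article's hammer output (not captured from a real Satellite).
SAMPLE_HAMMER_OUTPUT='Id:                      1
Profile Id:              xccdf_org.ssgproject.content_profile_cis_server_l1
Content path:            /var/lib/openscap/content/cb65c6e341c995154be7302e812ccec1b789bde28ed3a152545f4290a86ad2e8.xml
Content download path:   /compliance/policies/1/content/cb65c6e341c995154be7302e812ccec1b789bde28ed3a152545f4290a86ad2e8
Tailoring path:
Tailoring download path:'

# Usage on a real host:
#   satellite$ hammer host policies-enc --name client.example.com > policies-enc.txt
#   client#   render_scap_config capsule.example.com < policies-enc.txt > /etc/foreman_scap_client/config.yaml
#   client#   check_policy_ids /etc/foreman_scap_client/config.yaml && check_client_certs /etc/foreman_scap_client/config.yaml
# Demo with the constructed sample:  bash this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_HAMMER_OUTPUT" | render_scap_config satellite.example.com
fi
```

The two checks are deliberately separate: check_policy_ids is pure text and can be run anywhere (for instance on the Satellite before the file is pushed out), while check_client_certs must run on the registered client as root because /etc/pki/consumer/key.pem is only readable there.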
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.