OpenSCAP Part 4: Integration with Red Hat Satellite 6.5

/ Christopher Paquin

openscap-base

Introduction

This is the 4th installment of a series of posts focusing on OpenSCAP.  Previous posts in this series can be found below.

OpenSCAP Part 1: Introduction and Basic Usage for RHEL 7/CentOS 7/Fedora
OpenSCAP Part 2: SCAP Content for RHEL 7
OpenSCAP Part 3: Running Scans from the Command Line in RHEL 7

This time around we are going to work on integrating OpenSCAP functionality into Red Hat Satellite 6.5

Installing SCAP Content on Satellite Server

SSH into your satellite server and run the command below as root.

# foreman-rake foreman_openscap:bulk_upload:default

Screenshot from 2019-07-26 17-02-22.png

By default only a few content files are added.

Installing Additional SCAP Content

This can be done via the UI (and possibly via the CLI, however I have not attempted this).

In this example I have already downloaded RHEL 8 content from here.

Log into the Satellite UI, and navigate to “Hosts” > “SCAP content”

Select “Upload New SCAP Content

Screenshot from 2019-07-26 17-09-14.png

And select Choose File to select a file from your local machine.

Screenshot from 2019-07-26 17-20-54.png

Create a Puppet Environment

First we need to create a puppet environment for our OpenSCAP scans.

Navigate to “Configure” > “Puppet” > “Environments

Then select “Create Puppet Environment

For this post I will create a new environment with the name “OpenSCAP_demo_env”. Select the appropriate Locations and Organizations where you want to make this Environment available.

Screenshot from 2019-07-30 19-12-59.png

Creating a Host Group

Now we need to create a Host Group. In the Satellite UI, navigate to “Configure” > “Host Groups” > “Create Host Group

Fill in the fields as shown below.

  • Name: The name for your host group
  • Puppet Environment: The Puppet Environment you created above
  • Puppet Master: Your Satellite Server
  • Puppet CA: Your Satellite Server
  • OpenSCAP Capsule: Your Satellite Server

Note: This is a very simple environment without any Satellite Capsule servers, your configuration may vary.

Once you have completed the fields below. Click submit. Do not explore the other tabs just yet.

Screenshot from 2019-07-30 19-16-00.png

Once you click submit, you will be sent back to the Host Groups page. Now click on your host group again.

Click on the “Puppet Classes” tab.

Select the foreman_scap_client classes and add them to the included classes. There should be two classes total to add.

Screenshot from 2019-07-30 19-36-40.png

Modify the Location and Classes if necessary.

Add a Host to the Host Group

Now we need to add a host to the host group that we just created. For this purpose we have created a test vm — rhel7-test2.lab.localdomain.

Let’s navigate to “Hosts” > “All Hosts” and select our host — rhel7-test2.lab.localdomain.

Then click on Edit.

Screenshot from 2019-07-30 19-46-27

Once in edit mode, choose your Host Group from the drop down menu. Then choose select.

Screenshot from 2019-07-30 19-47-22.png

Create a Compliance Policy

In the Satellite UI, navigate to “Hosts” > “Compliance” > “Policies“. Then select “New Compliance Policy“.

In this example I am going to create a policy for PCI-DSS compliance.

So let’s give our new policy a name. I christen thee PCI_DSS POLICY. Then click next.

Screenshot from 2019-07-30 19-56-35

Now we choose our SCAP content/profile.  Below I am choosing RHEL 7 default content, and then PCI-DSS as the profile.

Screenshot from 2019-07-30 19-57-01.png

Now we need to schedule the compliance scan. For testing purposes we are going to run this to run every 5 minutes. Note that you would probably run this weekly or daily in a real production environment.

Screenshot from 2019-07-30 20-00-28

Click Next and set the Location and Organization and then select the hostgroup that you want this compliance policy to apply to. In this case, our hostgroup is OpenSCAP Demo Host Group.

Screenshot from 2019-07-30 20-02-39.png

Prepare RHEL Clients

First off you need to have puppet installed on your clients. I am installing puppet directly from my satellite using the rhel-7-server-satellite-tools-6.5-rpms repo

# yum -y install puppet-agent

For puppet agents version 4 and greater you need to run the following commands as you need to add your satellite server and puppet environment to your puppet.conf

# echo “server = satellite.lab.localdomain” >> /etc/puppetlabs/puppet/puppet.conf
# echo “environment = OpenSCAP_demo_env” >> /etc/puppetlabs/puppet/puppet.conf

Now run the following command

# puppet agent -t
Info: Creating a new SSL key for rhel7-test2.lab.localdomain
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for rhel7-test2.lab.localdomain
Info: Certificate Request fingerprint (SHA256): 83:4C:61:E3:7A:58:F5:81:09:5D:D5:2A:6D:E0:67:C0:1C:DA:99:87:F5:DA:40:8E:FA:E4:5A:8E:7E:7A:9D:A3
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

Start and Enable Puppet

# systemctl start puppet && systemctl enable puppet

Certificate Signing

Now we need to sign the cert we requested above.

In the Satellite UI, navigate to “Infrastructure” > “Capsules“.  Select your Satellite server then select the Puppet CA tab.

Screenshot from 2019-07-30 20-12-05.png

Find you host in the list. Under actions, select “Sign

Screenshot from 2019-07-31 11-23-47

Viewing Reports

To view a report, navigate to Hosts > Compliance > Reports

Screenshot from 2019-07-31 12-36-51

Under Actions, select View Report. Example report shown below.

Screenshot from 2019-07-31 12-38-10.png

Troubleshooting

When a scan is running on a remote host you should be able to see it if you run a ps. For example

[root@rhel7-test2 d20190731-14600-13rla95]# ps -aef | grep oscap
root 14602 14600 7 12:30 pts/1 00:00:05 oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_pci-dss –results-arf /tmp/d20190731-14600-13rla95/results.xml /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml

You can also kick off the job manually via Jobs in the Satellite UI

# /usr/bin/foreman_scap_client 2
File /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://satellite.lab.localdomain:9090/compliance/policies/2/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d
DEBUG: running: oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_pci-dss –results-arf /tmp/d20190731-14600-13rla95/results.xml /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml
WARNING: This content points out to the remote resources. Use `–fetch-remote-resources’ option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20190731-14600-13rla95/results.xml
Uploading results to https://satellite.lab.localdomain:9090/compliance/arf/2
Report uploaded, report id: 1495

You can also look for log messages on the remote hosts

# grep oscap /var/log/messages
Jul 31 12:30:45 localhost oscap: Evaluation started. Content: /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml, Profile: xccdf_org.ssgproject.content_profile_pci-dss.
Jul 31 12:32:19 localhost oscap: Evaluation finished. Return code: 2, Base score 49.753365.

Next Steps

At this point we are able to run a report on a single machine. However, this is just one machine and is so far a rather manual process to setup. Eventually I hope to determine how to configure the following

  • Automatic registration of a new host with the appropriate SCAP profile
  • Automation of Client side config (possibly via bootstrap script)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.