This is the 4th installment of a series of posts focusing on OpenSCAP. Previous posts in this series can be found below.
This time around we are going to work on integrating OpenSCAP functionality into Red Hat Satellite 6.5
Installing SCAP Content on Satellite Server
SSH into your satellite server and run the command below as root.
# foreman-rake foreman_openscap:bulk_upload:default
By default only a few content files are added.
Installing Additional SCAP Content
This can be done via the UI (and possibly via the CLI, however I have not attempted this).
In this example I have already downloaded RHEL 8 content from here.
Log into the Satellite UI, and navigate to “Hosts” > “SCAP content”
Select “Upload New SCAP Content”
And select Choose File to select a file from your local machine.
Create a Puppet Environment
First we need to create a puppet environment for our OpenSCAP scans.
Navigate to “Configure” > “Puppet” > “Environments”
Then select “Create Puppet Environment”
For this post I will create a new environment with the name “OpenSCAP_demo_env”. Select the appropriate Locations and Organizations where you want to make this Environment available.
Creating a Host Group
Now we need to create a Host Group. In the Satellite UI, navigate to “Configure” > “Host Groups” > “Create Host Group”
Fill in the fields as shown below.
- Name: The name for your host group
- Puppet Environment: The Puppet Environment you created above
- Puppet Master: Your Satellite Server
- Puppet CA: Your Satellite Server
- OpenSCAP Capsule: Your Satellite Server
Note: This is a very simple environment without any Satellite Capsule servers, your configuration may vary.
Once you have completed the fields below. Click submit. Do not explore the other tabs just yet.
Once you click submit, you will be sent back to the Host Groups page. Now click on your host group again.
Click on the “Puppet Classes” tab.
Select the foreman_scap_client classes and add them to the included classes. There should be two classes total to add.
Modify the Location and Classes if necessary.
Add a Host to the Host Group
Now we need to add a host to the host group that we just created. For this purpose we have created a test vm — rhel7-test2.lab.localdomain.
Let’s navigate to “Hosts” > “All Hosts” and select our host — rhel7-test2.lab.localdomain.
Then click on Edit.
Once in edit mode, choose your Host Group from the drop down menu. Then choose select.
Create a Compliance Policy
In the Satellite UI, navigate to “Hosts” > “Compliance” > “Policies“. Then select “New Compliance Policy“.
In this example I am going to create a policy for PCI-DSS compliance.
So let’s give our new policy a name. I christen thee PCI_DSS POLICY. Then click next.
Now we choose our SCAP content/profile. Below I am choosing RHEL 7 default content, and then PCI-DSS as the profile.
Now we need to schedule the compliance scan. For testing purposes we are going to run this to run every 5 minutes. Note that you would probably run this weekly or daily in a real production environment.
Click Next and set the Location and Organization and then select the hostgroup that you want this compliance policy to apply to. In this case, our hostgroup is OpenSCAP Demo Host Group.
Prepare RHEL Clients
First off you need to have puppet installed on your clients. I am installing puppet directly from my satellite using the rhel-7-server-satellite-tools-6.5-rpms repo
# yum -y install puppet-agent
For puppet agents version 4 and greater you need to run the following commands as you need to add your satellite server and puppet environment to your puppet.conf
# echo “server = satellite.lab.localdomain” >> /etc/puppetlabs/puppet/puppet.conf
# echo “environment = OpenSCAP_demo_env” >> /etc/puppetlabs/puppet/puppet.conf
Now run the following command
# puppet agent -t
Info: Creating a new SSL key for rhel7-test2.lab.localdomain
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for rhel7-test2.lab.localdomain
Info: Certificate Request fingerprint (SHA256): 83:4C:61:E3:7A:58:F5:81:09:5D:D5:2A:6D:E0:67:C0:1C:DA:99:87:F5:DA:40:8E:FA:E4:5A:8E:7E:7A:9D:A3
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
Start and Enable Puppet
# systemctl start puppet && systemctl enable puppet
Now we need to sign the cert we requested above.
In the Satellite UI, navigate to “Infrastructure” > “Capsules“. Select your Satellite server then select the Puppet CA tab.
Find you host in the list. Under actions, select “Sign”
To view a report, navigate to Hosts > Compliance > Reports
Under Actions, select View Report. Example report shown below.
When a scan is running on a remote host you should be able to see it if you run a ps. For example
[root@rhel7-test2 d20190731-14600-13rla95]# ps -aef | grep oscap
root 14602 14600 7 12:30 pts/1 00:00:05 oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_pci-dss –results-arf /tmp/d20190731-14600-13rla95/results.xml /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml
You can also kick off the job manually via Jobs in the Satellite UI
# /usr/bin/foreman_scap_client 2
File /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://satellite.lab.localdomain:9090/compliance/policies/2/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d
DEBUG: running: oscap xccdf eval –profile xccdf_org.ssgproject.content_profile_pci-dss –results-arf /tmp/d20190731-14600-13rla95/results.xml /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml
WARNING: This content points out to the remote resources. Use `–fetch-remote-resources’ option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20190731-14600-13rla95/results.xml
Uploading results to https://satellite.lab.localdomain:9090/compliance/arf/2
Report uploaded, report id: 1495
You can also look for log messages on the remote hosts
# grep oscap /var/log/messages
Jul 31 12:30:45 localhost oscap: Evaluation started. Content: /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml, Profile: xccdf_org.ssgproject.content_profile_pci-dss.
Jul 31 12:32:19 localhost oscap: Evaluation finished. Return code: 2, Base score 49.753365.
At this point we are able to run a report on a single machine. However, this is just one machine and is so far a rather manual process to setup. Eventually I hope to determine how to configure the following
- Automatic registration of a new host with the appropriate SCAP profile
- Automation of Client side config (possibly via bootstrap script)