Login
Log in using an SSO provider:
Fedora Account System
Red Hat Associate
Red Hat Customer
Login using a Red Hat Bugzilla account
Forgot Password
Create an Account
Red Hat Bugzilla – Attachment 1011844 Details for
Bug 1206649
[doc] need documentation for OpenSCAP
Home
New
Search
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh92 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
[?]
This site requires JavaScript to be enabled to function correctly, please enable it.
OpenScap Plugin Satellite61 Guide
OpenScap-Plugin_Satellite61_Guide.txt (text/plain), 7.32 KB, created by
Kedar Bidarkar
on 2015-04-07 15:30:07 UTC
(
hide
)
Description:
OpenScap Plugin Satellite61 Guide
Filename:
MIME Type:
Creator:
Kedar Bidarkar
Created:
2015-04-07 15:30:07 UTC
Size:
7.32 KB
patch
obsolete
>Basic Concepts >---------------- > >There are three basic concepts (entities) in OpenSCAP plug-in: >a) SCAP Contents, >b) Compliance Policies and >c) ARF Reports. > >SCAP Content represents SCAP DataStream XML file as defined by SCAP 1.2 standard. Datastream file contains implementation of compliance, configuration or security baselines. Users are advised to acquire examplary baseline by installing scap-security-guide package. DataStream file usualy contains multiple XCCDF Profiles. Each for different security target. The content of Datastream file can be inspected by oscap tool from openscap-scanner package. > > # yum install -y scap-security-guide openscap-scanner > # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml > # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml > >Compliance Policy is highlevel concept of a baseline applied to the infrastructure. Compliance Policy is defined by user on web interface. User may assign following information to the Policy: > > SCAP Content > XCCDF Profile from particular SCAP Content > Host Groups that should comply with the policy > Schedule - the period in which the audit shall occur > >ARF Report is XML output of single scan occurance per single host. Asset Reporting File format is defined by SCAP 1.2 standard. Foreman plug-in stores the ARF Reports in database for later inspections. >User Interface > >The most of the Foreman-OpenSCAP controls are located in the Compliance section under the Host menu. The section contains three items as described in previous section: SCAP Contents, Compliance Policies, ARF Reports. > >OSCAP currently supports the below features: >--------------------------------------------- > >a) Centralized policy management >b) Collect & achieve OpenSCAP audit results from infrastructure >c) Display audit results >d) Search audit results >e) Search for non-compliant systems > > >----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > >Working with OSCAP for Satellite6.1: >----------------------------------- > >Installing OSCAP stuff on Satellite6.1 >----------------------------------------- > >1) By default Satellite61 does not get installed with OSCAP, We need to install the below RPM pacakge to bring in the functionality. >'yum install ruby193-rubygem-foreman_openscap -y'. > >2) Restart the below services. >a) 'systemctl restart foreman' and 'systemctl restart httpd' > >3) This displays the below pages under the "Hosts" --> "compliance". >a) Policies page >b) Scap Content page >c) Reports page > >Installing OSCAP stuff on Internal/External Capsule: >----------------------------------------------------- > >1) Now we shall install the RPM 'puppet-foreman_scap_client' package. >a) 'yum install puppet-foreman_scap_client -y' > >b) This RPM puppet-foreman_scap_client when installed on capsule adds the >'foreman_scap_client' module under '/usr/share/puppet/modules'. > >c) Due to the below reasons there is no need for a puppet-module repo for >puppet-foreman_scap_client. > >d) This RPM which is a puppet-module helps in configuring the '/etc/foreman_scap_client/config.yaml' file >brought in by rubygem-foreman_scap_client. > > >Important Notes:- >i) For OSCAP as we want 'foreman_scap_client' module to be available under all the "puppet-environments", >the idea is to install "foreman_scap_client" under "/usr/share/puppet/modules' which is under the >"basemodulepath" as per the /etc/puppet/puppet.conf file on the capsule. > >ii) What is basemodulepath? > >Although puppet-environments should contain their own modules, you might want some modules to be available >to all puppet-environments. > > >2) We also need to install the RPM 'rubygem-smart_proxy_openscap' package. >a) 'yum install rubygem-smart_proxy_openscap -y' > >3) You may require to restart the foreman-proxy service for the changes to reflect for the satellite6.1 capsule features as "OSCAP". >a) 'systemctl restart foreman-proxy' > > > >Working with the OSCAP feature: >------------------------------- > >1) foreman_scap_client puppet class is imported to your Satellite6.1 > a) Go to Configure -> Puppet classes page > b) Click Import button > c) Select foreman_scap_client and associate it to the desired 'puppet-environmnet'. > >2) Create new SCAP Content > a) Go to Hosts -> Compliance -> SCAP contents page > b) Upload DataStream file > c) DataStream file could be fetched from 'scap-security-guide' rpm package. > d) 'scap-security-guide' package can be obtained from the 'Base RHEL' repos. > e) One must download this file after uploading it and place it at the suggested location ( by help-tip) > at the clients/hosts end. [ As suggested in step 5) below. ] > f) The above help-tip mentioned can be found while performing the step 3) b) and c) below. > NOTE: - help-tip suggestion may not be visible for the 1st policy, will be available from the 2nd policy created. > We have a bug to track this issue https://bugzilla.redhat.com/show_bug.cgi?id=1196574 > >3) Create new Policy > a) Go to Hosts -> Compliance -> Policies page > b) Assign 'SCAP Content' to Policy > c) Select 'XCCDF Profile' from your SCAP Content (NOTE:- above help-tip mentioned can be seen here at this stage) > d) Define periodic scan schedule > e) Assign Hostgroups to the policy (hosts you want to audit should be assigned with one of the hostgroups) > >4) Select particular hosts for compliance audit > a) Go to Hosts -> All hosts page > b) Select hosts > c) Use Select Action -> Assign Compliance Policy button > >5) Make sure the DataStream file is present on the clients' file system. > a) At the moment, Satellite6.1 Infrastructure is not able to serve a file to the clients. > Hence, users are required to distribute their DataStream file to each client. > The expected location to place the file is defined at Compliance Policy -> Edit dialogue. > b) The file can be downloaded from the "Hosts -> Compliance -> SCAP contents page", 'Download' link via the dropdown, > which is just adjacent to "edit" button. > b) On clients/hosts one would require to create the below dir_structure. > 'mkdir -p /var/lib/openscap/content/' and place the "<random_number>.xml" file by downloading it from satellite6.1. > >6) The RPM 'puppet-foreman_scap_client' which brings in a puppet-module helps in configuring the '/etc/foreman_scap_client/config.yaml' file > brought in by 'rubygem-foreman_scap_client' on the clients/hosts. > >Important Note:- >a) There is no need to perform any tasks on clients/hosts apart from running 'puppet agent -t' to configure the clients/hosts for 'foreman_scap_client'. >b) Make sure the step 5) is performed before running 'puppet agent -t' on the clients/hosts if configuring manually. > >7) The puppet-module foreman_scap_client adds the crontab entry for the 'foreman_scap_client' command which actually runs the oscap scan on the > clients/hosts and uploads the reports to the capsule. The Reports from various capsules is then sent to satellite6.1 so that we can inspect > the compliance results. > >8) Inspect the compliance results > a) Go to Hosts -> Compliance -> Reports page > b) Wait for ARF Reports to show-up > c) Go to Hosts -> Compliance -> Policies page > d) Click the policy link to view dashboard and trend >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 1206649
: 1011844 |
1027173
|
1080673