Attachment 1011844 Details for Bug 1206649 – OpenScap Plugin Satellite61 Guide

OpenScap Plugin Satellite61 Guide

OpenScap-Plugin_Satellite61_Guide.txt (text/plain), 7.32 KB, created by Kedar Bidarkar on 2015-04-07 15:30:07 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Kedar Bidarkar

Created: 2015-04-07 15:30:07 UTC

Size: 7.32 KB

patch

obsolete

>Basic Concepts
>----------------
>
>There are three basic concepts (entities) in OpenSCAP plug-in: 
>a) SCAP Contents,
>b) Compliance Policies and
>c) ARF Reports.
>
>SCAP Content represents SCAP DataStream XML file as defined by SCAP 1.2 standard. Datastream file contains implementation of compliance, configuration or security baselines. Users are advised to acquire examplary baseline by installing scap-security-guide package. DataStream file usualy contains multiple XCCDF Profiles. Each for different security target. The content of Datastream file can be inspected by oscap tool from openscap-scanner package.
>
>  # yum install -y scap-security-guide openscap-scanner
>  # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
>  # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
>
>Compliance Policy is highlevel concept of a baseline applied to the infrastructure. Compliance Policy is defined by user on web interface. User may assign following information to the Policy:
>
>    SCAP Content
>    XCCDF Profile from particular SCAP Content
>    Host Groups that should comply with the policy
>    Schedule - the period in which the audit shall occur
>
>ARF Report is XML output of single scan occurance per single host. Asset Reporting File format is defined by SCAP 1.2 standard. Foreman plug-in stores the ARF Reports in database for later inspections.
>User Interface
>
>The most of the Foreman-OpenSCAP controls are located in the Compliance section under the Host menu. The section contains three items as described in previous section: SCAP Contents, Compliance Policies, ARF Reports.
>
>OSCAP currently supports the below features:
>---------------------------------------------
>
>a) Centralized policy management
>b) Collect & achieve OpenSCAP audit results from infrastructure
>c) Display audit results
>d) Search audit results
>e) Search for non-compliant systems
>
>
>-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>Working with OSCAP for Satellite6.1:
>-----------------------------------
>
>Installing OSCAP stuff on Satellite6.1
>-----------------------------------------
>
>1) By default Satellite61 does not get installed with OSCAP, We need to install the below RPM pacakge to bring in the functionality.
>'yum install ruby193-rubygem-foreman_openscap -y'.
>
>2) Restart the below services.
>a) 'systemctl restart foreman' and 'systemctl restart httpd'
>
>3) This displays the below pages under the "Hosts" --> "compliance".
>a) Policies page 
>b) Scap Content page
>c) Reports page
>
>Installing OSCAP stuff on Internal/External Capsule:
>-----------------------------------------------------
>
>1) Now we shall install the RPM 'puppet-foreman_scap_client' package.
>a) 'yum install puppet-foreman_scap_client -y'
>
>b) This RPM puppet-foreman_scap_client when installed on capsule adds the 
>'foreman_scap_client' module under '/usr/share/puppet/modules'.
>
>c) Due to the below reasons there is no need for a puppet-module repo for 
>puppet-foreman_scap_client.
>
>d) This RPM which is a puppet-module helps in configuring the '/etc/foreman_scap_client/config.yaml' file
>brought in by rubygem-foreman_scap_client. 
>
>
>Important Notes:- 
>i) For OSCAP as we want 'foreman_scap_client' module to be available under all the "puppet-environments", 
>the idea is to install "foreman_scap_client" under "/usr/share/puppet/modules' which is under the 
>"basemodulepath" as per the /etc/puppet/puppet.conf file on the capsule.
>
>ii) What is basemodulepath?
>
>Although puppet-environments should contain their own modules, you might want some modules to be available
>to all puppet-environments.
>
>
>2) We also need to install the RPM 'rubygem-smart_proxy_openscap' package.
>a) 'yum install rubygem-smart_proxy_openscap -y'
>
>3) You may require to restart the foreman-proxy service for the changes to reflect for the satellite6.1 capsule features as "OSCAP".
>a) 'systemctl restart foreman-proxy'
>
>
>
>Working with the OSCAP feature:
>-------------------------------
>
>1) foreman_scap_client puppet class is imported to your Satellite6.1
>       a) Go to Configure -> Puppet classes page
>       b) Click Import button
>       c) Select foreman_scap_client and associate it to the desired 'puppet-environmnet'.
>
>2) Create new SCAP Content
>       a) Go to Hosts -> Compliance -> SCAP contents page
>       b) Upload DataStream file
>       c) DataStream file could be fetched from 'scap-security-guide' rpm package.
>       d) 'scap-security-guide' package can be obtained from the 'Base RHEL' repos.
>       e) One must download this file after uploading it and place it at the suggested location ( by help-tip)
>          at the clients/hosts end. [ As suggested in step 5) below. ]
>       f) The above help-tip mentioned can be found while performing the step 3) b) and c) below. 
>       NOTE: - help-tip suggestion may not be visible for the 1st policy, will be available from the 2nd policy created. 
>        We have a bug to track this issue https://bugzilla.redhat.com/show_bug.cgi?id=1196574
>    
>3) Create new Policy
>       a) Go to Hosts -> Compliance -> Policies page
>       b) Assign 'SCAP Content' to Policy
>       c) Select 'XCCDF Profile' from your SCAP Content (NOTE:- above help-tip mentioned can be seen here at this stage)
>       d) Define periodic scan schedule
>       e) Assign Hostgroups to the policy (hosts you want to audit should be assigned with one of the hostgroups)
>
>4) Select particular hosts for compliance audit
>       a) Go to Hosts -> All hosts page
>       b) Select hosts
>       c) Use Select Action -> Assign Compliance Policy button
>
>5) Make sure the DataStream file is present on the clients' file system.
>       a) At the moment, Satellite6.1 Infrastructure is not able to serve a file to the clients. 
>          Hence, users are required to distribute their DataStream file to each client. 
>          The expected location to place the file is defined at Compliance Policy -> Edit dialogue.
>       b) The file can be downloaded from the "Hosts -> Compliance -> SCAP contents page", 'Download' link via the dropdown,
>          which is just adjacent to "edit" button.
>       b) On clients/hosts one would require to create the below dir_structure.
>          'mkdir -p /var/lib/openscap/content/' and place the "<random_number>.xml" file by downloading it from satellite6.1.
>
>6) The RPM 'puppet-foreman_scap_client' which brings in a puppet-module helps in configuring the '/etc/foreman_scap_client/config.yaml' file
>   brought in by 'rubygem-foreman_scap_client' on the clients/hosts. 
>
>Important Note:- 
>a) There is no need to perform any tasks on clients/hosts apart from running 'puppet agent -t' to configure the clients/hosts for 'foreman_scap_client'.
>b) Make sure the step 5)  is performed before running 'puppet agent -t' on the clients/hosts if configuring manually.
>
>7) The puppet-module foreman_scap_client adds the crontab entry for the 'foreman_scap_client' command which actually runs the oscap scan on the
>   clients/hosts and uploads the reports to the capsule. The Reports from various capsules is then sent to satellite6.1 so that we can inspect
>   the compliance results.
>   
>8) Inspect the compliance results
>       a) Go to Hosts -> Compliance -> Reports page
>       b) Wait for ARF Reports to show-up
>       c) Go to Hosts -> Compliance -> Policies page
>       d) Click the policy link to view dashboard and trend
>

Actions: View

Attachments on bug 1206649: 1011844 | 1027173 | 1080673