Bug 1196240

Summary: [RFE] Improve providing oscap content to hosts
Product: Red Hat Satellite
Component: Other
Version: 6.1.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Kedar Bidarkar <kbidarka>
Assignee: Shlomi Zadok <szadok>
QA Contact: Kedar Bidarkar <kbidarka>
CC: bbuckingham, bkearney, cwelton, mmccune, slukasik, sthirugn, szadok
Keywords: FutureFeature, Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Type: Bug
Last Closed: 2015-08-12 16:03:24 UTC
Bug Depends On: 1231933, 1232194
Bug Blocks: 1047797

Description Kedar Bidarkar 2015-02-25 14:42:32 UTC
Description of problem:

After creating OSCAP Content, we can see a download link to download this ds-xml file.

But this would be difficult when there are multiple hosts?
So, wondering how useful the download link would be when there are multiple hosts? We need to enhance this for sure.


I say this as I see 2 TIPS

a) while creating 'OSCAP  content' we see the below tip.

Notice: You need to install OpenSCAP on your hosts, and upload this content to the hosts as well.

The first half of the above statement, 'install OpenSCAP on your hosts', is fine: one could install it manually, or it gets pulled in when the rubygem-foreman_scap_client package is being installed on hosts.

For the second half: How are we supposed to upload the content to multiple hosts in a simplified manner?

b) Also while creating a 'OSCAP policy' we see the below tip:

"Notice: Ensure the selected SCAP content exists on your hosts."

Actual results:
Currently cannot provide the oscap content to "Multiple Hosts" in a simplified manner apart from the download link provided for "openscap content".

Expected results:

We really need to simplify providing the oscap content to Multiple "Hosts".

Comment 1 Corey Welton 2015-02-25 15:11:05 UTC
First thought was to add this directly to the provisioning template, but mmccune suggested that not everyone may want to enable SCAP by default.


My recommendation is to add it to a snippet, then, or something, with an associated docs note.

 
In the forthcoming SCAP documentation, something like, "Note: SCAP is not enabled by default on newly provisioned systems. To add this functionality, enable snippet $foobar in your provisioning template(s)"

Comment 2 Shlomi Zadok 2015-02-26 08:37:41 UTC
Or deploy it via puppet?

Comment 4 Shlomi Zadok 2015-04-22 09:51:31 UTC
*** Bug 1207304 has been marked as a duplicate of this bug. ***

Comment 7 Kedar Bidarkar 2015-06-11 13:19:55 UTC
[root@rhel66d ~]# foreman_scap_client 1
File /var/lib/openscap/content/6298742afc45309f86ac467c0c9a3e433ff505dd3d237dd8cbf72be1a02937bb.xml is missing. Downloading it from proxy
Download scap content xml from: https://xyz.redhat.com:9090/compliance/policies/1/content
DEBUG: running: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_usgcb-rhel6-server --results-arf /tmp/d20150611-1732-1jqcoek/results.xml /var/lib/openscap/content/6298742afc45309f86ac467c0c9a3e433ff505dd3d237dd8cbf72be1a02937bb.xml
DEBUG: running: /usr/bin/bzip2 /tmp/d20150611-1732-1jqcoek/results.xml
Uploading results to https://xyz.redhat.com:9090/compliance/arf/1


As we can see, running "foreman_scap_client <policy_id>" fetches the scap content xml file from the proxy.

VERIFIED With sat61-GA-SNAP8

Comment 8 Kedar Bidarkar 2015-06-15 16:16:30 UTC
Currently fails for sat61-GA-snap8-compose2 for rhel6.

I will be reopening this bug.

Comment 9 Kedar Bidarkar 2015-06-15 16:19:38 UTC
*** Bug 1231933 has been marked as a duplicate of this bug. ***

Comment 10 Kedar Bidarkar 2015-06-15 16:21:55 UTC
Should show oscap content on rhel6 automatically, like it does show when installed on rhel7.

Comment 11 Shlomi Zadok 2015-06-16 05:17:55 UTC
Not sure why this is re-opened - If there is SCAP content (any SCAP content) it will be delivered (provided) to the client hosts, which is the scope of this issue. 
As for RHEL6 default SCAP content, let's handle it with https://bugzilla.redhat.com/show_bug.cgi?id=1231933 ?

Comment 12 Mike McCune 2015-06-16 05:49:26 UTC
If we want to move this back to VERIFIED and re-open https://bugzilla.redhat.com/show_bug.cgi?id=1231933 , that is fine with me. I'll move this back to ON_QA and Kedar, feel free to move back to verified and re-open 1231933.

Comment 13 Kedar Bidarkar 2015-06-16 10:43:27 UTC
Will move this to VERIFIED state when all issues related to it are solved.

Comment 14 Kedar Bidarkar 2015-07-22 12:52:58 UTC
VERIFIED With sat6.1.1-snap13-c1

Now there is no need to manually provide contents to the clients; the clients can automatically pull in the relevant ds-stream.xml using the API from the capsule/smart-proxy.

Comment 15 Bryan Kearney 2015-08-12 16:03:24 UTC
This bug was fixed in Satellite 6.1.1 which was delivered on 12 August, 2015.
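
The fetch-if-missing behaviour shown in the Comment 7 log and described in Comment 14, as an added Ruby example (not foreman_scap_client's own code), extended with an integrity check on the downloaded datastream. It assumes the 64-hex file name under /var/lib/openscap/content is the SHA-256 of the content, which the page does not state; `ensure_scap_content`, `ContentDigestMismatch` and `fetcher` are hypothetical names.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

class ContentDigestMismatch < StandardError; end

# Make sure <content_dir>/<expected_sha256>.xml exists and hashes to its name.
# fetcher is any callable returning the datastream bytes (for example an
# HTTPS GET against the proxy's policy content URL); it is only called when
# the local copy is missing or does not match. Returns :present or :downloaded.
def ensure_scap_content(content_dir, expected_sha256, fetcher)
  path = File.join(content_dir, "#{expected_sha256}.xml")
  if File.file?(path) && Digest::SHA256.file(path).hexdigest == expected_sha256
    return :present
  end

  data = fetcher.call
  actual = Digest::SHA256.hexdigest(data)
  unless actual == expected_sha256
    # Never hand unverified content to `oscap xccdf eval`.
    raise ContentDigestMismatch, "expected #{expected_sha256}, got #{actual}"
  end

  FileUtils.mkdir_p(content_dir)
  tmp = "#{path}.tmp.#{Process.pid}"
  File.binwrite(tmp, data)
  File.rename(tmp, path) # atomic replace: a reader never sees a partial file
  :downloaded
end

# Constructed sample run in a temporary directory (no network access).
def demo
  Dir.mktmpdir do |dir|
    good = "<data-stream-collection/>\n" # constructed stand-in for a ds-xml
    digest = Digest::SHA256.hexdigest(good)
    results = []
    results << ensure_scap_content(dir, digest, -> { good })
    results << ensure_scap_content(dir, digest, -> { raise 'must not fetch' })
    File.binwrite(File.join(dir, "#{digest}.xml"), 'tampered') # corrupt local copy
    results << ensure_scap_content(dir, digest, -> { good })
    begin
      ensure_scap_content(dir, '0' * 64, -> { good }) # proxy returns wrong bytes
    rescue ContentDigestMismatch
      results << :rejected
    end
    results
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```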