Bug 1417765

Summary: [RFE] Allow custom OpenSCAP profiles
Product: Red Hat CloudForms Management Engine
Reporter: John Osborne <josborne>
Component: SmartState Analysis
Assignee: Oved Ourfali <oourfali>
Status: CLOSED WONTFIX
QA Contact: brahmani
Severity: high
Docs Contact:
Priority: unspecified
Version: 5.7.0
CC: dlamotta, fsimonce, gblomqui, jhardy, lavenel, ltsai, obarenbo
Target Milestone: GA
Keywords: FutureFeature
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: container
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-07-01 18:43:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: Container Management
Target Upstream Version:
Embargoed:
Bug Depends On: 1462835
Bug Blocks:

Description John Osborne 2017-01-30 22:20:35 UTC
When running SmartState analysis on CloudForms 4.2 (CFME 5.7), it is hard-coded to pull an OpenSCAP profile from the Internet (I think? It's actually a black box) that only checks RHEL 7 RPMs for CVEs. It's not possible to point it to run the recently announced RHEL 7 STIG from DISA, for instance, which checks various configuration files like PermitRootLogin=no in addition to other checks.

I have 3 customers this week that have asked for this capability. DoD for instance has their own security baseline that they need to add on top of the RHEL 7 STIG. They would like to implement their own OpenSCAP XML file and be able to pass that to CloudForms. Another customer, a large civilian agency, wants to create their own as well and they also want to use Blackduck's OpenSCAP XML implementation.

I'm not sure if CF uses the Atomic CLI behind the scenes for this capability, but the atomic CLI already has the capability to do custom scanning.

Comment 2 Tsai Li Ming 2017-04-28 13:10:35 UTC
This is a common ask from my customers too.

Comment 3 Tsai Li Ming 2017-04-28 13:16:47 UTC
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1379185. Solving #1379185 will allow a custom profile to be provided to image-inspector.

Comment 5 Federico Simoncelli 2017-06-19 16:17:31 UTC
This requires the per-provider instance advanced settings.