Bug 1957288

Summary: [RFE] Add option in the satellite to upload/sync OVAL defination to evalute the rule (xccdf_org.ssgproject.content_rule_security_patches_up_to_date) when performing Compliance scan on the client registered with the Satellite server.
Product: Red Hat Satellite Reporter: Satyajit Das <sadas>
Component: SCAP PluginAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Jameer Pathan <jpathan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.8.0CC: ehelms, mhaicman, mhulan, mmccune, rlavi, vferschm
Target Milestone: 6.11.0Keywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-05 14:28:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
fetch remote resources none

Description Satyajit Das 2021-05-05 14:18:25 UTC 
Description of problem:

Add option in the satellite to upload/sync OVAL defination to evalute the rule  (xccdf_org.ssgproject.content_rule_security_patches_up_to_date) when performing Compliance scan on the client registered with the Satellite server.


Version-Release number of selected component (if applicable):

6.8

How reproducible:

100%


Steps to Reproduce:
1. Create a Compliance policy in the satellite server using the XCCDF Profile (CIS Red Hat Enterprise Linux 8 Benchmark)
2. Assing the compliance to the host and push the configuration on the client.
3. Perform the compliance scan.
4. Review the compliance report

Actual results:

Title: Ensure Software Patches Installed
xccdf:Rule: xccdf_org.ssgproject.content_rule_security_patches_up_to_date   // This check is skipped with the below evaluation messages
~~~~~~~~~
None of the check-content-ref elements was resolvable.
~~~~~~~~~
Expected results:

As the client registered with the satellite server fetch the SCAP content from the satellite server, so the satellite server should host the latest oval definition(com.redhat.rhsa-RHEL8.xml), so that client can fetch the content from the satellite server and use the ruleset to evaluate the rule.


Additional info:

To evaluate the rule on a client registered with the portal [subscription.rhsm.redhat.com], I just need to use the option "'--fetch-remote-resources" to fetch the remote
content containing OVAL checks that will make this rule evaluate if the patches are up to date.

Sample output:-
===============
~]# oscap xccdf eval --fetch-remote-resources --profile cis --rule xccdf_org.ssgproject.content_rule_security_patches_up_to_date --tailoring-file  ssg-rhel8-ds-cis-tailoring.xml --results test.xml --report ./report.html  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml ... ok
Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Ident   CCE-80865-9
OVAL Definition ID	oval:com.redhat.rhsa:def:20211360
OVAL Definition Title	RHSA-2021:1360: firefox security update (Important)
Result  pass

Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Ident   CCE-80865-9
OVAL Definition ID	oval:com.redhat.rhsa:def:20211353
OVAL Definition Title	RHSA-2021:1353: thunderbird security update (Important)
Result  pass
Comment 1 Ondřej Pražák 2021-05-06 09:44:23 UTC 
I believe this is possible today. Ansible role and Puppet module for scap client have the ability to deploy configuration so that remote resources are fetched during scan. There is 'foreman_scap_client_fetch_remote_resources' Ansible variable and 'fetch_remote_resources' smart class param, both are set to 'false' by default. Changing override to yes and value to 'true' (or setting appropriate matchers) should be enough for the desired effect.

Note that this will work in the same way as for client registered to portal where '--fetch-remote-resources' option is supplied manually - remote resources will be fetched from the sources as specified in the profile/rule xml, not from Satellite.

Does deploying the client with config to fetch remote resources resolve this issue?
Comment 2 Ondřej Pražák 2021-05-06 09:44:55 UTC 
Created attachment 1780159 [details]
fetch remote resources
Comment 11 Marek Hulan 2022-05-04 15:27:56 UTC 
I have the write up prepared, who should convert it to the KCS? Is that a documentation or support? Vendula, do you know?
Comment 12 Marek Hulan 2022-05-06 09:08:50 UTC 
I have linked the KCS as draft, it would be great if it can be reviewed. I'm moving this to ON_QA, if that's verified, I'll switch to published.
Comment 14 Jameer Pathan 2022-05-24 11:00:39 UTC 
Moving bz to verified state based on Marek's draft KCS and https://access.redhat.com/solutions/5185891.
Comment 17 errata-xmlrpc 2022-07-05 14:28:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498