Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1196240 - [RFE] Improve providing oscap content to hosts
Summary: [RFE] Improve providing oscap content to hosts
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Other
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: Unspecified
Assignee: Shlomi Zadok
QA Contact: Kedar Bidarkar
URL:
Whiteboard:
: 1207304 (view as bug list)
Depends On: 1231933 1232194
Blocks: 1047797
TreeView+ depends on / blocked
 
Reported: 2015-02-25 14:42 UTC by Kedar Bidarkar
Modified: 2017-02-23 20:26 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 16:03:24 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Kedar Bidarkar 2015-02-25 14:42:32 UTC 
Description of problem:

After creating OSCAP Content, we can see a download link to download this ds-xml file.

But this would be difficult, when there are multiple hosts?
so, Wondering how useful the download link would be when there are multiple hosts?  We need to Enhance this for sure.


I say this as I see 2 TIPS

a) while creating 'OSCAP  content' we see the below tip.

Notice: You need to install OpenSCAP on your hosts, and upload this content to the hosts as well.

The first half of above statemnet, 'install OpenSCAP on your hots' is fine, One could install it manually or gets pulled in when rubygem-foreman_scap_client package is being installed on hosts.

For the second half: How are we supposed to upload the content to multiple hosts in a simplified manner?

b) Also while creating a 'OSCAP policy' we see the below tip:

"Notice: Ensure the selected SCAP content exists on your hosts."
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
Currently cannot provide the oscap content to "Multiple Hosts" in a simplified manner apart from the download link provided for "openscap content".

Expected results:

We really need to simplify providing the oscap content to Multiple "Hosts".
Additional info:
Comment 1 Corey Welton 2015-02-25 15:11:05 UTC 
First thought was to add this directly to the provisioning template, but mmccune suggested that not everyone may want to enable SCAP by default.


My recommendation is to add it to a snippet, then, or something, with an associated docs note.

 
In the forthcoming SCAP documentation, something like, "Note: SCAP is not enabled by default on newly provisioned systems. To add this functionality, enable snippet $foobar in your provisioning template(s)"
Comment 2 Shlomi Zadok 2015-02-26 08:37:41 UTC 
Or deploy it via puppet?
Comment 4 Shlomi Zadok 2015-04-22 09:51:31 UTC 
*** Bug 1207304 has been marked as a duplicate of this bug. ***
Comment 7 Kedar Bidarkar 2015-06-11 13:19:55 UTC 
[root@rhel66d ~]# foreman_scap_client 1
File /var/lib/openscap/content/6298742afc45309f86ac467c0c9a3e433ff505dd3d237dd8cbf72be1a02937bb.xml is missing. Downloading it from proxy
Download scap content xml from: https://xyz.redhat.com:9090/compliance/policies/1/content
DEBUG: running: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_usgcb-rhel6-server --results-arf /tmp/d20150611-1732-1jqcoek/results.xml /var/lib/openscap/content/6298742afc45309f86ac467c0c9a3e433ff505dd3d237dd8cbf72be1a02937bb.xml
DEBUG: running: /usr/bin/bzip2 /tmp/d20150611-1732-1jqcoek/results.xml
Uploading results to https://xyz.redhat.com:9090/compliance/arf/1


As we can see running "foreman_scap_client <policy_id>" fetches the scap content xml file from proxy.

VERIFIED With sat61-GA-SNAP8
Comment 8 Kedar Bidarkar 2015-06-15 16:16:30 UTC 
Currently fails for sat61-GA-snap8-compose2 for rhel6.

I will be reopening this bug.
Comment 9 Kedar Bidarkar 2015-06-15 16:19:38 UTC 
*** Bug 1231933 has been marked as a duplicate of this bug. ***
Comment 10 Kedar Bidarkar 2015-06-15 16:21:55 UTC 
should show oscap content on rhel6 automatically like it does show when installed on rhel7.
Comment 11 Shlomi Zadok 2015-06-16 05:17:55 UTC 
Not sure why this is re-opened - If there is SCAP content (any SCAP content) it will be delivered (provided) to the client hosts, which is the scope of this issue. 
As for RHEL6 default SCAP content, let's handle it with https://bugzilla.redhat.com/show_bug.cgi?id=1231933 ?
Comment 12 Mike McCune 2015-06-16 05:49:26 UTC 
if we want to move this back to VERIFIED and re-open https://bugzilla.redhat.com/show_bug.cgi?id=1231933 , that is fine with me. I'll move this back to ON_QA and Kedar, feel free to move back to verified and re-open 1231933
Comment 13 Kedar Bidarkar 2015-06-16 10:43:27 UTC 
Will moved this to VERIFIED state when all issues related to it are solved.
Comment 14 Kedar Bidarkar 2015-07-22 12:52:58 UTC 
VERIFIED With sat6.1.1-snap13-c1

Now there is no need to manually provide contents to the clients, the clients can automatically pull in the relevant ds-stream.xml using the API from the capsule/smart-proxy.
Comment 15 Bryan Kearney 2015-08-12 16:03:24 UTC 
This bug was fixed in Satellite 6.1.1 which was delivered on 12 August, 2015.
Note You need to log in before you can comment on or make changes to this bug.