Bug 1417765 - [RFE] Allow custom OpenSCAP profiles
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: SmartState Analysis
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: GA
Target Release: cfme-future
Assignee: Oved Ourfali
QA Contact: brahmani
URL:
Whiteboard: container
Depends On: 1462835
Blocks:
Reported: 2017-01-30 22:20 UTC by John Osborne
Modified: 2018-07-01 18:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-01 18:43:22 UTC
Category: ---
Cloudforms Team: Container Management
Target Upstream Version:
Embargoed:



Description John Osborne 2017-01-30 22:20:35 UTC
When running SmartState analysis on CloudForms 4.2 (CFME 5.7) it is hard coded to pull an OpenSCAP profile from the Internet (I think? It's actually black box) that only checks for RHEL 7 RPMs for CVEs. It's not possible to point it to run the recently announced RHEL 7 STIG from DISA, for instance, which checks various configuration files like PermitRootLogin=no in addition to other checks.

I have 3 customers this week that have asked for this capability. DoD for instance has their own security baseline that they need to add on top of the RHEL 7 STIG. They would like to implement their own OpenSCAP XML file and be able to pass that to CloudForms. Another customer, a large civilian agency, wants to create their own as well and they also want to use Blackduck's OpenSCAP XML implementation.

I'm not sure if CF uses the Atomic CLI behind the scenes for this capability, but the atomic CLI already has the capability to do custom scanning.

Comment 2 Tsai Li Ming 2017-04-28 13:10:35 UTC
This is a common ask from my customers too.

Comment 3 Tsai Li Ming 2017-04-28 13:16:47 UTC
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1379185. Solving #1379185 will allow a custom profile to be provided to image-inspector.

Comment 5 Federico Simoncelli 2017-06-19 16:17:31 UTC
This requires the per-provider instance advanced settings.

