1420439 – Satellite does not push updated SCAP content on a policy

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1420439 - Satellite does not push updated SCAP content on a policy

Summary: Satellite does not push updated SCAP content on a policy

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	SCAP Plugin
Sub Component:
Version:	6.2.7
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	Unspecified
Assignee:	Ondřej Pražák
QA Contact:	Marek Hulan
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1419860 (view as bug list)
Depends On:
Blocks:	1482461
TreeView+	depends on / blocked

Reported:	2017-02-08 16:20 UTC by Ryan Kimbrell
Modified:	2021-09-09 12:07 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1482461 (view as bug list)
Environment:
Last Closed:	2018-02-21 16:54:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	17464	0	Normal	Closed	Cached scap_content on proxy is not updated	2020-10-21 03:43:38 UTC
Red Hat Knowledge Base (Article)	3420651	0	None	None	None	2018-04-22 21:23:23 UTC

Description Ryan Kimbrell 2017-02-08 16:20:10 UTC

Description of problem: Updating SCAP content on an existing Compliance Policy does not result in synchronization of the new SCAP content on subsequent puppet runs. Content hosts continue to run openscap scans using the previous outdated SCAP content.


Version-Release number of selected component (if applicable): Satellite 6.2.7


How reproducible: Always


Steps to Reproduce:
1. In the Satellite web UI, go to Hosts->Compliance->Policies
2. On an existing policy, click the drop-down arrow next to "Show Guide" and choose "Edit"
3. Click on the "SCAP Content" tab.
4. Use the drop-down in the SCAP Content field to choose different/new SCAP Content.
5. Click the "Submit" button.

Actual results:
Even after a puppet run, either waiting for the next run interval or manually running `puppet agent -t` on a host registered to Satellite, foreman_scap_client continues to scap using the old SCAP content.

Expected results:
foreman_scap_client should scan using the new/updated SCAP content.

Additional info:

Comment 1 Marek Hulan 2017-02-09 14:05:11 UTC

Thank you for the report with detailed reproducing steps. I believe this is covered by upstream issue http://projects.theforeman.org/issues/17464 so I'm linking it. It's not released yet but good thing is that the fix exists already. 

A quick workaround is to define a new policy and use that instead of the old one.

Comment 3 Marek Hulan 2017-02-09 14:19:11 UTC

*** Bug 1419860 has been marked as a duplicate of this bug. ***

Comment 4 Satellite Program 2017-02-12 09:01:31 UTC

Upstream bug assigned to oprazak

Comment 5 Satellite Program 2017-02-12 09:01:35 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17464 has been resolved.

Comment 6 Sanket Jagtap 2017-02-20 06:06:53 UTC

just an update, While reproducing this bug with 6.2.8 snap 2 after performing above steps the error I got, 

[root@test-xyz ~]# foreman_scap_client 1
DEBUG: running: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-java-upstream --results-arf /tmp/d20170216-27115-19glfag/results.xml /var/lib/openscap/content/fe93f99c14251cc76e92b9da71c351c8ba45fbd3639a2cd55911ef6f7db1b650.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Profile "xccdf_org.ssgproject.content_profile_stig-java-upstream" was not found. Get available profiles using:
$ oscap info "/var/lib/openscap/content/fe93f99c14251cc76e92b9da71c351c8ba45fbd3639a2cd55911ef6f7db1b650.xml"
Scan failed
This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.

Comment 7 Pavel Moravec 2017-05-30 14:50:46 UTC

(In reply to Marek Hulan from comment #1)
> Thank you for the report with detailed reproducing steps. I believe this is
> covered by upstream issue http://projects.theforeman.org/issues/17464 so I'm
> linking it. It's not released yet but good thing is that the fix exists
> already. 
> 
> A quick workaround is to define a new policy and use that instead of the old
> one.

An alternative workaround is to delete the content on the client to let it force fetching a new one from the OpenScap server. I.e. if I know that the change is in:

13:
  :profile: ''
  :content_path: '/var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/13/content'

then I should delete the /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml file

Comment 11 Satellite Program 2018-02-21 16:54:17 UTC

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
> 
> For information on the advisory, and where to find the updated files, follow the link below.
> 
> If the solution does not work for you, open a new bug report.
> 
> https://access.redhat.com/errata/RHSA-2018:0336

Note You need to log in before you can comment on or make changes to this bug.