Bug 1591629 - [RFE] Satellite should support SCAP reports without the need of puppet installed on hosts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SCAP Plugin
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high with 1 vote
Target Milestone: 6.6.0
Assignee: Ondřej Pražák
QA Contact: Sanket Jagtap
URL:
Whiteboard:
Duplicates: 1625752
Depends On:
Blocks:
Reported: 2018-06-15 07:09 UTC by Luc de Louw
Modified: 2022-03-13 15:07 UTC (History)

Fixed In Version: tfm-rubygem-foreman_openscap-0.12.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-22 12:46:42 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 23950 0 Normal Closed Satellite should support SCAP reports without the need of puppet installed on hosts 2021-01-17 04:31:20 UTC
Red Hat Bugzilla 1625752 0 unspecified CLOSED [RFE] Ansible role for OpenSCAP installation is missing 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker SAT-5062 0 None None None 2021-09-09 14:38:02 UTC
Red Hat Knowledge Base (Solution) 3781731 0 None None None 2019-01-02 13:36:22 UTC
Red Hat Product Errata RHSA-2019:3172 0 None None None 2019-10-22 12:46:56 UTC

Internal Links: 1888128

Description Luc de Louw 2018-06-15 07:09:27 UTC
Description of problem:

At the moment there is no (comfortable) way to make use of the SCAP reporting of hosts without the usage of puppet.

There should be a different way provided to configure the scap client for foreman


Version-Release number of selected component (if applicable):
6.3

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 3 Marek Hulan 2018-06-15 07:23:07 UTC
Created redmine issue http://projects.theforeman.org/issues/23950 from this bug

Comment 4 Luc de Louw 2018-11-15 13:59:27 UTC
Workaround: 

# On Satellite
satellite-installer --enable-foreman-plugin-openscap
foreman-rake foreman_openscap:bulk_upload:default

# On Clients
yum install rubygem-foreman_scap_client openscap-utils scap-security-guide

# Configure /etc/foreman_scap_client/config.yaml

# Configuring the foreman_scap_client config.yaml
:server: sat6.example.com # or capsule.example.com
:port: 9090
:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'
:host_certificate: '/etc/pki/consumer/cert.pem'
:host_private_key: '/etc/pki/consumer/key.pem'

# Profile number as stated in Foreman/Satellite 6
1:
  :profile: pci-dss # profile id as per oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
  :content_path: '/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml'

# Run the client manually to check the functionality
foreman_scap_client 1

# Cronjob
echo "00 15 * * * /usr/bin/foreman_scap_client 1 > /dev/null 2>&1"

Comment 5 Aymeric Marchal SG 2019-01-07 10:51:54 UTC
Hello,

Happy new year!
Thank you for the workaround.


The need is to allow applying an official Red Hat Satellite Ansible role.

On the other hand, the need is for Red Hat Satellite 6.4 and later/next versions and future versions.

Regards,
Aymeric

Comment 6 Bryan Kearney 2019-01-08 13:30:31 UTC
Upstream bug assigned to oprazak

Comment 7 Bryan Kearney 2019-01-08 13:30:33 UTC
Upstream bug assigned to oprazak

Comment 8 Bryan Kearney 2019-03-15 12:03:42 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/23950 has been resolved.

Comment 10 Ondřej Pražák 2019-03-20 08:13:03 UTC
*** Bug 1625752 has been marked as a duplicate of this bug. ***

Comment 13 Sanket Jagtap 2019-07-19 08:06:42 UTC
Build : Satellite 6.6 snap 11

1. Import the theforeman.foreman_scap_client Ansible role into Satellite 
2. Import the Ansible Variables. Configure -> Ansible -> Variable -> Import from capsule where role installed
3. Create a Scap policy, with method as "Ansible", associate with all other options content, profile and hostgroup
4. Create a host, associate the ansible role with host.
5. Host is created, Go to host details -> Play Ansible roles on host
6. REX is used to deploy ansible host 

The role is run on host and foreman_scap_client is installed and configured 

Job invocation log:

PLAY [all] *********************************************************************
TASK [Gathering Facts] *********************************************************
ok: [ansible-scap.domain.zz]
TASK [Display all parameters known for the Foreman host] ***********************
ok: [ansible-scap.domain.zz] => 
  foreman_params: VARIABLE IS NOT DEFINED!
TASK [theforeman.foreman_scap_client : Configure plugins repository] ***********
ok: [ansible-scap.domain.zz]
TASK [theforeman.foreman_scap_client : Install the foreman_scap_client package] ***
changed: [ansible-scap.domain.zz]
TASK [theforeman.foreman_scap_client : Get certificate paths] ******************
ok: [ansible-scap.domain.zz]
TASK [theforeman.foreman_scap_client : Set facts for rh certs] *****************
ok: [ansible-scap.domain.zz]
TASK [theforeman.foreman_scap_client : Create cron in /etc/cron.d/] ************
changed: [ansible-scap.domain.zz]
TASK [theforeman.foreman_scap_client : Create config.yaml in /etc/foreman_scap_client] ***
changed: [ansible-scap.domain.zz]
TASK [theforeman.foreman_scap_client : Ensure cron and config are present] *****
ok: [ansible-scap.domain.zz] => (item=/etc/cron.d/foreman_scap_client_cron)
ok: [ansible-scap.domain.zz] => (item=/etc/foreman_scap_client/config.yaml)
PLAY RECAP *********************************************************************
ansible-scap.domain.zz : ok=9    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
Exit status: 0

Comment 15 errata-xmlrpc 2019-10-22 12:46:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172

