Description of problem: Add option in the satellite to upload/sync OVAL definition to evaluate the rule (xccdf_org.ssgproject.content_rule_security_patches_up_to_date) when performing Compliance scan on the client registered with the Satellite server.

Version-Release number of selected component (if applicable): 6.8

How reproducible: 100%

Steps to Reproduce:
1. Create a Compliance policy in the satellite server using the XCCDF Profile (CIS Red Hat Enterprise Linux 8 Benchmark)
2. Assign the compliance policy to the host and push the configuration to the client.
3. Perform the compliance scan.
4. Review the compliance report

Actual results:
Title: Ensure Software Patches Installed
xccdf:Rule: xccdf_org.ssgproject.content_rule_security_patches_up_to_date
// This check is skipped with the below evaluation messages
~~~~~~~~~
None of the check-content-ref elements was resolvable.
~~~~~~~~~

Expected results:
As the client registered with the satellite server fetches the SCAP content from the satellite server, the satellite server should host the latest OVAL definition (com.redhat.rhsa-RHEL8.xml), so that the client can fetch the content from the satellite server and use the ruleset to evaluate the rule.

Additional info:
To evaluate the rule on a client registered with the portal [subscription.rhsm.redhat.com], I just need to use the option "--fetch-remote-resources" to fetch the remote content containing OVAL checks that will make this rule evaluate if the patches are up to date.

Sample output:
===============
~]# oscap xccdf eval --fetch-remote-resources --profile cis --rule xccdf_org.ssgproject.content_rule_security_patches_up_to_date --tailoring-file ssg-rhel8-ds-cis-tailoring.xml --results test.xml --report ./report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml ... ok

Title                  Ensure Software Patches Installed
Rule                   xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Ident                  CCE-80865-9
OVAL Definition ID     oval:com.redhat.rhsa:def:20211360
OVAL Definition Title  RHSA-2021:1360: firefox security update (Important)
Result                 pass

Title                  Ensure Software Patches Installed
Rule                   xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Ident                  CCE-80865-9
OVAL Definition ID     oval:com.redhat.rhsa:def:20211353
OVAL Definition Title  RHSA-2021:1353: thunderbird security update (Important)
Result                 pass
I believe this is possible today. The Ansible role and Puppet module for the scap client have the ability to deploy configuration so that remote resources are fetched during the scan. There is a 'foreman_scap_client_fetch_remote_resources' Ansible variable and a 'fetch_remote_resources' smart class param; both are set to 'false' by default. Changing override to yes and the value to 'true' (or setting appropriate matchers) should be enough for the desired effect. Note that this will work in the same way as for a client registered to the portal where the '--fetch-remote-resources' option is supplied manually: remote resources will be fetched from the sources specified in the profile/rule XML, not from Satellite. Does deploying the client with config to fetch remote resources resolve this issue?
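To confirm whether a scan still skipped the patches rule (as in the "Actual results" above) after enabling remote-resource fetching, the XCCDF result file written by `--results` can be checked for rule-results that are `notchecked` with the unresolvable check-content-ref message. This is an added example, not code from Satellite, foreman_scap_client or OpenSCAP; the embedded TestResult document is constructed, not a real report.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}
PATCH_RULE = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date"
# Message oscap emits when the OVAL content referenced by the rule was not fetched.
UNRESOLVED_MSG = "None of the check-content-ref elements was resolvable"

# Constructed sample of an XCCDF 1.2 TestResult; not output from a real scan.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.open-scap_testresult_cis">
  <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date">
    <result>notchecked</result>
    <message severity="warning">None of the check-content-ref elements was resolvable.</message>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed">
    <result>pass</result>
  </rule-result>
</TestResult>"""


def skipped_rules(xml_text):
    """Return {rule_id: message} for rules that were not evaluated because the
    remote OVAL content referenced by their check-content-ref was unavailable."""
    root = ET.fromstring(xml_text)
    # The TestResult may be the document root or nested inside a Benchmark/ARF file.
    if root.tag.endswith("}TestResult"):
        results = [root]
    else:
        results = root.findall(".//xccdf:TestResult", XCCDF_NS)
    skipped = {}
    for test_result in results:
        for rr in test_result.findall("xccdf:rule-result", XCCDF_NS):
            result = rr.findtext("xccdf:result", default="", namespaces=XCCDF_NS)
            messages = [m.text or "" for m in rr.findall("xccdf:message", XCCDF_NS)]
            if result == "notchecked" and any(UNRESOLVED_MSG in m for m in messages):
                skipped[rr.get("idref")] = "; ".join(messages)
    return skipped


def patches_rule_evaluated(xml_text):
    """True when the security_patches_up_to_date rule actually ran (was not skipped)."""
    return PATCH_RULE not in skipped_rules(xml_text)


if __name__ == "__main__":
    for rule_id, msg in skipped_rules(SAMPLE_RESULTS).items():
        print(f"SKIPPED {rule_id}: {msg}")
    print("patches rule evaluated:", patches_rule_evaluated(SAMPLE_RESULTS))
```

Run it against a real results file by passing the file contents to `skipped_rules`; an empty result means every rule, including the patches rule, was actually evaluated.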
Created attachment 1780159: fetch remote resources
I have the write-up prepared; who should convert it to the KCS? Is that documentation or support? Vendula, do you know?
I have linked the KCS as draft, it would be great if it can be reviewed. I'm moving this to ON_QA, if that's verified, I'll switch to published.
Moving bz to verified state based on Marek's draft KCS and https://access.redhat.com/solutions/5185891.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5498