Bug 2022514 - [RFE] Offer a better admin experience of updating SCAP contents on Satellite
Summary: [RFE] Offer a better admin experience of updating SCAP contents on Satellite
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SCAP Plugin
Version: 6.9.6
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Jameer Pathan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-11 20:30 UTC by Pablo Hess
Modified: 2023-09-18 04:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-04 19:25:26 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Foreman Issue Tracker | 33913 | 0 | Normal | New | Offer a better experience of updating SCAP contents | 2021-11-12 07:45:17 UTC |
| Red Hat Issue Tracker | SAT-6055 | 0 | None | None | None | 2021-11-12 19:02:16 UTC |

Description Pablo Hess 2021-11-11 20:30:32 UTC
Description of problem:

Updating OpenSCAP contents on Satellite is currently painful:
Once a given SCAP content file is updated, the best approach is usually to manually create a new SCAP content file and change any policy that was using the old (original) SCAP content over to the newly created one.

If you effectively use multiple SCAP content files then you need to do this for every single SCAP content file you have updated.

As a Satellite admin, I'd like to have a way to tell Satellite to update _in-place_ all SCAP contents based on the files I've uploaded previously and ensure Compliance Policies are refreshed to include the updated SCAP content version as well. For example, if I install an update to the scap-security-guide package and this brings in an updated `ssg-rhel8-ds.xml` SCAP content file, I'd like to have a single command or a couple button presses on the web UI to have Satellite replace the outdated version of this file with the new one.

Furthermore, if old SCAP content files are already cached in foreman-proxy instances -- be it the internal one or an external capsule's -- this SCAP content update should also be notified to those foreman-proxies so client hosts always access the latest SCAP contents and policies.

I suppose simply deleting local caches of SCAP contents from /var/lib/foreman-proxy/openscap/content/*/ could suffice as a means to "notify" them of new SCAP contents, which hopefully makes this RFE a bit simpler to implement.

Finally, once policies are updated and tailoring files are potentially added or modified, I currently have to re-run the theforeman.foreman_scap_client Ansible role on all client hosts to have them adapt their local config files to point to tailoring files or apply any other changes, which is significantly less convenient than having puppet do this every 30 minutes. So I'd like to ask to have the SCAP-content-update process that is being proposed/requested here also do this bit and run the theforeman.foreman_scap_client Ansible role on all hosts that are currently linked to the updated SCAP Content/Compliance Policy.

Comment 1 Ondřej Pražák 2021-11-12 07:45:16 UTC
Created redmine issue https://projects.theforeman.org/issues/33913 from this bug

Comment 2 Ondřej Pražák 2021-11-12 07:45:46 UTC
Updating scap contents is indeed a lengthy process as you describe. I see 3 main points:

1) A simple way to replace imported scap contents with new versions from updated scap-security-guide
This is a valid RFE

2) Notify foreman-proxies about new scap content version so that their cache is updated
I believe this is implemented already, even though the cached scap content is replaced only when clients start requesting the new one - a hash based on file content is created to track if scap content assigned to policy has changed and this information is available to clients (after new configuration is applied). So if the client finds out that it does not have a scap content corresponding to the hash in client config, it asks the proxy. At that point the proxy fetches the new one from the server.

3) Ansible roles need to be re-run manually
This comes from the fact that Ansible behaves differently than Puppet, but having the configuration applied continuously is a great advantage here. This is planned to be addressed in 7.y
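
The hash-keyed lookup described in point 2 above, as an added example that is not part of the original comments and is not Foreman or smart-proxy code. It assumes SHA-256 as the content hash and a cache laid out as `<cache_root>/<policy_id>/<digest>.xml`; the class, the `server` hash and the sample content are hypothetical.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Model only. Assumed: SHA-256 digests, cache path <root>/<policy_id>/<digest>.xml.
class ProxyContentCache
  attr_reader :fetches

  def initialize(cache_root, server)
    @cache_root = cache_root
    @server = server # hypothetical stand-in: policy_id => current datastream bytes
    @fetches = 0
  end

  # A client asks for the content that its config names by digest.
  def content_for(policy_id, digest)
    path = File.join(@cache_root, policy_id.to_s, "#{digest}.xml")
    # Serve from cache only if the file still hashes to its own name.
    return File.binread(path) if File.file?(path) && Digest::SHA256.file(path).hexdigest == digest

    data = @server.fetch(policy_id)
    @fetches += 1
    actual = Digest::SHA256.hexdigest(data)
    raise ArgumentError, "server has #{actual}, client asked for #{digest}" unless actual == digest

    FileUtils.mkdir_p(File.dirname(path))
    File.binwrite(path, data)
    data
  end

  # Cached files for a policy that no longer match the digest in use.
  def stale_entries(policy_id, current_digest)
    Dir.glob(File.join(@cache_root, policy_id.to_s, '*.xml'))
       .reject { |f| File.basename(f, '.xml') == current_digest }
  end
end

def demo
  Dir.mktmpdir do |root|
    server = { 1 => '<ds version="old"/>' } # constructed sample content
    cache = ProxyContentCache.new(root, server)
    old = Digest::SHA256.hexdigest(server[1])
    2.times { cache.content_for(1, old) }   # miss then hit: one fetch
    server[1] = '<ds version="new"/>'       # admin replaces the SCAP content
    new = Digest::SHA256.hexdigest(server[1])
    body = cache.content_for(1, new)        # refreshed client config: miss again
    stale = cache.stale_entries(1, new).map { |f| File.basename(f) }
    { fetches: cache.fetches, body: body, old: old, stale: stale }
  end
end
```

In this model a host whose config still carries the old digest keeps being served the old cached file, so the refresh only takes effect once the new configuration reaches the client.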

Comment 6 Brad Buckingham 2022-12-02 18:43:29 UTC
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Comment 7 Brad Buckingham 2023-01-04 19:25:26 UTC
Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.

Comment 8 Red Hat Bugzilla 2023-09-18 04:28:00 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

