Satellite 6.3 introduces the Tailoring Files feature. Tailoring Files allow existing OpenSCAP policies to be tailored, or customised, without forking or rewriting the policy.
This feature overview gives a little background on SCAP, then goes into more detail about Tailoring Files and how to upload and assign them to a policy.
This content draws heavily on section 6 of the Satellite 6.3 Administering Red Hat Satellite guide, specifically section 6.1: What is SCAP and section 6.4: Tailoring Files.
The Security Content Automation Protocol or SCAP enables the definition of security configuration policies. For example, a security policy might specify that for hosts running Red Hat Enterprise Linux, login via SSH is not permitted for the root account. In Satellite 6, tools provided by the OpenSCAP project are used to implement security compliance auditing. For more information about OpenSCAP see the Red Hat Enterprise Linux 7 Security Guide.
SCAP content is a datastream format containing the configuration and security baseline against which hosts are checked.
You can either create SCAP content or obtain it from a vendor. Supported profiles are provided for Red Hat Enterprise Linux in the scap-security-guide package.
SCAP Content in Satellite uses the XCCDF Profile. An XCCDF profile is a checklist against which a host or host group is evaluated. Profiles are generally created to verify compliance with a standard, whether that be an industry standard or a custom standard.
As mentioned above, Tailoring Files allow existing OpenSCAP policies to be customised without forking or rewriting the policy.
It is important to note that the Tailoring Files feature does not provide the ability to create Tailoring Files. A Tailoring File can be created using SCAP Workbench, available at https://www.open-scap.org.
For more information on using the SCAP Workbench tool, see Customizing SCAP Security Guide for your use-case.
Once you have a Tailoring file you can upload it and assign the Tailoring File to a policy.
Uploading a Tailoring File
To upload a Tailoring File into Satellite, complete the following steps:
- Log in to the Satellite web UI.
- Navigate to Hosts → Compliance - Tailoring Files and click New Tailoring File.
- Enter a name in the Name text box.
- Click Choose File, navigate to the location containing the SCAP DataStream Tailoring File and select Open.
- Click Submit to upload the chosen Tailoring File.
Assigning a Tailoring File to a Policy
To assign a Tailoring File to a Policy, complete the following steps:
- Log in to the Satellite web UI.
- Navigate to Hosts → Compliance - Policies.
- Click New Policy, or New Compliance Policy if there are existing Compliance Policies.
- Enter a name in the Name text box, and click Next.
- Select a SCAP content from the dropdown menu.
- Select an XCCDF Profile from the dropdown menu.
- Select a Tailoring File from the dropdown menu.
- Select an XCCDF Profile in Tailoring File from the dropdown menu.
  It is important to select the XCCDF Profile because a Tailoring File can contain multiple XCCDF Profiles.
- Click Next.
- Select a Period from the dropdown menu.
- Select a Weekday from the dropdown menu, and click Next.
- Select a Location to move it to the Selected Items window, and click Next.
- Select an Organization to move it to the Selected Items window, and click Next.
- Select a Hostgroup to move it to the Selected Items window, and click Submit.
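Because a Tailoring File can contain multiple XCCDF Profiles, it is worth listing what each one changes before choosing one in the policy form. The Python script below is an added example, not code from the Satellite guide or the OpenSCAP project; it assumes an XCCDF 1.2 tailoring file, and the sample file and every id in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed sample tailoring file; every id and value is made up.
SAMPLE_TAILORING = """\
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_com.example_tailoring_demo">
  <benchmark href="example-ds.xml"/>
  <version time="2018-01-01T00:00:00">1</version>
  <Profile id="xccdf_com.example_profile_web"
           extends="xccdf_com.example_profile_base">
    <title>Base profile tailored for web servers</title>
    <select idref="xccdf_com.example_rule_no_root_ssh" selected="true"/>
    <select idref="xccdf_com.example_rule_disable_httpd" selected="false"/>
  </Profile>
  <Profile id="xccdf_com.example_profile_db"
           extends="xccdf_com.example_profile_base">
    <title>Base profile tailored for database servers</title>
    <select idref="xccdf_com.example_rule_no_root_ssh" selected="0"/>
    <set-value idref="xccdf_com.example_value_idle_timeout">900</set-value>
  </Profile>
</Tailoring>
"""


def list_profiles(xml_text):
    """Return one dict per Profile in an XCCDF 1.2 tailoring document."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "Tailoring":
        raise ValueError("root element is %r, not an XCCDF 1.2 Tailoring" % root.tag)
    profiles = []
    for prof in root.findall(NS + "Profile"):
        selects = prof.findall(NS + "select")
        profiles.append({
            "id": prof.get("id"),
            "extends": prof.get("extends"),
            "title": (prof.findtext(NS + "title") or "").strip(),
            # 'selected' is an xs:boolean, so "1"/"0" are valid spellings too
            "enabled": [s.get("idref") for s in selects if s.get("selected") in ("true", "1")],
            "disabled": [s.get("idref") for s in selects if s.get("selected") in ("false", "0")],
            "values": {v.get("idref"): (v.text or "").strip()
                       for v in prof.findall(NS + "set-value")},
        })
    return profiles


if __name__ == "__main__":
    for p in list_profiles(SAMPLE_TAILORING):
        print(p["id"], "extends", p["extends"])
        print("  disabled rules:", p["disabled"], "overridden values:", p["values"])
```

In the constructed sample the second profile deselects a rule that the first one keeps enabled, which is the kind of difference that makes the profile choice matter.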
For more information on Tailoring Files, refer to section 6 of the Satellite 6.3 Administering Red Hat Satellite guide.