Security audit on Satellite 6.1 with OpenSCAP

Introduction

The Foreman-OpenSCAP gem suite enables Satellite 6.1 to receive automated vulnerability assessment and security compliance audits from managed hosts.
You can upload SCAP compliance contents, create compliance policies out of them and assign the policies to hosts or hostgroups. The foreman_openscap plugin provides three default SCAP contents, so you can start testing security compliance on RHEL6/7 and on Fedora.

OpenSCAP reports (aka ARF reports) will help you find vulnerabilities on your hosts and also suggest a remediation plan to fix those vulnerabilities.

The Satellite OpenSCAP suite is made up of 5 components (gems):

• Scaptimony – Rails engine which creates and persists SCAP content, compliance policy and ARF report objects
• foreman_openscap – UI to display the Scaptimony engine (which actually connects to OpenSCAP)
• smart_proxy_openscap – Capsule plugin which distributes SCAP content to hosts and post ARF reports from client hosts to Satellite
• foreman_scap_client – A client script which runs OpenSCAP scan and uploads the scan report to the Capsule
• puppet-foreman_scap_clien – A puppet module which configures foreman_scap_client

OpenSCAP basic concepts

There are three basic concepts (entities) in the OpenSCAP plug-in: SCAP Contents, Compliance Policies and ARF Reports.

SCAP Content – A file which contains SCAP DataStream XML.
The DataStream contains the compliance, configuration or security baselines. Meaning, in this file there are the SCAP security guidelines and policies in a form called XCCDF (Extensible Configuration Checklist Description Format) where the XCCDF profile is the checklist which audits the specific security target.

Compliance Policy- in Satellite, you can create a compliance policy and assign it to a host / hostgroup. The policy audit is made of the XCCDF profile you wish to test. A compliance policy is made of:

• SCAP Content
• XCCDF Profile from particular SCAP Content
• Hostgroups that should comply with the policy
• Schedule – the period in which the audit shall occur

ARF Report – When a Compliance policy is run on the selected host(s) – they result is an ARF report which is uploaded back to foreman and generates a report where you can learn about your host’s security vulnerabilities and security issues.

Installation

On Satellite

yum install ruby193-rubygem-foreman_openscap
service foreman restart

On Capsule

yum install rubygem-smart_proxy_openscap
service foreman-proxy restart

On puppet master

puppet module install puppet-foreman_scap_client

** Please note that foreman_openscap will install scaptimony engine with it, and the puppet module will install foreman_scap_client on the client hosts.

Using OpenSCAP on Satellite 6.1

Pre-emption:
foreman_scap_client puppet module is imported either via content views or via puppet module import.
To manually import foreman_scap_client puppet module into Satellite.
In the menu: Configure -> Puppet classes. Import from

The menu for using OpenSCAP is set under: Hosts -> Compliance

Creating SCAP content.
Please note that if Satellite 6.1 is installed on RHEL-6, foreman_openscap will provide default RHEL-6 SCAP content. In RHEL-7, foreman_openscap will provide Red Hat default SCAP content for RHEL 6 and RHEL 7.
However, you can also upload your own SCAP content.

Now that we have some SCAP contents (which contains one or more XCCDF profiles) we can create policies.
A policy is the mapping of which XCCDF profile to run on which host(groups) at what time.

Creating a Policy

To create a policy, go to Hosts -> Policies and choose “New Compliance Policy” and follow the wizard’s steps:

• Name your policy
• Choose which SCAP content & SCAP profile to apply
• Choose schedule when to run this policy
• Select to which locations / organizations this policy belongs to, if enabled
• Choose to which hostgroup you wish apply this policy

In the final part, the policy will be applied to each host which belongs to the selected hostgroup.
Another method to assign a policy to a host is via the hosts index “select action” button:

** In the background, foreman_scap_client is configuring which Capsule will serve openscap and which policies to apply to the client hosts. When ‘puppet agent’ will run on the client, it will install “foreman_scap_client” and configure the policies and the proxy to upload the scan reports. The puppet module will also set a cron line to run the policy on its selected schedule.

And finally, reports from our hosts are starting to get in….

ARF reports

as soon as the client is running it generates reports which are uploaded back to Satellite (via the Capsule).

To access reports: Hosts -> Reports

The reports index shows a brief status of how many tests have passed / failed on that report.
To view the detailed report, click on “View Report”

In the detailed report, you could find which tests have passed, and more important which tests have failed and do not comply with the security standard. On each failed test you could also find explanations and remediation procedure which will help you eliminate the security issue.