OpenScap and RH Satellite questions
Hi, we are just getting our feet wet with oscap. Our server estate consists entirely of RHEL Server 6.7 systems, and we need a way to automate the oscap scans from a central management server. From what I have read, it seems we are going to need RH Satellite to do this. If that is true, then I have a few high-level questions.
1) If we stand up a Satellite server, would the remote systems need to run some sort of Satellite agent (capsule server?), or would we just need to install spacewalk-oscap on the systems? I ask because the documentation below, in section 8.4, talks about spacewalk-oscap.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security_Guide/index.html#chap-Compliance_and_Vulnerability_Scanning
However, the link below talks about some sort of "satellite capsule server", which, I assume, is something that gets installed on the systems to be managed by Satellite.
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Red_Hat_Satellite_Capsule_Server_Prerequisites.html
2) What do I need to know if we are also using Puppet? Are the two environments compatible? We are running Puppet 3.8.3. The doc linked above, in section 1.4.1, says that the Satellite server must not have any Puppet RPMs installed. However, there is more documentation further on about how these two co-exist in the same environment, so I am a bit confused.
Any guidance is much appreciated. Thanks!
Responses
First things first: Red Hat is currently supporting two completely different generations of the "Satellite" product: Satellite 5.x (based on the "spacewalk" open-source tools) and Satellite 6.x (based on a combination of Pulp, Foreman, Puppet, and assorted smaller pieces). They cannot be mixed and matched.
There is no "Satellite agent" as such for Satellite 5.x - the "rhn" tools (rhn_register) and "yum", already built into the base RHEL operating system, are it. Satellite 6.x can run with no agent ("subscription-manager", also built into RHEL 6+, and "yum"). Satellite 6.x clients can also use the "katello-agent" package (technically optional, but required for Satellite 6.x server-level reporting of errata and "push" installs of patches/packages), and a specific version of the Puppet client.
Anything with "Spacewalk" in the name is associated with Satellite 5.x, so I would not expect the "spacewalk-oscap" package to work in a Satellite 6.x environment.
Satellite 5.x can use (optional) "satellite proxy" servers to support remote sites, e.g. where you have more than a few Satellite clients on the wrong end of a WAN link, and only want the package files to be copied across that link once. A "Satellite Capsule" is the Satellite 6.x equivalent, and has the same function - it is not required, but is very useful for bandwidth reduction/speed improvements in any WAN environment with a non-trivial number of remote clients.
The "capsule" server is not per-client; it is a per-site system.
Puppet integration is...interesting. It only exists in Satellite 6.x, and is based on a specific version of open-source Puppet which Red Hat has used to build Satellite 6, so RH does not want the Satellite server itself "contaminated" with a different version of Puppet. Clients are another story; you may be able to use an arbitrary Puppet version there (3.6.2 or newer), though if you are attempting to integrate Satellite 6.x and Puppet, I would use the Red Hat versions (3.6.2, or was it updated for Sat. 6.1.x?) first.
For 2) - you can either use Satellite 6.x only (as the Puppet Master, node classifier, etc., plus the built-in client package) or Puppet Enterprise, but mixing the two may not work well. If you use PE, stick with it; it is much more mature at this point. Satellite 6.x's built-in Puppet is (IMO) more appropriate for an environment where Puppet (or system orchestration in general) hasn't been used at all, or where Puppet has previously only been used in stand-alone mode to apply configs to client systems.
Hello
This might also help: Satellite 6.1 Feature Overview: OpenSCAP
Yes, that link is visible to the public (at least I could see it, and I was not logged in to anything at redhat.com at the time).
Also, it is very good news! I've been very happy with the capabilities of Puppet Enterprise, and would rather see PE and Satellite work together than in a strict one-or-the-other mode.
Good question...as I read the article, it is very much a "future" feature, but that was written 3 months ago, and before Satellite 6.1.x was released. I haven't had the time to dig deeply enough into Sat 6.1 to find it (or not), but recent phone conversations with both Red Hat sales and PuppetLabs sales still seem to be indicating "coming soon, but not yet."