Compliand and reporting tool for Satellite

Latest response

Hello All,

Does anyone knows or implemented OpenScap or any other reporting tools in Satellite 6.2.13 successfully?

Any help is appreciated and thanks in advance.

Regards,

MP.

Responses

Hi Mike Patel,

Please check Chapter 5 within the Satellite documention Host Configuration guide https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/host_configuration_guide/chap-red_hat_satellite-host_configuration_guide-security_compliance_management_with_openscap.

Also check this https://access.redhat.com/solutions/2377951.

Additionally, the OpenScap documentation is useful (I like the command-line version for individual scans, this is separate/apart from the above for one-off scanning of systems). This is an upstream project documentation. When you land there, scroll down at https://www.open-scap.org/getting-started/ and you’ll see instructions for a GUI and command-line versions. Again, this is separate from your question, for one-off systems you may wish to scan individually for whatever reason.

Let us know if you need anything further

-RJ

Thanks for the help but what got me worried when Red Hat support was saying that is option is untested approach and not recommended.

do you know if OpenSCAP is supported by Red hat?

Hello RJ,

We have approximate 300 systems and we are trying to set up some sort of reporting tools like OpenSCAP that will give us some capabilities on Compliance reporting, inventory function. Does OpenSCAP strictly does Compliance Reporting or does it have other function like inventory and such that we can use?

Do we must install Puppet on all the 300 systems for OpenSCAP to work?

Also, this link you gave me is not working https://www.open-scap.org/getting-started/ - getting “application is not available Error”.

And if you better and easier solution/suggestion then please let me know.

Regards, MP

That's odd that url is giving an error, I just looked at the URL earlier today. Maybe they are having a temporary error. I just checked it now, and see the same error you report. Oddly, it worked earlier today. Hopefully this is a temporary issue.

There used to be a wonderful tool called spacewalk-report under the previous satellite that could be used for inventory queries. I will post back soon (hopefully) with something that kinda replaces that... kinda. However, check this discussion https://access.redhat.com/discussions/1395523 Also check (and I mean test in a test environment, heavily examine this sat6inventory script).

Annoyingly, I have something, but it's at another customer site that I'll be visiting later in the month. However, in the meantime, try this https://access.redhat.com/solutions/2481861. I thought I had a hammer command that would do something like this, or some script, I just don't have it with me now.

SCAP can do a number of things, and it's based on the xml file (profile file) you use. In the case of SCAP and security reporting, there are a number of profiles you can use. Everything from DISA STIG to other varieties.

We haven't used puppet within the satellite server, we have our own separate puppet server. We have used SCAP with ansible-playbooks (not Ansible Tower, but the free version of Ansible). We generally push out jobs using ansible-playbooks to our systems using ansible playbooks such as SCAP security compliance reports (there will be false positives, and there will be things you will likely want to either acquire an exception based on sane operational needs of your organization)

EDITED/ADDED: Here's documentation on Ansible Playbook, Now there is a paid product named "Ansible Tower" (does wonderful things), but it it is sold as a product by Red Hat. You can use the "EPEL" version of Ansible for free. "EPEL" is "Extra Packages for Enterprise Linux" which is described here https://access.redhat.com/solutions/3358

We are in process of setting Ansible Tower and if you have any suggestion for compliance reporting tools then let me know. I used the Sat6inventory python script but most of the data was coming back as unknown, only gave the list of the servers.

Hi Mike Patel,

Ansible Tower is a wonderful product. If you have Red Hat Online Training, I'd highly recommend going through that portion which is included (courses D0409 & D0410).

I just found in the Red Hat Satellite version 6.2 Host Configuration Guide in Chapter 5, instructions on SCAP, I'm hoping that helps. Now paragraph 5.4.1 of that document seems to show an overview including Compliance Reports Overview in Paragraph 5.4.2 which seems to likely fall in line with what you're interested in (along with the surrounding context).

I intend on getting that command I use to get an inventory, it is at a customer site, but if I find it prior, I'll post it here.

Regular SCAP, perhaps for one-off reports, or stand-alone-network (non-satellite). (This is for someone who may want SCAP but doesn't have satellite) The SCAP guide I mentioned previously, that website https://www.open-scap.org/getting-started/ is now functioning again (see my original post at top). I have an ansible playbook that runs a script which names the file based on the date and hostname in a standard location. If you had a few systems, the reporting location could be shared (nfs share), and variables set such that each system reports into it's own specific directory with a proper time/date stamp.

Kind Regards, -RJ

I found a hammer command that will give you a csv report of the systems in your inventory. Run this from your Red Hat Satellite server.

/bin/su -
<enter password>
hammer csv content-hosts --export --file /tmp/myhostreport.txt

Thanks and appreciate your help very much. We are also trying to get the compliance reporting through open scap.

I open the case with Redhat but this is what they replied with. Not sure what they mean by not supported "Even if you manage to get the config file right and scan the client, there may be some hidden catch when importing the report (or somewhere else) because this is untested approach and not recommended."

OpenSCAP functionality in Sat6 relies heavily on Puppet for configuring clients. There is a check that does not allow you to create a policy unless foreman_scap_client Puppet class is imported into Sat6 server, so you definitely need to do that. You need to install foreman_scap_client to your clients, set up cron for periodic executions and what is more important, get the correct entries into /etc/foreman_scap_client/config.yaml, which is probably the most challenging task. Even if you manage to get the config file right and scan the client, there may be some hidden catch when importing the report (or somewhere else) because this is untested approach and not recommended.

Here is the steps to manually configuring the OpenScap without using Puppet.

The thing I hate about the way they recommend pushing things through foreman is that they say in their docs/solutions to set up a no-password sudoer rule for that account which we can't accept due to security reasons. If that account gets compromised, it would be ... "bad", and we just can't do that due to sane security policies. One can certainly use puppet, but Ansible (doesn't have to be Ansible Tower) can be set up with sudo rights to where you can create the necessary ansible playbooks to achieve this goal without having to "just take" the unacceptable risk of no-password sudo directives for the foreman account.