6.2. OpenSCAP in RHN Satellite
6.2.1. Prerequisites
Package Requirements
SCAP requires these packages:
- For the Server: RHN Satellite 5.5
- For the Client: spacewalk-oscap package (available from the RHN Tools Child Channel)
Entitlement Requirements
A Management entitlement is required for scheduling scans.
Other Requirements
For the Client: Distributing the XCCDF content to client machines
Distributing XCCDF content to client machines can be done through the following methods:
- Traditional Methods (CD, USB, nfs, scp, ftp)
- Satellite Scripts
- RPMs
Custom RPMs are the recommended way to distribute SCAP content to other machines. RPM packages can be signed and verified to ensure their integrity. Installation, removal, and verification of RPM packages can be managed from the user interface.
6.2.2. Performing Audit Scans
OpenSCAP integration in the RHN Satellite Server makes it possible to perform audit scans on client systems. This section describes the two methods available: the web interface and the API.
Procedure 6.1. Scans via the Web Interface
To perform a scan through the Satellite Web Interface:
- Log in to the Satellite web interface.
- Click on Systems → Target System.
- Click on Audit → Schedule
- Fill in the Schedule New XCCDF Scan form:
- Command-line Arguments: Additional arguments for the oscap tool can be added to this field. Only two command-line arguments are permitted:
--profile PROFILE
Selects a particular profile from the XCCDF document. Profiles are defined in the XCCDF XML file and can be found by looking for the Profile id attribute, for example:
Profile id="RHEL6-Default"
Note
Certain versions of OpenSCAP require the --profile command-line argument; without it the scan will fail.
--skip-valid
Do not validate input/output files. Users whose XCCDF content is not well-formed may use this to bypass the file validation process.
If no command-line argument is passed, the default profile is used.
- Path to XCCDF Document: This is a required field. The path parameter points to the content location on the client system, for example:
/usr/local/scap/dist_rhel6_scap-rhel6-oval.xml
Warning
The XCCDF content is validated before it is run on the remote system. Specifying invalid arguments can make spacewalk-oscap fail to validate or run. Due to security concerns, the 'oscap xccdf eval' command only accepts a limited set of parameters.
- Run rhn_check to ensure that the action is picked up by the client system:
rhn_check -vv
Note
Alternatively, if rhnsd or osad is running on the client system, the action is picked up by that service. To make sure one of them is running, start it with:
service rhnsd start
or
service osad start
To view the results of the scan, please refer to Section 6.2.3, “How to View SCAP Results”.
Figure 6.1. Scheduling a Scan via Web UI
Procedure 6.2. Scans via API
To perform an audit scan via API:
- Choose an existing script or create a script that schedules a system scan through system.scap.scheduleXccdfScan, the front end API. Example script:
#!/usr/bin/python
import xmlrpclib

# Connect to the Satellite XML-RPC API and log in; the session key authorizes the later calls.
client = xmlrpclib.Server('https://spacewalk.example.com/rpc/api')
key = client.auth.login('username', 'password')
# Schedule the scan: system ID, path to the XCCDF content on the client, and the oscap arguments.
client.system.scap.scheduleXccdfScan(key, 1000010001, '/usr/local/share/scap/usgcb-rhel5desktop-xccdf.xml', '--profile united_states_government_configuration_baseline')
client.auth.logout(key)
Where:
- 1000010001 is the system ID (sid).
- /usr/local/share/scap/usgcb-rhel5desktop-xccdf.xml is the path parameter that points to the content location on the client system. In this case, it assumes USGCB content in the /usr/local/share/scap directory.
- --profile united_states_government_configuration_baseline is the additional argument for the oscap tool. In this case, it selects the USGCB profile.
- Run the script on the command-line interface of any system. The system needs the appropriate Python and XML-RPC libraries installed.
- Run rhn_check to ensure that the action is picked up by the client system:
rhn_check -vv
Note
Alternatively, if rhnsd or osad is running on the client system, the action is picked up by that service. To make sure one of them is running, start it with:
service rhnsd start
or
service osad start
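Both procedures above pass the Command-line Arguments and Path to XCCDF Document fields through to spacewalk-oscap, which rejects anything other than --profile and --skip-valid, and a --profile value that does not exist in the content makes the scan fail on the client. The following is an added example, not code from Satellite or spacewalk-oscap, of checking a scan request against the content before scheduling it: it lists the Profile id values in an XCCDF document (XCCDF 1.1 or 1.2 namespace) and rejects non-permitted arguments or an unknown profile. The XCCDF fragment is constructed sample input, not real benchmark content, and the check only mirrors the server-side restriction; it does not replace it.

```python
import shlex
import xml.etree.ElementTree as ET

# The only two oscap arguments spacewalk-oscap accepts (see the Warning in Procedure 6.1).
PERMITTED_FLAGS = ('--profile', '--skip-valid')

# Constructed XCCDF fragment used as offline sample input; not real SCAP content.
SAMPLE_XCCDF = b"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL6-Sample">
  <status>draft</status>
  <title>Sample benchmark</title>
  <version>0.1</version>
  <Profile id="RHEL6-Default">
    <title>Default profile</title>
    <select idref="rule-1" selected="true"/>
  </Profile>
  <Profile id="RHEL6-Server">
    <title>Server profile</title>
    <select idref="rule-1" selected="true"/>
  </Profile>
  <Rule id="rule-1" selected="false"><title>Example rule</title></Rule>
</Benchmark>
"""


def list_profile_ids(xccdf_bytes):
    """Return the Profile id values in an XCCDF document, in document order."""
    root = ET.fromstring(xccdf_bytes)
    ids = []
    for elem in root.iter():
        # Drop the '{namespace}' prefix so XCCDF 1.1 and 1.2 documents are both handled.
        if elem.tag.rsplit('}', 1)[-1] == 'Profile' and elem.get('id'):
            ids.append(elem.get('id'))
    return ids


def parse_oscap_args(arg_string):
    """Split the Command-line Arguments field and accept only --profile PROFILE and --skip-valid.

    Returns (profile, skip_valid); profile is None when the default profile is to be used.
    """
    tokens = shlex.split(arg_string)
    profile = None
    skip_valid = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == '--profile':
            if i + 1 >= len(tokens):
                raise ValueError('--profile requires a PROFILE value')
            profile = tokens[i + 1]
            i += 2
        elif tok == '--skip-valid':
            skip_valid = True
            i += 1
        else:
            raise ValueError('argument not permitted by spacewalk-oscap: %s' % tok)
    return profile, skip_valid


def check_scan_request(xccdf_bytes, arg_string):
    """Validate a scan request against the content it will run on.

    Returns (profile, skip_valid, available_profile_ids) or raises ValueError.
    """
    profile, skip_valid = parse_oscap_args(arg_string)
    profile_ids = list_profile_ids(xccdf_bytes)
    if profile is not None and profile not in profile_ids:
        raise ValueError('profile %r not in XCCDF document; available: %s'
                         % (profile, ', '.join(profile_ids)))
    return profile, skip_valid, profile_ids
```

To use it against real content, read the XCCDF file from the same path you will pass in the Path to XCCDF Document field (the file must exist on the client, so copy or fetch it to where this check runs) and pass the exact Command-line Arguments string; only if check_scan_request returns cleanly call system.scap.scheduleXccdfScan with those values.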
6.2.3. How to View SCAP Results
There are three methods of viewing the results of finished scans:
- Via the web interface. Once the action has been executed, the results should show up on the system's Audit Tab. This page is discussed in Section 6.2.4, “OpenSCAP Satellite Pages”.
- Via the API functions in the system.scap handler.
- Via the Satellite's spacewalk-reports tool by running these commands:
# /usr/bin/spacewalk-reports system-history-scap
# /usr/bin/spacewalk-reports scap-scan
# /usr/bin/spacewalk-reports scap-scan-results
6.2.4. OpenSCAP Satellite Pages
The following sections describe the tabs in the RHN Satellite Web UI that cover the OpenSCAP functionality.
6.2.4.1. Audit
The Audit tab on the top navigation bar is the encompassing page for the OpenSCAP functionality in RHN Satellite Server 5.5. Clicking on this tab will enable you to view completed OpenSCAP scans, search, and compare them.
- Audit → All Scans
- All Scans is the default page that appears when the Audit tab is chosen. This page displays all completed OpenSCAP scans which the viewer has permission to see. Permissions for scans derive from system permissions.
Figure 6.2. Audit ⇒ All Scans
For each scan, the following information is displayed:
- System: the scan's targeted system
- XCCDF Profile: the evaluated profile
- Completed: time of completion
- Satisfied: number of rules satisfied (passed). A rule is considered satisfied if the result of the evaluation is either Pass or Fixed.
- Dissatisfied: number of rules dissatisfied (failed). A rule is considered dissatisfied if the result of the evaluation is Fail.
- Unknown: number of rules which failed to evaluate. A rule is considered Unknown if the result of the evaluation is Error, Unknown or Not Checked.
The evaluation of XCCDF rules may also return statuses like Informational, Not Applicable, or Not Selected. In such cases, the given rule is not included in the statistics on this page. See System Details → Audit for information on those.
- Audit → XCCDF Diff
- XCCDF Diff is an application which visualizes the comparison of two XCCDF scans. It shows metadata for two scans as well as the lists of results.
Figure 6.3. Audit ⇒ XCCDF Diff
You can access the diff of similar scans directly by clicking on the icon on the List Scans page, or you can diff arbitrary scans by specifying their IDs. Items that show up in only one of the compared scans are considered "varying". Varying items are always highlighted in beige. There are three possible comparison modes: Full Comparison, which shows all the scan items; Only Changed Items, which shows items that have changed; and Only Invariant Items, which shows unchanged or similar items.
- Audit → Advanced Search
- The Search page allows you to search through your scans according to specified criteria, including:
- rule results
- targeted machine
- time frame of the scan
Figure 6.4. Audit ⇒ Advanced Search
The search returns either a list of rule results or a list of the scans in which those results occur.
6.2.4.2. Systems → System Details → Audit
This tab and its subtabs allow you to schedule and view compliance scans for the system. A scan is performed by the OpenSCAP tool (oscap), which implements NIST's Security Content Automation Protocol (SCAP) standard. To scan the system, make sure that the SCAP content is prepared and all prerequisites in Section 6.2.1, “Prerequisites” are met.
- Systems → System Details → Audit → List Scans
Figure 6.5. Systems ⇒ System Details ⇒ Audit ⇒ List Scans Scan Results
This subtab lists a summary of all scans completed on the system. The columns are as follows:
Table 6.1. OpenSCAP Scan Labels
Column Label: Definition
XCCDF Test Result: The scanned test result name, which provides a link to the detailed results of the scan.
Completed: The exact time the scan finished.
Compliance: The unweighted pass/fail ratio of compliance based on the Standard used.
P: Number of checks that Passed
F: Number of checks that Failed
E: Errors experienced in the scan
U: Unknown
N: Not Applicable to the machine
K: Not Checked
S: Not Selected
I: Informational
X: Fixed
Total: Total number of checks
Each line starts with an icon indicating the result of a comparison to a previous similar scan. The icons indicate that in the newer scan there is either:
- no difference compared to the previous scan
- arbitrary differences
- major differences, that is, there are more failures or fewer passes than in the previous scan
- no comparable scan was found, therefore no comparison was made.
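The Satisfied/Dissatisfied/Unknown counts defined under Audit → All Scans and the comparison icons listed above are aggregate numbers, and a scan can keep identical counts while an individual rule regresses from Pass to Fail. The following is an added example, not code from Satellite, that applies the page's own grouping of XCCDF result values to per-rule results and then checks for exactly that case. fetch_rule_results is an assumed helper that pulls a scan's rule results over the API (system.scap.getXccdfScanRuleResults, assumed to return a list of structs with idref and result keys); the two scan result lists are constructed sample data standing in for that call, and compliance_ratio is one reading of the Compliance column (satisfied over satisfied plus dissatisfied), stated here as an assumption.

```python
try:
    import xmlrpclib                      # Python 2, as used by the Satellite 5.5 script above
except ImportError:
    import xmlrpc.client as xmlrpclib     # Python 3

# XCCDF rule result values grouped the way the Audit pages count them.
SATISFIED = ('pass', 'fixed')
DISSATISFIED = ('fail',)
UNKNOWN = ('error', 'unknown', 'notchecked')
EXCLUDED = ('informational', 'notapplicable', 'notselected')   # left out of the statistics


def fetch_rule_results(url, username, password, xid):
    """Assumed helper: rule results of one scan (xid) via the API, same shape as the samples."""
    client = xmlrpclib.Server(url)
    key = client.auth.login(username, password)
    try:
        return client.system.scap.getXccdfScanRuleResults(key, xid)
    finally:
        client.auth.logout(key)


# Constructed sample data (not output from a real scan) in the assumed API shape.
PREVIOUS_SCAN = [
    {'idref': 'rule-sshd-root-login', 'result': 'pass'},
    {'idref': 'rule-auditd-enabled', 'result': 'pass'},
    {'idref': 'rule-aide-installed', 'result': 'fail'},
    {'idref': 'rule-selinux-enforcing', 'result': 'error'},
    {'idref': 'rule-gdm-banner', 'result': 'notapplicable'},
]
CURRENT_SCAN = [
    {'idref': 'rule-sshd-root-login', 'result': 'fail'},        # regressed
    {'idref': 'rule-auditd-enabled', 'result': 'pass'},
    {'idref': 'rule-aide-installed', 'result': 'fixed'},        # remediated
    {'idref': 'rule-selinux-enforcing', 'result': 'notchecked'},
    {'idref': 'rule-gdm-banner', 'result': 'notapplicable'},
]


def summarize(rule_results):
    """Count rules as Audit -> All Scans does: satisfied, dissatisfied, unknown."""
    counts = {'satisfied': 0, 'dissatisfied': 0, 'unknown': 0}
    for r in rule_results:
        result = r['result']
        if result in SATISFIED:
            counts['satisfied'] += 1
        elif result in DISSATISFIED:
            counts['dissatisfied'] += 1
        elif result in UNKNOWN:
            counts['unknown'] += 1
        elif result not in EXCLUDED:
            raise ValueError('unexpected XCCDF result: %s' % result)
    return counts


def compliance_ratio(rule_results):
    """Assumed reading of the Compliance column: satisfied / (satisfied + dissatisfied) in percent.
    Returns None when no rule passed or failed (nothing to form a ratio from)."""
    c = summarize(rule_results)
    total = c['satisfied'] + c['dissatisfied']
    if total == 0:
        return None
    return 100.0 * c['satisfied'] / total


def compare(previous, current):
    """Classify a new scan against the previous comparable one, mirroring the List Scans icons."""
    if previous is None:
        return 'no comparable scan'
    prev, cur = summarize(previous), summarize(current)
    if cur['dissatisfied'] > prev['dissatisfied'] or cur['satisfied'] < prev['satisfied']:
        return 'major differences'
    prev_map = dict((r['idref'], r['result']) for r in previous)
    cur_map = dict((r['idref'], r['result']) for r in current)
    return 'no difference' if prev_map == cur_map else 'arbitrary differences'


def regressions(previous, current):
    """Rules that were satisfied in the previous scan but are dissatisfied in the current one.
    Catches a Pass -> Fail flip that the aggregate icon can hide when another rule was fixed."""
    prev_map = dict((r['idref'], r['result']) for r in previous)
    return [r['idref'] for r in current
            if r['result'] in DISSATISFIED and prev_map.get(r['idref']) in SATISFIED]
```

With the sample data both scans summarize to the same counts (2 satisfied, 1 dissatisfied, 1 unknown), so compare reports only "arbitrary differences", while regressions shows that rule-sshd-root-login went from pass to fail; when reviewing scans from the API or spacewalk-reports, check the per-rule regressions rather than relying on the icon alone.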
- Systems → System Details → Audit → Scan Details
- This page contains the results of a single scan. It can be divided into two parts:
- Details of the XCCDF Scan: the details of the scan give you:
- the general information of the file path
- what command-line arguments were used
- who scheduled it
- the benchmark identifier and version
- the Profile Identifier
- the Profile Title
- when it was started and completed
- any error output.
- XCCDF Rule Results: the rule results provide the full list of XCCDF rule identifiers, identifying tags, and the result for each rule. This list can be filtered by a specific result.
- Systems → System Details → Audit → Schedule
- This subtab is where new scans can be scheduled. Additional command-line arguments can be provided, along with the path to the XCCDF document on the system being scanned. Based on the "Schedule no sooner than" parameter, the scan will be performed at the system's next scheduled check-in with the Satellite Server after that time. For more information about how to schedule via the Satellite web interface, refer to Procedure 6.1, “Scans via the Web Interface” in this chapter.