Red Hat Training

A Red Hat training course is available for Red Hat Satellite

6.2. OpenSCAP in RHN Satellite

6.2.1. Prerequisites

Package Requirements

SCAP requires these packages:

  • For the Server: RHN Satellite 5.5
  • For the Client: spacewalk-oscap package (available from the RHN Tools Child Channel)
Entitlement Requirements

A Management entitlement is required for scheduling scans.

Other Requirements

For the Client: Distributing the XCCDF content to client machines

Distributing XCCDF content to client machines can be done through the following methods:
  • Traditional Methods (CD, USB, nfs, scp, ftp)
  • Satellite Scripts
  • RPMs
    Custom RPMs are the recommended way to distribute SCAP content to other machines. RPM packages can be signed and verified to ensure their integrity. Installation, removal, and verification of RPM packages can be managed from the user interface.

6.2.2. Performing Audit Scans

OpenSCAP integration in the RHN Satellite Server gives the ability to perform audit scans on client systems. This section discusses the two methods available.

Procedure 6.1. Scans via the Web Interface

To perform a scan through the Satellite Web Interface:
  1. Log in to the Satellite web interface.
  2. Click on SystemsTarget System.
  3. Click on AuditSchedule
  4. Fill in the Schedule New XCCDF Scan form:
    • Command-line Arguments: Additional arguments for the oscap tool can be added into this field. There are only two command line arguments that are permitted. These are:
      --profile PROFILE — Selects a particular profile from the XCCDF document. Profiles are determined by the XCCDF xml file and can be checked using the Profile id tag. For example: 
      Profile id="RHEL6-Default"

      Note

      Certain versions of OpenSCAP need the --profile command-line argument or the scan will fail.
      --skip-valid — Do not validate input/output files. Users without a well-formed XCCDF content may choose to use this to bypass the file validation process.
      If no command-line argument is passed, it will use the default profile.
    • Path to XCCDF Document: This is a required field. The path parameter points to the content location on the client system. For example: /usr/local/scap/dist_rhel6_scap-rhel6-oval.xml

      Warning

      The xccdf content is validated before it is run on the remote system. Specifying invalid arguments can make spacewalk-oscap fail to validate or run. Due to security concerns the 'osccap xccdf eval' command only accepts a limited set of parameters.
  5. Run the rhn_check to ensure that the action is being picked up by the client system. 
    rhn_check -vv

    Note

    Alternatively, if rhnsd or osad are running on the client system, the action will be picked up by these services. To check if they are running: 
    service rhnsd start
    or 
    service osad start
To view the results of the scan, please refer to Section 6.2.3, “How to View SCAP Results”.
Scheduling a Scan via Web UI

Figure 6.1. Scheduling a Scan via Web UI

Procedure 6.2. Scans via API

To perform an audit scan via API:
  1. Choose an existing script or create a script for scheduling a system scan through system.scap.scheduleXccdfScan, the front end API.
    Example Script: 
    #!/usr/bin/python
client = xmlrpclib.Server('https://spacewalk.example.com/rpc/api')
key = client.auth.login('username', 'password')
client.system.scap.scheduleXccdfScan(key, 1000010001,
    '/usr/local/share/scap/usgcb-rhel5desktop-xccdf.xml',
    '--profile united_states_government_configuration_baseline')
    Where:
    • 1000010001 is the system ID (sid).
    • /usr/local/share/scap/usgcb-rhel5desktop-xccdf.xml is the path parameter that points to the content location on the client system. In this case, it assumes USGSB content in the /usr/local/share/scap directory.
    • --profile united_states_government_configuration_baseline represents the additional argument for the oscap tool. In this case, it is using the USCFGB.
  2. Run the script on the command-line interface of any system. The system needs the appropriate python and xmlrpc libraries installed.
  3. Run the rhn_check to ensure that the action is being picked up by the client system. 
    rhn_check -vv

    Note

    Alternatively, if rhnsd or osad are running on the client system, the action will be picked up by these services. To check if they are running: 
    service rhnsd start
    or 
    service osad start

6.2.3. How to View SCAP Results

There are three methods of viewing the results of finished scans:
  • Via the web interface. Once the action has been executed, the results should show up on the system's Audit Tab. This page is discussed in Section 6.2.4, “OpenSCAP Satellite Pages”.
  • Via the API functions in handler system.scap.
  • Via the Satellite's spacewalk-reports tool by running these commands: 
        # /usr/bin/spacewalk-reports system-history-scap
    # /usr/bin/spacewalk-reports scap-scan
    # /usr/bin/spacewalk-reports scap-scan-results

6.2.4. OpenSCAP Satellite Pages

The following sections describe the tabs in the RHN Satellite Web UI that encompasses OpenSCAP.

6.2.4.1. Audit

The Audit tab on the top navigation bar is the encompassing page for the OpenSCAP functionality in RHN Satellite Server 5.5. Clicking on this tab will enable you to view completed OpenSCAP scans, search, and compare them.
AuditAll Scans
All Scans is the default page that appears when the Audit tab is chosen. This page displays all completed OpenSCAP scans which the viewer has permission to see. Permissions for scans derive from system permissions.
Audit ⇒ All Scans

Figure 6.2. Audit ⇒ All Scans

For each scan, the following information is displayed:
System
the scan's targeted system
XCCDF Profile
the evaluated profile
Completed
time of completion
Satisfied
number of rules satisfied/passed. A rule is considered to be satisfied if the result is the evaluation is either Pass or Fixed.
Dissatisfied
number of rules dissatisfied/failed. A rule is considered to be dissatisfied if the result of the evaluation is a Fail.
Unknown
number of rules which failed to evaluate. A rule is considered to be Unknown if the result of the evaluation is an Error, Unknown or Not Checked.
The evaluation of XCCDF rules may also return statuses like Informational, Not Applicable, or not Selected. In such cases, the given rule is not included in the statistics on this page. See System DetailsAudit for information on those.
AuditXCCDF Diff
XCCDF Diff is an application which visualizes the comparison of two XCCDF scans. It shows metadata for two scans as well as the lists of results.
Audit ⇒ XCCDF Diff

Figure 6.3. Audit ⇒ XCCDF Diff

You can access the diff of similar scans directly by clicking on icon at the List Scans page or you can diff arbitrary scans by specifying their id.
Items that show up in only one of the compared scans are considered to be "varying". Varying items are always highlighted in beige. There are three possible comparison modes: Full Comparison which shows all the scan items, Only Changed Items which shows items that have changed, and finally Only Invariant Items which shows unchanged or similar items.
AuditAdvanced Search
The Search page allows you to search through your scans according to specified criteria, including:
  • rule results
  • targeted machine
  • time frame of the scan
The search either returns a list of results or list of scans which are included in the results.

6.2.4.2. SystemsSystem DetailsAudit

This tab and its subtabs allow you to schedule and view compliance scans for the system. A scan is performed by the SCAP tool, which implements NIST's standard SCAP (Security Content Automation Protocol). To scan the system, make sure that the SCAP content is prepared and all prerequisites in Section 6.2.1, “Prerequisites” are met.
SystemsSystem DetailsAuditList Scans
Systems ⇒ System Details ⇒ Audit ⇒ List Scans Scan Results

Figure 6.5. Systems ⇒ System Details ⇒ Audit ⇒ List Scans Scan Results

This subtab lists a summary of all scans completed on the system. The columns are as follows:

Table 6.1. OpenSCAP Scan Labels

Column Label Definition
XCCDF Test Result The scanned test result name which provides a link to the detailed results of the scan.
Completed The exact time the scan finished
Compliance The unweighted pass/fail ratio of compliance based on the Standard used
P Number of Checks that Passed
F Number of Checks that Failed
E Errors experienced in the Scan
U Unknown
N Not applicable to the machine
K Not checked
S Not Selected
I Informational
X Fixed
Total Total number of checks
Each line starts with an icon indicating the results of a comparison to a previous similar scan. The icons indicate that in the newer scan there is either:
  • "RHN List Checked" Icon — no difference compared to the previous scan
  • "RHN List Alert" Icon — arbitrary differences
  • "RHN List Error" Icon — major differences, either there are more failures than the previous scan or less passes
  • "RHN List Check In" Icon — no comparable scan was found, therefore, no comparison was made.
SystemsSystem DetailsAuditScan Details
This page contains the results of a single scanning. It can be divided into two parts:
  • Details of the XCCDF Scan
    The details of the scan gives you:
    • the general information of the file path
    • what command-line arguments were used
    • who scheduled it
    • what is the benchmark identifier and version
    • the Profile Identifier
    • the Profile Title
    • when it was started and completed
    • any error output.
  • XCCDF Rule Results
    The rule results provide the full list of XCCDF rule identifiers, identifying tags and the result for each of these rule results. This list can be filtered by a specific result.
SystemsSystem DetailsAuditSchedule
This subtab is where new scans can be scheduled. Additional command line arguments can be provided, along with the path to the XCCDF document on the system which is being scanned. Based on the "Schedule no sooner than" parameter, the scan will be performed at the system's next scheduled check-in with the Satellite Server. For more information about how to schedule via the Satellite web interface, refer to Procedure 6.1, “Scans via the Web Interface” in this chapter.