Chapter 9. Security Compliance Management with OpenSCAP

The Security Content Automation Protocol (SCAP) provides a standard way to define configuration and security policies and to audit hosts for compliance with those policies. In Satellite 6, SCAP is implemented with the tools provided by the OpenSCAP project. For more information about OpenSCAP, see the Red Hat Enterprise Linux 7 Security Guide.
OpenSCAP provides the means of conducting compliance auditing across your managed environment. Configuration and security policies are expressed in a SCAP-compliant format and hosts are checked against them. The Satellite web UI provides compliance auditing and tools to analyse non-compliance. Scheduled auditing against policies ensures that non-compliant hosts are identified, including hosts that were previously compliant and have since drifted.
The following specifications are supported by OpenSCAP:
  • XCCDF: The Extensible Configuration Checklist Description Format (version 1.2)
  • OVAL: Open Vulnerability and Assessment Language (version 5.11)
  • Asset Identification (version 1.1)
  • ARF: Asset Reporting Format (version 1.1)
  • CCE: Common Configuration Enumeration (version 5.0)
  • CPE: Common Platform Enumeration (version 2.3)
  • CVE: Common Vulnerabilities and Exposures
  • CVSS: Common Vulnerability Scoring System (version 2.0)

9.1. Installation

The high-level installation steps for OpenSCAP are:
  • Install the OpenSCAP packages on the Satellite server.
  • Install the OpenSCAP packages on all Satellite Capsule servers.
  • Import the Puppet classes and associate them with specific environments.

Note

If OpenSCAP functionality is to be enabled on a Satellite Capsule server, Puppet must already have been enabled on that server.

Procedure 9.1. Install OpenSCAP

  1. On the Satellite server, install the ruby193-rubygem-foreman_openscap RPM package.
  2. Restart the httpd service.
    On Red Hat Enterprise Linux 7
    # systemctl restart httpd
    On Red Hat Enterprise Linux 6
    # service httpd restart
    This action adds a Compliance section to the Satellite web UI, under the Hosts menu, containing the following pages:
    • Policies
    • SCAP Contents
    • Reports
  3. On the Satellite server and all Satellite Capsule servers, install the puppet-foreman_scap_client and rubygem-smart_proxy_openscap RPM packages.
    The puppet-foreman_scap_client package provides the Puppet classes required to set up hosts to perform scans via OpenSCAP and creates the Cron job for periodic scanning as specified by the applicable policy.
  4. On the Satellite server and all Satellite Capsule servers, restart the foreman-proxy service.
    Red Hat Enterprise Linux 7

    # systemctl restart foreman-proxy

    Red Hat Enterprise Linux 6

    # service foreman-proxy restart

  5. In the Satellite web UI, select Configure > Puppet classes > Import from SATELLITE_HOST. Select the line with the new module and click Update to load the module.
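The package and service steps of Procedure 9.1 (steps 1 to 4) can be driven from one script. The script below is an added example, not part of this page and not Red Hat's own tooling. It assumes the host runs Red Hat Enterprise Linux 6 or 7, that yum can reach the Satellite or Capsule repositories, and that the role passed on the command line (satellite or capsule) decides which packages from the procedure are installed and which services are restarted. The post-install check queries the smart proxy's /features endpoint on port 9090, which is an assumption about the environment (the page does not describe it), as is the log path /var/log/foreman-proxy/proxy.log named in the error message. Step 5 (importing the Puppet classes) is a web UI action and is not scripted here.

```shell
#!/bin/sh
# Added example wrapper for Procedure 9.1, steps 1-4. Not Red Hat's own script.
# Assumptions (not from the page): RHEL 6 or 7, yum with the Satellite/Capsule
# repositories enabled, and the smart proxy answering on https://HOST:9090.
set -eu

# Packages per role, exactly as the procedure lists them: the Satellite server
# gets the web UI plug-in plus the proxy/Puppet parts; a Capsule gets only the
# proxy/Puppet parts.
packages_for_role() {
    case "$1" in
        satellite) echo "ruby193-rubygem-foreman_openscap puppet-foreman_scap_client rubygem-smart_proxy_openscap" ;;
        capsule)   echo "puppet-foreman_scap_client rubygem-smart_proxy_openscap" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Services the procedure restarts after installation, per role.
services_for_role() {
    case "$1" in
        satellite) echo "httpd foreman-proxy" ;;
        capsule)   echo "foreman-proxy" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Restart command for a service, chosen by RHEL major version:
# RHEL 7 uses systemd, RHEL 6 uses SysV init scripts.
restart_cmd() {
    svc="$1"; major="$2"
    case "$major" in
        7) echo "systemctl restart $svc" ;;
        6) echo "service $svc restart" ;;
        *) echo "unsupported RHEL major version: $major" >&2; return 1 ;;
    esac
}

# Major version from /etc/redhat-release (e.g. "... release 7.2 (Maipo)" -> 7).
rhel_major() {
    sed -n 's/.*release \([0-9]*\)\..*/\1/p' /etc/redhat-release
}

# Install the listed packages, skipping ones already present so the script
# can be re-run safely.
install_packages() {
    for pkg in $1; do
        if rpm -q "$pkg" >/dev/null 2>&1; then
            echo "already installed: $pkg"
        else
            yum -y install "$pkg"
        fi
    done
}

# Post-install check (assumption, not from the page): the smart proxy's
# feature list on port 9090 should now include "openscap".
check_proxy_feature() {
    curl -sk "https://$1:9090/features" | grep -q '"openscap"'
}

main() {
    role="$1"
    major="$(rhel_major)"
    install_packages "$(packages_for_role "$role")"
    for svc in $(services_for_role "$role"); do
        $(restart_cmd "$svc" "$major")
    done
    host="$(hostname -f)"
    if check_proxy_feature "$host"; then
        echo "foreman-proxy on $host reports the openscap feature"
    else
        echo "foreman-proxy on $host does not report openscap; check /var/log/foreman-proxy/proxy.log (assumed path)" >&2
        return 1
    fi
}

# Only act when explicitly asked: sh install-openscap.sh --apply satellite|capsule
case "${1:-}" in
    --apply) main "${2:?role required: satellite or capsule}" ;;
esac
```

Run it with `--apply satellite` on the Satellite server and `--apply capsule` on each Capsule. Because it checks `rpm -q` before installing and always restarts the services, re-running it after a failed attempt is safe; a Capsule whose feature list lacks "openscap" after the restart usually has not had Puppet enabled, which the Note above requires before OpenSCAP can be enabled on it.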