Chapter 9. Security Compliance Management with OpenSCAP
The Security Content Automation Protocol (SCAP) enables the definition of configuration and security policies, and provides the means of auditing for compliance with those policies. In Satellite 6, SCAP is implemented with the tools provided by the OpenSCAP project. For more information about OpenSCAP, see the Red Hat Enterprise Linux 7 Security Guide.
OpenSCAP provides the means of conducting compliance auditing across your managed environment. Configuration and security policies are expressed in a SCAP-compliant format and hosts are checked for compliance. The Satellite web UI provides the means of compliance auditing and tools to analyse non-compliance. Scheduled auditing against policies ensures that non-compliant hosts are identified, even if they were previously compliant.
The following specifications are supported by OpenSCAP:
- XCCDF: The Extensible Configuration Checklist Description Format (version 1.2)
- OVAL: Open Vulnerability and Assessment Language (version 5.11)
- Asset Identification (version 1.1)
- ARF: Asset Reporting Format (version 1.1)
- CCE: Common Configuration Enumeration (version 5.0)
- CPE: Common Platform Enumeration (version 2.3)
- CVE: Common Vulnerabilities and Exposures
- CVSS: Common Vulnerability Scoring System (version 2.0)
9.1. Installation
The high-level installation steps for OpenSCAP are:
- Install the OpenSCAP packages on the Satellite server.
- Install the OpenSCAP packages on all Satellite Capsule servers.
- Import the Puppet classes and associate them with specific environments.
Note
If OpenSCAP functionality is to be enabled on a Satellite Capsule server, Puppet must already have been enabled on that server.
Procedure 9.1. Install OpenSCAP
- On the Satellite server, install the ruby193-rubygem-foreman_openscap RPM package.
- Restart the httpd service.
  On Red Hat Enterprise Linux 7:
  # systemctl restart httpd
  On Red Hat Enterprise Linux 6:
  # service httpd restart
  This action adds to the Satellite web UI a Compliance section, under the menu, containing the following pages:
- On the Satellite server and all Satellite Capsule servers, install the puppet-foreman_scap_client and rubygem-smart_proxy_openscap RPM packages.
  The puppet-foreman_scap_client package provides the Puppet classes required to set up hosts to perform scans via OpenSCAP and creates the Cron job for periodic scanning as specified by the applicable policy.
- On the Satellite server and all Satellite Capsule servers, restart the foreman-proxy service.
  Red Hat Enterprise Linux 7:
  # systemctl restart foreman-proxy
  Red Hat Enterprise Linux 6:
  # service foreman-proxy restart
- In the Satellite web UI, select → → . Select the line with the new module and click to load the module.
