9.2. SCAP Concepts

9.2.1. SCAP Content

SCAP content is a data stream format containing the configuration and security baseline against which hosts are checked. Checklists are described in the Extensible Configuration Checklist Description Format (XCCDF) and vulnerabilities in the Open Vulnerability and Assessment Language (OVAL). Checklist items, also known as rules, express the desired configuration of a system item. For example, you can specify that no one can log in to a host over SSH using the root user account. Rules can be grouped into one or more profiles, allowing multiple profiles to share a rule. SCAP content consists of both rules and profiles.
You can either create SCAP content or obtain it from a vendor. A number of supported profiles are provided for Red Hat Enterprise Linux in the scap-security-guide package. The creation of SCAP content is outside the scope of this guide, but see the Red Hat Enterprise Linux 7 Security Guide or Red Hat Enterprise Linux 6 Security Guide for information on how to download, deploy, tailor, and define your own content using the SCAP Workbench. The SCAP content provided with Red Hat Enterprise Linux is compliant with SCAP specification 1.2.
If you install the OpenSCAP components of Satellite 6 on Red Hat Enterprise Linux 6, default SCAP content will be installed for Red Hat Enterprise Linux 6. If you install the OpenSCAP components of Satellite 6 on Red Hat Enterprise Linux 7, default SCAP content will be installed for both Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

9.2.2. XCCDF Profile

An XCCDF profile is a checklist against which a host or host group is evaluated. Profiles are generally created to verify compliance with a standard, whether that be an industry standard or a custom standard.
To list all available profiles, open the Satellite web UI, navigate to Hosts > Policies, select Edit from the drop-down list next to the policy of interest and select the SCAP Content tab. Select the SCAP Content of interest and browse the available profiles in the XCCDF Profile drop-down list.
The profiles provided with Satellite 6 are obtained from the SCAP Security Guide project, which is hosted at https://fedorahosted.org/scap-security-guide.
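To make the relationship between rules and profiles in Section 9.2.1 and Section 9.2.2 concrete, the following is an added example, not code from Satellite or the SCAP Security Guide. It parses a constructed, minimal XCCDF 1.2 benchmark and resolves which rules a given profile selects, applying the XCCDF semantics: each Rule's own selected attribute (default true) is the starting point, a Profile's select elements override it in document order, a select that names a Group toggles every Rule beneath it, and a Profile that extends another inherits the parent's selections first. Every identifier in the sample uses a made-up xccdf_com.example_ prefix.

```python
"""Resolve the rules an XCCDF profile selects.

Added example, not code from Satellite or the SCAP Security Guide. The
benchmark below is constructed: a minimal XCCDF 1.2 document with three
SSH rules and two profiles, one of which extends the other, so one rule
is shared by both profiles.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed sample benchmark; identifiers use a made-up xccdf_com.example_ prefix.
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_com.example_benchmark_demo">
  <status>draft</status>
  <title>Constructed demo benchmark</title>
  <version>0.1</version>
  <Profile id="xccdf_com.example_profile_baseline">
    <title>Baseline</title>
    <select idref="xccdf_com.example_rule_sshd_disable_root_login" selected="true"/>
  </Profile>
  <Profile id="xccdf_com.example_profile_strict" extends="xccdf_com.example_profile_baseline">
    <title>Strict (inherits Baseline, adds one rule, drops one)</title>
    <select idref="xccdf_com.example_rule_sshd_disable_empty_passwords" selected="true"/>
    <select idref="xccdf_com.example_rule_sshd_allow_only_protocol2" selected="false"/>
  </Profile>
  <Group id="xccdf_com.example_group_sshd">
    <title>SSH server</title>
    <Rule id="xccdf_com.example_rule_sshd_disable_root_login" selected="false" severity="medium">
      <title>Disable SSH root login</title>
    </Rule>
    <Rule id="xccdf_com.example_rule_sshd_disable_empty_passwords" selected="false" severity="high">
      <title>Disable SSH access via empty passwords</title>
    </Rule>
    <Rule id="xccdf_com.example_rule_sshd_allow_only_protocol2" severity="high">
      <title>Allow only SSH protocol 2 (selected by default)</title>
    </Rule>
  </Group>
</Benchmark>
"""


def _rule_defaults(root):
    """Return {rule_id: selected} from each Rule's own attribute (XCCDF default is true)."""
    return {
        rule.get("id"): rule.get("selected", "true") == "true"
        for rule in root.iter(f"{{{XCCDF_NS}}}Rule")
    }


def _group_members(root):
    """Return {group_id: [rule_ids]} so a Profile <select> naming a Group can be expanded."""
    return {
        group.get("id"): [r.get("id") for r in group.iter(f"{{{XCCDF_NS}}}Rule")]
        for group in root.iter(f"{{{XCCDF_NS}}}Group")
    }


def selected_rules(benchmark_xml, profile_id):
    """Return the sorted rule ids that profile_id selects in the benchmark."""
    root = ET.fromstring(benchmark_xml)
    selected = _rule_defaults(root)
    groups = _group_members(root)
    profiles = {p.get("id"): p for p in root.findall("xccdf:Profile", NS)}
    if profile_id not in profiles:
        raise KeyError(f"no profile {profile_id!r} in benchmark {root.get('id')!r}")

    def apply(profile, seen):
        # A profile that extends another inherits the parent's selections first.
        parent_id = profile.get("extends")
        if parent_id:
            if parent_id in seen or parent_id not in profiles:
                raise ValueError(f"bad extends chain at {profile.get('id')!r}")
            apply(profiles[parent_id], seen | {parent_id})
        for sel in profile.findall("xccdf:select", NS):
            target = sel.get("idref")
            flag = sel.get("selected") == "true"
            # A select may name a Group, which toggles every Rule beneath it.
            for rule_id in groups.get(target, [target]):
                if rule_id in selected:
                    selected[rule_id] = flag

    apply(profiles[profile_id], {profile_id})
    return sorted(rule_id for rule_id, on in selected.items() if on)


def shared_rules(benchmark_xml):
    """Map each rule selected by more than one profile to the sorted ids of those profiles."""
    root = ET.fromstring(benchmark_xml)
    owners = {}
    for profile in root.findall("xccdf:Profile", NS):
        for rule_id in selected_rules(benchmark_xml, profile.get("id")):
            owners.setdefault(rule_id, []).append(profile.get("id"))
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    for pid in ("xccdf_com.example_profile_baseline", "xccdf_com.example_profile_strict"):
        print(pid)
        for rule_id in selected_rules(SAMPLE_BENCHMARK, pid):
            print("   ", rule_id)
    print("shared:", shared_rules(SAMPLE_BENCHMARK))
```

Note that the Baseline profile ends up selecting the protocol 2 rule without ever naming it, because that Rule is selected by default in the benchmark, while the Strict profile inherits the root-login rule from Baseline and explicitly drops the protocol 2 rule. When previewing a profile (Section 9.2.6) it is the resolved set, not the list of select elements, that determines what is scanned.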

9.2.3. Compliance Policy

A compliance policy is the application of specific SCAP content and XCCDF profile to one or more host groups, on a set schedule. The schedule on which a scan is run is specified by the Satellite server but the scan itself occurs on the host. When the scan is complete, an Asset Reporting File (ARF) is output in XML format and uploaded to the Satellite server. You can see the results of the scan in the compliance policy dashboard.
The OpenSCAP content includes several profiles and their associated rules but no policies are included by default. For details on how to create a policy, see Section 9.2.5, “Creating a Policy”.

9.2.4. Elements of a Compliance Policy

A compliance policy specifies the following:
  • SCAP Content (including the XCCDF profile)
  • Schedule at which the policy will be run on the target host(s)
  • Locations, organizations and host groups to which it applies
The SCAP Content tab provides the option of selecting the SCAP content and XCCDF profile for this policy. Once you have selected these, the SCAP Content tab provides the name of the SCAP content file which will be distributed to the directory /var/lib/openscap/content/ on all target hosts.

Figure 9.1. Elements of a Compliance Policy

9.2.5. Creating a Policy

Follow these steps to create a compliance policy, which specifies the SCAP content and profile to be applied to a location and either a host or host group at a specified time.

Procedure 9.2. To Create a Policy:

  1. In the Satellite web UI, navigate to Hosts > Policies, click New Compliance Policy and follow the wizard's steps.
  2. Enter a name for this policy, a description (optional), then click Next.
  3. Select the SCAP Content and XCCDF Profile to be applied, then click Next.
  4. Specify the scheduled time when the policy is to be applied, then click Next.
    Select Weekly, Monthly or Custom from the Period drop-down list.
    • If you select Weekly, also select the desired day of the week from the Weekday drop-down list.
    • If you select Monthly, also specify the desired day of the month in the Day of month field.
    • If you select Custom, enter a valid Cron expression in the Cron line field.
    The Custom option allows for greater flexibility in the policy's schedule than either the Weekly or Monthly options.
  5. Select the location(s) to which the policy is to be applied, then click Next.
  6. Select the organizations to which the policy is to be applied, then click Next.
  7. Select the host group(s) to which the policy is to be applied, then click Next.
  8. Click Submit.
When the Puppet agent runs on the hosts which belong to the selected host group, or hosts to which the policy has been applied, the OpenSCAP client will be installed and a Cron job added with the policy's specified schedule.

Figure 9.2. Creating a Compliance Policy

9.2.6. Viewing a Policy

Follow these steps to preview the rules that will be applied by a specific SCAP content and XCCDF profile combination. This is useful when planning policies.
  1. In the Satellite web UI, navigate to Hosts > Policies.
  2. Click Show Guide.

9.2.7. Editing a Policy

Follow these steps to edit an existing policy.
  1. In the Satellite web UI, navigate to Hosts > Policies.
  2. From the drop-down list to the right of the policy's name, select Edit.
  3. Edit the necessary attributes.
  4. Click Submit.
An edited policy is applied to the host when its Puppet agent next checks in with the Satellite Server for updates. By default this occurs every 30 minutes.

9.2.8. Deleting a Policy

Follow these steps to delete an existing policy.
  1. In the Satellite web UI, navigate to Hosts > Policies.
  2. From the drop-down list to the right of the policy's name, select Delete.
  3. Click OK in the confirmation message.

9.2.9. Compliance Policy Dashboard

The compliance policy dashboard provides an overview of hosts' compliance with a policy. To view a compliance policy's dashboard, open the Satellite web UI and navigate to Hosts > Policies, then click the policy's name. The dashboard provides the following information:
  • A ring chart illustrating a high-level view of hosts' compliance with the policy.
  • A statistical breakdown of hosts' compliance with the policy, in tabular format.
  • Links to the policy's latest reports.

Figure 9.3. Compliance Policy Dashboard
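The ARF uploaded after each scan (Section 9.2.3) is the raw material the dashboard above summarizes. The following is an added example, not Satellite code: it parses the XCCDF TestResult embedded in three constructed ARF documents, classifies each host, and aggregates the counts the way a dashboard table would. The sample ARFs are trimmed to the elements read here; real reports also carry OVAL results, report requests and system characteristics. The verdict rule used (any fail makes a host incompliant; error, unknown or notchecked with no fail makes it inconclusive, as does an empty result set) is this example's own choice, not a description of how Satellite classifies hosts.

```python
"""Summarize XCCDF results embedded in Asset Reporting Files (ARF).

Added example, not Satellite code. The ARF documents are constructed and
trimmed to the elements this script reads.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "arf": "http://scap.nist.gov/schema/asset-reporting-format/1.1",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# XCCDF result values that count against a host, or leave its state undecided.
FAILING = {"fail"}
INCONCLUSIVE = {"error", "unknown", "notchecked"}


def _arf(target, results):
    """Build a constructed ARF for one host; results is [(rule_id, result, severity)]."""
    rule_results = "\n      ".join(
        f'<rule-result idref="{rid}" severity="{sev}"><result>{res}</result></rule-result>'
        for rid, res, sev in results
    )
    return f"""<arf:asset-report-collection xmlns:arf="{NS['arf']}">
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <TestResult xmlns="{NS['xccdf']}" id="xccdf_org.open-scap_testresult_demo">
      <target>{target}</target>
      {rule_results}
    </TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""


# Constructed sample reports for three hosts; rule ids use a made-up xccdf_com.example_ prefix.
SAMPLE_ARFS = [
    _arf("web01.example.com", [
        ("xccdf_com.example_rule_sshd_disable_root_login", "pass", "medium"),
        ("xccdf_com.example_rule_sshd_disable_empty_passwords", "pass", "high"),
        ("xccdf_com.example_rule_audit_enabled", "notapplicable", "low"),
    ]),
    _arf("db01.example.com", [
        ("xccdf_com.example_rule_sshd_disable_root_login", "fail", "medium"),
        ("xccdf_com.example_rule_sshd_disable_empty_passwords", "pass", "high"),
        ("xccdf_com.example_rule_audit_enabled", "error", "low"),
    ]),
    _arf("bastion.example.com", [
        ("xccdf_com.example_rule_sshd_disable_root_login", "pass", "medium"),
        ("xccdf_com.example_rule_sshd_disable_empty_passwords", "notchecked", "high"),
    ]),
]


def parse_arf(arf_xml):
    """Return (target, {rule_id: result}) from the XCCDF TestResult inside an ARF."""
    root = ET.fromstring(arf_xml)
    test_result = root.find(".//xccdf:TestResult", NS)
    if test_result is None:
        raise ValueError("ARF contains no XCCDF TestResult")
    target = test_result.findtext("xccdf:target", default="<unknown>", namespaces=NS)
    results = {
        rr.get("idref"): rr.findtext("xccdf:result", namespaces=NS)
        for rr in test_result.findall("xccdf:rule-result", NS)
    }
    return target, results


def classify(results):
    """Any fail: incompliant. Otherwise error/unknown/notchecked, or no results: inconclusive."""
    if not results:
        return "inconclusive"
    values = set(results.values())
    if values & FAILING:
        return "incompliant"
    if values & INCONCLUSIVE:
        return "inconclusive"
    return "compliant"


def policy_summary(arf_documents):
    """Return (verdict counts, per-host detail) across all ARFs for one policy."""
    verdicts = Counter()
    per_host = {}
    for doc in arf_documents:
        target, results = parse_arf(doc)
        verdict = classify(results)
        verdicts[verdict] += 1
        per_host[target] = {
            "verdict": verdict,
            "failed": sorted(r for r, v in results.items() if v in FAILING),
            "counts": dict(Counter(results.values())),
        }
    return dict(verdicts), per_host


if __name__ == "__main__":
    totals, hosts = policy_summary(SAMPLE_ARFS)
    print("totals:", totals)
    for host, detail in hosts.items():
        print(f"{host}: {detail['verdict']} {detail['counts']} failed={detail['failed']}")
```

Because the scan runs on the host and the host uploads its own ARF, a report is the host's own account of its configuration: a host that is already compromised can upload whatever it likes. Treat the dashboard as configuration evidence rather than a tamper-proof attestation, and keep the uploaded ARFs so individual rule results can be re-examined when a host changes state.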