5.2.1. Install OpenSCAP Packages
Procedure 5.1. Installing OpenSCAP Packages
Install the OpenSCAP plugin and content on the Satellite Server and all external Capsule Servers.
- On the Satellite Server, install the OpenSCAP plug-in and content.
# satellite-installer --enable-foreman-plugin-openscap
Successful installation is indicated by a progress indicator, and the word Success!. The OpenSCAP plugin adds to the Satellite web UI a Compliance section, under the Hosts menu, containing the following pages:
- SCAP Contents
# yum install puppet-foreman_scap_client
- On all external Capsule Servers, install the OpenSCAP plug-in and content.
Note: If OpenSCAP functionality is to be enabled on a Capsule Server, Puppet must already have been enabled on that server.
# satellite-installer --enable-foreman-proxy-plugin-openscap
Successful installation is indicated by a progress indicator, and the word Success!. This provides the Puppet classes required to set up hosts to perform OpenSCAP scans and creates the Cron jobs for automated compliance scanning.
- On external Capsule Servers with the Puppet master role, install the OpenSCAP client.
# yum install puppet-foreman_scap_client
To identify the relevant external Capsule Servers, open the Satellite web UI, navigate to Infrastructure → Capsules and identify those external Capsule Servers with Puppet listed in the Features column.
5.2.2. Loading Default OpenSCAP Content
Procedure 5.2. Load the Default OpenSCAP Content
- Load the OpenSCAP content on the Satellite Server.
# foreman-rake foreman_openscap:bulk_upload:default
5.2.3. Importing OpenSCAP Puppet Modules
Procedure 5.3. Import OpenSCAP Puppet Modules
- OpenSCAP requires a Puppet environment, but by default Puppet environments are only created for Content Views which contain Puppet modules. To list available Puppet environments, open the Satellite web UI and navigate to Configure → Environments. If there are no Puppet environments, open a CLI session on the Satellite Server and create a directory for the
# mkdir -p /etc/puppet/environments/production/modules
- Import the OpenSCAP content into selected Puppet environments. Each host which is to be audited with OpenSCAP must be associated with a Puppet environment.
- In the Satellite web UI, select from the context menu Any Organization and Any Location.
- Navigate to Configure → Environments.
- Click Import, then Import from satellite.example.com.
- For each Puppet environment associated with hosts to be audited using OpenSCAP, select the check box, then click Update. If no other Puppet environment exists, select the production environment. The foreman_scap_client Puppet module, amongst others, will be added to the selected environments.
- Verify that the foreman_scap_client Puppet module has been added. Navigate to Configure → Environments, then click Classes in the Puppet environment's row. The procedure has been successful if the foreman_scap_client Puppet class is listed.
5.2.4. Uploading Extra SCAP Content
You can upload extra SCAP content into the Satellite Server, either content created by yourself or obtained elsewhere. SCAP content must be imported into the Satellite Server before being applied in a policy. For example, the scap-security-guide RPM package available in the Red Hat Enterprise Linux 7.2 repositories includes a profile for the Payment Card Industry Data Security Standard (PCI-DSS) version 3. You can upload this content into a Satellite Server even if it is not running Red Hat Enterprise Linux 7.2 as the content is not specific to an operating system version.
Procedure 5.4. Upload Extra SCAP Content
- Log in to the Satellite web UI.
- Navigate to Hosts → SCAP contents and click Upload New SCAP Content.
- Enter a title in the Title text box. For example:
RHEL 7.2 SCAP Content.
- Click Choose file, navigate to the location containing the SCAP content file and select Open.
- Click Submit.
If the SCAP content file is loaded successfully, a message similar to
Successfully created RHEL 7.2 SCAP Content will be shown and the list of SCAP Contents will include the new title.
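A pre-upload check for content obtained elsewhere, as an added example that is not part of the original documentation or of Satellite: it records the file's SHA-256, rejects DTD or entity declarations, and lists the XCCDF profiles so you can confirm the expected one (for example PCI-DSS) is present before clicking Submit. It assumes the file is an SCAP 1.2 source data stream; the function name, the sample document and its `com.example` identifiers are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
DS_ROOT = f"{{{DS_NS}}}data-stream-collection"

# Constructed sample: a minimal data stream skeleton, not real SCAP content.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="constructed-xccdf-component">
    <xccdf:Benchmark id="xccdf_com.example_benchmark_constructed">
      <xccdf:Profile id="xccdf_com.example_profile_pci-dss">
        <xccdf:title>PCI-DSS v3 Control Baseline (constructed)</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_com.example_profile_standard">
        <xccdf:title>Standard Profile (constructed)</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>"""


def inspect_scap_content(data: bytes) -> dict:
    """Return the SHA-256 and XCCDF profiles of an SCAP source data stream."""
    # SCAP content has no need for a DTD; refusing one avoids entity tricks.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not expected in SCAP content")
    root = ET.fromstring(data)  # raises ParseError on malformed XML
    if root.tag != DS_ROOT:
        raise ValueError(f"not an SCAP source data stream: root is {root.tag}")
    profiles = {}
    for prof in root.iter(f"{{{XCCDF_NS}}}Profile"):
        title = prof.findtext(f"{{{XCCDF_NS}}}title", default="").strip()
        profiles[prof.get("id")] = title
    if not profiles:
        raise ValueError("data stream contains no XCCDF profiles")
    return {"sha256": hashlib.sha256(data).hexdigest(), "profiles": profiles}


if __name__ == "__main__":
    info = inspect_scap_content(SAMPLE)
    print("sha256:", info["sha256"])
    for profile_id, title in info["profiles"].items():
        print(f"{profile_id}: {title}")
```

To check a real file, pass its bytes, for example `inspect_scap_content(open(path, "rb").read())`, and compare the digest with the one published by the content's source.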