5.2. Installation

5.2.1. Install OpenSCAP Packages

Procedure 5.1. Installing OpenSCAP Packages

Install the OpenSCAP plugin and content on the Satellite Server and all external Capsule Servers.
  1. On the Satellite Server, install the OpenSCAP plug-in and content.
    1. # satellite-installer --enable-foreman-plugin-openscap
      Successful installation is indicated by a progress indicator, and the word Success!. The OpenSCAP plugin adds to the Satellite web UI a Compliance section, under the Hosts menu, containing the following pages:
      • Policies
      • SCAP Contents
      • Reports
    2. # yum install puppet-foreman_scap_client
  2. On all external Capsule Servers, install the OpenSCAP plug-in and content.

    Note

    If OpenSCAP functionality is to be enabled on a Capsule Server, Puppet must already have been enabled on that server.
    # satellite-installer --enable-foreman-proxy-plugin-openscap
    Successful installation is indicated by a progress indicator, and the word Success!. This provides the Puppet classes required to set up hosts to perform OpenSCAP scans and creates the Cron jobs for automated compliance scanning.
  3. On external Capsule Servers with the Puppet master role, install the OpenSCAP client.
    # yum install puppet-foreman_scap_client
    To identify the relevant external Capsule Servers, open the Satellite web UI, navigate to InfrastructureCapsules and identify those external Capsule Servers with Puppet listed in the Features column.

5.2.2. Loading Default OpenSCAP Content

Procedure 5.2. Load the Default OpenSCAP Content

  • Load the OpenSCAP content on the Satellite Server.
    # foreman-rake foreman_openscap:bulk_upload:default

5.2.3. Importing OpenSCAP Puppet Modules

Procedure 5.3. Import OpenSCAP Puppet Modules

  1. OpenSCAP requires a Puppet environment, but by default they are only created for Content Views which contain Puppet modules. To list available Puppet environments, open the Satellite web UI and navigate to ConfigureEnvironments.
    If there are no Puppet environments, open a CLI session on the Satellite Server and create a directory for the production Puppet environment.
    # mkdir -p /etc/puppet/environments/production/modules
  2. Import the OpenSCAP content into selected Puppet environments. Each host which is to be audited with OpenSCAP must be associated with a Puppet environment.
    1. In the Satellite web UI, select from the context menu Any Organization and Any Location.
    2. Navigate to ConfigureEnvironments.
    3. Click Import, then Import from satellite.example.com.
    4. For each Puppet environment associated with hosts to be audited using OpenSCAP, select the check box, then click Update. If no other Puppet environment exists, select the production environment.
      The foreman_scap_client Puppet module, amongst others, will be added to the selected environments.
    5. Verify that the foreman_scap_client Puppet module has been added.
      Navigate to ConfigureEnvironments, then click Classes in the Puppet environment's row. The procedure has been successful if the foreman_scap_client Puppet class is listed.

5.2.4. Uploading Extra SCAP Content

You can upload extra SCAP content into the Satellite Server, either content created by yourself or obtained elsewhere. SCAP content must be imported into the Satellite Server before being applied in a policy. For example, the scap-security-guide RPM package available in the Red Hat Enterprise Linux 7.2 repositories includes a profile for the Payment Card Industry Data Security Standard (PCI-DSS) version 3. You can upload this content into a Satellite Server even if it is not running Red Hat Enterprise Linux 7.2 as the content is not specific to an operating system version.

Procedure 5.4. Upload Extra SCAP Content

  1. Log in to the Satellite web UI.
  2. Navigate to HostsSCAP contents and click Upload New SCAP Content.
  3. Enter a title in the Title text box. For example: RHEL 7.2 SCAP Content.
  4. Click Choose file, navigate to the location containing the SCAP content file and select Open.
  5. Click Submit.
If the SCAP content file is loaded successfully, a message similar to Successfully created RHEL 7.2 SCAP Content will be shown and the list of SCAP Contents will include the new title.