SCAP content is a datastream format containing the configuration and security baseline against which hosts are checked. Checklists are described in the extensible checklist configuration description format (XCCDF) and vulnerabilities in the open vulnerability and assessment language (OVAL). Checklist items, also known as rules, express the desired configuration of a system item. For example, you may specify that no one can log in to a host over SSH using the user account. Rules can be grouped into one or more profiles, allowing multiple profiles to share a rule. SCAP content consists of both rules and profiles.
You can either create SCAP content or obtain it from a vendor. Supported profiles are provided for Red Hat Enterprise Linux in the scap-security-guide package. The creation of SCAP content is outside the scope of this guide, but see the Red Hat Enterprise Linux 7 Security Guide or the Red Hat Enterprise Linux 6 Security Guide for information on how to download, deploy, modify, and create your own content. The SCAP content provided with Red Hat Enterprise Linux is compliant with SCAP specification 1.2.
The default SCAP content provided with the OpenSCAP components of Satellite 6 depends on the version of Red Hat Enterprise Linux:
On Red Hat Enterprise Linux 6, content for Red Hat Enterprise Linux 6 is installed.
On Red Hat Enterprise Linux 7, content for both Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 is installed.
An XCCDF profile is a checklist against which a host or host group is evaluated. Profiles are generally created to verify compliance with a standard, whether that be an industry standard or a custom standard.
To list all available profiles, open the Satellite web UI and navigate to the SCAP Content tab. Select the SCAP Content of interest and browse the available profiles in the XCCDF Profile drop-down list.
→ , select from the drop-down list next to the policy of interest and select the
The profiles provided with Satellite 6 are obtained from the OpenSCAP
A scheduled audit, also known as a compliance policy, is a scheduled task which checks the specified hosts for compliance against an XCCDF profile. The schedule on which a scan is run is specified by the Satellite Server, but the scan itself occurs on the host. When the scan is complete, an Asset Reporting File (ARF) is generated in XML format and uploaded to the Satellite Server. You can see the results of the scan in the compliance policy dashboard. A compliance policy does not make any changes to the scanned hosts. The OpenSCAP content includes several profiles and their associated rules, but no policies are included by default.