Chapter 12. Running OpenSCAP Scans
Procedure
- In the Satellite web UI, navigate to Hosts > All Hosts.
- Select one or multiple hosts.
- Click on Run OpenSCAP scan.
Alternatively, schedule a remote job to scan one or multiple hosts. For more information, see Executing a Remote Job in Managing Hosts.
12.1. Configuring a Host for OpenSCAP
Use this procedure to configure all the OpenSCAP requirements for a host.
Prerequisites
- Enable OpenSCAP on Capsule. For more information, see Enabling OpenSCAP on External Capsules in Installing Capsule Server.
- Assign an OpenSCAP Capsule.
- Assign a Puppet environment that contains the Puppet classes to deploy the OpenSCAP policies.
- Assign the foreman_scap_client and foreman_scap_client::params Puppet classes.
- Assign any compliance policies that you want to add.
For information about creating and administering hosts, see the Managing Hosts guide.
Procedure
- In the Satellite web UI, navigate to Hosts > All Hosts, and select Edit on the host you want to configure for OpenSCAP reporting.
- From the Puppet Environment list, select the Puppet environment that contains the foreman_scap_client and foreman_scap_client::params Puppet classes.
- From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
- Click the Puppet Classes tab, and add the foreman_scap_client and foreman_scap_client::params Puppet classes.
- To add a compliance policy, navigate to one of the following locations:
- In the Satellite web UI, navigate to Hosts > All Hosts.
- Select the host or hosts to which you want to add the policy.
- Click Select Action.
- Select Assign Compliance Policy from the list.
- In the Policy window, select the policy that you want from the list of available policies and click Submit.
12.2. Monitoring Compliance
Satellite enables centralized compliance monitoring and management. A compliance dashboard provides an overview of compliance of hosts and the ability to view details for each host within the scope of that policy. Compliance reports provide a detailed analysis of compliance of each host with the applicable policy. With this information, you can evaluate the risks presented by each host and manage the resources required to bring hosts into compliance.
Common objectives when monitoring compliance using SCAP include the following:
- Verifying policy compliance.
- Detecting changes in compliance.
12.2.1. Compliance Policy Dashboard
The compliance policy dashboard provides a statistical summary of compliance of hosts and the ability to view details for each host within the scope of that policy. For all hosts which were evaluated as non-compliant, the Failed statistic provides a useful metric for prioritizing compliance effort. The hosts detected as Never audited should also be a priority, since their status is unknown.

12.2.2. Viewing the Compliance Policy Dashboard
Use the Satellite web UI to verify policy compliance with the compliance policy dashboard.
Procedure
- In the Satellite web UI, navigate to Hosts > Policies.
- Click the required policy name. The dashboard provides the following information:
- A ring chart illustrating a high-level view of compliance of hosts with the policy.
- A statistical breakdown of compliance of hosts with the policy, in a tabular format.
- Links to the latest policy report for each host.
12.2.3. Compliance Email Notifications
Satellite Server sends an OpenSCAP Summary email to all users who subscribe to the Openscap policy summary email notifications. For more information on subscribing to email notifications, see Section 10.2, “Configuring Email Notification Preferences”. Each time a policy is run, Satellite checks the results against the previous run, noting any changes between them. The email is sent according to the frequency requested by each subscriber, providing a summary of each policy and its most recent result.
An OpenSCAP Summary email message contains the following information:
- Details of the time period it covers.
- Totals for all hosts by status: changed, compliant, and noncompliant.
- A tabular breakdown of each host and the result of its latest policy, including totals of the rules that passed, failed, changed, or where results were unknown.
12.2.4. Compliance Reports
A compliance report is the output of a policy run against a host. Each report includes the total number of rules passed or failed per policy. By default, reports are listed in descending date order.
In the Satellite web UI, navigate to Hosts > Reports to list all compliance reports.
A compliance report consists of the following areas:
- Introduction
- Evaluation Characteristics
- Compliance and Scoring
- Rule Overview
Evaluation Characteristics
The Evaluation Characteristics area provides details about an evaluation against a specific profile, including the host that was evaluated, the profile used in the evaluation, and when the evaluation started and finished. For reference, the IPv4, IPv6, and MAC addresses of the host are also listed.
| Name | Description | Example |
|---|---|---|
| Target machine | The fully-qualified domain name (FQDN) of the evaluated host. | |
| Benchmark URL | The URL of the SCAP content against which the host was evaluated. | |
| Benchmark ID | The identifier of the benchmark against which the host was evaluated. A benchmark is a set of profiles. | |
| Profile ID | The identifier of the profile against which the host was evaluated. | |
| Started at | The date and time at which the evaluation started, in ISO 8601 format. | |
| Finished at | The date and time at which the evaluation finished, in ISO 8601 format. | |
| Performed by | The local account name under which the evaluation was performed on the host. | |
Compliance and Scoring
The Compliance and Scoring area provides an overview of whether or not the host is in compliance with the profile rules, a breakdown of compliance failures by severity, and an overall compliance score as a percentage. If compliance with a rule was not checked, this is categorized in the Rule results field as Other.
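The following added example (not code from Satellite or OpenSCAP) shows how the figures in this area can be derived from XCCDF 1.2 result data: it tallies rule results as passed, failed, or other, breaks failures down by severity, and converts the score to a percentage. The embedded TestResult, its host name, and its rule IDs are constructed for illustration, and the function name summarize is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample: a minimal XCCDF 1.2 TestResult, not output of a real scan.
SAMPLE = """\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_testresult_demo">
  <target>host1.example.com</target>
  <rule-result idref="xccdf_org.example_rule_a" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_b" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_c" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_d" severity="low"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_e" severity="low"><result>notchecked</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_f" severity="low"><result>notapplicable</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">50.0</score>
</TestResult>
"""

def summarize(xml_text):
    """Tally rule results into passed / failed / other and break failures down by severity."""
    # Results uploaded by hosts are untrusted input; prefer a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    # The TestResult may be the root or nested inside a Benchmark or ARF wrapper.
    tr = root if root.tag == "{%s}TestResult" % NS["x"] else root.find(".//x:TestResult", NS)
    if tr is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    totals, failed_by_severity, other_rules = Counter(), Counter(), []
    for rr in tr.findall("x:rule-result", NS):
        result = (rr.findtext("x:result", default="", namespaces=NS) or "unknown").strip()
        if result == "pass":
            totals["passed"] += 1
        elif result == "fail":
            totals["failed"] += 1
            failed_by_severity[rr.get("severity", "unknown")] += 1
        else:  # anything other than pass or fail, for example notchecked or error
            totals["other"] += 1
            other_rules.append((rr.get("idref"), result))
    score = tr.find("x:score", NS)
    percent = None
    if score is not None and score.text:
        percent = 100.0 * float(score.text) / float(score.get("maximum", "100"))
    return {"target": tr.findtext("x:target", namespaces=NS), "totals": dict(totals),
            "failed_by_severity": dict(failed_by_severity),
            "other_rules": other_rules, "score_percent": percent}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The other_rules list is the part to review first when a host's score looks acceptable, because those rules were not actually verified as passing.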
Rule Overview
The Rule Overview area provides details about every rule and the compliance result, with the rules presented in a hierarchical layout.
Select or clear the checkboxes to narrow the list of rules included in the compliance report. For example, if the focus of your review is any non-compliance, clear the pass and informational checkboxes.
To search all rules, enter a criterion in the Search field. The search is dynamically applied as you type. The Search field only accepts a single plain-text search term and it is applied as a case-insensitive search. When you perform a search, only those rules whose descriptions match the search criterion will be listed. To remove the search filter, delete the search criterion.
For an explanation of each result, hover the cursor over the status shown in the Result column.
12.2.5. Examining Compliance Failures of Hosts
Use the Satellite web UI to determine why a host failed compliance on a rule.
Procedure
- In the Satellite web UI, navigate to Hosts > Reports to list all compliance reports.
- Click View Report in the row of the specific host to view the details of an individual report.
- Click on the rule’s title to see further details:
- A description of the rule with instructions for bringing the host into compliance if available.
- The rationale for the rule.
- In some cases, a remediation script.
Do not implement any of the recommended remedial actions or scripts without first testing them in a non-production environment.
12.2.6. Searching Compliance Reports
Use the Compliance Reports search field to filter the list of available reports on any given subset of hosts.
Procedure
- To apply a filter, enter the search query in the Search field and click Search. The search query is case insensitive.
Search Use Cases
The following search query finds all compliance reports for which more than five rules failed:
failed > 5
The following search query finds all compliance reports created after January 1, YYYY, for hosts with host names that contain the prod- group of characters:
host ~ prod- AND date > "Jan 1, YYYY"
The following search query finds all reports generated by the rhel7_audit compliance policy from an hour ago:
date = "1 hour ago" AND compliance_policy = rhel7_audit
The following search query finds reports that pass an XCCDF rule:
xccdf_rule_passed = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions
The following search query finds reports that fail an XCCDF rule:
xccdf_rule_failed = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions
The following search query finds reports that have a result different than fail or pass for an XCCDF rule:
xccdf_rule_othered = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions
Additional Information
- To see a list of available search parameters, click the empty Search field.
- You can create complex queries with the following logical operators: and, not and has. For more information about logical operators, see Section 9.7.3, “Supported Operators for Granular Search”.
- You cannot use regular expressions in a search query. However, you can use multiple fields in a single search expression. For more information about all available search operators, see Section 9.7.3, “Supported Operators for Granular Search”.
- You can bookmark a search to reuse the same search query. For more information, see Section 21.3.1, “Creating Bookmarks”.
12.2.7. Deleting a Compliance Report
You can delete compliance reports on your Satellite.
Procedure
- In the Satellite web UI, navigate to Hosts > Reports.
- In the Compliance Reports window, identify the policy that you want to delete and, on the right of the policy’s name, select Delete.
- Click OK.
12.2.8. Deleting Multiple Compliance Reports
You can delete multiple compliance policies simultaneously. However, in the Satellite web UI, compliance policies are paginated, so you must delete one page of reports at a time. If you want to delete all OpenSCAP reports, use the script in the Deleting OpenSCAP Reports section of the API Guide.
Procedure
- In the Satellite web UI, navigate to Hosts > Reports.
- In the Compliance Reports window, select the compliance reports that you want to delete.
- In the upper right of the list, select Delete reports.
- Repeat these steps for as many pages as you want to delete.
12.3. Specifications Supported by OpenSCAP
The following specifications are supported by OpenSCAP:
| Title | Description | Version |
|---|---|---|
| XCCDF | The Extensible Configuration Checklist Description Format | 1.2 |
| OVAL | Open Vulnerability and Assessment Language | 5.11 |
| - | Asset Identification | 1.1 |
| ARF | Asset Reporting Format | 1.1 |
| CCE | Common Configuration Enumeration | 5.0 |
| CPE | Common Platform Enumeration | 2.3 |
| CVE | Common Vulnerabilities and Exposures | - |
| CVSS | Common Vulnerability Scoring System | 2.0 |