Chapter 7. Managing Security Compliance

Security compliance management is the ongoing process of defining security policies, auditing for compliance with those policies and resolving instances of non-compliance. Any non-compliance is managed according to the organization’s configuration management policies. Security policies range in scope from host-specific to industry-wide, therefore, flexibility in their definition is required.

7.1. Security Content Automation Protocol

Satellite uses the Security Content Automation Protocol (SCAP) to define security configuration policies. For example, a security policy might specify that for hosts running Red Hat Enterprise Linux, login via SSH is not permitted for the root account. With Satellite, you can schedule compliance auditing and reporting on all managed hosts. For more information about SCAP, see the Red Hat Enterprise Linux 7 Security Guide.

7.1.1. SCAP Content

SCAP content is a datastream format containing the configuration and security baseline against which hosts are checked. Checklists are described in the Extensible Configuration Checklist Description Format (XCCDF) and vulnerabilities in the Open Vulnerability and Assessment Language (OVAL). Checklist items, also known as rules, express the desired configuration of a system item. For example, you may specify that no one can log in to a host over SSH using the root user account. Rules can be grouped into one or more profiles, allowing multiple profiles to share a rule. SCAP content consists of both rules and profiles.

You can either create SCAP content or obtain it from a vendor. Supported profiles are provided for Red Hat Enterprise Linux in the scap-security-guide package. The creation of SCAP content is outside the scope of this guide, but see the Red Hat Enterprise Linux 7 Security Guide for information on how to download, deploy, modify, and create your own content.

The default SCAP content provided with the OpenSCAP components of Satellite depends on the version of Red Hat Enterprise Linux. On Red Hat Enterprise Linux 7, content for both Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 is installed.

7.1.2. XCCDF Profile

An XCCDF profile is a checklist against which a host or host group is evaluated. Profiles are created to verify compliance with an industry standard or custom standard.

The profiles provided with Satellite are obtained from the OpenSCAP project.

7.1.2.1. Listing Available XCCDF Profiles

In the Satellite web UI, list the available XCCDF profiles.

Procedure

  • In the Satellite web UI, navigate to Hosts > SCAP contents.

7.2. Installing the OpenSCAP Plug-in

You can install and enable the OpenSCAP plug-in to generate OpenSCAP compliance reports. The OpenSCAP plug-in consists of the main OpenSCAP plug-in itself, the OpenSCAP smart proxy plug-in, and the OpenSCAP Hammer CLI plug-in.

Procedure

  1. Install the OpenSCAP plug-in on your Satellite Server:

    # satellite-installer --enable-foreman-plugin-openscap --enable-foreman-proxy-plugin-openscap
  2. Install the OpenSCAP plug-in on any Capsule Servers:

    # satellite-installer --enable-foreman-proxy-plugin-openscap
  3. Install the OpenSCAP plug-in Puppet module:

    # yum install puppet-foreman_scap_client
  4. In the Satellite web UI, navigate to Configure > Puppet Classes.
  5. Click Import environments from satellite.example.com.

    You can use Puppet to install and configure the OpenSCAP plug-in on your Satellite Server and Capsules.

7.3. Configuring SCAP Content

7.3.1. Importing OpenSCAP Puppet Modules

Note

If you do not use Puppet to configure OpenSCAP auditing on hosts, you can skip this procedure.

To audit hosts with OpenSCAP, you must first import a Puppet environment. The Puppet environment contains the Puppet classes you must assign to each host to deploy the OpenSCAP configuration.

You must associate each host that you want to audit with the Puppet environment in the Satellite web UI.

Procedure

  1. In the Satellite web UI, navigate to Configure > Environments.
  2. Click Import environments from satellite.example.com.
  3. Select the Puppet environment checkbox associated with the host you want to audit.

    If no Puppet environment exists, select the production environment checkbox. The Puppet classes that you require for OpenSCAP are in the production environment by default.

  4. Click Update.

7.3.2. Loading the Default OpenSCAP Content

In the CLI, load the default OpenSCAP content using one of the following methods.

Procedure

  • Use the Hammer command:

    # hammer scap-content bulk-upload --type default
  • (Deprecated) Use the foreman-rake command:

    # foreman-rake foreman_openscap:bulk_upload:default

7.3.3. Extra SCAP Content

You can upload extra SCAP content into Satellite Server, either content created by yourself or obtained elsewhere. SCAP content must be imported into Satellite Server before being applied in a policy.

For example, the scap-security-guide RPM package available in the Red Hat Enterprise Linux repositories includes a profile for the Payment Card Industry Data Security Standard (PCI-DSS) version 3. You can upload this content into a Satellite Server even if it is not running Red Hat Enterprise Linux as the content is not specific to an operating system version.

7.3.3.1. Uploading Extra SCAP Content

In the Satellite web UI, upload the extra SCAP content. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Hosts > SCAP contents and click New SCAP Content.
  2. Enter a title in the Title text box.

    Example: RHEL 7.2 SCAP Content.

  3. Click Choose file, navigate to the location containing the SCAP content file and select Open.
  4. Click Submit.

If the SCAP content file is loaded successfully, a message similar to Successfully created RHEL 7.2 SCAP Content is shown and the list of SCAP Contents includes the new title.

CLI procedure

  1. To upload SCAP content to your Satellite Server, enter the following command:

    # hammer scap-content bulk-upload \
    --directory /usr/share/xml/scap/ssg/content/ \
    --location "_My_Location_" \
    --organization "_My_Organization_" \
    --type directory

    SCAP content in /usr/share/xml/scap/ssg/content/ is part of the scap-security-guide package.

7.4. Managing Compliance Policies

7.4.1. Compliance Policy

A scheduled audit, also known as a compliance policy, is a scheduled task that checks the specified hosts for compliance against an XCCDF profile. The schedule for scans is specified by Satellite Server and the scans are performed on the host. When a scan completes, an Asset Reporting File (ARF) is generated in XML format and uploaded to Satellite Server. You can see the results of the scan in the compliance policy dashboard. No changes are made to the scanned host by the compliance policy. The SCAP content includes several profiles with associated rules but policies are not included by default.
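The ARF that each scan uploads is what the compliance dashboard summarizes. The following script, an added example that is not part of Satellite or the OpenSCAP plug-in, parses a constructed, trimmed ARF document (an XCCDF 1.2 TestResult wrapped in the ARF envelope), counts rule outcomes, and lists failing rules by severity. The host name, profile id and rule ids in the sample are illustrative placeholders in the scap-security-guide naming style; a real ARF file is far larger but carries the same rule-result structure.

```python
"""Summarize an OpenSCAP ARF result file by rule outcome (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a trimmed ARF wrapper around an XCCDF 1.2 TestResult.
# Host name, profile id and rule ids are illustrative placeholders.
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <xccdf:TestResult id="xccdf_org.open-scap_testresult_example"
            start-time="2023-01-01T00:00:00" end-time="2023-01-01T00:01:00">
          <xccdf:profile idref="xccdf_org.ssgproject.content_profile_example"/>
          <xccdf:target>host1.example.com</xccdf:target>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
              severity="medium"><xccdf:result>fail</xccdf:result></xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"
              severity="medium"><xccdf:result>pass</xccdf:result></xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_package_audit_installed"
              severity="high"><xccdf:result>fail</xccdf:result></xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password"
              severity="high"><xccdf:result>notapplicable</xccdf:result></xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_example_notchecked"
              severity="low"><xccdf:result>notchecked</xccdf:result></xccdf:rule-result>
        </xccdf:TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""


def _local(tag):
    """Strip the namespace prefix that ElementTree puts in braces before the tag name."""
    return tag.rsplit('}', 1)[-1]


def parse_arf(xml_text):
    """Return (target, profile_id, [(rule_id, severity, result), ...]) for the first TestResult."""
    root = ET.fromstring(xml_text)
    test_result = next(e for e in root.iter() if _local(e.tag) == 'TestResult')
    target = profile = None
    rows = []
    for child in test_result:
        name = _local(child.tag)
        if name == 'target':
            target = child.text
        elif name == 'profile':
            profile = child.get('idref')
        elif name == 'rule-result':
            result = next(c.text for c in child if _local(c.tag) == 'result')
            rows.append((child.get('idref'), child.get('severity', 'unknown'), result))
    return target, profile, rows


def summarize(rows):
    """Count outcomes and list failing rules, highest severity first."""
    counts = Counter(result for _, _, result in rows)
    order = {'high': 0, 'medium': 1, 'low': 2}
    failed = sorted((r for r in rows if r[2] == 'fail'), key=lambda r: order.get(r[1], 3))
    return counts, failed


def compliance_ratio(counts):
    """Share of evaluated rules that passed; notapplicable/notchecked are excluded."""
    evaluated = counts.get('pass', 0) + counts.get('fail', 0) + counts.get('error', 0)
    return counts.get('pass', 0) / evaluated if evaluated else 0.0


if __name__ == '__main__':
    target, profile, rows = parse_arf(SAMPLE_ARF)
    counts, failed = summarize(rows)
    print(f"{target} evaluated against {profile}")
    for outcome, n in sorted(counts.items()):
        print(f"  {outcome}: {n}")
    print(f"  compliance: {compliance_ratio(counts):.0%}")
    for rule_id, severity, _ in failed:
        print(f"  FAIL [{severity}] {rule_id}")
```

The ratio deliberately counts only rules that were actually evaluated (pass, fail, error); notapplicable and notchecked results are reported but not treated as either success or failure, which matches how an empty or partially applicable profile should be read rather than inflating the compliance figure.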

7.4.2. Creating a Compliance Policy

With Satellite, you can create a compliance policy to scan your content hosts and ensure that the hosts remain compliant with your security requirements.

You can use either Puppet or Ansible to deploy the compliance policy to your hosts. Note that Puppet runs by default every 30 minutes. If you assign a new policy, the next Puppet run synchronizes the policy to the host. However, Ansible does not perform scheduled runs. To add a new policy, you must run the Ansible role manually or using remote execution. For more information about remote execution, see Configuring and Setting up Remote Jobs in the Managing Hosts guide.

Prerequisites

Before you begin, you must decide whether you want to use a Puppet or Ansible deployment.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Policies, and select whether you want a manual, Ansible, or Puppet deployment.
  2. Enter a name for this policy, a description (optional), then click Next.
  3. Select the SCAP Content and XCCDF Profile to be applied, then click Next.

    Note that the OpenSCAP plug-in does not detect if a SCAP content role has no content, which means that the Default XCCDF Profile might return an empty report.

  4. Specify the scheduled time when the policy is to be applied, then click Next.

    Select Weekly, Monthly, or Custom from the Period list.

    • If you select Weekly, also select the desired day of the week from the Weekday list.
    • If you select Monthly, also specify the desired day of the month in the Day of month field.
    • If you select Custom, enter a valid Cron expression in the Cron line field.

      The Custom option allows for greater flexibility in the policy’s schedule than either the Weekly or Monthly options.

  5. Select the locations to which the policy is to be applied, then click Next.
  6. Select the organizations to which the policy is to be applied, then click Next.
  7. Select the host groups to which the policy is to be applied, then click Submit.

When the Puppet agent runs on the hosts which belong to the selected host group, or hosts to which the policy has been applied, the OpenSCAP client will be installed and a Cron job added with the policy’s specified schedule. The SCAP Content tab provides the name of the SCAP content file which will be distributed to the directory /var/lib/openscap/content/ on all target hosts.

7.4.3. Viewing a Compliance Policy

You can preview the rules which will be applied by specific OpenSCAP content and profile combination. This is useful when planning policies.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Policies.
  2. In the Actions column of the required policy, click Show Guide or select it from the list.

7.4.4. Editing a Compliance Policy

In the Satellite web UI, you can edit compliance policies.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Policies.
  2. From the drop-down list to the right of the policy’s name, select Edit.
  3. Edit the necessary attributes.
  4. Click Submit.

An edited policy is applied to the host when its Puppet agent next checks with Satellite Server for updates. By default, this occurs every 30 minutes.

7.4.5. Deleting a Compliance Policy

In the Satellite web UI, you can delete existing compliance policies.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Policies.
  2. From the drop-down list to the right of the policy’s name, select Delete.
  3. Click OK in the confirmation message.

7.5. Tailoring Files

Tailoring Files allow existing OpenSCAP policies to be customized without forking or rewriting the policy. You can assign a Tailoring File to a policy when creating or updating a policy.

You can create a Tailoring File using the SCAP Workbench. For more information on using the SCAP Workbench tool, see Customizing SCAP Security Guide for your use-case.
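Both the XCCDF profiles described in Section 7.1 and the Tailoring Files described here are XCCDF Profile elements that select or deselect rules, and a tailoring profile extends a benchmark profile rather than copying it. The script below, an added example that is not part of Satellite, SCAP Workbench or the scap-security-guide, parses a constructed minimal benchmark and a constructed tailoring file and resolves the effective rule set of each profile, so you can see exactly which rules a policy will evaluate before assigning it. All benchmark, profile and rule ids are illustrative placeholders in the scap-security-guide naming style; the tailoring file's `benchmark href` is likewise a placeholder.

```python
"""Resolve which XCCDF rules a profile selects, with and without a tailoring file (added example)."""
import xml.etree.ElementTree as ET

# Constructed minimal XCCDF 1.2 benchmark: three rules, one base profile.
# Ids are illustrative placeholders, not real scap-security-guide content.
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <Profile id="xccdf_org.ssgproject.content_profile_base">
    <title>Example base profile</title>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
  </Profile>
  <Group id="xccdf_org.ssgproject.content_group_ssh">
    <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"/>
    <Rule id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium"/>
    <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high"/>
  </Group>
</Benchmark>
"""

# Constructed tailoring file: two customized profiles extending the base profile,
# one deselecting the idle-timeout rule, one adding the empty-password rule.
SAMPLE_TAILORING = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_tailoring_default">
  <benchmark href="ssg-rhel7-ds.xml"/>
  <version time="2023-01-01T00:00:00">1</version>
  <Profile id="xccdf_org.ssgproject.content_profile_base_customized"
      extends="xccdf_org.ssgproject.content_profile_base">
    <title>Base, minus idle timeout</title>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="false"/>
  </Profile>
  <Profile id="xccdf_org.ssgproject.content_profile_base_strict"
      extends="xccdf_org.ssgproject.content_profile_base">
    <title>Base, plus empty-password check</title>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/>
  </Profile>
</Tailoring>
"""


def _local(tag):
    """Strip the namespace prefix that ElementTree puts in braces before the tag name."""
    return tag.rsplit('}', 1)[-1]


def load_profiles(xml_text):
    """Map profile id -> (extends, [(rule_id, selected_bool), ...]) from a Benchmark or Tailoring."""
    profiles = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != 'Profile':
            continue
        selects = [(s.get('idref'), s.get('selected', 'true') == 'true')
                   for s in elem if _local(s.tag) == 'select']
        profiles[elem.get('id')] = (elem.get('extends'), selects)
    return profiles


def load_rules(benchmark_xml):
    """Map rule id -> selected-by-default flag (XCCDF Rule@selected defaults to false)."""
    return {e.get('id'): e.get('selected', 'false') == 'true'
            for e in ET.fromstring(benchmark_xml).iter() if _local(e.tag) == 'Rule'}


def list_profiles(benchmark_xml, tailoring_xml=None):
    """Profile ids selectable for a policy: benchmark profiles plus any tailoring profiles."""
    profiles = load_profiles(benchmark_xml)
    if tailoring_xml:
        profiles.update(load_profiles(tailoring_xml))
    return profiles


def resolve(profile_id, profiles, rules):
    """Walk the extends chain (deepest ancestor first) and apply each profile's selects in order."""
    chain = []
    pid = profile_id
    while pid is not None:
        if pid not in profiles:
            raise KeyError(f'unknown profile {pid}')
        if pid in chain:
            raise ValueError(f'cyclic extends at {pid}')
        chain.append(pid)
        pid = profiles[pid][0]
    selected = {rid for rid, on in rules.items() if on}
    for pid in reversed(chain):
        for rid, on in profiles[pid][1]:
            if rid not in rules:
                raise KeyError(f'profile {pid} selects unknown rule {rid}')
            (selected.add if on else selected.discard)(rid)
    return sorted(selected)


if __name__ == '__main__':
    rules = load_rules(SAMPLE_BENCHMARK)
    profiles = list_profiles(SAMPLE_BENCHMARK, SAMPLE_TAILORING)
    for pid in profiles:
        print(pid)
        for rid in resolve(pid, profiles, rules):
            print('   ', rid)
```

Because a tailoring file can carry several profiles, `list_profiles` returns all of them alongside the benchmark's own; that is why the policy form asks for a separate "XCCDF Profile in Tailoring File". The unknown-rule check in `resolve` catches a tailoring file written against a different benchmark, which would otherwise silently select nothing.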

7.5.1. Uploading a Tailoring File

In the Satellite web UI, you can upload a Tailoring file.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance – Tailoring Files and click New Tailoring File.
  2. Enter a name in the Name text box.
  3. Click Choose File, navigate to the location containing the SCAP DataStream Tailoring File and select Open.
  4. Click Submit to upload the chosen Tailoring File.

7.5.2. Assigning a Tailoring File to a Policy

In the Satellite web UI, assign a Tailoring file to a policy.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance – Policies.
  2. Click New Policy, or New Compliance Policy if there are existing Compliance Policies.
  3. Enter a name in the Name text box, and click Next.
  4. Select a SCAP content from the dropdown menu.
  5. Select an XCCDF Profile from the dropdown menu.
  6. Select a Tailoring File from the dropdown menu.
  7. Select an XCCDF Profile in Tailoring File from the dropdown menu.

    It is important to select the XCCDF Profile because Tailoring Files are able to contain multiple XCCDF Profiles.

  8. Click Next.
  9. Select a Period from the dropdown menu.
  10. Select a Weekday from the dropdown menu, and click Next.
  11. Select a Location to move it to the Selected Items window, and click Next.
  12. Select an Organization to move it to the Selected Items window, and click Next.
  13. Select a Hostgroup to move it to the Selected Items window, and click Submit.

7.6. Configuring a Host Group for OpenSCAP

Use this procedure to configure all the OpenSCAP requirements for a host group.

Prerequisites

  • Enable OpenSCAP on Capsule. For more information, see Enabling OpenSCAP on External Capsules in the Installing Capsule Server guide.
  • Assign an OpenSCAP Capsule.
  • Assign a Puppet environment that contains the Puppet classes to deploy the OpenSCAP policies.
  • Assign the foreman_scap_client and foreman_scap_client::params Puppet classes.
  • Assign any compliance policies that you want to add.

For information about creating and administering hosts, see the Managing Hosts guide.

Procedure

  1. In the Satellite web UI, navigate to Configure > Host Groups, and either create a host group or click the host group that you want to configure for OpenSCAP reporting.
  2. From the Puppet Environment list, select the Puppet environment that contains the foreman_scap_client and foreman_scap_client::params Puppet classes.
  3. From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  4. Click the Puppet Classes tab, and add the foreman_scap_client and foreman_scap_client::params Puppet classes.
  5. Click Submit to save your changes.
  6. In the Satellite web UI, navigate to Hosts > Policies.
  7. Select the policy that you want to assign to the host group.
  8. Click the Host Groups tab.
  9. From the Host Groups list, select as many host groups as you want to assign to this policy.
  10. Click Submit to save your changes.