6.4. Performing Audit Scans
OpenSCAP integration in Red Hat Satellite Server provides the ability to perform audit scans on client systems. This section describes the methods available for performing these scans.
6.4.1. Using the Web Interface to Perform Audit Scans
This section describes how to use the Satellite web interface to perform audit scans.
Procedure 6.1. To Perform an Audit Scan Using the Web Interface:
- Log in to the Satellite web interface.
- Click
- Click
- Complete the Schedule New XCCDF Scan page. See Section 6.5.2.3, “Schedule Page” for information about the fields on this page.
Warning
The XCCDF content is validated before it is run on the remote system. Specifying invalid command-line arguments can cause spacewalk-oscap to fail to validate or run. Due to security concerns, the oscap xccdf eval command only accepts a limited set of parameters.
Note
You can run the rhn_check command to ensure that the action is being picked up by the client system.
# rhn_check -vv
If rhnsd or osad is running on the client system, the action will be picked up by these services. To make sure that one of them is running and enabled at boot, run one of the following sets of commands.
For Red Hat Enterprise Linux 5 and 6:
# service rhnsd start
# chkconfig rhnsd on
OR
# service osad start
# chkconfig osad on
For Red Hat Enterprise Linux 7:
# systemctl enable rhnsd
# systemctl start rhnsd
OR
# systemctl enable osad
# systemctl start osad
To view the results of the scan, see Section 6.4.3, “Viewing the Results of SCAP Audits”.
6.4.2. Using the API to Perform Audit Scans
This section describes how to use the Satellite API to perform audit scans.
Procedure 6.2. To Perform an Audit Scan Using the API:
- Choose an existing script or create a script for scheduling a system scan through system.scap.scheduleXccdfScan, the front-end API, for example:
#!/usr/bin/python
import xmlrpclib
client = xmlrpclib.Server('https://satellite.example.com/rpc/api')
key = client.auth.login('username', 'password')
client.system.scap.scheduleXccdfScan(key, 1000010001,
    '/usr/local/share/scap/usgcb-rhel5desktop-xccdf.xml',
    '--profile united_states_government_configuration_baseline')
Where:
  - 1000010001 is the system ID (sid).
  - /usr/local/share/scap/usgcb-rhel5desktop-xccdf.xml is the path to the content location on the client system. In this case, it assumes USGCB content in the /usr/local/share/scap directory.
  - --profile united_states_government_configuration_baseline is an additional argument to the oscap command. In this case, it is using the USGCB.
- Run the script on the command-line interface of any system. The system needs the appropriate Python and XML-RPC libraries installed.
Note
You can run the rhn_check command to ensure that the action is being picked up by the client system.
# rhn_check -vv
If rhnsd or osad is running on the client system, the action will be picked up by these services. To make sure that one of them is running and enabled at boot, run one of the following sets of commands:
For Red Hat Enterprise Linux 5 and 6:
# service rhnsd start
# chkconfig rhnsd on
OR
# service osad start
# chkconfig osad on
For Red Hat Enterprise Linux 7:
# systemctl enable rhnsd
# systemctl start rhnsd
OR
# systemctl enable osad
# systemctl start osad
6.4.3. Viewing the Results of SCAP Audits
There are three methods of viewing the results of finished scans:
- Using the web interface. After the scan has finished, the results are available on the page of specific system. See Section 6.5, “OpenSCAP Satellite Web Interface”.
- Using the API functions in handler system.scap.
- Using the spacewalk-report command, as follows:
# spacewalk-report system-history-scap
# spacewalk-report scap-scan
# spacewalk-report scap-scan-results
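The following added example (not part of the original guide) shows one way to use the system.scap handler to pull the newest stored scan of a system and list the rules that need follow-up. It is written for Python 3 and assumes the handler's listXccdfScans and getXccdfScanRuleResults calls and the field names xid, idref, result and idents, none of which appear on this page; the rule names and identifiers in the sample are constructed.

```python
from collections import Counter

# Results that call for follow-up; "pass", "notapplicable", "notselected" are left out.
ACTIONABLE = {"fail", "error", "unknown"}

# Constructed sample in the assumed shape of getXccdfScanRuleResults output.
SAMPLE_RESULTS = [
    {"idref": "rule-no-empty-passwords", "result": "pass", "idents": "EXAMPLE-1"},
    {"idref": "rule-sshd-no-root-login", "result": "fail", "idents": "EXAMPLE-2, EXAMPLE-3"},
    {"idref": "rule-auditd-enabled", "result": "error", "idents": ""},
    {"idref": "rule-grub-password", "result": "notapplicable", "idents": ""},
]


def latest_scan_id(client, key, sid):
    """Return the highest xid stored for system `sid`, or None if there is none.

    Assumption: xids are assigned in increasing order, so the highest is the newest.
    """
    scans = client.system.scap.listXccdfScans(key, sid)
    return max((scan["xid"] for scan in scans), default=None)


def triage(rule_results):
    """Return (Counter of results, sorted [(idref, result, [idents])] needing follow-up)."""
    counts = Counter(rule["result"] for rule in rule_results)
    todo = sorted(
        (rule["idref"], rule["result"],
         [i.strip() for i in (rule.get("idents") or "").split(",") if i.strip()])
        for rule in rule_results
        if rule["result"] in ACTIONABLE
    )
    return counts, todo


def triage_latest(client, key, sid):
    """Triage the newest stored scan of `sid`; None means no result is stored yet."""
    xid = latest_scan_id(client, key, sid)
    if xid is None:
        return None
    return triage(client.system.scap.getXccdfScanRuleResults(key, xid))


if __name__ == "__main__":
    # Offline run on the constructed sample. Against a server, pass an
    # xmlrpc.client.ServerProxy('https://satellite.example.com/rpc/api') and the
    # key returned by client.auth.login() to triage_latest() instead.
    counts, todo = triage(SAMPLE_RESULTS)
    print(dict(counts))
    for idref, result, idents in todo:
        print(result, idref, ",".join(idents))
```

A return value of None from triage_latest usually means the client has not yet picked up the scheduled action, which is the situation the rhn_check note above addresses.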