6.5. OpenSCAP Satellite Web Interface
The following sections describe the pages in the Red Hat Satellite web interface that provide access to OpenSCAP and its features.
6.5.1. OpenSCAP Scans Page
Click the Audit tab on the top navigation bar to display the OpenSCAP Scans page. This is the "overview" page for all OpenSCAP functionality in Satellite Server. Use this page to view, search for, and compare completed scans.
6.5.1.1. All Scans
The All Scans page is the default page that appears on the Audit tab. This page displays all the completed OpenSCAP scans that the viewer has permission to see. Permissions for scans are derived from system permissions.
For each scan, the following information is displayed:
- System: the system that was scanned.
- XCCDF Profile: the evaluated profile.
- Completed: the time the scan was completed.
- Satisfied: the number of rules that were satisfied. A rule is considered to be Satisfied if the result of the evaluation is either Pass or Fixed.
- Dissatisfied: the number of rules that were not satisfied. A rule is considered to be Dissatisfied if the result of the evaluation is Fail.
- Unknown: the number of rules that failed to evaluate. A rule is considered to be Unknown if the result of the evaluation is Error, Unknown or Not Checked.
The evaluation of XCCDF rules may also return status results such as Informational, Not Applicable, or Not Selected. In such cases, the given rule is not included in the statistics on this page. See for information about these types of results.
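The grouping described above, applied to an XCCDF results document. This is an added example, not Satellite's own code. The sample TestResult is constructed, and the lowercase result strings (pass, notchecked, and so on) are the values defined by the XCCDF schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real scan): one rule per XCCDF result value.
SAMPLE = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <rule-result idref="rule-1"><result>pass</result></rule-result>
  <rule-result idref="rule-2"><result>fixed</result></rule-result>
  <rule-result idref="rule-3"><result>fail</result></rule-result>
  <rule-result idref="rule-4"><result>error</result></rule-result>
  <rule-result idref="rule-5"><result>unknown</result></rule-result>
  <rule-result idref="rule-6"><result>notchecked</result></rule-result>
  <rule-result idref="rule-7"><result>informational</result></rule-result>
  <rule-result idref="rule-8"><result>notapplicable</result></rule-result>
  <rule-result idref="rule-9"><result>notselected</result></rule-result>
</TestResult>"""

# Grouping as stated on the All Scans page.
BUCKET = {"pass": "Satisfied", "fixed": "Satisfied", "fail": "Dissatisfied",
          "error": "Unknown", "unknown": "Unknown", "notchecked": "Unknown"}
# Results the page says are left out of the statistics.
EXCLUDED = {"informational", "notapplicable", "notselected"}

def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 documents both match."""
    return tag.rsplit("}", 1)[-1]

def rule_results(xml_text):
    """Return {rule idref: result} for every rule-result element."""
    results = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "rule-result":
            value = next((c.text for c in el if _local(c.tag) == "result"), None)
            results[el.get("idref")] = (value or "").strip().lower()
    return results

def summarize(results):
    """Count rules per All Scans column; list the rules excluded from the counts."""
    counts = dict.fromkeys(("Satisfied", "Dissatisfied", "Unknown"), 0)
    excluded = []
    for rule, value in sorted(results.items()):
        if value in BUCKET:
            counts[BUCKET[value]] += 1
        elif value in EXCLUDED:
            excluded.append(rule)
        else:  # never drop an unrecognised result silently
            raise ValueError(f"{rule}: unexpected result {value!r}")
    return counts, excluded
```

The standard-library XML parser is not hardened against maliciously constructed input, so results files collected from hosts you do not trust belong behind a hardened parser.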
6.5.1.2. XCCDF Diff
XCCDF Diff is an application which visualizes the comparison of two XCCDF scans. It shows metadata for two scans as well as the lists of results.
Click the appropriate icon on the List Scans page to access the diff output of similar scans. Alternatively, you can specify the ID of arbitrary scans.
Items that show up in only one of the compared scans are considered to be "varying". Varying items are always highlighted in beige. There are three possible comparison modes: Full Comparison, which shows all the scan items; Only Changed Items, which shows items that have changed; and Only Invariant Items, which shows unchanged or similar items.
6.5.1.3. Advanced Search
Use the Advanced Search page to search through your scans according to specified criteria, including:
- Rule results.
- Targeted machine.
- Time frame of the scan.
The search either returns a list of results or a list of scans which are included in the results.
6.5.2. Systems Audit Page
Use the Systems Audit page to schedule and view compliance scans for a particular system. Scans are performed by the OpenSCAP tool, which implements NIST's standard Security Content Automation Protocol (SCAP).
Before you scan a system, ensure that the SCAP content is prepared and all prerequisites are met.
To display the Systems Audit page, click
6.5.2.1. List Scans
This page displays a summary of all scans completed on the selected system. The following columns are displayed:
Column Label | Definition |
---|---|
XCCDF Test Result | The scan test result name. This is also a link to the detailed results of the scan. |
Completed | The exact time the scan finished. |
Compliance | The unweighted pass:fail ratio of compliance based on the standard that was used. |
P | The number of checks that passed. |
F | The number of checks that failed. |
E | The number of errors that occurred during the scan. |
U | Unknown |
N | Not applicable to the machine. |
K | Not checked. |
S | Not selected. |
I | Informational |
X | Fixed |
Total | Total number of checks. |
Each entry begins with an icon indicating the results of a comparison to a previous similar scan. The icons indicate the following:
- No difference between the compared scans.
- Arbitrary differences between the compared scans.
- Major differences between the compared scans. Either there are more failures than in the previous scan or fewer passes.
- No comparable scan was found, and therefore no comparison was made.
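The comparison terms used by XCCDF Diff and by the icons above, applied to two result sets. This is an added example, not Satellite's implementation. The scans are constructed dictionaries of rule ID to result, the class names are hypothetical labels, and counting only the literal pass and fail results is an assumption.

```python
# Constructed sample scans: rule ID -> XCCDF result string.
PREV = {"rule-a": "pass", "rule-b": "fail", "rule-c": "pass", "rule-d": "notchecked"}
CURR = {"rule-a": "pass", "rule-b": "pass", "rule-c": "fail", "rule-e": "pass"}

def classify_items(prev, curr):
    """Label each rule 'varying' (present in one scan only), 'changed' or 'invariant'."""
    labels = {}
    for rule in sorted(set(prev) | set(curr)):
        if rule not in prev or rule not in curr:
            labels[rule] = "varying"
        elif prev[rule] != curr[rule]:
            labels[rule] = "changed"
        else:
            labels[rule] = "invariant"
    return labels

def _count(scan, result):
    return sum(1 for value in scan.values() if value == result)

def comparison_class(prev, curr):
    """Map a pair of scans to one of the four icon meanings (hypothetical names)."""
    if prev is None:
        return "no-comparison"   # no comparable earlier scan
    more_failures = _count(curr, "fail") > _count(prev, "fail")
    fewer_passes = _count(curr, "pass") < _count(prev, "pass")
    if more_failures or fewer_passes:
        return "major"
    return "arbitrary" if prev != curr else "none"

def regressions(prev, curr):
    """Added helper: rules present in both scans that moved to 'fail'."""
    return sorted(rule for rule in set(prev) & set(curr)
                  if curr[rule] == "fail" and prev[rule] != "fail")
```

Here the totals mask a regression: one rule was fixed while another started failing, so the pair classes as "arbitrary" although `regressions` still reports rule-c.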
6.5.2.2. Scan Details
The Scan Details page contains the results of a single scan. This page is divided into two sections:
Details of the XCCDF Scan
This section displays various details about the scan, including:
- File System Path: The path to the XCCDF file used for the scan.
- Command-line Arguments: Any additional command-line arguments that were used.
- Profile Identifier: The profile identifier used for the scan.
- Profile Title: The title of the profile used for the scan.
- Scan's Error output: Any errors encountered during the scan.
XCCDF Rule Results
The rule results provide the full list of XCCDF rule identifiers, identifying tags, and the result for each of these rule checks. This list can be filtered by a specific result.
6.5.2.3. Schedule Page
Use the Schedule New XCCDF Scan page to schedule new scans for specific machines. Scans occur at the system's next scheduled check-in that occurs after the date and time specified.
The following fields can be configured:
- Command-line Arguments: Optional arguments to the oscap command, either:
  - --profile PROFILE: Specifies a particular profile from the XCCDF document. Profiles are determined by the Profile tag in the XCCDF XML file. Use the oscap command to see a list of profiles within a given XCCDF file, for example:

        $ oscap info /usr/share/openscap/scap-rhel6-xccdf.xml
        Document type: XCCDF Checklist
        Checklist version: 1.1
        Status: draft
        Generated: 2011-10-12
        Imported: 2012-11-15T22:10:41
        Resolved: false
        Profiles: RHEL6-Default

    If not specified, the default profile is used.

    Note: Some early versions of OpenSCAP in Red Hat Enterprise Linux 5 require that you use the --profile option or the scan will fail.
  - --skip-valid: Do not validate input and output files. You can use this option to bypass the file validation process if you do not have well-formed XCCDF content.
- Path to XCCDF Document: This is a required field. The path parameter points to the XCCDF content location on the client system. For example: /usr/local/scap/dist_rhel6_scap-rhel6-oval.xml

Warning
The XCCDF content is validated before it is run on the remote system. Specifying invalid arguments can cause spacewalk-oscap to fail to validate or run. Due to security concerns, the oscap xccdf eval command only accepts a limited set of parameters.
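One way to pre-check a Command-line Arguments value against the two options this page lists before scheduling a scan. This is an added example, not the validation that spacewalk-oscap or Satellite performs. The function name and the character set allowed in a profile name are assumptions.

```python
import re
import shlex

# Options named on this page; the boolean says whether the option takes a value.
ALLOWED = {"--profile": True, "--skip-valid": False}

# Assumed profile-name syntax: it must not start with "-", so a value can never
# be read as another option, and it contains no shell metacharacters.
PROFILE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:-]*")

def parse_scan_args(text):
    """Return the validated argument list, or raise ValueError."""
    tokens = shlex.split(text)   # raises ValueError on unbalanced quotes
    argv, seen, i = [], set(), 0
    while i < len(tokens):
        option = tokens[i]
        if option not in ALLOWED:
            raise ValueError(f"option not permitted: {option!r}")
        if option in seen:
            raise ValueError(f"option repeated: {option!r}")
        seen.add(option)
        argv.append(option)
        if ALLOWED[option]:
            i += 1
            if i >= len(tokens) or not PROFILE_RE.fullmatch(tokens[i]):
                raise ValueError(f"{option} needs a valid profile name")
            argv.append(tokens[i])
        i += 1
    return argv
```

Passing the returned list to a process as separate arguments, rather than joining it back into a shell string, keeps the validated tokens from being re-parsed.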
For information about how to schedule scans using the Satellite web interface, see Section 6.4.1, “Using the Web Interface to Perform Audit Scans”.