Search
SupportConsoleDevelopersStart a trialContact

Chapter 7. Configuring SCAP contents

download PDF

You can upload SCAP data streams and tailoring files to define compliance policies.

7.1. Loading the default SCAP contents

By loading the default SCAP contents on Satellite Server, you ensure that the data streams from the SCAP Security Guide (SSG) are loaded and assigned to all organizations and locations.

SSG is provided by the operating system of Satellite Server and installed in /usr/share/xml/scap/ssg/content/. Note that the available data streams depend on the operating system version on which Satellite runs. You can only use this SCAP content to scan hosts that have the same minor RHEL version as your Satellite Server. For more information, see Section 7.2, “Getting supported SCAP contents for RHEL”.

Prerequisites

  • Your user account has a role assigned that has the create_scap_contents permission.

Procedure

  • Use the following Hammer command on Satellite Server: 

    # hammer scap-content bulk-upload --type default

7.2. Getting supported SCAP contents for RHEL

You can get the latest SCAP Security Guide (SSG) for Red Hat Enterprise Linux on the Red Hat Customer Portal. You have to get a version of SSG that is designated for the minor RHEL version of your hosts.

Procedure

  1. Access the SCAP Security Guide in the package browser.
  2. From the Version menu, select the latest SSG version for the minor version of RHEL that your hosts are running. For example, for RHEL 8.6, select a version named *.el8_6.
  3. Download the package RPM.

  4. Extract the data-stream file (*-ds.xml) from the RPM. For example: 

    $ rpm2cpio scap-security-guide-0.1.69-3.el8_6.noarch.rpm \
| cpio -iv --to-stdout ./usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml \
> ssg-rhel-8.6-ds.xml
  5. Upload the data stream to Satellite. For more information, see Section 7.3, “Uploading additional SCAP content”.

Additional resources

7.3. Uploading additional SCAP content

You can upload additional SCAP content into Satellite Server, either content created by yourself or obtained elsewhere. Note that Red Hat only provides support for SCAP content obtained from Red Hat. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Prerequisites

  • Your user account has a role assigned that has the create_scap_contents permission.
  • You have acquired a SCAP data-stream file.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > SCAP contents.
  2. Click Upload New SCAP Content.
  3. Enter a title in the Title text box, such as My SCAP Content.
  4. In Scap File, click Choose file, navigate to the location containing a SCAP data-stream file and click Open.
  5. On the Locations tab, select locations.
  6. On the Organizations tab, select organizations.
  7. Click Submit.

If the SCAP content file is loaded successfully, a message similar to Successfully created My SCAP Content is displayed.

CLI procedure

  1. Place the SCAP data-stream file to a directory on your Satellite Server, such as /usr/share/xml/scap/my_content/.

  2. Run the following Hammer command on Satellite Server: 

    # hammer scap-content bulk-upload --type directory \
--directory /usr/share/xml/scap/my_content/ \
--location "My_Location" \
--organization "My_Organization"

Verification

7.4. Tailoring XCCDF profiles

You can customize existing XCCDF profiles using tailoring files without editing the original SCAP content. A single tailoring file can contain customizations of multiple XCCDF profiles.

You can create a tailoring file using the SCAP Workbench tool. For more information on using the SCAP Workbench tool, see Customizing SCAP Security Guide for your use case.

Then you can assign a tailoring file to a compliance policy to customize an XCCDF profile in the policy.

7.5. Uploading a tailoring file

After uploading a tailoring file, you can apply it in a compliance policy to customize an XCCDF profile.

Prerequisites

  • Your user account has a role assigned that has the create_tailoring_files permission.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Tailoring Files and click New Tailoring File.
  2. Enter a name in the Name text box.
  3. Click Choose File, navigate to the location containing the tailoring file and select Open.
  4. Click Submit to upload the chosen tailoring file.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.