Chapter 7. Configuring SCAP contents
You can upload SCAP data streams and tailoring files to define compliance policies.
7.1. Loading the default SCAP contents
By loading the default SCAP contents on Satellite Server, you ensure that the data streams from the SCAP Security Guide (SSG) are loaded and assigned to all organizations and locations.
SSG is provided by the operating system of Satellite Server and installed in /usr/share/xml/scap/ssg/content/
. Note that the available data streams depend on the operating system version on which Satellite runs. You can only use this SCAP content to scan hosts that have the same minor RHEL version as your Satellite Server. For more information, see Section 7.2, “Getting supported SCAP contents for RHEL”.
Prerequisites
-
Your user account has a role assigned that has the
create_scap_contents
permission.
Procedure
Use the following Hammer command on Satellite Server:
# hammer scap-content bulk-upload --type default
7.2. Getting supported SCAP contents for RHEL
You can get the latest SCAP Security Guide (SSG) for Red Hat Enterprise Linux on the Red Hat Customer Portal. You have to get a version of SSG that is designated for the minor RHEL version of your hosts.
Procedure
- Access the SCAP Security Guide in the package browser.
-
From the Version menu, select the latest SSG version for the minor version of RHEL that your hosts are running. For example, for RHEL 8.6, select a version named
*.el8_6
. - Download the package RPM.
Extract the data-stream file (
*-ds.xml
) from the RPM. For example:$ rpm2cpio scap-security-guide-0.1.69-3.el8_6.noarch.rpm \ | cpio -iv --to-stdout ./usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml \ > ssg-rhel-8.6-ds.xml
- Upload the data stream to Satellite. For more information, see Section 7.3, “Uploading additional SCAP content”.
Additional resources
- Supported versions of the SCAP Security Guide in RHEL in the Red Hat Knowledgebase
- SCAP Security Guide profiles supported in RHEL 9 in Red Hat Enterprise Linux 9 Security hardening
- SCAP Security Guide profiles supported in RHEL 8 in Red Hat Enterprise Linux 8 Security hardening
- SCAP Security Guide profiles supported in RHEL 7 in Red Hat Enterprise Linux 7 Security Guide
7.3. Uploading additional SCAP content
You can upload additional SCAP content into Satellite Server, either content created by yourself or obtained elsewhere. Note that Red Hat only provides support for SCAP content obtained from Red Hat. To use the CLI instead of the Satellite web UI, see the CLI procedure.
Prerequisites
-
Your user account has a role assigned that has the
create_scap_contents
permission. - You have acquired a SCAP data-stream file.
Procedure
- In the Satellite web UI, navigate to Hosts > Compliance > SCAP contents.
- Click Upload New SCAP Content.
-
Enter a title in the Title text box, such as
My SCAP Content
. - In Scap File, click Choose file, navigate to the location containing a SCAP data-stream file and click Open.
- On the Locations tab, select locations.
- On the Organizations tab, select organizations.
- Click Submit.
If the SCAP content file is loaded successfully, a message similar to Successfully created My SCAP Content
is displayed.
CLI procedure
-
Place the SCAP data-stream file to a directory on your Satellite Server, such as
/usr/share/xml/scap/my_content/
. Run the following Hammer command on Satellite Server:
# hammer scap-content bulk-upload --type directory \ --directory /usr/share/xml/scap/my_content/ \ --location "My_Location" \ --organization "My_Organization"
Verification
- List the available SCAP contents. The list of SCAP contents includes the new title.
7.4. Tailoring XCCDF profiles
You can customize existing XCCDF profiles using tailoring files without editing the original SCAP content. A single tailoring file can contain customizations of multiple XCCDF profiles.
You can create a tailoring file using the SCAP Workbench tool. For more information on using the SCAP Workbench tool, see Customizing SCAP Security Guide for your use case.
Then you can assign a tailoring file to a compliance policy to customize an XCCDF profile in the policy.
7.5. Uploading a tailoring file
After uploading a tailoring file, you can apply it in a compliance policy to customize an XCCDF profile.
Prerequisites
-
Your user account has a role assigned that has the
create_tailoring_files
permission.
Procedure
- In the Satellite web UI, navigate to Hosts > Compliance > Tailoring Files and click New Tailoring File.
- Enter a name in the Name text box.
- Click Choose File, navigate to the location containing the tailoring file and select Open.
- Click Submit to upload the chosen tailoring file.