Search
SupportConsoleDevelopersStart a trialContact

Chapter 9. Deploying compliance policies

download PDF

To deploy a compliance policy, you must install the SCAP client, update the cron schedule file, and upload the SCAP content selected in the policy onto a host.

9.1. Inclusion of remote SCAP resources

SCAP data streams can reference remote resources, such as OVAL files, that the SCAP client fetches over the internet when it runs on hosts. If a data stream requires a remote resource, you can see a warning from the OpenSCAP Scanner tool on your Satellite Server, such as: 

# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | grep "WARNING"
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file
which is referenced from datastream

By default, the SCAP client is configured to ignore the remote resources and skip the XCCDF rules that rely on the resources. The skipped rules then result in the notchecked status.

For hosts with internet access, you can enable the download of remote resources on hosts in Satellite. For information about applying remote SCAP resources to hosts that cannot access the internet, see Section 9.2, “Applying remote SCAP resources in a disconnected environment”.

Using the Ansible deployment method

Override the following Ansible variable:

  • Name: foreman_scap_client_fetch_remote_resources
  • Type: boolean
  • Value: true

For more information, see Overriding Ansible Variables in Satellite in Managing configurations using Ansible integration.

Using the Puppet deployment method

Configure the following Puppet Smart Class Parameter:

  • Name: fetch_remote_resources
  • Type: boolean
  • Value: true

For more information, see Configuring Puppet Smart Class Parameters in Managing configurations using Puppet integration.

9.2. Applying remote SCAP resources in a disconnected environment

SCAP data streams can contain remote resources, such as OVAL files, that the SCAP client can fetch over the internet when it runs on hosts. If your hosts do not have internet access, you must download remote SCAP resources and distribute them from Satellite Server to your hosts as local files by downloading the files on hosts from a custom file type repository.

Prerequisites

Procedure

  1. On your Satellite Server, examine the data stream you use in your compliance policy to find out which missing resource you must download: 

    # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | grep "WARNING"
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file
which is referenced from datastream

  2. Examine the name of the local file that is referenced by the data stream: 

    # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
...
		Referenced check files:
			ssg-rhel8-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-rhel8-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
...

  3. On an online machine, download the missing resource: 

    # curl -o security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2
    Important

    Ensure that the name of the downloaded file matches the name the data stream references.

  4. Add the file as new custom file type content into your Satellite Server. For more information, see Managing custom file type content in Managing content.

    Note the URL on which your repository is published, such as http://satellite.example.com/pulp/content/My_Organization_Label/Library/custom/My_Product_Label/My_Repo_Label/.

  5. Schedule a remote job to upload the file to the home directory of root on your host. For example, use the Run Command - Script Default job template and enter the following command: 

    # curl -o /root/security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 http://satellite.example.com/pulp/content/My_Organization_Label/Library/custom/My_Product_Label/My_Repo_Label/security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2

    For more information about running remote jobs, see Executing a Remote Job in Managing hosts.

  6. Continue with deploying your compliance policy.

9.3. Deploying a policy in a host group using Ansible

After you deploy a compliance policy in a host group using Ansible, the Ansible role installs the SCAP client and configures OpenSCAP scans on the hosts according to the selected compliance policy.

The SCAP content in the compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.

Prerequisites

  • You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.

  • You have enabled and synced the operating system repositories to Satellite, and enabled them on the hosts:

    • Red Hat Enterprise Linux 9 for x86_64 - BaseOS and Appstream (RPMs) – rhel-9-for-x86_64-baseos-rpms and rhel-9-for-x86_64-appstream-rpms
    • Red Hat Enterprise Linux 8 for x86_64 - BaseOS and Appstream (RPMs) – rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms
    • Red Hat Enterprise Linux 7 Server and Extras (RPMs) – rhel-7-server-rpms and rhel-7-server-extras-rpms
  • You have enabled and synced the Satellite Client 6 repository to Satellite, and enabled it on the hosts.
  • You have created a compliance policy with the Ansible deployment option and assigned the host group.

Procedure

  1. In the Satellite web UI, navigate to Configure > Host Groups.
  2. Click the host group that you want to configure for OpenSCAP reporting.
  3. From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  4. On the Ansible Roles tab, assign the theforeman.foreman_scap_client Ansible role.
  5. Optional: On the Parameters tab, configure any Ansible variables of the role.
  6. Click Submit to save your changes.
  7. In the row of the required host group, navigate to the Actions column and select Run all Ansible roles.

9.4. Deploying a policy on a host using Ansible

After you deploy a compliance policy on a host using Ansible, the Ansible role installs the SCAP client and configures OpenSCAP scans on the host according to the selected compliance policy.

The SCAP content in the compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.

Prerequisites

  • You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.

  • You have enabled and synced the operating system repositories to Satellite, and enabled them on the hosts:

    • Red Hat Enterprise Linux 9 for x86_64 - BaseOS and Appstream (RPMs) – rhel-9-for-x86_64-baseos-rpms and rhel-9-for-x86_64-appstream-rpms
    • Red Hat Enterprise Linux 8 for x86_64 - BaseOS and Appstream (RPMs) – rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms
    • Red Hat Enterprise Linux 7 Server and Extras (RPMs) – rhel-7-server-rpms and rhel-7-server-extras-rpms
  • You have enabled and synced the Satellite Client 6 repository to Satellite, and enabled it on the host.
  • You have created a compliance policy with the Ansible deployment option.

Procedure

  1. In the Satellite web UI, navigate to Hosts > All Hosts, and select Edit on the host you want to configure for OpenSCAP reporting.
  2. From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  3. On the Ansible Roles tab, add the theforeman.foreman_scap_client Ansible role.
  4. Optional: On the Parameters tab, configure any Ansible variables of the role.
  5. Click Submit to save your changes.
  6. Click the Hosts breadcrumbs link to navigate back to the host index page.
  7. Select the host or hosts to which you want to add the policy.
  8. Click Select Action.
  9. Select Assign Compliance Policy from the list.
  10. In the Assign Compliance Policy window, select Remember hosts selection for the next bulk action.
  11. Select the required policy from the list of available policies and click Submit.
  12. Click Select Action.
  13. Select Run all Ansible roles from the list.

9.5. Deploying a policy in a host group using Puppet

After you deploy a compliance policy in a host group using Puppet, the Puppet agent installs the SCAP client and configures OpenSCAP scans on the hosts on the next Puppet run according to the selected compliance policy.

The SCAP content in your compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.

Prerequisites

  • You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.

  • You have enabled and synced the operating system repositories to Satellite, and enabled them on the hosts:

    • Red Hat Enterprise Linux 9 for x86_64 - BaseOS and Appstream (RPMs) – rhel-9-for-x86_64-baseos-rpms and rhel-9-for-x86_64-appstream-rpms
    • Red Hat Enterprise Linux 8 for x86_64 - BaseOS and Appstream (RPMs) – rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms
    • Red Hat Enterprise Linux 7 Server and Extras (RPMs) – rhel-7-server-rpms and rhel-7-server-extras-rpms
  • You have enabled and synced the Satellite Client 6 repository to Satellite, and enabled it on the hosts.
  • You have created a compliance policy with the Puppet deployment option and assigned the host group.

Procedure

  1. In the Satellite web UI, navigate to Configure > Host Groups.
  2. Click the host group that you want to configure for OpenSCAP reporting.
  3. In the Environment list, select the Puppet environment that contains the foreman_scap_client* Puppet classes.
  4. In the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  5. On the Puppet ENC tab, add the foreman_scap_client Puppet class.
  6. Optional: Configure any Puppet Class Parameters.
  7. Click Submit to save your changes.

9.6. Deploying a policy on a host using Puppet

After you deploy a compliance policy on a host using Puppet, the Puppet agent installs the SCAP client and configures OpenSCAP scans on the host on the next Puppet run according to the selected compliance policy.

The SCAP content in your compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.

Prerequisites

  • You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.

  • You have enabled and synced the operating system repositories to Satellite, and enabled them on the hosts:

    • Red Hat Enterprise Linux 9 for x86_64 - BaseOS and Appstream (RPMs) – rhel-9-for-x86_64-baseos-rpms and rhel-9-for-x86_64-appstream-rpms
    • Red Hat Enterprise Linux 8 for x86_64 - BaseOS and Appstream (RPMs) – rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms
    • Red Hat Enterprise Linux 7 Server and Extras (RPMs) – rhel-7-server-rpms and rhel-7-server-extras-rpms
  • You have enabled and synced the Satellite Client 6 repository to Satellite, and enabled it on the host.
  • You have created a compliance policy with the Puppet deployment option.

Procedure

  1. In the Satellite web UI, navigate to Hosts > All Hosts, and select Edit on the host you want to configure for OpenSCAP reporting.
  2. From the Environment list, select the Puppet environment that contains the foreman_scap_client and foreman_scap_client::params Puppet classes.
  3. From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  4. On the Puppet ENC tab, add the foreman_scap_client Puppet class.
  5. Optional: Configure any Puppet Class Parameters.
  6. Click the Hosts breadcrumbs link to navigate back to the host index page.
  7. Select the host or hosts to which you want to add the policy.
  8. Click Select Action.
  9. Select Assign Compliance Policy from the list.
  10. In the Assign Compliance Policy window, select Remember hosts selection for the next bulk action.
  11. Select the required policy from the list of available policies and click Submit.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.