Chapter 9. Deploying compliance policies
Deploying a compliance policy means installing the SCAP client on the host, writing the cron schedule for the scans, and uploading the SCAP content selected in the policy to the host. The Ansible and Puppet deployment methods described in this chapter perform these steps for you.
9.1. Inclusion of remote SCAP resources
SCAP data streams can reference remote resources, such as OVAL files, that the SCAP client fetches over the internet when it runs on hosts. If a data stream requires a remote resource, you can see a warning from the OpenSCAP Scanner tool on your Satellite Server, such as:
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | grep "WARNING"
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file
which is referenced from datastream
By default, the SCAP client is configured to ignore remote resources and to skip the XCCDF rules that rely on them. The skipped rules then report the notchecked status.
For hosts with internet access, you can enable the download of remote resources on hosts in Satellite. For information about applying remote SCAP resources to hosts that cannot access the internet, see Section 9.2, “Applying remote SCAP resources in a disconnected environment”.
Enabling the download makes the host fetch the referenced resource from the remote URL each time the scan runs, so the host needs outbound HTTPS access to that URL.
- Using the Ansible deployment method
Override the following Ansible variable:
- Name: foreman_scap_client_fetch_remote_resources
- Type: boolean
- Value: true
For more information, see Overriding Ansible Variables in Satellite in Managing configurations using Ansible integration.
- Using the Puppet deployment method
Configure the following Puppet Smart Class Parameter:
- Name: fetch_remote_resources
- Type: boolean
- Value: true
For more information, see Configuring Puppet Smart Class Parameters in Managing configurations using Puppet integration.
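To see which rules a scan skipped for lack of a remote resource, read the XCCDF results the SCAP client produces rather than only the pass/fail totals. The following is an added example, not code from this page or from the foreman_scap_client project. It runs on a constructed, trimmed-down results file with placeholder rule ids, and assumes the results use the XCCDF 1.2 namespace; the check file name it looks for is the one from the warning above.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF}

# Constructed, trimmed-down XCCDF result file (not real scan output). The
# structure, a rule-result holding a result element and the check-content-ref
# of the file the check lives in, is what oscap writes; the rule ids are
# placeholders, not rules from any real profile.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_example" end-time="2024-01-01T00:00:00">
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_local_pass" time="2024-01-01T00:00:00">
      <result>pass</result>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="ssg-rhel8-oval.xml" name="oval:ssg-example_local_pass:def:1"/>
      </check>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_local_fail" time="2024-01-01T00:00:00">
      <result>fail</result>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="ssg-rhel8-oval.xml" name="oval:ssg-example_local_fail:def:1"/>
      </check>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_needs_remote" time="2024-01-01T00:00:00">
      <result>notchecked</result>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2" name="oval:com.redhat.rhsa:def:20240001"/>
      </check>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_manual" time="2024-01-01T00:00:00">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def result_counts(xml_text):
    """Tally rule results by status (pass, fail, notchecked, ...)."""
    root = ET.fromstring(xml_text)
    counts = {}
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", NS):
        status = rr.findtext("xccdf:result", default="unknown", namespaces=NS)
        counts[status] = counts.get(status, 0) + 1
    return counts


def notchecked_by_check_file(xml_text):
    """Map each notchecked rule id to the check file its content lives in.

    A rule whose check-content-ref points at the file the data stream fetches
    remotely was skipped because fetching is off. A rule with no check element
    at all is notchecked for another reason (it has no automated check), so it
    maps to None.
    """
    root = ET.fromstring(xml_text)
    skipped = {}
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", NS):
        if rr.findtext("xccdf:result", namespaces=NS) != "notchecked":
            continue
        ref = rr.find("xccdf:check/xccdf:check-content-ref", NS)
        skipped[rr.get("idref")] = ref.get("href") if ref is not None else None
    return skipped


def rules_needing(xml_text, check_file):
    """Rule ids that were notchecked because check_file was not available."""
    return sorted(rule for rule, href in notchecked_by_check_file(xml_text).items()
                  if href == check_file)


if __name__ == "__main__":
    print(result_counts(SAMPLE_RESULTS))
    print(rules_needing(SAMPLE_RESULTS, "security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2"))
```

If rules_needing() returns a non-empty list for the file named in the oscap warning, the notchecked results are caused by the missing remote resource and not by rules that simply have no automated check; that tells you whether enabling the download (or the disconnected procedure in Section 9.2) will change the report.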
9.2. Applying remote SCAP resources in a disconnected environment
SCAP data streams can contain remote resources, such as OVAL files, that the SCAP client can fetch over the internet when it runs on hosts. If your hosts do not have internet access, you must download the remote SCAP resources yourself and distribute them from Satellite Server to your hosts as local files: publish the files in a custom file type repository and download them onto the hosts from there.
Prerequisites
- You have registered your host to Satellite with remote execution enabled.
- Fetching remote resources must be disabled, which is the default. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.
Procedure
On your Satellite Server, examine the data stream you use in your compliance policy to find out which missing resource you must download:
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | grep "WARNING"
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file
which is referenced from datastream
Examine the name of the local file that is referenced by the data stream:
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
...
Referenced check files:
ssg-rhel8-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
ssg-rhel8-ocil.xml
system: http://scap.nist.gov/schema/ocil/2
security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
...
On an online machine, download the missing resource:
# curl -o security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2
Important: Ensure that the name of the downloaded file matches the name the data stream references (here security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2, as listed under Referenced check files), not the file name in the URL.
Add the file as new custom file type content into your Satellite Server. For more information, see Managing custom file type content in Managing content.
Note the URL on which your repository is published, such as http://satellite.example.com/pulp/content/My_Organization_Label/Library/custom/My_Product_Label/My_Repo_Label/.
Schedule a remote job to upload the file to the home directory of root on your host. For example, use the Run Command - Script Default job template and enter the following command:
# curl -o /root/security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 http://satellite.example.com/pulp/content/My_Organization_Label/Library/custom/My_Product_Label/My_Repo_Label/security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2
For more information about running remote jobs, see Executing a Remote Job in Managing hosts.
- Continue with deploying your compliance policy.
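The oscap warning in Section 9.1 and the Referenced check files list in this procedure are two views of the same data-stream structure: a ds:component-ref under ds:checks whose xlink:href is a URL, and a catalog entry in the checklist that gives that component the local name the scanner looks for. The following added example (not code from this page, from Red Hat or from OpenSCAP) extracts both from a data stream so you can confirm the file name before publishing it, and reports which of those files are missing from a directory. It parses a constructed, trimmed-down data stream built from the component id and URL shown in the warning; to use the real content, read /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml instead of the inline sample.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xlink": "http://www.w3.org/1999/xlink",
    "cat": "urn:oasis:names:tc:entity:xmlns:xml:catalog",
}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed, trimmed-down data stream (not the real ssg-rhel8-ds.xml). The
# component id and URL are the ones from the oscap warning; the surrounding
# elements are the minimum a source data stream needs to express them.
SAMPLE_DS = """<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml">
        <cat:catalog>
          <cat:uri name="ssg-rhel8-oval.xml" uri="#scap_org.open-scap_cref_ssg-rhel8-oval.xml"/>
          <cat:uri name="security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2"
              uri="#scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2"/>
        </cat:catalog>
      </ds:component-ref>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-oval.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel8-oval.xml"/>
      <ds:component-ref id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2"
          xlink:href="https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def remote_resources(ds_xml):
    """Return {local_name: url} for every component the data stream fetches remotely.

    local_name is the name under which the checklist catalog refers to the
    component, which is the file name the scanner expects to find on disk when
    remote fetching is disabled.
    """
    root = ET.fromstring(ds_xml)
    # catalog: component-ref id -> local file name
    local_names = {}
    for uri in root.iterfind(".//ds:checklists//cat:uri", NS):
        target = uri.get("uri", "")
        if target.startswith("#"):
            local_names[target[1:]] = uri.get("name")
    found = {}
    for ref in root.iterfind(".//ds:checks/ds:component-ref", NS):
        href = ref.get(XLINK_HREF, "")
        if urlparse(href).scheme not in ("http", "https"):
            continue  # in-document reference (#...), nothing to download
        # If no catalog names the component, fall back to the URL's basename;
        # this is a guess, so verify it against 'oscap info' output.
        name = local_names.get(ref.get("id")) or os.path.basename(urlparse(href).path)
        found[name] = href
    return found


def missing_local_files(ds_xml, directory):
    """Names from remote_resources() that are not present in directory."""
    return sorted(name for name in remote_resources(ds_xml)
                  if not os.path.isfile(os.path.join(directory, name)))


if __name__ == "__main__":
    for name, url in remote_resources(SAMPLE_DS).items():
        print(f"{name}  <-  {url}")
    print("missing in /root:", missing_local_files(SAMPLE_DS, "/root"))
```

Run missing_local_files() against the directory the remote job uploads to (/root in the procedure above) on a host after the job completes; an empty list means every remotely referenced component has a local copy under the name the data stream expects.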
9.3. Deploying a policy in a host group using Ansible
After you deploy a compliance policy in a host group using Ansible, the Ansible role installs the SCAP client and configures OpenSCAP scans on the hosts according to the selected compliance policy.
The SCAP content in the compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.
Prerequisites
- You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.
- You have enabled and synced the operating system repositories to Satellite, and enabled them on the hosts:
  - Red Hat Enterprise Linux 9 for x86_64 - BaseOS and Appstream (RPMs) – rhel-9-for-x86_64-baseos-rpms and rhel-9-for-x86_64-appstream-rpms
  - Red Hat Enterprise Linux 8 for x86_64 - BaseOS and Appstream (RPMs) – rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms
  - Red Hat Enterprise Linux 7 Server and Extras (RPMs) – rhel-7-server-rpms and rhel-7-server-extras-rpms
- You have enabled and synced the Satellite Client 6 repository to Satellite, and enabled it on the hosts.
- You have created a compliance policy with the Ansible deployment option and assigned the host group.
Procedure
- In the Satellite web UI, navigate to Configure > Host Groups.
- Click the host group that you want to configure for OpenSCAP reporting.
- From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
- On the Ansible Roles tab, assign the theforeman.foreman_scap_client Ansible role.
- Optional: On the Parameters tab, configure any Ansible variables of the role.
- Click Submit to save your changes.
- In the row of the required host group, navigate to the Actions column and select Run all Ansible roles.
9.4. Deploying a policy on a host using Ansible
After you deploy a compliance policy on a host using Ansible, the Ansible role installs the SCAP client and configures OpenSCAP scans on the host according to the selected compliance policy.
The SCAP content in the compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.
Prerequisites
- You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.
- You have enabled and synced the operating system repositories to Satellite, and enabled them on the hosts:
  - Red Hat Enterprise Linux 9 for x86_64 - BaseOS and Appstream (RPMs) – rhel-9-for-x86_64-baseos-rpms and rhel-9-for-x86_64-appstream-rpms
  - Red Hat Enterprise Linux 8 for x86_64 - BaseOS and Appstream (RPMs) – rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms
  - Red Hat Enterprise Linux 7 Server and Extras (RPMs) – rhel-7-server-rpms and rhel-7-server-extras-rpms
- You have enabled and synced the Satellite Client 6 repository to Satellite, and enabled it on the host.
- You have created a compliance policy with the Ansible deployment option.
Procedure
- In the Satellite web UI, navigate to Hosts > All Hosts, and select Edit on the host you want to configure for OpenSCAP reporting.
- From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
- On the Ansible Roles tab, add the theforeman.foreman_scap_client Ansible role.
- Optional: On the Parameters tab, configure any Ansible variables of the role.
- Click Submit to save your changes.
- Click the Hosts breadcrumbs link to navigate back to the host index page.
- Select the host or hosts to which you want to add the policy.
- Click Select Action.
- Select Assign Compliance Policy from the list.
- In the Assign Compliance Policy window, select Remember hosts selection for the next bulk action.
- Select the required policy from the list of available policies and click Submit.
- Click Select Action.
- Select Run all Ansible roles from the list.
9.5. Deploying a policy in a host group using Puppet
After you deploy a compliance policy in a host group using Puppet, the Puppet agent installs the SCAP client and configures OpenSCAP scans on the hosts on the next Puppet run according to the selected compliance policy.
The SCAP content in your compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.
Prerequisites
- You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.
- You have enabled and synced the operating system repositories to Satellite, and enabled them on the hosts:
  - Red Hat Enterprise Linux 9 for x86_64 - BaseOS and Appstream (RPMs) – rhel-9-for-x86_64-baseos-rpms and rhel-9-for-x86_64-appstream-rpms
  - Red Hat Enterprise Linux 8 for x86_64 - BaseOS and Appstream (RPMs) – rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms
  - Red Hat Enterprise Linux 7 Server and Extras (RPMs) – rhel-7-server-rpms and rhel-7-server-extras-rpms
- You have enabled and synced the Satellite Client 6 repository to Satellite, and enabled it on the hosts.
- You have created a compliance policy with the Puppet deployment option and assigned the host group.
Procedure
- In the Satellite web UI, navigate to Configure > Host Groups.
- Click the host group that you want to configure for OpenSCAP reporting.
- In the Environment list, select the Puppet environment that contains the foreman_scap_client* Puppet classes.
- In the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
- On the Puppet ENC tab, add the foreman_scap_client Puppet class.
- Optional: Configure any Puppet Class Parameters.
- Click Submit to save your changes.
9.6. Deploying a policy on a host using Puppet
After you deploy a compliance policy on a host using Puppet, the Puppet agent installs the SCAP client and configures OpenSCAP scans on the host on the next Puppet run according to the selected compliance policy.
The SCAP content in your compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.
Prerequisites
- You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.
- You have enabled and synced the operating system repositories to Satellite, and enabled them on the hosts:
  - Red Hat Enterprise Linux 9 for x86_64 - BaseOS and Appstream (RPMs) – rhel-9-for-x86_64-baseos-rpms and rhel-9-for-x86_64-appstream-rpms
  - Red Hat Enterprise Linux 8 for x86_64 - BaseOS and Appstream (RPMs) – rhel-8-for-x86_64-baseos-rpms and rhel-8-for-x86_64-appstream-rpms
  - Red Hat Enterprise Linux 7 Server and Extras (RPMs) – rhel-7-server-rpms and rhel-7-server-extras-rpms
- You have enabled and synced the Satellite Client 6 repository to Satellite, and enabled it on the host.
- You have created a compliance policy with the Puppet deployment option.
Procedure
- In the Satellite web UI, navigate to Hosts > All Hosts, and select Edit on the host you want to configure for OpenSCAP reporting.
- From the Environment list, select the Puppet environment that contains the foreman_scap_client and foreman_scap_client::params Puppet classes.
- From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
- On the Puppet ENC tab, add the foreman_scap_client Puppet class.
- Optional: Configure any Puppet Class Parameters.
- Click Submit to save your changes.
- Click the Hosts breadcrumbs link to navigate back to the host index page.
- Select the host or hosts to which you want to add the policy.
- Click Select Action.
- Select Assign Compliance Policy from the list.
- In the Assign Compliance Policy window, select Remember hosts selection for the next bulk action.
- Select the required policy from the list of available policies and click Submit.