5.2. Installation
5.2.1. Install OpenSCAP Packages
Procedure 5.1. Installing OpenSCAP Packages
Install the OpenSCAP plugin and content on the Satellite Server and all external Capsule Servers.
- On the Satellite Server, install the OpenSCAP plug-in and content.
# satellite-installer --enable-foreman-plugin-openscap
Successful installation is indicated by a progress indicator, and the word Success! The OpenSCAP plugin adds to the Satellite web UI a Compliance section, under the menu, containing the following pages:
# yum install puppet-foreman_scap_client
- On all external Capsule Servers, install the OpenSCAP plug-in and content.
Note
If OpenSCAP functionality is to be enabled on a Capsule Server, Puppet must already have been enabled on that server.
# satellite-installer --enable-foreman-proxy-plugin-openscap
Successful installation is indicated by a progress indicator, and the word Success! This provides the Puppet classes required to set up hosts to perform OpenSCAP scans and creates the Cron jobs for automated compliance scanning.
- On external Capsule Servers with the Puppet master role, install the OpenSCAP client.
# yum install puppet-foreman_scap_client
To identify the relevant external Capsule Servers, open the Satellite web UI, navigate to and identify those external Capsule Servers with Puppet listed in the Features column.
5.2.2. Loading Default OpenSCAP Content
Procedure 5.2. Load the Default OpenSCAP Content
- Load the OpenSCAP content on the Satellite Server.
# foreman-rake foreman_openscap:bulk_upload:default
5.2.3. Importing OpenSCAP Puppet Modules
Procedure 5.3. Import OpenSCAP Puppet Modules
- OpenSCAP requires a Puppet environment, but by default Puppet environments are only created for Content Views which contain Puppet modules. To list available Puppet environments, open the Satellite web UI and navigate to . If there are no Puppet environments, open a CLI session on the Satellite Server and create a directory for the production Puppet environment.
# mkdir -p /etc/puppet/environments/production/modules
- Import the OpenSCAP content into selected Puppet environments. Each host which is to be audited with OpenSCAP must be associated with a Puppet environment.
- In the Satellite web UI, select from the context menu Any Organization and Any Location.
- Navigate to .
- Click, then .
- For each Puppet environment associated with hosts to be audited using OpenSCAP, select the check box, then click . If no other Puppet environment exists, select the production environment. The foreman_scap_client Puppet module, amongst others, will be added to the selected environments.
- Verify that the foreman_scap_client Puppet module has been added. Navigate to , then click in the Puppet environment's row. The procedure has been successful if the foreman_scap_client Puppet class is listed.
5.2.4. Uploading Extra SCAP Content
You can upload extra SCAP content into the Satellite Server, either content created by yourself or obtained elsewhere. SCAP content must be imported into the Satellite Server before being applied in a policy. For example, the scap-security-guide RPM package available in the Red Hat Enterprise Linux 7.2 repositories includes a profile for the Payment Card Industry Data Security Standard (PCI-DSS) version 3. You can upload this content into a Satellite Server even if it is not running Red Hat Enterprise Linux 7.2 as the content is not specific to an operating system version.
Procedure 5.4. Upload Extra SCAP Content
- Log in to the Satellite web UI.
- Navigate to and click Upload New SCAP Content.
- Enter a title in the Title text box. For example: RHEL 7.2 SCAP Content.
- Click, navigate to the location containing the SCAP content file and select .
- Click.
If the SCAP content file is loaded successfully, a message similar to Successfully created RHEL 7.2 SCAP Content will be shown and the list of SCAP Contents will include the new title.
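Before uploading content obtained elsewhere, it is useful to confirm which profiles the file actually carries, for example whether a PCI-DSS profile is present. The following is an added example, not part of the Satellite documentation: it assumes the file is an SCAP 1.2 source data stream, and the sample data, the `org.example` identifiers and the function names `list_profiles` and `has_profile` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces defined by the SCAP 1.2 source data stream and XCCDF 1.2 schemas.
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed sample: a heavily trimmed data stream holding two profiles.
SAMPLE_DS = b"""<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
                           xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.example_comp_sample-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.example_benchmark_SAMPLE">
      <xccdf:Profile id="xccdf_org.example_profile_standard">
        <xccdf:title>Standard System Security Profile</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.example_profile_pci-dss">
        <xccdf:title>PCI-DSS v3 Control Baseline</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(data: bytes) -> list[tuple[str, str]]:
    """Return (profile id, title) pairs found in an SCAP source data stream."""
    # SCAP content needs no DTD; refuse one so a file obtained elsewhere
    # cannot use entity declarations against the parser. The byte check
    # assumes an ASCII-compatible encoding such as UTF-8.
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE declaration not allowed in SCAP content")
    root = ET.fromstring(data)
    if root.tag != "{%s}data-stream-collection" % NS["ds"]:
        raise ValueError("not an SCAP 1.2 source data stream")
    profiles = []
    for profile in root.iterfind(".//xccdf:Benchmark/xccdf:Profile", NS):
        title = profile.findtext("xccdf:title", default="", namespaces=NS)
        profiles.append((profile.get("id", ""), title.strip()))
    return profiles


def has_profile(data: bytes, keyword: str) -> bool:
    """True if any profile id or title contains keyword (case-insensitive)."""
    keyword = keyword.lower()
    return any(keyword in pid.lower() or keyword in title.lower()
               for pid, title in list_profiles(data))
```

To check a real file, read it in binary mode and pass the bytes to `list_profiles`; a file that raises `ValueError` is not a data stream in the form this example expects.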