Chapter 3. Configuring SCAP contents for compliance policies in Satellite
You can upload SCAP data streams and tailoring files to define compliance policies. These policies define the requirements for scanning systems against security standards such as Defense Information Security Agency Security Technical Implementation Guide (DISA STIG) or Payment Card Industry Data Security Standard (PCI DSS).
3.1. Listing available SCAP contents using Satellite web UI
View what SCAP contents are already loaded in Satellite before uploading additional SCAP contents. You can use Satellite web UI to view available SCAP contents.
Prerequisites
- Your user account has a role assigned that has the view_scap_contents permission.
Procedure
- In the Satellite web UI, navigate to Hosts > Compliance > SCAP contents.
3.2. Listing available SCAP contents using CLI
View what SCAP contents are already loaded in Satellite before uploading additional SCAP contents. You can use Hammer CLI to view available SCAP contents.
Prerequisites
- Your user account has a role assigned that has the view_scap_contents permission.
Procedure
Run the following Hammer command on Satellite Server:
$ hammer scap-content list \
  --location "My_Location" \
  --organization "My_Organization"
3.3. Loading the default SCAP contents
By loading the default SCAP contents on Satellite Server, you ensure that the data streams from the SCAP Security Guide (SSG) are loaded and assigned to all organizations and locations.
SSG is provided by the operating system of Satellite Server and installed in /usr/share/xml/scap/ssg/content/. Note that the available data streams depend on the operating system version on which Satellite runs. You can only use this SCAP content to scan hosts that have the same minor RHEL version as your Satellite Server. For more information, see Section 3.4, “Getting supported SCAP contents for RHEL”.
The default SCAP contents on Satellite Server get updated with new patch versions of Satellite. They might not contain the latest available version of security policies but only the version that was available when the patch version was built. If the policy files in /usr/share/xml/scap/ssg/content/ were updated after a new patch version became available, follow the procedure below to load them into Satellite.
Prerequisites
- Your user account has a role assigned that has the create_scap_contents permission.
Procedure
On Satellite Server, load the default SCAP contents:
$ hammer scap-content bulk-upload --type default
3.4. Getting supported SCAP contents for RHEL
You can obtain supported SCAP contents for Red Hat Enterprise Linux (RHEL) by downloading the latest SCAP Security Guide (SSG) to match your RHEL minor version from the Red Hat Customer Portal.
Procedure
- Access the SCAP Security Guide in the package browser.
- From the Version menu, select the latest SSG version for the minor version of RHEL that your hosts are running. For example, for RHEL 8.6, select a version named *.el8_6.
- Download the RPM package.
- Extract the data-stream file (*-ds.xml) from the RPM. For example:
  $ rpm2cpio scap-security-guide-0.1.69-3.el8_6.noarch.rpm \
    | cpio -iv --to-stdout ./usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml \
    > ssg-rhel-8.6-ds.xml
- Upload the data stream to Satellite. For more information, see the following sections:
Additional resources
- Supported versions of the SCAP Security Guide in RHEL in the Red Hat Knowledgebase
- SCAP Security Guide profiles supported in RHEL 9 in Red Hat Enterprise Linux 9 Security hardening
- SCAP Security Guide profiles supported in RHEL 8 in Red Hat Enterprise Linux 8 Security hardening
- SCAP Security Guide profiles supported in RHEL 7 in the Red Hat Enterprise Linux 7 Security Guide
3.5. Uploading additional SCAP content using Satellite web UI
You can upload additional SCAP content into Satellite Server, either content created by yourself or obtained elsewhere.
Red Hat only provides support for SCAP content obtained from Red Hat.
Prerequisites
- Your user account has a role assigned that has the create_scap_contents permission.
- You have acquired a SCAP data-stream file.
Procedure
- In the Satellite web UI, navigate to Hosts > Compliance > SCAP contents.
- Click Upload New SCAP Content.
- Enter a title in the Title text box, such as My SCAP Content.
- In Scap File, click Choose file, navigate to the location containing a SCAP data-stream file and click Open.
- On the Locations tab, select locations.
- On the Organizations tab, select organizations.
- Click Submit.
Verification
- If the SCAP content file is loaded successfully, a message similar to Successfully created My SCAP Content is displayed.
3.6. Uploading additional SCAP content using CLI
You can upload additional SCAP content into Satellite Server, either content created by yourself or obtained elsewhere.
Red Hat only provides support for SCAP content obtained from Red Hat.
Prerequisites
- Your user account has a role assigned that has the create_scap_contents permission.
- You have acquired a SCAP data-stream file.
Procedure
- Place the SCAP data-stream file in a directory on your Satellite Server, such as /usr/share/xml/scap/my_content/.
- Run the following Hammer command on Satellite Server:
  $ hammer scap-content bulk-upload --type directory \
    --directory /usr/share/xml/scap/my_content/ \
    --location "My_Location" \
    --organization "My_Organization"
Verification
- List the available SCAP contents. The list of SCAP contents includes the new title.
3.7. Customizing XCCDF profiles with tailoring files
You can use tailoring files to customize existing XCCDF profiles without editing the original SCAP content. After uploading a tailoring file, you can apply it in a compliance policy to customize an XCCDF profile.
Prerequisites
- Your user account has a role assigned that has the create_tailoring_files permission.
- You have a tailoring file to upload to Satellite. You can create a tailoring file by using the SCAP Workbench tool. For more information on using the SCAP Workbench tool, see Customizing SCAP Security Guide for your use case.
Note: A single tailoring file can contain customizations of multiple XCCDF profiles.
Procedure
- In the Satellite web UI, navigate to Hosts > Compliance > Tailoring Files.
- Click New Tailoring File.
- Enter a name in the Name text box.
- Click Choose File, navigate to the location containing the tailoring file and select Open.
- Click Submit to upload the chosen tailoring file.
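
To review what a tailoring file changes before you upload it, the following added example (not part of the Satellite documentation) parses an XCCDF 1.2 tailoring file and reports, for each customized profile, the base profile it extends, the rules it switches off or on, and the values it overrides. The sample file and every ID in it are constructed for illustration.

```python
# Added example: summarise an XCCDF 1.2 tailoring file before uploading it.
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample with two customized profiles; all ids are made up.
SAMPLE = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_default">
  <xccdf:benchmark href="ssg-rhel8-ds.xml"/>
  <xccdf:version time="2024-01-01T00:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_example_profile_stig_customized" extends="xccdf_example_profile_stig">
    <xccdf:title>STIG [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_example_rule_a" selected="false"/>
    <xccdf:set-value idref="xccdf_example_value_x">900</xccdf:set-value>
  </xccdf:Profile>
  <xccdf:Profile id="xccdf_example_profile_pci_customized" extends="xccdf_example_profile_pci">
    <xccdf:title>PCI-DSS [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_example_rule_b" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def summarize_tailoring(xml_text):
    """Return one dict per customized profile found in the tailoring file."""
    # A tailoring file needs no DTD; refuse one rather than parse entity declarations.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not expected in a tailoring file")
    root = ET.fromstring(xml_text)
    if root.tag != XCCDF + "Tailoring":
        raise ValueError("not an XCCDF 1.2 tailoring file")
    summary = []
    for prof in root.findall(XCCDF + "Profile"):
        selects = prof.findall(XCCDF + "select")
        summary.append({
            "id": prof.get("id"),
            "extends": prof.get("extends"),
            # Rules switched off weaken the base profile and deserve review.
            "disabled": [s.get("idref") for s in selects if s.get("selected") in ("false", "0")],
            "enabled": [s.get("idref") for s in selects if s.get("selected") in ("true", "1")],
            "values": {v.get("idref"): (v.text or "").strip() for v in prof.findall(XCCDF + "set-value")},
        })
    return summary

if __name__ == "__main__":
    for p in summarize_tailoring(SAMPLE):
        print(p["id"], "extends", p["extends"], "| disabled:", p["disabled"], "| values:", p["values"])
```
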