Red Hat Summit6.3.2. Creating a Compliance Policy
With Satellite 6, you can create a compliance policy to scan your content hosts to ensure that the hosts remain compliant to your security requirements.
You can use either Puppet or Ansible to deploy the compliance policy to your hosts. Note that Puppet runs by default every 30 minutes. If you assign a new policy, the next Puppet run synchronizes the policy to the host. However Ansible does not perform scheduled runs. To add a new policy, you must run Ansible role manually or using remote execution. For more information about remote execution, see Configuring and Setting up Remote Jobs in the Managing Hosts guide.
Prerequisites
Before you begin, you must decide whether you want to use a Puppet or Ansible deployment.
- For Puppet deployment, ensure that each host that you want to audit is associated with a Puppet environment. For more information, see 「Importing OpenSCAP Puppet Modules」.
-
For Ansible deployment, ensure that you import the
theforeman.foreman_scap_clientAnsible role. For more information about importing Ansible roles, see Getting Started with Ansible in Satellite in Configuring Satellite to use Ansible.
Procedure
- Navigate to Hosts > Policies, and select whether you want a manual, Ansible, or Puppet deployment.
- Enter a name for this policy, a description (optional), then click Next.
Select the SCAP Content and XCCDF Profile to be applied, then click Next.
Until BZ#1704582 is resolved, note that the
Default XCCDF Profilemight return an empty report.Specify the scheduled time when the policy is to be applied, then click Next.
Select Weekly, Monthly, or Custom from the Period list.
- If you select Weekly, also select the desired day of the week from the Weekday list.
- If you select Monthly, also specify the desired day of the month in the Day of month field.
If you select Custom, enter a valid Cron expression in the Cron line field.
The Custom option allows for greater flexibility in the policy’s schedule than either the Weekly or Monthly options.
- Select the locations to which the policy is to be applied, then click Next.
- Select the organizations to which the policy is to be applied, then click Next.
- Select the host groups to which the policy is to be applied, then click Submit.
When the Puppet agent runs on the hosts which belong to the selected host group, or hosts to which the policy has been applied, the OpenSCAP client will be installed and a Cron job added with the policy’s specified schedule. The SCAP Content tab provides the name of the SCAP content file which will be distributed to the directory /var/lib/openscap/content/ on all target hosts.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}