
Chapter 9. Deploying compliance policies


To deploy a compliance policy, you must install the SCAP client, update the cron schedule file, and upload the SCAP content selected in the policy onto a host.

9.1. Inclusion of remote SCAP resources

SCAP data streams can reference remote resources, such as OVAL files, that the SCAP client fetches over the internet when it runs on hosts. If a data stream requires a remote resource, you can see a warning from the OpenSCAP Scanner tool on your Satellite Server, such as:

# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | grep "WARNING"
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file
which is referenced from datastream

By default, the SCAP client is configured to ignore the remote resources and skip the XCCDF rules that rely on the resources. The skipped rules then result in the notchecked status.

For hosts with internet access, you can enable the download of remote resources on hosts in Satellite. For information about applying remote SCAP resources to hosts that cannot access the internet, see Section 9.2, “Applying remote SCAP resources in a disconnected environment”.

Using the Ansible deployment method

Override the following Ansible variable:

  • Name: foreman_scap_client_fetch_remote_resources
  • Type: boolean
  • Value: true

For more information, see Overriding Ansible Variables in Satellite in Managing configurations using Ansible integration.

Using the Puppet deployment method

Configure the following Puppet Smart Class Parameter:

  • Name: fetch_remote_resources
  • Type: boolean
  • Value: true

For more information, see Configuring Puppet Smart Class Parameters in Managing configurations using Puppet integration.

9.2. Applying remote SCAP resources in a disconnected environment

SCAP data streams can contain remote resources, such as OVAL files, that the SCAP client can fetch over the internet when it runs on hosts. If your hosts do not have internet access, you must download the remote SCAP resources yourself and distribute them from Satellite Server to your hosts as local files: publish the files in a custom file type repository and download them from that repository on the hosts.

Prerequisites

Procedure

  1. On your Satellite Server, examine the data stream you use in your compliance policy to find out which missing resource you must download:

    # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml | grep "WARNING"
    WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
    points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
    Use '--fetch-remote-resources' option to download it.
    WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file
    which is referenced from datastream
  2. Examine the name of the local file that is referenced by the data stream:

    # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    ...
    		Referenced check files:
    			ssg-rhel8-oval.xml
    				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
    			ssg-rhel8-ocil.xml
    				system: http://scap.nist.gov/schema/ocil/2
    			security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2
    				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
    ...
  3. On an online machine, download the missing resource:

    # curl -o security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2
    Important: Ensure that the name of the downloaded file matches the name the data stream references, which can differ from the file name at the end of the URL.

  4. Add the file as new custom file type content into your Satellite Server. For more information, see Managing custom file type content in Managing content.

    Note the URL on which your repository is published, such as http://satellite.example.com/pulp/content/My_Organization_Label/Library/custom/My_Product_Label/My_Repo_Label/.

  5. Schedule a remote job to upload the file to the home directory of root on your host. For example, use the Run Command - Script Default job template and enter the following command:

    # curl -o /root/security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 http://satellite.example.com/pulp/content/My_Organization_Label/Library/custom/My_Product_Label/My_Repo_Label/security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2

    For more information about running remote jobs, see Executing a Remote Job in Managing hosts.

  6. Continue with deploying your compliance policy.
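The procedure above hinges on saving each remote resource under the name the data stream references rather than the name in its URL. The following POSIX shell script is an added example, not part of the Satellite documentation: it parses saved `oscap info` output (a constructed sample built from the warnings and "Referenced check files" shown above), maps each remote URL to the referenced local file name, and checks that the files exist on the host under those names.

```shell
#!/bin/sh
# Added example, not part of the Satellite documentation: map each remote
# resource that `oscap info` warns about to the local file name the data
# stream references, so step 3 saves the download under the expected name
# (the URL basename often differs from the referenced name, as shown above).

# Constructed sample of `oscap info <datastream>` output, cut down to the
# lines this script needs.
sample_info() {
cat <<'EOF'
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
Use '--fetch-remote-resources' option to download it.
		Referenced check files:
			ssg-rhel8-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
EOF
}

# Remote URLs named in the WARNING lines (stdin: oscap info output).
remote_urls() {
    sed -n "s/.*points out to the remote '\([^']*\)'.*/\1/p"
}

# File names listed under "Referenced check files:" (stdin: oscap info output).
referenced_files() {
    awk '/Referenced check files:/ { f = 1; next }
         f && $0 !~ /^[ \t]/   { f = 0 }
         f && $1 != "system:"  { print $1 }'
}

# Print "<local name> <url>" per remote resource; the local name is the
# referenced check file whose name ends with the URL basename.
resource_map() {
    info=$(cat)
    printf '%s\n' "$info" | remote_urls | while read -r url; do
        base=${url##*/}
        name=$(printf '%s\n' "$info" | referenced_files |
               awk -v b="$base" 'substr($0, length($0) - length(b) + 1) == b { print; exit }')
        printf '%s %s\n' "${name:-UNRESOLVED}" "$url"
    done
}

# Exit 0 only if every referenced remote resource exists as a local file in
# directory $1 (for example /root on the host after step 5) under that name.
verify_local_resources() {
    dir=$1
    resource_map | while read -r name url; do
        [ -f "$dir/$name" ] || { echo "missing: $dir/$name ($url)" >&2; exit 1; }
    done
}

# Stand-alone run on the constructed sample; on Satellite Server pipe the real
# output (stdout and stderr) of `oscap info <datastream>` into resource_map.
sample_info | resource_map
```

Each line of the map is ready for step 3, for example `curl -o "$name" "$url"`, and `verify_local_resources /root` run through the remote job in step 5 confirms the host has every file the data stream expects.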

9.3. Deploying a policy in a host group using Ansible

After you deploy a compliance policy in a host group using Ansible, the Ansible role installs the SCAP client and configures OpenSCAP scans on the hosts according to the selected compliance policy.

The SCAP content in the compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.

Prerequisites

  • You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.
  • Repositories for the operating system version of the host are synchronized on Satellite Server and enabled on the host.

    • Red Hat Enterprise Linux 9 BaseOS and Appstream RPMs repositories
    • Red Hat Enterprise Linux 8 BaseOS and Appstream RPMs repositories
    • Red Hat Enterprise Linux 7 Server and Extras RPMs repositories
  • Red Hat Satellite Client 6 repository for the operating system version of the host is synchronized on Satellite Server, available in the content view and the lifecycle environment of the host, and enabled for the host. For more information, see Changing the repository sets status for a host in Satellite in Managing content. This repository is required for installing the SCAP client.
  • You have created a compliance policy with the Ansible deployment option and assigned the host group.

Procedure

  1. In the Satellite web UI, navigate to Configure > Host Groups.
  2. Click the host group that you want to configure for OpenSCAP reporting.
  3. From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  4. On the Ansible Roles tab, assign the theforeman.foreman_scap_client Ansible role.
  5. Optional: On the Parameters tab, configure any Ansible variables of the role.
  6. Click Submit to save your changes.
  7. In the row of the required host group, navigate to the Actions column and select Run all Ansible roles.

9.4. Deploying a policy on a host using Ansible

After you deploy a compliance policy on a host using Ansible, the Ansible role installs the SCAP client and configures OpenSCAP scans on the host according to the selected compliance policy.

The SCAP content in the compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.

Prerequisites

  • You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.
  • Repositories for the operating system version of the host are synchronized on Satellite Server and enabled on the host.

    • Red Hat Enterprise Linux 9 BaseOS and Appstream RPMs repositories
    • Red Hat Enterprise Linux 8 BaseOS and Appstream RPMs repositories
    • Red Hat Enterprise Linux 7 Server and Extras RPMs repositories
  • Red Hat Satellite Client 6 repository for the operating system version of the host is synchronized on Satellite Server, available in the content view and the lifecycle environment of the host, and enabled for the host. For more information, see Changing the repository sets status for a host in Satellite in Managing content. This repository is required for installing the SCAP client.
  • You have created a compliance policy with the Ansible deployment option.

Procedure

  1. In the Satellite web UI, navigate to Hosts > All Hosts, and select Edit on the host you want to configure for OpenSCAP reporting.
  2. From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  3. On the Ansible Roles tab, add the theforeman.foreman_scap_client Ansible role.
  4. Optional: On the Parameters tab, configure any Ansible variables of the role.
  5. Click Submit to save your changes.
  6. Click the Hosts breadcrumbs link to navigate back to the host index page.
  7. Select the host or hosts to which you want to add the policy.
  8. Click Select Action.
  9. Select Assign Compliance Policy from the list.
  10. In the Assign Compliance Policy window, select Remember hosts selection for the next bulk action.
  11. Select the required policy from the list of available policies and click Submit.
  12. Click Select Action.
  13. Select Run all Ansible roles from the list.

9.5. Deploying a policy in a host group using Puppet

After you deploy a compliance policy in a host group using Puppet, the Puppet agent installs the SCAP client and configures OpenSCAP scans on the hosts on the next Puppet run according to the selected compliance policy.

The SCAP content in your compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.

Prerequisites

  • You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.
  • Repositories for the operating system version of the host are synchronized on Satellite Server and enabled on the host.

    • Red Hat Enterprise Linux 9 BaseOS and Appstream RPMs repositories
    • Red Hat Enterprise Linux 8 BaseOS and Appstream RPMs repositories
    • Red Hat Enterprise Linux 7 Server and Extras RPMs repositories
  • Red Hat Satellite Client 6 repository for the operating system version of the host is synchronized on Satellite Server, available in the content view and the lifecycle environment of the host, and enabled for the host. For more information, see Changing the repository sets status for a host in Satellite in Managing content. This repository is required for installing the SCAP client.
  • You have created a compliance policy with the Puppet deployment option and assigned the host group.

Procedure

  1. In the Satellite web UI, navigate to Configure > Host Groups.
  2. Click the host group that you want to configure for OpenSCAP reporting.
  3. In the Environment list, select the Puppet environment that contains the foreman_scap_client* Puppet classes.
  4. In the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  5. On the Puppet ENC tab, add the foreman_scap_client Puppet class.
  6. Optional: Configure any Puppet Class Parameters.
  7. Click Submit to save your changes.

9.6. Deploying a policy on a host using Puppet

After you deploy a compliance policy on a host using Puppet, the Puppet agent installs the SCAP client and configures OpenSCAP scans on the host on the next Puppet run according to the selected compliance policy.

The SCAP content in your compliance policy might require remote resources. For more information, see Section 9.1, “Inclusion of remote SCAP resources”.

Prerequisites

  • You have enabled OpenSCAP on your Capsule. For more information, see Enabling OpenSCAP on Capsule Servers in Installing Capsule Server.
  • Repositories for the operating system version of the host are synchronized on Satellite Server and enabled on the host.

    • Red Hat Enterprise Linux 9 BaseOS and Appstream RPMs repositories
    • Red Hat Enterprise Linux 8 BaseOS and Appstream RPMs repositories
    • Red Hat Enterprise Linux 7 Server and Extras RPMs repositories
  • Red Hat Satellite Client 6 repository for the operating system version of the host is synchronized on Satellite Server, available in the content view and the lifecycle environment of the host, and enabled for the host. For more information, see Changing the repository sets status for a host in Satellite in Managing content. This repository is required for installing the SCAP client.
  • You have created a compliance policy with the Puppet deployment option.

Procedure

  1. In the Satellite web UI, navigate to Hosts > All Hosts, and select Edit on the host you want to configure for OpenSCAP reporting.
  2. From the Environment list, select the Puppet environment that contains the foreman_scap_client and foreman_scap_client::params Puppet classes.
  3. From the OpenSCAP Capsule list, select the Capsule with OpenSCAP enabled that you want to use.
  4. On the Puppet ENC tab, add the foreman_scap_client Puppet class.
  5. Optional: Configure any Puppet Class Parameters.
  6. Click the Hosts breadcrumbs link to navigate back to the host index page.
  7. Select the host or hosts to which you want to add the policy.
  8. Click Select Action.
  9. Select Assign Compliance Policy from the list.
  10. In the Assign Compliance Policy window, select Remember hosts selection for the next bulk action.
  11. Select the required policy from the list of available policies and click Submit.