Chapter 4. Managing compliance policies


A compliance policy is a scheduled audit that checks the specified hosts for compliance against a specific XCCDF profile from SCAP content. Before you can deploy compliance policies to scan your hosts, you must define these policies on Satellite.

4.1. Configuring compliance policy deployment methods

Before you can start creating compliance policies, choose your preferred method of deploying compliance policies. Some of these methods require you to configure your Satellite Server to enable them.

4.1.1. Deployment options for compliance policies

With Satellite, multiple methods are available for compliance policy deployment.

You can use one of the following methods to deploy compliance policies:

Ansible deployment
You use an Ansible role to configure hosts for compliance scans.
Puppet deployment
You use a Puppet class and the OpenVox agent to configure hosts for compliance scans.
Manual deployment
You manually configure hosts for compliance scans.

For the manual deployment method, no additional Satellite configuration is required.

4.1.2. Configuring Satellite for Ansible compliance policy deployment

If you want to use Ansible to deploy compliance policies, configure Satellite for Ansible compliance policy deployment.

Procedure

  1. Import the theforeman.foreman_scap_client Ansible role.

    For more information, see Managing configurations by using Ansible integration.

  2. Assign the created policy and the theforeman.foreman_scap_client Ansible role to a host or host group.
  3. To trigger the deployment, either run the Ansible role on the host or host group manually, or set up a recurring job by using remote execution for regular policy updates.

    For more information, see Configuring and setting up remote jobs in Managing hosts.

4.1.3. Configuring Satellite for Puppet compliance policy deployment

If you want to use Puppet to deploy compliance policies, configure Satellite for Puppet compliance policy deployment.

Procedure

  1. Ensure Puppet is enabled.
  2. Ensure the OpenVox agent is installed on hosts.
  3. Import the Puppet environment that contains the foreman_scap_client Puppet module.

    For more information, see Managing configurations by using Puppet integration.

  4. Assign the created policy and the foreman_scap_client Puppet class to a host or host group.

    Puppet triggers the deployment on the next regular run or you can run Puppet manually. Puppet runs every 30 minutes by default.

4.2. Creating a compliance policy

By creating a compliance policy, you can define and plan your security compliance requirements, and ensure that your hosts remain compliant with your security policies.

Prerequisites

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Policies.
  2. Click New Policy or New Compliance Policy.
  3. Select the deployment method: Ansible, Puppet, or Manual. Then click Next.
  4. Enter a name for this policy, a description (optional), then click Next.
  5. Select the SCAP Content and XCCDF Profile to be applied, then click Next.

    Note that Satellite does not detect whether the selected XCCDF profile contains any rules. An empty XCCDF profile, such as the Default XCCDF Profile, will return empty reports.

  6. Optional: To customize the XCCDF profile, select a Tailoring File and an XCCDF Profile in Tailoring File, then click Next.
  7. Specify the scheduled time when the policy is to be applied. Select Weekly, Monthly, or Custom from the Period list. The Custom option allows for greater flexibility in the policy’s schedule.

    • If you select Weekly, also select the desired day of the week from the Weekday list.
    • If you select Monthly, also specify the desired day of the month in the Day of month field.
    • If you select Custom, enter a valid Cron expression in the Cron line field.
  8. Select the locations to which to apply the policy, then click Next.
  9. Select the organizations to which to apply the policy, then click Next.
  10. Optional: Select the host groups to which to assign the policy.
  11. Click Submit.
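
Because Satellite does not detect empty XCCDF profiles (see the note in step 5), you can count the rules each profile selects before you choose one. The following check is an added example, not part of the Satellite documentation or tooling; the sample benchmark and its IDs are constructed, `(default)` stands for a scan with no profile selected, and profiles that use `extends` or select by `cluster-id` are assumed not to occur.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed, trimmed sample (titles and checks omitted); not real SCAP content.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_baseline">
    <select idref="xccdf_example_rule_sshd_root_login" selected="true"/>
    <select idref="xccdf_example_rule_audit_enabled" selected="true"/>
  </Profile>
  <Profile id="xccdf_example_profile_empty"/>
  <Group id="xccdf_example_group_services">
    <Rule id="xccdf_example_rule_sshd_root_login" selected="false"/>
    <Rule id="xccdf_example_rule_audit_enabled" selected="false"/>
  </Group>
</Benchmark>"""

def _is_true(value):
    return value in ("true", "1")

def _count(node, overrides):
    """Count Rules below node that would be evaluated."""
    total = 0
    for child in node:
        if child.tag not in (NS + "Group", NS + "Rule"):
            continue
        # A profile <select> overrides the item's own 'selected' (default: true).
        default = _is_true(child.get("selected", "true"))
        if not overrides.get(child.get("id"), default):
            continue  # a deselected Group disables everything below it
        total += 1 if child.tag == NS + "Rule" else _count(child, overrides)
    return total

def selected_rule_counts(xml_text):
    """Map each profile id, plus '(default)' for no profile, to its rule count."""
    root = ET.fromstring(xml_text)
    bench = root if root.tag == NS + "Benchmark" else root.find(f".//{NS}Benchmark")
    if bench is None:
        raise ValueError("no XCCDF 1.2 Benchmark element found")
    counts = {"(default)": _count(bench, {})}
    for profile in bench.findall(NS + "Profile"):
        overrides = {s.get("idref"): _is_true(s.get("selected"))
                     for s in profile.findall(NS + "select")}
        counts[profile.get("id")] = _count(bench, overrides)
    return counts

def empty_profiles(xml_text):
    """Profiles that select no rules and would therefore produce empty reports."""
    return [pid for pid, n in selected_rule_counts(xml_text).items() if n == 0]
```

Pass the text of an XCCDF 1.2 benchmark, or of a SCAP source data stream that wraps one, to `empty_profiles()`; any profile ID it returns would yield an empty report if used in a policy.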

4.3. Viewing a compliance policy

You can preview the rules that a specific combination of OpenSCAP content and profile will apply. This is useful when you plan policies.

Prerequisites

  • Your user account has a role assigned that has the view_policies permission.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Policies.
  2. In the Actions column of the required policy, click Show Guide or select it from the list.

4.4. Editing a compliance policy

You can change the attributes of a compliance policy by editing it in the Satellite web UI.

The OpenVox agent applies an edited policy to the host on the next run. By default, this occurs every 30 minutes. If you use Ansible, you must either run the Ansible role again manually or have a recurring remote execution job configured that runs the Ansible role on hosts.

Prerequisites

  • Your user account has a role assigned that has the view_policies and edit_policies permissions.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Policies.
  2. Click the name of the required policy.
  3. Edit the necessary attributes.
  4. Click Submit.

4.5. Deleting a compliance policy

In the Satellite web UI, you can delete existing compliance policies. Deleting a compliance policy removes it from your Satellite Server.

Prerequisites

  • Your user account has a role assigned that has the view_policies and destroy_policies permissions.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Policies.
  2. In the Actions column of the required policy, select Delete from the list.
  3. Click OK in the confirmation message.