Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Chapter 6. Configuring SCAP contents

You can upload SCAP data streams and tailoring files to define compliance policies.

6.1. Loading the default SCAP contents
复制链接

By loading the default SCAP contents on Satellite Server, you ensure that the data streams from the SCAP Security Guide (SSG) are loaded and assigned to all organizations and locations.

SSG is provided by the operating system of Satellite Server and installed in /usr/share/xml/scap/ssg/content/. Note that the available data streams depend on the operating system version on which Satellite runs. You can only use this SCAP content to scan hosts that have the same minor RHEL version as your Satellite Server. For more information, see Section 6.2, “Getting supported SCAP contents for RHEL”.

Important

The default SCAP contents on Satellite Server get updated with new patch versions of Satellite. They might not contain the latest available version of security policies but only the version that was available when the patch version was built. If the policy files in /usr/share/xml/scap/ssg/content/ were updated after a new patch version became available, follow the procedure below to load them into Satellite.

Prerequisites

  • Your user account has a role assigned that has the create_scap_contents permission.

Procedure

  • Use the following Hammer command on Satellite Server: 

    $ hammer scap-content bulk-upload --type default
    Copy to Clipboard Toggle word wrap

6.2. Getting supported SCAP contents for RHEL
复制链接

You can get the latest SCAP Security Guide (SSG) for Red Hat Enterprise Linux on the Red Hat Customer Portal. You have to get a version of SSG that is designated for the minor RHEL version of your hosts.

Procedure

  1. Access the SCAP Security Guide in the package browser.
  2. From the Version menu, select the latest SSG version for the minor version of RHEL that your hosts are running. For example, for RHEL 8.6, select a version named *.el8_6.
  3. Download the package RPM.

  4. Extract the data-stream file (*-ds.xml) from the RPM. For example: 

    $ rpm2cpio scap-security-guide-0.1.69-3.el8_6.noarch.rpm \
| cpio -iv --to-stdout ./usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml \
> ssg-rhel-8.6-ds.xml
    Copy to Clipboard Toggle word wrap

  5. Upload the data stream to Satellite. For more information, see the following sections:

Additional resources

You can upload additional SCAP content into Satellite Server, either content created by yourself or obtained elsewhere. Note that Red Hat only provides support for SCAP content obtained from Red Hat.

Prerequisites

  • Your user account has a role assigned that has the create_scap_contents permission.
  • You have acquired a SCAP data-stream file.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > SCAP contents.
  2. Click Upload New SCAP Content.
  3. Enter a title in the Title text box, such as My SCAP Content.
  4. In Scap File, click Choose file, navigate to the location containing a SCAP data-stream file and click Open.
  5. On the Locations tab, select locations.
  6. On the Organizations tab, select organizations.
  7. Click Submit.

Verification

  • If the SCAP content file is loaded successfully, a message similar to Successfully created My SCAP Content is displayed.

6.4. Uploading additional SCAP content using CLI
复制链接

You can upload additional SCAP content into Satellite Server, either content created by yourself or obtained elsewhere. Note that Red Hat only provides support for SCAP content obtained from Red Hat.

Prerequisites

  • Your user account has a role assigned that has the create_scap_contents permission.
  • You have acquired a SCAP data-stream file.

Procedure

  1. Place the SCAP data-stream file to a directory on your Satellite Server, such as /usr/share/xml/scap/my_content/.

  2. Run the following Hammer command on Satellite Server: 

    $ hammer scap-content bulk-upload --type directory \
--directory /usr/share/xml/scap/my_content/ \
--location "My_Location" \
--organization "My_Organization"
    Copy to Clipboard Toggle word wrap

Verification

6.5. Tailoring XCCDF profiles
复制链接

You can customize existing XCCDF profiles by using tailoring files without editing the original SCAP content. A single tailoring file can contain customizations of multiple XCCDF profiles.

You can create a tailoring file by using the SCAP Workbench tool. For more information on using the SCAP Workbench tool, see Customizing SCAP Security Guide for your use case.

Then you can assign a tailoring file to a compliance policy to customize an XCCDF profile in the policy.

6.6. Uploading a tailoring file
复制链接

After uploading a tailoring file, you can apply it in a compliance policy to customize an XCCDF profile.

Prerequisites

  • Your user account has a role assigned that has the create_tailoring_files permission.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Tailoring Files and click New Tailoring File.
  2. Enter a name in the Name text box.
  3. Click Choose File, navigate to the location containing the tailoring file and select Open.
  4. Click Submit to upload the chosen tailoring file.
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat