Homelab<\/h2>\n
We have Katello installed on a CentOS 7 server:<\/p>\n
katello.hl.local (10.11.1.4) \u2013 see here<\/a> for installation instructions<\/p>\n See the image below to identify the homelab part this article applies to.<\/p>\n The Security Content Automation Protocol (SCAP) enables the definition of configuration and security policies, also the means of auditing for compliance with those policies. In Foreman, SCAP is implemented with the tools provided by the OpenSCAP project.<\/p>\n The OpenSCAP plugin enables Foreman to receive automated vulnerability assessment and security compliance audits from Foreman hosts. We can upload SCAP compliance contents, create compliance policies out of them and assign the policies to hosts or hostgroups.<\/p>\n Detailed installation instructions can be found on the Foreman website. See references for a weblink.<\/p>\n We need to install the following:<\/p>\n # foreman-installer –enable-foreman-plugin-openscap<\/p>\n # foreman-installer –enable-foreman-proxy-plugin-openscap<\/p>\n If you want to, you can modify \/etc\/foreman-proxy\/settings.d\/openscap.yml with custom settings.<\/p>\n After installing smart_proxy_openscap on the proxy, refresh features of the proxy so it will register with OpenSCAP feature on the Foreman.<\/p>\n This puppet module will automatically install foreman_scap_client and configure the client with all parameters needed for the operation of foreman_scap_client.<\/p>\n # puppet module install theforeman-foreman_scap_client –environment homelab
After installing the module, import new Puppet classes via Katello WebUI:<\/p>\n Configure > Puppet Classes > Import environments from katello.hl.local<\/p>\n Starting with puppet-foreman_scap_client 0.3.14 shipped with Foreman 1.14 the Foreman plugins yum repo can be set up if you define at least Foreman\u2019s major release version. This repository is needed to install foreman_scap_client, which will fail otherwise. <\/p>\n Note that packages are not signed.<\/p>\n Create a new repository and sync it:<\/p>\n # hammer repository create
Add the new repository to the content view:<\/p>\n # hammer content-view add-repository
Publish a new version of the content view that includes the Foreman plugins repository:<\/p>\n # hammer content-view publish
Let us see the version number that we want to promote:<\/p>\n # hammer content-view version list<\/p>\n Promote content view version to our \u201cstable\u201d lifecycle environment:<\/p>\n # hammer content-view version promote
At this point the new repository should be available to clients.<\/p>\n This following will search for scap-security-guide SCAP contents and create SCAP content on the Foreman.<\/p>\n # foreman-rake foreman_openscap:bulk_upload:default
Open Katello WebUI and navigate to the following:<\/p>\n Hosts > Compliance > Policies > New Compliance Policy<\/p>\n Create a new policy and provide the following details:<\/p>\n The result should look something like this:<\/p>\n This will assign the policy to the specified hostgroup. All hosts which belong to the hostgroup will automatically be assigned to the policy, and the Puppet class will be included.<\/p>\n Open Katello WebUI, edit Host Group and specify OpenSCAP Proxy:<\/p>\n Make sure that all hosts that are assigned to the hostgroup have OpenSCAP Proxy assigned.<\/p>\n Hosts will get foreman_scap_client automatically installed and configured on the next Puppet agent run. There will be a cron file created \/etc\/cron.d\/foreman_scap_client_cron that runs according to the schedule that was chosen when creating the policy.<\/p>\n Check the content of the cron file on a host you want to run the client on (we use db1.hl.local):<\/p>\n [db1]# cat \/etc\/cron.d\/foreman_scap_client_cron
Copy the line from the file and run:<\/p>\n [db1]# \/usr\/bin\/foreman_scap_client 1
Reports can be found here: Hosts > Compliance > Reports<\/p>\n Default SCAP policies may not suit your needs and can therefore be edited. SCAP Workbench is a graphical utility that offers an easy way of doing that.<\/p>\n Workbench allows you to modify an XCCDF profile in an easy way without changing the respective XCCDF file. The tool provides a graphical way to enable or disable XCCDF elements. Your changes can be stored as an XCCDF tailoring file.<\/p>\n https:\/\/www.theforeman.org\/plugins\/foreman_openscap\/0.8\/index.html<\/a><\/p>\n https:\/\/www.open-scap.org\/tools\/scap-workbench\/<\/a><\/p>\n![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/04\/lisenet-homelab-diagram_katello.png\")
<\/p>\nOpenSCAP<\/h2>\n
Installation<\/h2>\n
\n
Install foreman_openscap<\/h3>\n
Install smart_proxy_openscap<\/h3>\n
Install Puppet Module puppet-foreman_scap_client<\/h3>\n
\nNotice: Preparing to install into \/etc\/puppetlabs\/code\/environments\/homelab\/modules …
\nNotice: Downloading from https:\/\/forgeapi.puppet.com …
\nNotice: Installing — do not interrupt …
\n\/etc\/puppetlabs\/code\/environments\/homelab\/modules
\n\u2514\u2500\u252c theforeman-foreman_scap_client (v0.3.18)
\n \u2514\u2500\u2500 puppetlabs-stdlib (v4.24.0)<\/p>\nSetup Foreman Plugins Repository<\/h3>\n
\n –product “el7_repos”
\n –name “foreman-plugins-117”
\n –label “foreman-plugins-117”
\n –content-type “yum”
\n –download-policy “on_demand”
\n –url “https:\/\/yum.theforeman.org\/plugins\/1.17\/el7\/x86_64\/”
\n# hammer repository synchronize
\n –name “foreman-plugins-117”
\n –product “el7_repos”<\/p>\n
\n –name “el7_content”
\n –product “el7_repos”
\n –repository “foreman-plugins-117”<\/p>\n
\n –name “el7_content”
\n –description “Publishing foreman plugins 1.17”<\/p>\n
\n –content-view “el7_content”
\n –version “11.0”
\n –to-lifecycle-environment “stable”
\n –description “Publishing foreman plugins 1.17”<\/p>\nUsage<\/h2>\n
Create Default SCAP Content<\/h3>\n
\nSaved \/usr\/share\/xml\/scap\/ssg\/content\/ssg-centos6-ds.xml as Red Hat centos6 default content
\nSaved \/usr\/share\/xml\/scap\/ssg\/content\/ssg-centos7-ds.xml as Red Hat centos7 default content
\nSaved \/usr\/share\/xml\/scap\/ssg\/content\/ssg-firefox-ds.xml as Red Hat firefox default content
\nSaved \/usr\/share\/xml\/scap\/ssg\/content\/ssg-jre-ds.xml as Red Hat jre default content
\nSaved \/usr\/share\/xml\/scap\/ssg\/content\/ssg-rhel6-ds.xml as Red Hat rhel6 default content
\nSaved \/usr\/share\/xml\/scap\/ssg\/content\/ssg-rhel7-ds.xml as Red Hat rhel7 default content<\/p>\nCreate Policy Wizard<\/h3>\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/07\/lisenet-openscap-policy.png\")
<\/p>\n\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/07\/lisenet-openscap-policy-done.png\")
<\/p>\n![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/07\/lisenet-openscap-puppet-class.png\")
<\/p>\n![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/07\/lisenet-openscap-proxy.png\")
<\/p>\nHow to Run foreman_scap_client Manually<\/h3>\n
\n# DO NOT EDIT THIS FILE MANUALLY
\n# IT IS MANAGED BY PUPPET
\n
\n# foreman_scap_client cron job
\n
\n# Runs foreman_scap_client 1
\n0 1 * * 0 root \/usr\/bin\/foreman_scap_client 1 > \/dev\/null<\/p>\n
\n[…]
\nUploading results to https:\/\/katello.hl.local:9090\/compliance\/arf\/1<\/p>\n![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/07\/lisenet-openscap-report.png\")
<\/p>\nSCAP Workbench and Tailoring Files<\/h3>\n
References<\/h2>\n