Chapter 10. Automating Compliance with Red Hat Satellite

Abstract

Goal Automate and scale your ability to perform OpenSCAP compliance checks and remediate compliance issues using Red Hat Satellite.
Objectives
  • Configure an existing Red Hat Satellite to perform OpenSCAP scans of registered servers.

  • Perform OpenSCAP scans of registered systems from the Red Hat Satellite interface and evaluate the results of those scans.

  • Apply a tailoring file to a SCAP profile in Red Hat Satellite and use the customized SCAP policy to scan registered servers.

Sections
  • Configuring Red Hat Satellite for OpenSCAP (and Guided Exercise)

  • Scan OpenSCAP Compliance with Red Hat Satellite (and Guided Exercise)

  • Customize OpenSCAP Policy in Red Hat Satellite (and Guided Exercise)

Lab

Automating Compliance with Red Hat Satellite

Configuring Red Hat Satellite for OpenSCAP

Objectives

After completing this section, students should be able to configure an existing Red Hat Satellite to perform OpenSCAP scans of registered servers.

Security Compliance Management with Red Hat Satellite

A security administrator manages security compliance by defining security policies and auditing hosts for compliance based on the policies defined. Any noncompliant hosts are remediated based on the organization's compliance requirements. These compliance policies need to be flexible, because an organization's policy might vary depending on the services provided by the host or the industry to which the organization belongs.

Red Hat Satellite is a systems management tool that can be used to configure new systems and provide software updates from Red Hat Network. It serves as a local repository of software content and a central point of management for Red Hat entitlements. Red Hat Satellite also performs provisioning and configuration management of systems to adhere to predefined standard operating environments.

One of the major benefits of Red Hat Satellite is that it can scale effectively to meet the demands of large enterprises. With the correct design, Red Hat Satellite delivers solid performance in the face of increasing workloads, even across a geographically distributed environment.

Several options are available for administering and using a Satellite Server. A web browser can be used to manage the Satellite Server through its web interface. A command-line interface is also available. Administrators with programming experience can use an API to create custom workflows or task automation.

Red Hat Satellite 6 can use the Security Content Automation Protocol (SCAP) to define security policies and monitor Satellite clients for policy compliance. You can use the Satellite Server to schedule recurring compliance auditing and reporting on all registered hosts. This allows security administrators to use a single interface to manage, monitor, and remediate groups of hosts based on the organization's compliance requirements.

Integrating OpenSCAP with Red Hat Satellite

Red Hat Satellite provides default SCAP content based on the version of Red Hat Enterprise Linux using the scap-security-guide package. With the scap-security-guide package for Red Hat Enterprise Linux 7, the SCAP content for both Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 is installed on the Satellite Server. The Satellite Server administrator can either create SCAP content or upload SCAP content from external sources. The SCAP content contains the Extensible Configuration Checklist Description Format (XCCDF) profile that defines the rules to be evaluated against a host or host group.

In Red Hat Satellite, a scheduled audit is referred to as a compliance policy. This is a scheduled task that checks the specified hosts or host groups for compliance against an XCCDF profile. The schedule is specified on the Satellite Server in the compliance policy, but the scans are performed on the hosts. On completion of a compliance scan, an Asset Reporting File (ARF) is generated in XML format and uploaded to the Satellite Server. The security administrator can then view these reports from the compliance policy dashboard.

Important

A compliance policy in the Satellite Server terminology is a named job configured on the Satellite Server that scans particular hosts for compliance on a recurring schedule using specific SCAP content and a specific XCCDF profile.

Installing the OpenSCAP Plug-in for Red Hat Satellite

You must install the OpenSCAP plug-in on your Red Hat Satellite Server in order to integrate OpenSCAP support. The OpenSCAP plug-in provides OpenSCAP controls from the Satellite web interface. These controls are located under the Hosts menu in the Compliance section.

The default installation of Red Hat Satellite enables the OpenSCAP plug-in.

Uploading OpenSCAP Content to the Satellite Server

After configuring the plug-in, but before you create a compliance policy and apply it to a host, you must upload the default OpenSCAP content to your Satellite Server. You can also upload custom SCAP content provided by other sources. The uploaded SCAP content is independent of the operating systems used by your registered hosts.

Ensure that the scap-security-guide package is installed. You must run the following command on your Satellite Server to upload the default OpenSCAP content to it.

[root@satellite ~]# foreman-rake foreman_openscap:bulk_upload:default
Saved /usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml as Red Hat firefox default content
Saved /usr/share/xml/scap/ssg/content/ssg-jre-ds.xml as Red Hat jre default content
Saved /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml as Red Hat rhel6 default content
Saved /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml as Red Hat rhel7 default content

To view the SCAP content uploaded to the Satellite Server using the web UI:

  1. Log in to the Satellite web UI.

  2. Navigate to Hosts → SCAP contents. The SCAP Contents page lists the default SCAP contents.

Figure 10.1: Default SCAP contents in Satellite Server

Use the hammer scap-content list command to list the SCAP contents.

[root@satellite ~]# hammer scap-content list
---|--------------------------------
ID | TITLE
---|--------------------------------
1  | Red Hat firefox default content
2  | Red Hat jre default content
3  | Red Hat rhel6 default content
4  | Red Hat rhel7 default content
---|--------------------------------

You can use the Satellite Server web UI to upload an individual SCAP DataStream file as SCAP content. To upload your own SCAP content to the Satellite Server web UI:

  1. Log in to the Satellite Server web UI.

  2. Navigate to Hosts → SCAP contents.

  3. Click Upload New SCAP Content. On the File Upload tab, click Browse to upload a SCAP DataStream file.

    Click Submit.
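The same upload can be done from the command line. The following shell functions are an added example, not part of the course text or of the Satellite product: they check that a file really is a SCAP 1.2 source DataStream and list the XCCDF profile IDs it carries before creating the SCAP content record with hammer scap-content create. The organization and location names are placeholders, and the hammer call assumes hammer is already configured on the Satellite Server.

```shell
#!/bin/sh
# Added example (not from the course text): validate a SCAP DataStream
# before uploading it to the Satellite Server with hammer.
# Assumptions: hammer is configured on the Satellite Server; the
# organization and location names passed to upload_scap_content are
# placeholders for your own values.

# is_scap_datastream FILE
# Returns 0 when FILE is readable and its first 20 lines show the root of a
# SCAP 1.2 source data-stream-collection (the format Satellite accepts as
# SCAP content), 1 otherwise. Only the head of the file is inspected so a
# multi-megabyte datastream is not read in full.
is_scap_datastream() {
    [ -r "$1" ] || return 1
    head -n 20 "$1" | grep -q 'data-stream-collection' || return 1
    head -n 20 "$1" | grep -q 'http://scap.nist.gov/schema/scap/source/1.2' || return 1
    return 0
}

# list_profiles FILE
# Prints the XCCDF 1.2 profile IDs in the datastream, one per line, sorted.
# XCCDF 1.2 profile IDs follow the pattern xccdf_<reverse-DNS>_profile_<name>,
# so matching on "_profile_" excludes rule, group and benchmark IDs.
# Knowing the profile IDs up front tells you what a compliance policy built
# on this content can select.
list_profiles() {
    grep -o 'id="xccdf_[^"]*_profile_[^"]*"' "$1" \
        | sed 's/^id="//; s/"$//' \
        | sort -u
}

# upload_scap_content FILE TITLE ORGANIZATION LOCATION
# Refuses to upload anything that is not a SCAP 1.2 source datastream,
# shows the profiles it contains, then creates the SCAP content record.
upload_scap_content() {
    file=$1; title=$2; org=$3; loc=$4
    if ! is_scap_datastream "$file"; then
        echo "refusing to upload $file: not a SCAP 1.2 source datastream" >&2
        return 1
    fi
    echo "profiles in $file:"
    list_profiles "$file"
    hammer scap-content create --title "$title" --scap-file "$file" \
        --organizations "$org" --locations "$loc"
}

# Example invocation on the Satellite Server (organization and location are
# placeholders):
# upload_scap_content /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml \
#     "Red Hat rhel7 default content" "org-example" "Default Location"
```

Running list_profiles against the default ssg-rhel7-ds.xml before creating a compliance policy shows exactly which profile IDs the policy can reference, which saves a round trip through the web UI when the content was supplied by a third party.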

Preparing Satellite Clients for OpenSCAP Scans

Red Hat Satellite currently uses Puppet to manage compliance policies on its clients. When you create a new Satellite compliance policy, the clients' Puppet agents update the clients on their next run. They ensure that the OpenSCAP software and content are installed locally, and schedule the scan on the client as a Cron job. When you edit a Satellite compliance policy, the clients update it on the next run of their Puppet agent.

This means that you also need to import the foreman_scap_client Puppet module into your Satellite Server, so that you can make sure that the Satellite Server's registered clients are configured with Puppet agents and have the module installed.

Importing an OpenSCAP Puppet Module into Satellite Server

The OpenSCAP plug-in also provides the Puppet classes required to set up hosts to perform OpenSCAP scans and creates the Cron jobs for automated compliance scanning. Each Puppet environment associated with hosts or host groups to be audited using OpenSCAP needs to import the foreman_scap_client Puppet module. The foreman_scap_client Puppet module provides the client script that runs the OpenSCAP scan and uploads the result to the Satellite Server. The module is also executed by the cron jobs for automated compliance scanning.

The following process describes how to import Puppet modules into Red Hat Satellite and to associate the foreman_scap_client module with the host groups that you want to audit with OpenSCAP.

  1. In the Satellite web UI, navigate to Configure → Environments.

  2. The puppet-foreman_scap_client package provides the Puppet modules required to set up clients to perform compliance scans. The package is installed when the OpenSCAP plug-in is enabled during the Satellite Server installation. After installation, the Satellite Server detects all the Puppet environments and Puppet modules contained on the Puppet master, and imports them.

    Click Import, then Import environments from SATELLITE_HOST_FQDN. This ensures the foreman_scap_client Puppet module is imported into the Satellite Server.

  3. Assign the Puppet environment that contains the foreman_scap_client Puppet module and the OpenSCAP capsule. Navigate to Configure → Host groups. Select the host group to edit. Ensure that the following fields are set correctly for your host group.

    • Puppet Environment: The imported Puppet environment which contains the foreman_scap_client Puppet module.

    • Puppet Master: The Puppet master containing the foreman_scap_client Puppet module. By default, the Satellite Server functions as a Puppet master unless an external Puppet master is used.

    • Puppet CA: The certificate authority used to sign client certificates, which secure Puppet communication. By default, the Satellite Server functions as the Puppet CA.

    • OpenSCAP Capsule: The server responsible for distributing SCAP content to client systems and uploading ARF reports from client systems to the Satellite Server. By default, the Satellite Server serves as the OpenSCAP capsule unless an external server provides this as a federated service.

  4. On the Puppet Classes tab, click the + to add the foreman_scap_client Puppet class listed under the foreman_scap_client Puppet module.

    Click Submit.

Initiating a Puppet Agent Run on a Host

When the client's Puppet agent checks in, it imports the foreman_scap_client Puppet module and uses it to configure the OpenSCAP components locally. The foreman_scap_client Puppet module installs the rubygem-foreman_scap_client package and its dependencies. It also configures the /etc/foreman_scap_client/config.yaml file on the host with parameters that are needed to run scans and upload results to the Satellite Server.

A Puppet agent run can be initiated manually using any of the following methods:

  • As part of the client's initial registration, download the bootstrap.py script from the Satellite Server and run it, either automatically by Kickstart or manually. This will register the client with Satellite and run the Puppet agent for the first time.

  • You can manually run the Puppet agent with the puppet agent --test command on each host.

  • You can use the remote execution feature of Satellite to run the Puppet agent on an individual host or all hosts in a host group.

The bootstrap.py script provided by the Satellite Server is used to register a system as both a host and a content host. The following is the list of options used with the bootstrap.py script:

Table 10.1. Common Options Used with the bootstrap.py Script

Option    Description
-l        The user name to use to access the Satellite Server.
-s        The Satellite Server FQDN.
-o        The organization name that the client host is to be associated with.
-L        The location that the client host is to be associated with.
-a        The activation key that the client host is to be associated with.
-g        The host group that the client host is to be associated with.
--force   Force registration of the client host by erasing the old configuration.

During the execution of the bootstrap.py script, the Puppet agent is also executed on the host to install all the imported Puppet modules. Use the following command to register a system using the bootstrap.py script.

[root@demo ~]# wget https://satellite.lab.example.com/pub/bootstrap.py \
> --no-check-certificate
[root@demo ~]# chmod a+x bootstrap.py
[root@demo ~]# ./bootstrap.py -l admin -s satellite.lab.example.com \
> -o 'org-example' -L 'Default Location' -a serverkey -g org-hostgroup1 --force
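Because bootstrap.py runs as root and is fetched with --no-check-certificate in the command above, a practitioner will want to confirm the script's integrity before executing it. The following shell functions are an added example, not part of the course text or of the Satellite product: they download bootstrap.py, compare its SHA-256 digest with a value obtained out of band (for example, computed on the Satellite Server console by the administrator who published it), and delete the file if the digests differ. EXPECTED_SHA256 is a placeholder, and the registration arguments reuse the values from the course command.

```shell
#!/bin/sh
# Added example (not from the course text): verify the integrity of
# bootstrap.py before it is run as root on a new host.
# Assumptions: the Satellite FQDN is the one used in the course text;
# EXPECTED_SHA256 is a placeholder for the digest the Satellite
# administrator provides out of band.

SATELLITE_FQDN=satellite.lab.example.com
EXPECTED_SHA256="<sha256-of-bootstrap.py-obtained-out-of-band>"   # placeholder

# sha256_matches FILE EXPECTED
# Returns 0 when the hex SHA-256 digest of FILE equals EXPECTED
# (hex case is ignored), 1 when the file is missing or the digest differs.
sha256_matches() {
    [ -r "$1" ] || return 1
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_and_verify_bootstrap FQDN EXPECTED [DEST]
# Downloads /pub/bootstrap.py from the Satellite Server to DEST, then keeps
# it executable only if the digest matches. A mismatching copy is removed
# so a stale or tampered script never lingers on the host.
fetch_and_verify_bootstrap() {
    fqdn=$1; expected=$2; dest=${3:-./bootstrap.py}
    wget --no-check-certificate -O "$dest" "https://$fqdn/pub/bootstrap.py" || return 1
    if sha256_matches "$dest" "$expected"; then
        chmod u+x "$dest"
        return 0
    fi
    echo "SHA-256 mismatch for $dest; removing it and not registering" >&2
    rm -f "$dest"
    return 1
}

# register_host SCRIPT FQDN
# Runs the verified script with the same arguments as the course command;
# organization, location, activation key and host group are the course's
# example values.
register_host() {
    script=$1; fqdn=$2
    "$script" -l admin -s "$fqdn" -o 'org-example' -L 'Default Location' \
        -a serverkey -g org-hostgroup1 --force
}

# Example invocation on the client (uncomment to use):
# fetch_and_verify_bootstrap "$SATELLITE_FQDN" "$EXPECTED_SHA256" ./bootstrap.py \
#     && register_host ./bootstrap.py "$SATELLITE_FQDN"
```

The digest check is what makes the download trustworthy when TLS verification is disabled; if the Satellite CA certificate is already on the host, verifying the TLS connection instead of passing --no-check-certificate removes the need for the out-of-band digest, and the same sha256_matches function still serves as a second check.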

Use the puppet agent --test --verbose command to run the Puppet agent on an individual host.

[root@demo ~]# puppet agent --test --verbose
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for serverd.lab.example.com
Info: Applying configuration version '1532692309'
Notice: /Stage[main]/Foreman_scap_client/File[foreman_scap_client]/content:
--- /etc/foreman_scap_client/config.yaml 2018-07-27 17:18:11.279676375 +0530
+++ /tmp/puppet-file20180727-2630-gep1op 2018-07-27 17:21:50.652457820 +0530
...output omitted...

Initiating a Puppet Agent Run using Remote Execution

The following process describes how to initiate a Puppet agent run from the Satellite Server interface.

  1. Ensure that SSH key-based authentication is configured between the Satellite Server and hosts where you want to run the Puppet agent.

  2. From the Satellite web UI, navigate to Hosts → All hosts. Select the hosts in the Hosts page on which the Puppet agent will be executed.

  3. Choose Schedule Remote Job from the Select Action list.

  4. On the Job invocation page, choose Puppet from the Job category list. Ensure that for Schedule, Execute now is selected. Click Submit.

  5. In the Overview tab, wait until you see succeeded with the 100% Success message. Click the host in the Hosts tab to see the output of the Puppet agent run.

Figure 10.2: Puppet agent run using remote execution

When the Puppet agent is configured on the client, it automatically runs periodically to check with the Satellite Server for updates. By default, this occurs every thirty minutes.

Revision: rh415-7.5-813735c