Scan OpenSCAP Compliance with Red Hat Satellite

Objectives

After completing this section, students should be able to perform OpenSCAP scans of registered systems from the Satellite Server web UI and evaluate the results of those scans.

Performing OpenSCAP Scans using Red Hat Satellite

You can configure Red Hat Satellite as an easy way to centrally manage, run, and analyze OpenSCAP scans for all hosts in a Satellite host group. Your basic workflow might look like this:

  • Assign roles to users of the Satellite Server which grant them permission to manage compliance policies, run OpenSCAP scans, create OpenSCAP reports, and/or view OpenSCAP reports.

  • Create a compliance policy for the host group, specifying the SCAP content and XCCDF profile to use, and the compliance policy's schedule.

  • Run the first OpenSCAP scan manually, or wait for the automatic scan to complete on all hosts.

  • Use the Satellite Server web UI to review the results of the scan in the compliance policy dashboard, and to investigate detailed reports for any noncompliant hosts.

  • Remediate issues, and periodically review the results of subsequent OpenSCAP scans in the Satellite Server web UI.

In the rest of this section, you will learn how to set up a compliance policy and review the results of OpenSCAP scans made by that compliance policy in the Red Hat Satellite web UI.

Satellite User Permissions for OpenSCAP

Compliance scans from the Satellite Server's web UI require the administrator to create users with specific roles. Roles define a set of permissions and access levels. Each role contains one or more permission filters that specify the actions allowed for the role. Red Hat Satellite provides a set of predefined roles for managing compliance.

The following table shows some of the predefined roles required for OpenSCAP scans:

Table 10.3. Predefined Roles in Satellite Server for Compliance

Role                       Permissions provided by role
Compliance manager         View, create, edit, and delete SCAP content files, compliance policies, and tailoring files. View compliance reports.
Compliance viewer          View compliance reports.
Create ARF report          Create compliance reports.
Remote Execution Manager   A role with full remote execution permissions, including modifying job templates. This role is required to manually run an OpenSCAP scan from the Satellite Server.


Managing Compliance Policies

In Red Hat Satellite, a compliance policy is a scheduled task to scan a host or host group for compliance with a particular XCCDF profile from SCAP content. The compliance policy is configured on the Satellite Server by users with an appropriate role, but the scan itself is performed locally by each host. After a host runs the compliance scan, it uploads the scan results to the Satellite Server in Asset Reporting File (ARF) format, using the foreman_scap_client command.

A user with the Create ARF report role can create the scan report and upload it to the Satellite Server. A user with the Compliance manager or Compliance viewer role can view reports from the compliance report dashboard. Only the user with the Compliance manager role can manage compliance policies and SCAP content.

Creating Compliance Policies

You can use the Satellite Server web UI to define a compliance policy. A compliance policy includes:

  • The SCAP content to use

  • The XCCDF profile from the SCAP content

  • The host groups that should comply with this policy

  • The scheduled interval at which the audit shall occur

The following steps describe the process for creating a compliance policy on the Satellite Server:

  1. In the Satellite Server web UI, log in as a user with the Compliance manager role. Navigate to Hosts → Policies. Click New Policy.

  2. On the Create policy tab, enter a name for the policy, an optional description, and then click Next.

  3. On the SCAP content tab, choose the SCAP Content and XCCDF Profile to apply, and then click Next.

  4. On the Schedule tab, choose from the following list for Period:

    • Weekly: Allows you to choose the desired day of the week.

    • Monthly: Allows you to choose the desired day of the month.

    • Custom: Allows you to choose the desired time based on the Cron job.

    Click Next.

  5. On the Locations tab, select the default location to move it to the Selected items list box. Click Next.

  6. On the Organizations tab, select the organization to move it to the Selected items list box. Click Next.

  7. In the Hostgroups tab, select the host group to move it to the Selected items list box. Click Submit.

Important

A newly created or modified compliance policy is applied to a host or host group when the Puppet agent running on the hosts checks for updates from the Satellite Server. By default the Puppet agent run occurs every 30 minutes. The Puppet agent run can be initiated from the hosts by using the remote execution feature of the Satellite Server interface.

Running Compliance Scans

When the Puppet agent applies the compliance policy, it ensures that the OpenSCAP client is installed, that the SCAP content is downloaded, and that a Cron job is scheduled to run the scan periodically.

The SCAP content is downloaded to the /var/lib/openscap/content directory on each host. The Puppet agent creates a Cron file, /etc/cron.d/foreman_scap_client_cron, which configures the scan to run according to the specified schedule. It also creates the /etc/foreman_scap_client/config.yaml configuration file, which contains policy information to be applied to the host. The foreman_scap_client command uses this configuration file.

The /etc/foreman_scap_client/config.yaml configuration file defines the Satellite Server to be used for uploading the compliance report. The file also defines the compliance policy ID on the Satellite and the XCCDF profile that is used for compliance scans.

# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'satellite.lab.example.com'
:port: 9090
...output omitted...
# policy (key is id as in Foreman)
1:
  :profile: 'xccdf_org.ssgproject.content_profile_common'
  :content_path: '/var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d'
  :tailoring_path: ''
  :tailoring_download_path: ''

In the /etc/foreman_scap_client/config.yaml file above, the scan results are uploaded to satellite.lab.example.com. The compliance policy ID is 1, and the xccdf_org.ssgproject.content_profile_common XCCDF profile is applied to the host using the SCAP content stored in the /var/lib/openscap/content directory.

Running an OpenSCAP Scan Manually

You do not have to run the compliance policy's OpenSCAP scan manually. The compliance policy runs automatically based on its Cron job. However, you might want to run it manually for a host if you want an immediate compliance report for that host.

Use the compliance policy ID defined in the /etc/foreman_scap_client/config.yaml file to execute the OpenSCAP scan manually on a host. Use the foreman_scap_client command from a root shell on the host or the remote execution feature of the Satellite Server to execute the OpenSCAP scan.

Running an OpenSCAP Scan on a Client

The following steps outline the process for running an OpenSCAP scan using the foreman_scap_client command:

  1. On the client host as root, use the following command to run the Puppet agent to fetch the changes to the compliance policy:

    [user@demo ~]$ sudo -i
    [root@demo ~]# puppet agent --test --verbose
    ...output omitted...

    The Puppet agent ensures that the compliance policy is correctly configured on the host.

  2. Open the /etc/foreman_scap_client/config.yaml SCAP client configuration file and note the compliance policy ID.

  3. Execute the foreman_scap_client command with the compliance policy ID as an argument. In the following example, the compliance policy ID is 1.

    [root@demo ~]# foreman_scap_client 1
    File /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml is missing.
    Downloading it from proxy.
    Download SCAP content xml from: https://satellite.lab.example.com:9090/compliance/policies/1/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d
    DEBUG: running: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common --results-arf /tmp/d20180727-2719-ois40f/results.xml /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml
    WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
    WARNING: Skipping https://learn.spidernet.pl/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
    DEBUG: running: /usr/bin/bzip2 /tmp/d20180727-2719-ois40f/results.xml
    Uploading results to https://satellite.lab.example.com:9090/compliance/arf/1

    This command runs an OpenSCAP scan, archives the scan results, and uploads the results to the Satellite Server.

Reviewing OpenSCAP Scan Results in Satellite Server

Red Hat Satellite enables centralized compliance monitoring for all hosts using the compliance policy dashboard. The compliance policy dashboard provides an overview of the number of compliant hosts, and details for each host based on the rules that passed or failed during the scan. You can use this to evaluate the risks presented by a host and take corrective action to bring it into compliance.

Red Hat Satellite assumes that different users may have different roles in the compliance scanning process. If a particular Satellite user should be able to view compliance reports, you need to assign them the Compliance viewer role. If they need to work with SCAP content and tailoring files, configure compliance policies, and view the compliance reports, you need to assign them the Compliance manager role.

Viewing the Compliance Policy Dashboard

To view the compliance policy dashboard in the Satellite web UI, navigate to Hosts → Policies. Click the compliance policy for which you want to view the dashboard.

The dashboard provides the following information:

  • The Host Breakdown Chart shows the number of compliant and noncompliant hosts, based on the compliance policy.

  • A statistical breakdown which lists the number of hosts that are compliant, noncompliant, have inconclusive results, or that have never been audited.

  • A statistical breakdown of the number of rules passed or failed for each host, in a tabular format.

Figure 10.3: An example compliance policy dashboard in Red Hat Satellite

Evaluating OpenSCAP Reports

You can access the OpenSCAP reports for every host that is scanned by the compliance policy from the compliance report dashboard. You can use this to determine and prioritize remediation efforts for any hosts that the scans report are noncompliant.

Viewing Compliance Reports

A compliance report is an OpenSCAP report in ARF format, uploaded to the Satellite Server after an OpenSCAP scan on the host. To list all the available reports from the Satellite web UI, navigate to Hosts → Reports. The compliance report dashboard lists the total number of rules passed or failed during the scan. The detailed report for a particular host can also be viewed from the compliance report dashboard.

Figure 10.4: An example compliance report in Red Hat Satellite

Viewing the Compliance Reports in Satellite Server

The following steps outline the process for viewing the compliance report in the Satellite web UI:

  1. Log in to the Satellite web UI as a user with either the Compliance manager or Compliance viewer role.

  2. Navigate to Hosts → Reports.

  3. To open the latest report, click the link in the Reported At column to view the number of rules passed or failed for the latest scan.

  4. Click View full report to view the detailed report.

The compliance report for each system is essentially the same information that you could get by running oscap xccdf eval manually on each machine. The big advantage of using a Red Hat Satellite compliance policy to manage these scans is the scalability and central coordination it provides. You can set up and manage scans for many systems from one central interface. You can go to one central interface to review the results of any system's scan. You can delegate authority to auditors to view the results of the latest scans. Finally, you can compare scans more easily to look for patterns of misconfiguration or common issues.
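The per-host counts shown on the dashboard (rules passed, failed, or other; hosts compliant, noncompliant, or inconclusive) and the cross-host comparison mentioned above are both derived from the ARF reports that foreman_scap_client uploads. The following Python example is added here and is not part of the course material or of Satellite's own code: it parses small constructed ARF documents and computes those figures. The classification rule it applies (any failing rule makes a host noncompliant; no failures but results other than pass or fixed make it inconclusive) is an assumption about how Satellite classifies hosts, and the host names and rule results are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
ARF = "{http://scap.nist.gov/schema/asset-reporting-format/1.1}"

def parse_arf(arf_xml):
    """Return (target host, {rule id: result}) from the first XCCDF TestResult in an ARF file."""
    test_result = next(ET.fromstring(arf_xml).iter(XCCDF + "TestResult"))
    host = test_result.findtext(XCCDF + "target", default="unknown")
    return host, {rr.get("idref"): rr.findtext(XCCDF + "result", default="unknown")
                  for rr in test_result.iter(XCCDF + "rule-result")}

def host_status(results):
    """Classify one host (assumed dashboard convention): any 'fail' is noncompliant; no fails but
    results other than pass/fixed (error, unknown, notchecked, notapplicable) are inconclusive."""
    counts = Counter(results.values())
    failed = counts["fail"]
    othered = len(results) - counts["pass"] - counts["fixed"] - failed
    if failed:
        return "noncompliant"
    return "inconclusive" if othered else "compliant"

def common_failures(arf_docs):
    """Count, per rule id, how many hosts failed it, to spot shared misconfigurations."""
    tally = Counter()
    for doc in arf_docs:
        _, results = parse_arf(doc)
        tally.update(rid for rid, res in results.items() if res == "fail")
    return tally

def make_arf(host, results):
    """Constructed minimal ARF document with one TestResult (real uploads are far larger)."""
    rules = "".join(f'<rule-result idref="{rid}"><result>{res}</result></rule-result>'
                    for rid, res in results.items())
    return (f'<arf:asset-report-collection xmlns:arf="{ARF[1:-1]}"><arf:reports>'
            f'<arf:report id="xccdf1"><arf:content><TestResult xmlns="{XCCDF[1:-1]}" '
            f'id="xccdf_org.ssgproject.content_testresult"><target>{host}</target>{rules}'
            f'</TestResult></arf:content></arf:report></arf:reports></arf:asset-report-collection>')

SSHD = "xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
AIDE = "xccdf_org.ssgproject.content_rule_package_aide_installed"
GPG = "xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated"
# Constructed sample results for three hosts in the host group (not real scan output).
SAMPLE_REPORTS = [
    make_arf("servera.lab.example.com", {SSHD: "fail", AIDE: "fail", GPG: "pass"}),
    make_arf("serverb.lab.example.com", {SSHD: "pass", AIDE: "fail", GPG: "notchecked"}),
    make_arf("serverc.lab.example.com", {SSHD: "pass", AIDE: "pass", GPG: "pass"}),
]
```

Running common_failures over the sample reports shows the AIDE rule failing on two of three hosts, the kind of pattern the dashboard lets you spot across a host group.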

Revision: rh415-7.5-b847083