Chapter 11.  Automating Compliance with Red Hat Satellite

Abstract

Goal

Automate and scale OpenSCAP compliance checks by using Red Hat Satellite.

Sections
  • Configuring Red Hat Satellite for OpenSCAP (and Guided Exercise)

  • Scan OpenSCAP Compliance with Red Hat Satellite (and Guided Exercise)

  • Customize the OpenSCAP Policy in Red Hat Satellite (and Guided Exercise)

Lab
  • Automating Compliance with Red Hat Satellite

Configuring Red Hat Satellite for OpenSCAP

Objectives

  • Configure Red Hat Satellite to perform OpenSCAP scans of registered servers.

Security Compliance Management with Red Hat Satellite

A security administrator manages security compliance by defining security policies and auditing hosts for compliance based on the defined policies. Any noncompliant hosts are remediated based on the organization's compliance requirements. These compliance policies need to be flexible, because an organization's policy might vary depending on the services that are provided by the host or the industry to which the organization belongs.

Red Hat Satellite is a systems management solution that provisions systems and provides software updates from Red Hat Customer Portal and other sources. Satellite serves as a local repository of software content and a central point of management for Red Hat entitlements. Red Hat Satellite also provisions and manages system configuration to adhere to predefined standard operating environments.

One of the major benefits of Satellite is that it can scale effectively to meet the demands of large enterprises. With the correct design, Satellite delivers solid performance even with increasing workloads and across geographically distributed environments.

Several options are available for administering Satellite Server. You can manage Satellite by using the web interface, the command-line interface, or the API. You can use the API to create custom workflows or task automation.

Red Hat Satellite Server can use the Security Content Automation Protocol (SCAP) to define security policies and monitor Satellite clients for policy compliance. You can use Satellite to schedule recurring compliance auditing and reporting on all registered hosts. SCAP enables security administrators to use a single interface to manage, monitor, and remediate groups of hosts based on the organization's compliance requirements.

Integrating OpenSCAP with Red Hat Satellite

Red Hat Satellite provides default SCAP content for registered hosts based on the Red Hat Enterprise Linux version. The Satellite administrator can either create SCAP content or upload SCAP content from external sources. The SCAP content contains the Extensible Checklist Configuration Description Format (XCCDF) profile that defines the rules to be evaluated against a host or host group.

In Red Hat Satellite, a scheduled audit is referred to as a compliance policy. A compliance policy is a scheduled task that verifies the specified hosts or host groups for compliance against an XCCDF profile. The schedule is specified in the compliance policy on Satellite Server, but the scans are performed on the hosts. Upon completion of a compliance scan, an Asset Reporting File (ARF) is generated in XML format and uploaded to Satellite Server. The security administrator can then view these reports from the compliance policy dashboard.

Installing the OpenSCAP Plug-in for Red Hat Satellite Server

You must install the OpenSCAP plug-in on your Red Hat Satellite Server to integrate OpenSCAP support. The OpenSCAP plug-in provides OpenSCAP controls from the Satellite web interface. These controls are located under the Hosts menu in the Compliance section.

The default installation of Red Hat Satellite enables the OpenSCAP plug-in.

Uploading OpenSCAP Content to Satellite Server

After configuring the plug-in, but before you create a compliance policy and apply it to a host, you must upload the default OpenSCAP content to your Satellite Server. You can also upload custom SCAP content that is provided by other sources. Note that the available data streams depend on the operating system version on which Satellite runs.

You must run the following command on your Satellite Server to upload the default OpenSCAP content to it.

[root@satellite ~]# hammer scap-content bulk-upload --type default
Errors:

Uploaded Scap Contents:

Scap Contents uploaded.

Use the hammer scap-content list command to list the SCAP contents.

[root@satellite ~]# hammer scap-content list --fields Id,Title
---|--------------------------------
ID | TITLE
---|--------------------------------
1  | Red Hat firefox default content
2  | Red Hat rhel6 default content
3  | Red Hat rhel7 default content
4  | Red Hat rhel8 default content
---|--------------------------------

To view the SCAP content that is uploaded to Satellite Server by using the web UI, follow these steps:

  1. Log in to the Satellite web UI.

  2. Navigate to Hosts > SCAP contents. The SCAP Contents page lists the default SCAP contents.

You can use the Satellite web UI to upload an individual SCAP data stream file as SCAP content. To upload your own SCAP content to the Satellite web UI, follow these steps:

  1. Log in to the Satellite web UI.

  2. Navigate to Hosts > SCAP contents.

  3. Click Upload New SCAP Content.

  4. On the File Upload tab, click Browse to upload a SCAP data stream file.

  5. Click Submit.

Preparing Satellite Server for OpenSCAP Scans

Red Hat Satellite Server uses Ansible and Puppet to manage compliance policies on its clients. This course focuses on Ansible Automation Platform for managing compliance policies. Ansible is enabled by default on Satellite Server.

In Satellite, you import Ansible roles to help automate routine tasks. You must import the theforeman.foreman_scap_client Ansible role to prepare Satellite Server. You must also import the Ansible variables that are associated with the theforeman.foreman_scap_client Ansible role.

Importing OpenSCAP Ansible Roles to Satellite Server

Use the hammer ansible roles import command to import the Ansible role:

[root@satellite ~]# hammer ansible roles import --organization 'Operations' \
  --role-names 'theforeman.foreman_scap_client' --proxy-id 1
Result:
  The following ansible roles were changed
Imported:
 1) theforeman.foreman_scap_client

You can also use the Satellite web UI to import the Ansible role.

  1. Select the appropriate Organization and Location.

  2. Then click Configure > Ansible > Roles.

  3. Click Import from satellite.lab.example.com and then select the theforeman.foreman_scap_client Ansible role.

  4. Click Submit.

Importing OpenSCAP Ansible Variables to Satellite Server

Use the hammer ansible variables import command to import the Ansible variables:

[root@satellite ~]# hammer ansible variables import --organization 'Operations' \
  --proxy-id 1
Result:
  The following ansible variables were changed
Imported:
 1) foreman_scap_client_state
 2) foreman_scap_client_package
 3) foreman_scap_client_server
 4) foreman_scap_client_port
 5) foreman_scap_client_policies
 6) foreman_scap_client_oval_policies
 7) foreman_scap_client_ca_cert_path
 8) foreman_scap_client_host_cert_path
 9) foreman_scap_client_host_private_key_path
 10)foreman_scap_client_release
 11)foreman_scap_client_repo_url
 12)foreman_scap_client_apt_repo_url
 13)foreman_scap_client_repo_state
 14)foreman_scap_client_repo_key
 15)foreman_scap_client_repo_gpg
 16)foreman_scap_client_cron_template
 17)foreman_scap_client_cron_splay_seed
 18)foreman_scap_client_cron_splay
 19)foreman_scap_client_fetch_remote_resources
 20)foreman_scap_client_http_proxy_server
 21)foreman_scap_client_http_proxy_port
 22)foreman_scap_client_timeout
 23)foreman_scap_client_ciphers

You can view the imported Ansible variables in the Satellite web UI.

  1. Select the appropriate Organization and Location.

  2. Then click Configure > Ansible > Variables to view the list of imported Ansible variables.
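The three preparation steps above (upload SCAP content, import the role, import its variables) can be verified from the hammer output before you create a compliance policy. The following script is an added example, not part of the course or of Satellite; it assumes the hammer output formats shown in this chapter and that your Satellite runs Red Hat Enterprise Linux 8 clients (so the "rhel8" default content is the one it looks for). The sample texts at the bottom are constructed from the chapter's output so the script runs offline.

```shell
#!/bin/sh
# Added pre-flight check (not from the course): parse hammer output to confirm
# the SCAP content, the theforeman.foreman_scap_client role and its variables
# exist before creating a compliance policy. Each function reads hammer output
# on stdin, so it works on a live "hammer ..." pipe or on captured text.

# Print the ID of the SCAP content whose title matches $1 (e.g. "rhel8") from
# the table printed by: hammer scap-content list --fields Id,Title
scap_content_id() {
    awk -F'|' -v want="$1" \
        '$1 ~ /^ *[0-9]+ *$/ && tolower($2) ~ want { gsub(/ /, "", $1); print $1; exit }'
}

# Succeed only if role $1 appears under "Imported:" in the output of
# hammer ansible roles import ...
role_imported() {
    awk -v role="$1" '/^Imported:/ { in_list = 1; next }
        in_list && $2 == role { found = 1 }
        END { exit !found }'
}

# Print each name in the space-separated list $1 that is missing from the
# "Imported:" list of hammer ansible variables import ... ; the index is
# stripped even in the "10)name" form, where hammer prints no space.
missing_variables() {
    awk -v required="$1" 'BEGIN { n = split(required, need, " ") }
        /^Imported:/ { in_list = 1; next }
        in_list { sub(/^ *[0-9]+\) */, ""); seen[$0] = 1 }
        END { for (i = 1; i <= n; i++) if (!(need[i] in seen)) print need[i] }'
}

# Variables the client role needs to reach Satellite (names from the chapter).
REQUIRED_VARS='foreman_scap_client_server foreman_scap_client_port foreman_scap_client_policies'
REQUIRED_VARS="$REQUIRED_VARS foreman_scap_client_ca_cert_path foreman_scap_client_host_cert_path"
REQUIRED_VARS="$REQUIRED_VARS foreman_scap_client_host_private_key_path"

# Constructed samples mirroring the chapter's hammer output, for an offline run.
SAMPLE_SCAP_LIST='ID | TITLE
1  | Red Hat firefox default content
4  | Red Hat rhel8 default content'
SAMPLE_ROLE_IMPORT='Imported:
 1) theforeman.foreman_scap_client'
SAMPLE_VAR_IMPORT='Imported:
 1) foreman_scap_client_server
 2) foreman_scap_client_port
 3) foreman_scap_client_ca_cert_path
 10)foreman_scap_client_timeout'
# Live use: hammer scap-content list --fields Id,Title | scap_content_id rhel8
```

On a real Satellite Server, pipe each hammer command's output into the matching function; an empty ID, a failing role check, or any printed variable name means the corresponding preparation step has not completed.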

References

For more information, refer to the Managing Security Compliance chapter in the Administering Red Hat Satellite guide at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html/administering_red_hat_satellite/managing_security_compliance_admin

Revision: rh415-9.2-a821299