Scan OpenSCAP Compliance with Red Hat Satellite

Objectives

  • Perform OpenSCAP scans of registered systems from the Red Hat Satellite Server web UI and evaluate the results of those scans.

Performing OpenSCAP Scans with Red Hat Satellite

You can configure Red Hat Satellite to centrally manage, run, and analyze OpenSCAP scans for all hosts in a Satellite host group. A basic workflow might include the following steps:

  • Assign roles to the users of Satellite Server to grant them permission to manage compliance policies, run OpenSCAP scans, create OpenSCAP reports, and view OpenSCAP reports.

  • Create a compliance policy for the host group that specifies which SCAP content and XCCDF profile to use.

  • Create a schedule for when the compliance policy runs.

  • Run the first OpenSCAP scan manually, or wait for the automatic scan to complete on all hosts.

  • Use the Satellite Server web UI to review the results of the scan in the compliance policy dashboard, and to investigate detailed reports for any noncompliant hosts.

  • Remediate issues and periodically review the results of subsequent OpenSCAP scans in the Satellite Server web UI.

Satellite User Permissions for OpenSCAP

Compliance scans from the Satellite Server web UI require the administrator to create users with specific roles. Roles define a set of permissions and access levels. Each role contains one or more permission filters that specify the actions that are allowed for the role. Red Hat Satellite provides a set of predefined roles for managing compliance.

The following table describes some predefined roles that are required for OpenSCAP scans:

Table 11.2. Predefined Roles in Satellite Server

Role | Permissions provided by role
Compliance manager | View, create, edit, and delete SCAP content files, compliance policies, and tailoring files. View compliance reports.
Compliance viewer | View compliance reports.
Create ARF report | Create compliance reports.
Remote Execution Manager | A role with full remote execution permissions, including modifying job templates. This role is required to manually run an OpenSCAP scan from Satellite Server.

Managing Compliance Policies

In Red Hat Satellite, a compliance policy is a scheduled task to scan a host or host group for compliance with a specific XCCDF profile from SCAP content. The compliance policy is configured on Satellite Server by users with appropriate roles, but the scan is performed locally by each host. After a host runs the compliance scan, it uploads the scan results to Satellite Server in Asset Reporting File (ARF) format by using the foreman_scap_client command.

A user with the Create ARF report role can instruct a host to create a scan report and transfer it to Satellite Server. A user with the Compliance manager or Compliance viewer role can view reports from the compliance report dashboard. Only users with the Compliance manager role can manage compliance policies and SCAP content.

Creating Compliance Policies

You can use the Satellite Server web UI to define a compliance policy. A compliance policy includes the following parameters:

  • The SCAP content to use

  • The XCCDF profile from the SCAP content

  • The host groups that should comply with this policy

  • The scheduled interval at which the audit occurs

The following steps describe the process for creating a compliance policy on Satellite Server.

  1. In the Satellite Server web UI, log in as a user with the Compliance manager role. From the Organizations list, select the organization for which you are creating the new policy.

    Note

    At some resolutions, the Organizations list displays in a sidebar menu. If the Organizations list does not display at the top of the UI, then navigate to Organizations > Operations from the sidebar menu.

  2. Navigate to Hosts > Compliance > Policies. Click New Policy.

  3. On the Deployment Options tab, select Ansible as the deployment option, and then click Next.

  4. On the Policy Attributes tab, enter a name for the policy, an optional description, and then click Next.

  5. On the SCAP content tab, choose the SCAP content and the XCCDF profile to apply, and then click Next.

  6. On the Schedule tab, choose from the following list for Period:

    • Weekly: Enables you to choose the desired day of the week.

    • Monthly: Enables you to choose the desired day of the month.

    • Custom: Enables you to specify the schedule as a cron expression.

  7. Click Next.

  8. On the Locations tab, select the default location to move it to the Selected items list. Click Next.

  9. On the Organizations tab, select the organization to move it to the Selected items list. Click Next.

  10. On the Hostgroups tab, select the host group to move it to the Selected items list.

  11. Click Submit.

Running Compliance Scans

Red Hat recommends that you deploy compliance policies by using Ansible. The compliance policy runs automatically based on its cron job.

In some situations, such as when testing a custom policy or verifying a newly added host, you might need to manually deploy a policy.

Use this procedure to deploy a policy on a specific host:

Override the foreman_scap_client_fetch_remote_resources Ansible variable with the true value:

  1. Navigate to Configure > Ansible > Variables.

  2. Click Override to enable editing of the variable value.

  3. Set the foreman_scap_client_fetch_remote_resources variable to the true value and click Submit.

Deploy the policy on the host by using the Ansible role.

  1. Navigate to Hosts > All Hosts and select the checkbox of the host to which you want to deploy the policy.

  2. Click Select Action and select Assign Compliance Policy from the list.

  3. Select Remember hosts selection for the next bulk action.

  4. Select which policy to deploy and click Submit.

  5. Click Select Action and select Run all Ansible roles from the list.

  6. Verify the results of the role execution.

Reviewing OpenSCAP Scan Results in Satellite

Red Hat Satellite enables centralized compliance monitoring for all the hosts that it manages through a compliance policy dashboard. The compliance policy dashboard provides an overview of the number of compliant hosts and details for each host based on the rules that passed or failed during the scan. You can use this dashboard to evaluate the risks that are presented by the host, and then take corrective action to bring the host into compliance.

Red Hat Satellite assumes that different users might have different roles in the compliance scanning process. If a particular Satellite user needs to view compliance reports, then you must assign the Compliance viewer role to that user. If a user must work with SCAP content and tailoring files, configure compliance policies, and view the compliance reports, then you must assign the Compliance manager role.

Viewing the Compliance Policy Dashboard

To view the compliance policy dashboard in the Satellite web UI, navigate to Hosts > Compliance > Policies. In the Actions column, click Dashboard for the compliance policy that you want to verify.

The dashboard provides the following information:

  • The Host Breakdown Chart shows the number of compliant and noncompliant hosts, based on the compliance policy.

  • A statistical breakdown that lists the number of hosts that are compliant, noncompliant, have inconclusive results, or that have never been audited.

  • A statistical breakdown of the number of rules that passed or failed for each host, in a tabular format.

Figure 11.1: Compliance policy dashboard in Red Hat Satellite

Evaluating OpenSCAP Reports

You can access the OpenSCAP reports for every scanned host from the compliance report dashboard. You can use this report to determine and prioritize remediation efforts for any noncompliant hosts.

Viewing Compliance Reports

A compliance report is an OpenSCAP report in ARF format that is uploaded to Satellite Server after an OpenSCAP scan on the host. To list all the available reports from the Satellite web UI, navigate to Hosts > Reports. The compliance report dashboard lists the total number of rules that passed or failed during the scan. You can also view the detailed report for a particular host from the compliance report dashboard.

Figure 11.2: Compliance report in Red Hat Satellite

Viewing Compliance Reports in Satellite Server

The following steps outline the process for viewing the compliance report in the Satellite web UI:

  1. Log in to the Satellite web UI as a user with either the Compliance manager or Compliance viewer role.

  2. Navigate to Hosts > Reports.

  3. To open the latest report, click the link in the Reported At column to view the number of rules that passed or failed for the latest scan.

  4. Click View full report to view the detailed report.

The compliance report for each system offers the same information that you get by running the oscap xccdf eval command manually on each machine. The advantage of using a Red Hat Satellite compliance policy to manage these scans is the scalability and the central coordination that Satellite provides. You can set up and manage scans for many systems from one central interface. You can use one central interface to review the results of any system's scan. You can delegate authority to auditors to view the results of the latest scans. Finally, you can compare scans to look for patterns of misconfiguration or common issues.
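As an added example that is not part of the course material, the following Python script parses the kind of ARF report that foreman_scap_client uploads to Satellite Server, reproduces the per-host pass/fail/other counts that the compliance dashboards show, and lists rules that fail on several hosts, which is the cross-scan comparison described above. The ARF documents, host names and rule ids are constructed samples; the parser relies only on the XCCDF 1.2 TestResult structure that both oscap and Satellite use.

```python
# Added example (not from the Red Hat course): parse ARF reports uploaded to Satellite, count pass/fail per host, find shared failures.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace, ElementTree style

# Constructed sample: a trimmed ARF 1.1 wrapper around one XCCDF TestResult, the layout
# 'oscap xccdf eval --results-arf' writes, keeping only the elements read below.
ARF_TEMPLATE = ('<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/'
                'asset-reporting-format/1.1"><arf:reports><arf:report id="xccdf1"><arf:content>'
                '<TestResult xmlns="{xccdf}" id="xccdf_org.open-scap_testresult_example">'
                '<target>{host}</target>{rules}</TestResult></arf:content></arf:report>'
                '</arf:reports></arf:asset-report-collection>')

def constructed_arf(host, results):
    """Render a constructed ARF report for one host from {rule id: result}."""
    rules = "".join(f'<rule-result idref="{r}"><result>{v}</result></rule-result>'
                    for r, v in results.items())
    return ARF_TEMPLATE.format(xccdf=XCCDF[1:-1], host=host, rules=rules)

def parse_arf(arf_xml):
    """Return (target host, {rule id: result}) from one ARF document."""
    tr = ET.fromstring(arf_xml).find(f".//{XCCDF}TestResult")
    return tr.findtext(f"{XCCDF}target"), {rr.get("idref"): rr.findtext(f"{XCCDF}result")
                                           for rr in tr.findall(f"{XCCDF}rule-result")}

def count_results(outcomes):
    """Per-host breakdown as on the dashboard: pass, fail, other (inconclusive)."""
    c = Counter(v if v in ("pass", "fail") else "other" for v in outcomes.values())
    return {k: c[k] for k in ("pass", "fail", "other")}

def common_failures(reports, min_hosts=2):
    """Rule ids that fail on at least min_hosts hosts: a shared misconfiguration."""
    failing = Counter()
    for _, outcomes in reports:
        failing.update(r for r, v in outcomes.items() if v == "fail")
    return sorted(r for r, n in failing.items() if n >= min_hosts)

RULES = [  # constructed sample rule ids in the SSG naming style
    "xccdf_org.ssgproject.content_rule_sshd_disable_root_login",
    "xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs",
    "xccdf_org.ssgproject.content_rule_package_aide_installed"]
SAMPLE_ARFS = {h: constructed_arf(h, dict(zip(RULES, r))) for h, r in [  # three sample hosts
    ("hosta.example.com", ["fail", "pass", "fail"]),
    ("hostb.example.com", ["fail", "pass", "notapplicable"]),
    ("hostc.example.com", ["pass", "fail", "pass"])]}

def sample_report_summary():
    reports = [parse_arf(x) for x in SAMPLE_ARFS.values()]  # per-host counts plus shared failures
    return {h: count_results(o) for h, o in reports}, common_failures(reports)
```

Point parse_arf at real ARF files downloaded from the Satellite report page to run the same comparison across your own hosts.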

References

For more information, refer to the Managing Security Compliance guide at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html-single/managing_security_compliance/index

Revision: rh415-9.2-a821299