Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Use Red Hat Satellite to perform an OpenSCAP scan of one of your servers, and evaluate the results.

Outcomes

  • Create a Red Hat Satellite compliance policy for centralized OpenSCAP scans.

  • Manually trigger a compliance policy scan on a Red Hat Satellite client.

  • Evaluate the compliance report for that scan in the Red Hat Satellite web UI.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start compliance-scan

Instructions

  1. On the serverd machine, install the scap-security-guide package to get the supported SCAP content for RHEL 9.

    1. Log in to the serverd machine as the student user. Change to the root user. Use student as the password.

      [student@workstation ~]$ ssh student@serverd
      [student@serverd ~]$ sudo -i
      [sudo] password for student: student
      [root@serverd ~]#
    2. Install the scap-security-guide package on the serverd machine.

      [root@serverd ~]# dnf install scap-security-guide
      ...output omitted...
      Install  6 Packages
      
      Total download size: 3.2 M
      Installed size: 100 M
      Is this ok [y/N]: y
      ...output omitted...
    3. Return to the workstation machine.

      [root@serverd ~]# logout
      [student@serverd ~]$ logout
      Connection to serverd closed.
      [student@workstation ~]$
    4. Copy the /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml file from the serverd machine to the Desktop directory on the workstation machine.

      [student@workstation ~]$ scp \
        serverd:/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml \
        Desktop/ssg-rhel9-ds.xml
      ...output omitted...
  2. Upload the supported SCAP content for RHEL 9 to Satellite.

    1. Log in to the satellite machine as the student user. Change to the root user. Use student as the password.

      [student@workstation ~]$ ssh student@satellite
      [student@satellite ~]$ sudo -i
      [sudo] password for student: student
      [root@satellite ~]#
    2. Create the /usr/share/xml/scap/custom directory. Copy the Desktop/ssg-rhel9-ds.xml file from the workstation machine to the /usr/share/xml/scap/custom directory.

      [root@satellite ~]# mkdir -p /usr/share/xml/scap/custom
      [root@satellite ~]# scp student@workstation:Desktop/ssg-rhel9-ds.xml \
        /usr/share/xml/scap/custom/
      student@workstation's password: student
      ...output omitted...
    3. From the satellite machine, use the hammer command to upload the SCAP content.

      [root@satellite ~]# hammer scap-content bulk-upload --type directory \
        --organization 'Operations' \
        --directory /usr/share/xml/scap/custom
      ...output omitted...
      Scap Contents uploaded.
  3. Log out of the satellite machine.

    [root@satellite ~]# logout
    [student@satellite ~]$ logout
    Connection to satellite closed.
    [student@workstation ~]$
  4. On the workstation machine, open a browser and connect to the Satellite web UI at https://satellite.lab.example.com. If required, accept the self-signed certificate and log in as the admin user with redhat as the password.

  5. In the Satellite web UI, select the Operations organization.

    1. Select Operations from the Organizations list.

      Note

      At some resolutions, the Organizations list displays in a sidebar menu. If the Organizations list does not display at the top, then navigate to Organizations → Operations from the sidebar menu.

  6. In the Satellite web UI, create a compliance policy named OpenSCAP-Policy1 by using the default RHEL 9 SCAP content. Configure the policy to run every 10 minutes.

    1. Navigate to Hosts → Compliance → Policies and click New Policy.

    2. Select Ansible as the deployment option, and then click Next.

    3. On the Policy Attributes tab, enter OpenSCAP-Policy1 as the name of the policy. The policy description is optional. Click Next.

    4. On the SCAP Content tab, select rhel9 content from the SCAP Content list. For XCCDF Profile, select [DRAFT] DISA STIG for Red Hat Enterprise Linux 9. Click Next.

    5. On the Schedule tab, select Custom for Period. Enter */10 * * * * in the Cron line field to run the scan every 10 minutes. Click Next.

    6. On the Locations tab, verify that Default Location is on the Selected items list. Click Next.

    7. On the Organizations tab, ensure that Operations is the selected organization. Click Next.

    8. On the Hostgroups tab, select org-hostgroup1 to move it to the Selected items list. Click Submit to create the compliance policy.

  7. Execute the Ansible roles to set up the host for OpenSCAP revisions.

    1. Return to Hosts → Hosts → All Hosts and select the serverd.lab.example.com host checkbox.

    2. Click Select Action and select Run all Ansible roles from the list.

    3. Verify the results of the role execution.

  8. Run an OpenSCAP scan for the serverd host.

    1. Navigate to Hosts → Hosts → All Hosts.

    2. Select the checkbox for the serverd host.

    3. Click Select Action → Schedule Remote Job.

    4. Select the OpenSCAP job category and the Run OpenSCAP scans job template, and then click Run on selected hosts.

  9. View the results of the OpenSCAP-Policy1 OpenSCAP scan.

    1. Navigate to Hosts → Compliance → Policies.

    2. Click Dashboard for the OpenSCAP-Policy1 policy.

    3. Click View Report for the serverd host.

    4. Browse through the scan results.
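
Added example, not part of the original exercise: in steps 1 and 2 the data stream is copied from serverd to workstation and then to satellite before hammer uploads it, so this check confirms that the copy still has the digest taken at the origin and contains the profile the policy will select. The function names, the constructed sample file, and the profile ID xccdf_org.ssgproject.content_profile_stig are assumptions; the exercise gives only the profile title.

```shell
# Added example; function names are hypothetical, not part of the exercise.

# SHA-256 digest of a file. In the exercise, record this on serverd first.
ds_digest() {
  sha256sum "$1" | awk '{print $1}'
}

# XCCDF profile IDs present in a data stream, one per line.
ds_profiles() {
  grep -oE '<([A-Za-z0-9_.-]+:)?Profile [^>]*id="[^"]+"' "$1" \
    | sed 's/.*id="\([^"]*\)".*/\1/' | sort -u
}

# Return 0 only if the copy matches the origin digest, is a SCAP source
# data stream, and contains the profile the compliance policy will select.
verify_datastream() {
  local file="$1" expected="$2" profile="$3" actual
  [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
  actual=$(ds_digest "$file")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: expected $expected, got $actual" >&2
    return 1
  fi
  grep -q 'data-stream-collection' "$file" \
    || { echo "not a SCAP source data stream: $file" >&2; return 1; }
  ds_profiles "$file" | grep -qxF -- "$profile" \
    || { echo "profile not found: $profile" >&2; return 1; }
}

# Constructed sample standing in for ssg-rhel9-ds.xml (not real SSG content).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2">
  <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig"/>
  <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis"/>
</ds:data-stream-collection>
EOF

origin_digest=$(ds_digest "$sample")   # stands in for the digest from serverd
verify_datastream "$sample" "$origin_digest" \
  xccdf_org.ssgproject.content_profile_stig && echo "OK to upload"
```

In the lab, the first argument would be /usr/share/xml/scap/custom/ssg-rhel9-ds.xml on satellite and the second the digest printed by ds_digest on serverd.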

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compliance-scan

Revision: rh415-9.2-a821299