Customize the OpenSCAP Policy in Red Hat Satellite

Objectives

  • Apply a tailoring file to a SCAP profile in Red Hat Satellite, and use the customized SCAP profile to scan registered servers.

Customizing SCAP Profiles in Red Hat Satellite

Organizations sometimes need to adjust a standard security policy, making it stricter or more lenient to match their actual compliance requirements. SCAP tailoring files enable compliance managers to customize a profile without writing new SCAP content. You can create these tailoring files in SCAP Workbench and save them as XCCDF profiles.

Red Hat Satellite 6.3 introduced support for tailoring files. This feature enables users to upload a tailoring file to customize a compliance policy. You can assign the uploaded tailoring file to an existing SCAP profile when creating or updating a compliance policy.

Important

Red Hat Satellite does not have an interface to create or edit tailoring files. A compliance manager should create the tailoring file in SCAP Workbench, and then upload the file to Satellite Server.

Uploading a Tailoring File

After you create a tailoring file in SCAP Workbench, save it in XCCDF Customization format. Then, upload the file to the Red Hat Satellite Server that manages the compliance policy for your scans. You should have already installed the corresponding XCCDF profile for the tailoring file on Satellite Server.

Uploading a Tailoring File to Red Hat Satellite

The following steps outline the process for uploading a tailoring file to Satellite Server:

  1. Log in to the Satellite Server web UI as a user with the Compliance manager role.

  2. Navigate to Hosts > Tailoring Files and then click New Tailoring File.

  3. On the Upload new Tailoring File page, enter a name in the Name field. Click Browse to upload the tailoring file.

  4. Click Submit.

Assigning a Tailoring File to a Compliance Policy

A tailoring file contains one or more XCCDF profiles. You can assign only one tailoring file to a compliance policy. Any change to a compliance policy propagates to each client when its agent connects to Satellite Server.

Assigning a Tailoring File by using the Satellite Web Interface

The following steps outline the process for assigning a tailoring file to a compliance policy on Satellite Server:

  1. Log in to the Satellite web UI as a user with the Compliance manager role.

  2. Navigate to Hosts > Compliance > Policies. Click the name of the policy that you wish to edit.

    Alternatively, click New Policy or New Compliance Policy to create a compliance policy.

  3. On the SCAP Content tab, choose the required tailoring file from the Tailoring File list.

  4. Select XCCDF Profile in Tailoring File from the list. Click Submit.

Executing a Compliance Scan with a Customized Compliance Policy

The agent that runs on each Satellite-managed host fetches the updated compliance policy.

The /etc/foreman_scap_client/config.yaml file contains information about the tailoring file and the XCCDF profile that OpenSCAP uses for the compliance scan.

# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY ANSIBLE
# ANY MANUAL CHANGES WILL BE LOST ON THE NEXT ANSIBLE EXECUTION
...output omitted...

# policy (key is id as in Foreman)
1:
  :profile: xccdf_com.example_profile_mycustom-rhel9
  :content_path: /var/lib/openscap/content/c7ec...4395.xml
  # Download path
  # A path to download SCAP content from proxy
  :download_path: /compliance/policies/1/content/c7ec...4395
  :tailoring_path: /var/lib/openscap/tailoring/5013...5164.xml
  :tailoring_download_path: /compliance/policies/1/tailoring/5013...5164

In the previous output, the xccdf_com.example_profile_mycustom-rhel9 profile is the XCCDF tailoring profile. The tailoring_path variable defines the location of the tailoring file on the SCAP client. The tailoring_download_path variable defines the download location of the tailoring file from Satellite Server.
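The following script is an added example, not part of the course material or of foreman_scap_client: it parses the policy block of a config.yaml in the format shown above, reads the XCCDF Tailoring document the policy points to, and reports whether the configured profile actually exists in that tailoring file and which base-profile rules the customization switches off. The config text, tailoring XML, file paths and rule ids are constructed samples; the real client resolves paths from Satellite and the tailoring file is whatever SCAP Workbench saved.

```python
import re
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
# Constructed sample of the policy block of /etc/foreman_scap_client/config.yaml
SAMPLE_CONFIG = """\
# policy (key is id as in Foreman)
1:
  :profile: xccdf_com.example_profile_mycustom-rhel9
  :tailoring_path: /var/lib/openscap/tailoring/mycustom-tailoring.xml
"""
# Constructed tailoring file in the XCCDF Customization format SCAP Workbench saves
SAMPLE_TAILORING = """\
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example_tailoring_site">
  <benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>
  <Profile id="xccdf_com.example_profile_mycustom-rhel9"
           extends="xccdf_org.ssgproject.content_profile_cis">
    <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
  </Profile>
</Tailoring>
"""
def parse_client_config(text):
    """Parse policy entries: a numeric top-level key followed by ':key: value' lines."""
    policies, current = {}, None
    for line in text.splitlines():
        top = re.match(r"^(\d+):\s*$", line)
        if top:
            current = int(top.group(1))
            policies[current] = {}
        elif current is not None:
            kv = re.match(r"^\s+:(\w+):\s*(\S.*?)\s*$", line)
            if kv:
                policies[current][kv.group(1)] = kv.group(2)
    return policies

def tailoring_profiles(xml_text):
    """Map each Profile id to (base profile it extends, {rule id: selected?})."""
    return {p.get("id"): (p.get("extends"),
                          {s.get("idref"): s.get("selected") == "true"
                           for s in p.findall(XCCDF + "select")})
            for p in ET.fromstring(xml_text).findall(XCCDF + "Profile")}

def audit_policy(policy, profiles):
    """Return (ok, base_profile, rules switched off); ok is False if the profile is missing."""
    prof = profiles.get(policy.get("profile"))
    if "tailoring_path" not in policy or prof is None:
        return False, None, []
    base, selections = prof
    return True, base, sorted(r for r, on in selections.items() if not on)
```

Running audit_policy over every policy id in the parsed config gives a quick check, before the cron job fires, that each host's tailoring profile resolves and shows which controls the customization waives relative to the base profile.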

The compliance scan runs based on the cron job that is defined in the compliance policy. To run the scan manually, you can either use remote execution from Satellite Server or use the foreman_scap_client command. The agent uploads the result of the scan to Satellite Server.

References

For more information, refer to the Configuring SCAP Contents chapter in the Managing Security Compliance guide at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html-single/managing_security_compliance/index#Configuring_SCAP_Contents_security-compliance

Revision: rh415-9.2-a821299