Red Hat Security: Linux in Physical, Virtual, and Cloud

Bookmark this page
P123456789101112
PreviousNext

Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Use a tailoring file to customize the compliance policy, re-scan your hosts by using the Red Hat Satellite web UI, and evaluate the results.

Outcomes

  • Upload a tailoring file to Satellite Server.

  • Assign the tailoring file to a compliance policy.

  • Perform compliance scans by using a compliance policy that is customized with a tailoring file.

  • View and download the results of a compliance scan.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start compliance-customize

Instructions

  1. On the workstation machine, open a web browser and navigate to https://satellite.lab.example.com. Log in as the admin user with redhat as the password. Use the Operations organization as the default organization.

    1. From the workstation machine, open a web browser and navigate to https://satellite.lab.example.com. Accept the self-signed certificate and log in as the admin user with redhat as the password.

    2. Set Satellite Server to use the Operations organization. Navigate to Organization and select Operations.

      Note

      At some resolutions, the Organizations list displays in a sidebar menu. If the Organizations list does not display at the top, then navigate to OrganizationsOperations from the sidebar menu.

  2. Add the /home/student/RH415-tailoring.xml file to Satellite. Name the tailoring file compliance-customize in Satellite.

    1. In the Satellite Server web UI, navigate to HostsComplianceTailoring Files. Click New Tailoring File to add a new tailoring file.

    2. On the Upload new Tailoring File page, enter compliance-customize for the Name. Click Browse to upload the /home/student/RH415-tailoring.xml tailoring file, and then click Submit.

  3. Create the compliance-customize compliance policy and use the compliance-customize tailoring file. Use the rhel9 content SCAP content. Use a monthly period with the first day of the month. Enable the scan for the org-hostgroup1 hostgroup.

    1. Navigate to HostsCompliancePolicies.

    2. Click New Compliance Policy.

    3. Select the Ansible radio button and click Next.

    4. Enter compliance-customize in the Name field and click Next.

    5. Select the rhel9 content value for SCAP Content and the compliance-customize value for Tailoring File, and then click Next.

    6. Select the Monthly value for Period, select the 1 value for Day of Month, and then click Next.

    7. Verify that the Default Location value is selected and click Next.

    8. Verify that the Operations value is selected and click Next.

    9. Select the org-hostgroup1 hostgroup and click Submit.

  4. Execute the Ansible roles to set up the host for OpenSCAP revisions.

    1. Return to HostsHostsAll Hosts and select the serverd.lab.example.com host checkbox.

    2. Click Select Action and select Run all Ansible roles from the list.

    3. Verify the results of the role execution.

  5. Run an OpenSCAP scan for the serverd host.

    1. Navigate to HostsHostsAll Hosts.

    2. Select the checkbox for the serverd host.

    3. Click Select ActionSchedule Remote Job.

    4. Select the OpenSCAP job category and the Run OpenSCAP scans job template, then click Run on selected hosts.

  6. View and download the results of the compliance-customize OpenSCAP scan.

    1. Navigate to HostsCompliancePolicies.

    2. Click Dashboard for the compliance-customize policy.

    3. Click View Report for the serverd host.

    4. Browse through the results to find which rules the serverd machine is compliant with.

    5. Click Download XML in bzip to download the results.

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compliance-customize

PreviousNext
Revision: rh415-9.2-a821299