Installing and Configuring OpenScap on Red Hat Satellite 6

Satellite Server Console
1. Satellite Server Requirements
  1. # satellite-installer --enable-foreman-plugin-openscap
  2. # foreman-rake foreman_openscap:bulk_upload:default
  3. # yum -y install puppet-foreman_scap_client
2. OpenSCAP Content Requirements
  1. # yum -y install scap-security-guide
Satellite Server Web UI
1. 1. Set the Organization/Location tab to Any Context
2. 2. Select Configure > Environments
3. 3. Click on Import from <satellite_server> button, "Select the Puppet Environment as per the Openscap modules" and click Update.
4. 4. Click to open newly imported Puppet Environments, then assign to your Locations and Organizations
Satellite Server Web UI
1. Create a Hostgroup
  1. > Satellite Web UI: Configure > Host Groups > Click New Host Group
2. Host Group Tab
  1. 1. Name: OpenSCAP_Clients_Demo
  2. 2. Lifecycle Environment: (leave blank)
  3. 3. Content View: (leave blank)
  4. 4. Puppet Environment: Select OpenSCAP_RHEL7
  5. 5. Content Source: satellite.example.com
  6. 6. Puppet CA: satellite.example.com
  7. 7. Puppet Master: satellite.example.com
  8. 8. Openscap Capsule: satellite.example.com
  9. 9. Click Submit BEFORE advancing to the next tab. This takes you back to the Host Groups page.
  10. 10. From the Host Groups page, select OpenSCAP_Clients_Demo to modify this Host Group
  11. 11. Puppet Classes Tab:
    1. 12. Click to expand foreman_scap_client and select both foreman_scap_client and foreman_scap_client::params
  12. 13. Locations and Organizations tab, select to suit.
  13. 14. Click Submit to complete the update
Satellite Server Web UI
1. Create Compliance Policy
  1. > Satellite Web UI: Hosts > Compliance > Policies
2. New Compliance Policy
  1. Enter a name (Description optional)
  2. SCAP Content tab:
    1. SCAP Content: ssg-rhel7
    2. XCCDF Profile: Common Profile for General-Purpose Systems
    3. XCCDF Profile: Common Profile for General-Purpose Systems
  3. Schedule tab :
    1. Period: Custom
    2. Cron line: */1 * * * * (this will allow the demo to run every minute for demonstration only. Change to appropriate frequency once demo is completed)
  4. Click Next, then select Locations and Organizations to suit
  5. Hostgroups tab:
    1. Use the newly created host group OpenSCAP_Clients_Demo
  6. Click Submit to complete.
Satellite Server Web UI
1. Assign Policy To Host(s)
  1. 1. Satellite Web UI: Hosts > All Hosts > Select one or more hosts from the list of Hosts
  2. 2. Once we have the host(s) selected, a Select Action button appears above the list of hosts.
  3. 3. Select Change Group from the Select Action options
  4. 4. Select OpenSCAP_Clients_Demo from the list of host groups, then Submit
RHEL Client
1. Install and Configure Puppet on Client
  1. # yum -y install puppet
  2. # echo " server = <your_satellite_server>" >> /etc/puppet/puppet.conf
  3. # echo " environment = OpenSCAP_RHEL7" >> /etc/puppet/puppet.conf
  4. systemctl start puppet && systemctl enable puppet
  5. puppet agent -t
    1. Exiting; no certificate found and waitforcert is disabled
2. Go to next step to sign certificate (Sign Certificate on Capsule)
  1. Satellite Web UI: Infrastructure > Capsule
  2. On the Actions column, click on the available actions and select Certificates (For this demo, we only have the all-in-one Satellite/Capsule/Puppet Master)
  3. Click Sign to sign the certificate
  4. A scan will run base on the "Cron line:" setting in the earlier step. Monitor /var/log/messages on the client to see activities.
3. Run "puppet agent -t" again on the client.
Satellite Server Web UI
1. View Scan Results
  1. 1. Satellite Web UI: Hosts > Policies > (Select your policy)
  2. 2. In the table "Latest reports for policy: ...", click on View Report button
  3. 3. Latest_reports_for_policy
Fuente
1. https://access.redhat.com/solutions/3145861