This plugin enables Foreman to receive automated vulnerability assessment and security compliance audits from Foreman hosts. You can upload SCAP compliance contents, create compliance policies out of them and assign the policies to hosts or hostgroups. foreman_openscap plugin provides three default SCAP contents, so you could start testing security compliance on RHEL6/7 and Fedora.
OpenSCAP reports (aka ARF reports) will help you find vulnerabilities on your hosts and also suggest remediation plan to fix those vulnerabilities.
Foreman OpenSCAP plugin is made of 5 components:
There are three basic concepts (entities) in OpenSCAP plug-in: SCAP Contents, Compliance Policies and ARF Reports.
SCAP Content represents SCAP DataStream XML file as defined by SCAP 1.2 standard. DataStream file contains implementation of compliance, configuration or security baselines. Users are advised to acquire examplary baseline by installing scap-security-guide package. DataStream file usualy contains multiple XCCDF Profiles. Each for different security target. The content of DataStream file can be inspected by oscap tool from openscap-scanner package. (XCCDF = Extensible Configuration Checklist Description Format, XCCDF profile = A checklist which audit specific security target)
Compliance Policy is high level concept of a baseline applied to the infrastructure. Compliance policy is defined by user on web interface. Users may assign following information to the policy:
ARF Report is XML output of single scan occurrence per single host. Asset Reporting File format is defined by SCAP 1.2 standard. Foreman plug-in stores the ARF Reports in database for later inspections.
foreman_openscap has two versions: 0.3.4 for Foreman 1.7 and 0.4.x for 1.8+.
Both versions’ functionality is the same, the changes only affect to the way it communicates with Foreman and Smart-Proxy APIs
Foreman version | Plugin version | Proxy version | Client version |
---|---|---|---|
= 1.7 | 0.3.4 | 0.3.1 | 0.1.1 |
>= 1.8 | 0.4.1 | 0.4.0 | 0.1.1 |
There are a few components to install:
Foreman OpenSCAP (foreman_openscap), Smart Proxy OpenSCAP (smart_proxy_openscap), foreman_scap_client and puppet-foreman_scap_client.
On the Foreman server:
> yum install tfm-rubygem-foreman_openscap
> service httpd reload
If your distribution does not provide openscap package recent enough, you can get it from https://copr.fedorainfracloud.org/coprs/isimluk/OpenSCAP/
Please refer the Foreman plugin manual for more information about installing Foreman plugins.
On the Smart-Proxy server:
> yum install rubygem-smart_proxy_openscap
Edit openscap.yml
with the appropriate settings
---
:enabled: true
puppet module install isimluk-foreman_scap_client
This puppet module will automatically install foreman_scap_client (if not installed) and will configure the client’s /etc/foreman_scap_client/config.yaml
with parameters which are needed for the operation of foreman_scap_client.
foreman_scap_client to run scans and upload results to the Smart Proxy.
This chapter covers features that you can use in terms of Foreman and OpenSCAP integration. Everything described below assumes you’ve sucessfully installed foreman_openscap, smart_proxy_openscap and puppet-foreman_scap_client is available on your puppetmaster and Foreman.
You would usually start with uploading SCAP contents, then create policies of those SCAP contents and assign the policy to hosts or hostgroups.
The puppet module will install foreman_scap_client
and configure it with the needed policy information. The puppet module also adds a cron line,
which runs the scap client at the schedule select when creating the policy.
foreman_openscap comes with default scap content provided by scap-security-guide.
The default SCAP content is available for RHEL 6, RHEL 7 and Fedora.
Besides the default SCAP content, you can also upload your own SCAP content.
Access SCAP contents - Hosts -> Compliance -> SCAP Contents
Create SCAP Content - You can upload any valid OpenSCAP DataStream file
You can assign a policy in two ways:
You can access the generated reports via Hosts -> Compliance -> Reports Clicking on “View Report” will lead you to the actual security audit report, with detailed information on the host’s security check and suggested remediation.
/api/compliance/policies/\<policy_id\>/content
)https://\<proxy_url\>/compliance/policies/\<policy_id\>/content
will fetch the xml from https://\<foreman_url\>/api/compliance/policies/\<policy_id\>/content
)Please follow our standard procedures and contacts.
If you find a bug, please file it in Redmine.
See the troubleshooting section in the Foreman manual for more info.
Follow the same process as Foreman for contributing.
Foreman 3.13.0 has been released! Follow the quick start to install it.
Foreman 3.12.1 has been released! Follow the quick start to install it.