This plugin enables Foreman to receive automated vulnerability assessment and security compliance audits from Foreman hosts. You can upload SCAP compliance contents, create compliance policies out of them and assign the policies to hosts or hostgroups. foreman_openscap plugin provides three default SCAP contents, so you could start testing security compliance on RHEL6/7 and Fedora.
OpenSCAP reports (aka ARF reports) will help you find vulnerabilities on your hosts and also suggest remediation plan to fix those vulnerabilities.
Foreman OpenSCAP plugin is made of 5 components:
There are three basic concepts (entities) in OpenSCAP plug-in: SCAP Contents, Compliance Policies and ARF Reports.
SCAP Content represents SCAP DataStream XML file as defined by SCAP 1.2 standard. DataStream file contains implementation of compliance, configuration or security baselines. Users are advised to acquire examplary baseline by installing scap-security-guide package. DataStream file usualy contains multiple XCCDF Profiles. Each for different security target. The content of DataStream file can be inspected by oscap tool from openscap-scanner package. (XCCDF = Extensible Configuration Checklist Description Format, XCCDF profile = A checklist which audit specific security target)
Compliance Policy is high level concept of a baseline applied to the infrastructure. Compliance policy is defined by user on web interface. Users may assign following information to the policy:
ARF Report is XML output of single scan occurrence per single host. Asset Reporting File format is defined by SCAP 1.2 standard. Foreman plug-in stores the ARF Reports in database for later inspections.
foreman_openscap has two versions: 0.4.x for 1.8+, 0.5.x for 1.11+
Both versions’ functionality is the same, the changes only affect to the way it communicates with Foreman and Smart-Proxy APIs
Foreman version | Plugin version | Proxy version | Client version |
---|---|---|---|
= 1.7 | 0.3.4 | 0.3.1 | 0.1.1 |
>= 1.8 | 0.4.1 | 0.4.0 | 0.1.1 |
>= 1.11 | 0.5.0 | 0.5.0 | 0.1.2 |
There are a few components to install:
The easiest and recommended way is using foreman-installer. It’s as easy as running this command
> foreman-installer --enable-foreman-plugin-openscap
If you prefer the manual way, you can install it from package like this:
> yum install tfm-rubygem-foreman_openscap
> foreman-rake db:migrate
> foreman-rake db:seed
> service httpd reload
If your distribution does not provide openscap package recent enough, you can get it from https://copr.fedorainfracloud.org/coprs/isimluk/OpenSCAP/
Please refer to the Foreman plugin manual for more information about installing Foreman plugins.
The easiest and recommended way is using foreman-installer. It’s as easy as running this command
> foreman-installer --enable-foreman-proxy-plugin-openscap
If you run Smart-Proxy with Foreman on the same host you can combine it with –enable-foreman-plugin-openscap option.
If you prefer the manual way, install this package on the Smart-Proxy server:
> yum install rubygem-smart_proxy_openscap
Edit /etc/foreman-proxy/settings.d/openscap.yml
with the appropriate settings
---
:enabled: true
# Log file for the forwarding script.
:openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log
# Directory where OpenSCAP audits are stored
# before they are forwarded to Foreman
:spooldir: /var/spool/foreman-proxy/openscap
# Directory where OpenSCAP content XML are stored
# So we will not request the XML from Foreman each time
:contentdir: /var/lib/openscap/content
# Directory where OpenSCAP report XML are stored
# So Foreman can request arf xml reports
:reportsdir: /usr/share/foreman-proxy/openscap/reports
# Directory where OpenSCAP report XML are stored
# In case sending to Foreman succeeded, yet failed to save to reportsdir
:failed_dir: /usr/share/foreman-proxy/openscap/failed
puppet module install isimluk-foreman_scap_client
This puppet module will automatically install foreman_scap_client (if not installed) and will configure the client’s /etc/foreman_scap_client/config.yaml
with parameters which are needed for the operation of foreman_scap_client. The module is used by Foreman to automate the configuration and triggering of foreman_openscap_client, so you should install it in all puppet environments that your hosts use.
As with any Foreman plugin, the recommended upgrade path is done via yum upgrade
. This will ensure that all of the packages are with the right version, dependencies
and data migrations.
Note: ARF reports are not automatically migrated and need a manual step
ARF reports in 0.5.x and Foreman > 1.11 are now part of Foreman’s reports (Reports STI), and the physical ARF report XML is now saved at the Smart-Proxy.
This requires a special migration, which needs both Foreman and Smart-Proxy up and running, with latest respective OpenSCAP plugins installed.
Since we cannot assure this during upgrade, migration of ARF reports has moved to a rake task which should be performed after upgrading.
To upgrade ARF reports from 0.4.x to 0.5.x:
foreman-rake db:migrate
to ensure all other data has been migratedforeman-rake foreman_openscap:migrate[<proxy_id>]
(Where <proxy_id>
is the id of the Smart-Proxy with OpenSCAP feature).Notes: to find out your Smart-Proxy id you can either run hammer proxy list
or pick the Smart-Proxy’s id from the url in web UI. please note it should be inside the square brackets
Process: During the ARF reports migration, the old ARF reports are fetched from the Foreman database, sent to the Smart-Proxy for re-processing and saving and are sent back to the Foreman in their new format - while keeping their original data.
Once the old ARF report has successfully migrated, it is deleted from the old table.
This chapter covers features that you can use in terms of Foreman and OpenSCAP integration. Everything described below assumes you’ve sucessfully installed foreman_openscap, smart_proxy_openscap and puppet-foreman_scap_client is available on your Puppet master and Foreman.
Please note: smart_proxy_openscap is required for the normal operation of foreman_openscap
You would usually start with uploading SCAP contents, then create policies of those SCAP contents and assign the policy to hosts or hostgroups.
The puppet module will install foreman_scap_client
and configure it with the needed policy information. The puppet module also adds a cron line,
which runs the SCAP client at the schedule select when creating the policy.
When installing foreman_openscap from RPM, we also add default SCAP content provided by scap-security-guide.
In previous versions, the default SCAP content was added via seed task.
In version >= 0.5.x, we are processing all of OpenSCAP content and reports in the Proxy.
And we are unsure if during installation the smart_proxy_openscap plugin is installed and enabled, so we can not seed the default SCAP content
Instead of auto-generating default SCAP content when installing foreman_openscap, you can now accomplish that with a rake task.
Creating default SCAP content
foreman-rake foreman_openscap:bulk_upload:default
This will search for scap-security-guide SCAP contents and create SCAP content on the Foreman.
Besides the default SCAP content, you can also upload your own SCAP content.
Access SCAP contents - Hosts -> Compliance -> SCAP Contents
Create SCAP Content - You can upload any valid OpenSCAP DataStream file
(After upload, SCAP content is validated at the Smart-Proxy and SCAP profiles are extracted)
You can assign a policy in two ways:
You can access the generated reports via Hosts -> Compliance -> Reports Clicking on “View Report” will lead you to the actual security audit report, with detailed information on the host’s security check and suggested remediation.
/api/compliance/policies/\<policy_id\>/content
)https://\<proxy_url\>/compliance/policies/\<policy_id\>/content
will fetch the xml from https://\<foreman_url\>/api/compliance/policies/\<policy_id\>/content
)Please follow our standard procedures and contacts.
If you find a bug, please file it in Redmine.
See the troubleshooting section in the Foreman manual for more info.
Follow the same process as Foreman for contributing.
Foreman 3.13.0 has been released! Follow the quick start to install it.
Foreman 3.12.1 has been released! Follow the quick start to install it.