Installing and Configuring OpenScap on Red Hat Satellite 6

Installing and Configuring
OpenScap on Red Hat Satellite 6
Satellite Server
Satellite Server Requirements
# satellite-installer --enable-foreman-plugin-openscap
# foreman-rake foreman_openscap:bulk_upload:default
# yum -y install puppet-foreman_scap_client
OpenSCAP Content Requirements
# yum -y install scap-security-guide
Satellite Server
Web UI
1. Set the Organization/Location tab to Any Context
2. Select Configure > Environments
3. Click on Import from <satellite_server> button, "Select the Puppet Environment as per the Openscap modules" and click Update.
4. Click to open newly imported Puppet Environments, then assign to your Locations and Organizations
Satellite Server
Web UI
Create a Hostgroup
> Satellite Web UI: Configure > Host Groups > Click New Host Group
Host Group Tab
1. Name: OpenSCAP_Clients_Demo
2. Lifecycle Environment: (leave blank)
3. Content View: (leave blank)
4. Puppet Environment: Select OpenSCAP_RHEL7
5. Content Source:
6. Puppet CA:
7. Puppet Master:
8. Openscap Capsule:
9. Click Submit BEFORE advancing to the next tab.
This takes you back to the Host Groups page.
10. From the Host Groups page, select OpenSCAP_Clients_Demo to modify this Host Group
11. Puppet Classes Tab:
12. Click to expand foreman_scap_client and select both foreman_scap_client and foreman_scap_client::params
13. Locations and Organizations tab, select to suit.
14. Click Submit to complete the update
Satellite Server
Web UI
Create Compliance Policy
> Satellite Web UI: Hosts > Compliance > Policies
New Compliance Policy
Enter a name (Description optional)
SCAP Content tab:
SCAP Content: ssg-rhel7
XCCDF Profile: Common Profile for General-Purpose Systems
XCCDF Profile: Common Profile for General-Purpose Systems
Schedule tab :
Period: Custom
Cron line: */1 * * * * (this will allow the demo to run every minute for demonstration only. Change to appropriate frequency once demo is completed)
Click Next, then select Locations and Organizations to suit
Hostgroups tab:
Use the newly created host group OpenSCAP_Clients_Demo
Click Submit to complete.
Satellite Server
Web UI
Assign Policy To Host(s)
1. Satellite Web UI: Hosts > All Hosts > Select one or more hosts from the list of Hosts
2. Once we have the host(s) selected, a Select Action button appears above the list of hosts.
3. Select Change Group from the Select Action options
4. Select OpenSCAP_Clients_Demo from the list of host groups, then Submit
RHEL Client
Install and Configure Puppet on Client
# yum -y install puppet
# echo " server = <your_satellite_server>" >> /etc/puppet/puppet.conf
# echo " environment = OpenSCAP_RHEL7" >> /etc/puppet/puppet.conf
systemctl start puppet && systemctl enable puppet
puppet agent -t
Exiting; no certificate found and waitforcert is disabled
Go to next step to sign certificate
(Sign Certificate on Capsule)
Satellite Web UI: Infrastructure > Capsule
On the Actions column, click on the available actions and select Certificates
(For this demo, we only have the all-in-one Satellite/Capsule/Puppet Master)
Click Sign to sign the certificate
A scan will run base on the "Cron line:" setting in the earlier step. Monitor /var/log/messages on the client to see activities.
Run "puppet agent -t" again on the client.
Satellite Server
Web UI
View Scan Results
1. Satellite Web UI: Hosts > Policies > (Select your policy)
2. In the table "Latest reports for policy: ...", click on View Report button
3. Latest_reports_for_policy