On OpenSCAP and Foreman


tl;dr – install foreman_openscap to run automated vulnerability audits on your foreman hosts.


The Foreman-OpenSCAP gem suite enables Foreman to receive automated vulnerability assessment and security compliance audits from Foreman hosts.
You can upload SCAP compliance contents, create compliance policies out of them and assign the policies to hosts or hostgroups. The foreman_openscap plugin provides three default SCAP contents, so you can start testing security compliance on RHEL6/7 and Fedora right away.

OpenSCAP reports (aka ARF reports) will help you find vulnerabilities on your hosts and also suggest a remediation plan to fix those vulnerabilities.

[Screenshot: OpenSCAP report]

The Foreman OpenSCAP suite is made up of 5 components (gems):

  • Scaptimony – Rails engine which creates and persists SCAP content, compliance policy and ARF report objects
  • foreman_openscap – UI to display the Scaptimony engine (which actually connects to OpenSCAP)
  • smart_proxy_openscap – Smart-Proxy plugin which distributes SCAP content to hosts and posts ARF reports from client hosts to Foreman
  • foreman_scap_client – A client script which runs an OpenSCAP scan and uploads the scan report to the Smart-Proxy
  • puppet-foreman_scap_client – A puppet module which configures foreman_scap_client



Pretty easy (I think 🙂 ):
On Foreman:

yum install ruby193-rubygem-foreman_openscap

restart foreman

On the Proxy:

yum install rubygem-smart_proxy_openscap

restart foreman-proxy

On puppet master:

puppet module install isimluk-foreman_scap_client

That was pretty easy, no?
Please note that foreman_openscap will install the Scaptimony engine with it, and the puppet module will install foreman_scap_client on the client hosts.

OpenSCAP basic concepts

There are three basic concepts (entities) in the OpenSCAP plug-in: SCAP Contents, Compliance Policies and ARF Reports.

SCAP Content – A file which contains SCAP DataStream XML.
The DataStream contains the compliance, configuration or security baselines. In other words, this file carries the SCAP security guidelines and policies in a form called XCCDF (Extensible Configuration Checklist Description Format), where an XCCDF profile is the checklist which audits a specific security target.
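Since a compliance policy is built around one XCCDF profile from one SCAP content, it helps to see what a data stream actually holds before uploading it. The following is an added example (not code from foreman_openscap or OpenSCAP) that parses a SCAP 1.2 source data stream with the Python standard library, lists the profiles each embedded Benchmark offers, and checks that every checklist component-ref resolves to a component in the file, a sanity check worth running on content you wrote yourself. The data stream below is a constructed sample; its ids, titles and rule names are invented, while the namespace URIs are the standard SCAP 1.2 / XCCDF 1.2 ones.

```python
"""List XCCDF profiles in a SCAP source data stream (added example, not project code)."""
import xml.etree.ElementTree as ET

# Standard namespaces used by SCAP 1.2 source data streams and XCCDF 1.2 benchmarks
NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample data stream: one checklist component with one Benchmark and two profiles
SAMPLE_DATASTREAM = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_com.example_collection_sample">
  <ds:data-stream id="scap_com.example_datastream_sample" scap-version="1.2" use-case="CONFIGURATION">
    <ds:checklists>
      <ds:component-ref id="scap_com.example_cref_xccdf" xlink:href="#scap_com.example_comp_xccdf"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_com.example_comp_xccdf" timestamp="2015-01-01T00:00:00">
    <xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example_benchmark_sample">
      <xccdf:status date="2015-01-01">draft</xccdf:status>
      <xccdf:title>Constructed sample benchmark</xccdf:title>
      <xccdf:Profile id="xccdf_com.example_profile_baseline">
        <xccdf:title>Baseline hardening</xccdf:title>
        <xccdf:select idref="xccdf_com.example_rule_sshd_no_root_login" selected="true"/>
        <xccdf:select idref="xccdf_com.example_rule_audit_enabled" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_com.example_profile_minimal">
        <xccdf:title>Minimal checks</xccdf:title>
        <xccdf:select idref="xccdf_com.example_rule_audit_enabled" selected="true"/>
        <xccdf:select idref="xccdf_com.example_rule_sshd_no_root_login" selected="false"/>
      </xccdf:Profile>
      <xccdf:Rule id="xccdf_com.example_rule_sshd_no_root_login" severity="high"/>
      <xccdf:Rule id="xccdf_com.example_rule_audit_enabled" severity="medium"/>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(datastream_xml):
    """Return [(benchmark_id, profile_id, title, explicitly_selected_rules), ...].

    Only rules the profile explicitly selects are counted; XCCDF rules are
    selected by default unless a profile deselects them, so this is the
    profile's own selection list, not the full set of rules that will run.
    """
    root = ET.fromstring(datastream_xml)
    profiles = []
    for bench in root.iter(f"{{{NS['xccdf']}}}Benchmark"):
        for prof in bench.findall("xccdf:Profile", NS):
            title = prof.findtext("xccdf:title", default="", namespaces=NS).strip()
            selected = [s.get("idref") for s in prof.findall("xccdf:select", NS)
                        if s.get("selected") == "true"]
            profiles.append((bench.get("id"), prof.get("id"), title, len(selected)))
    return profiles


def unresolved_checklist_refs(datastream_xml):
    """Return hrefs of checklist component-refs that point at no component in the file."""
    root = ET.fromstring(datastream_xml)
    component_ids = {c.get("id") for c in root.findall("ds:component", NS)}
    missing = []
    for ref in root.findall("ds:data-stream/ds:checklists/ds:component-ref", NS):
        href = ref.get(XLINK_HREF, "")
        # References are local fragments (#component-id) in a self-contained data stream
        if not (href.startswith("#") and href[1:] in component_ids):
            missing.append(href)
    return missing


if __name__ == "__main__":
    for bench_id, prof_id, title, n in list_profiles(SAMPLE_DATASTREAM):
        print(f"{bench_id}: {prof_id} ({title}), {n} rules explicitly selected")
    print("unresolved checklist refs:", unresolved_checklist_refs(SAMPLE_DATASTREAM))
```

Run it against a real data stream by passing the file contents instead of the sample; the profile ids it prints are the ones you pick from when creating a policy.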

Compliance Policy – in Foreman, you can create a compliance policy and assign it to a host / hostgroup. The important part is to choose which XCCDF profile you wish to test in that policy. A compliance policy is made of:

  • SCAP Content
  • XCCDF Profile from particular SCAP Content
  • Hostgroups that should comply with the policy
  • Schedule – the period in which the audit shall occur

ARF Report – When a compliance policy is run on the selected host(s), the result is an ARF report which is uploaded back to Foreman and rendered as a report where you can learn about your host’s security vulnerabilities and security issues.

Using foreman_openscap

Import the foreman_scap_client puppet module into Foreman.
In the menu: Configure -> Puppet classes -> Import from <your puppet master>

The menu for using SCAP is set under: Hosts -> Compliance

Creating SCAP content.
Please note that the latest foreman_openscap provides Red Hat default SCAP content for RHEL 6, RHEL 7 and Fedora. However, you can also upload your own SCAP content.

[Screenshot: New SCAP Content]

Now that we have some SCAP contents (each containing one or more XCCDF profiles) we can create policies.
A policy is the mapping of which XCCDF profile to run on which host(group)s at what time.

Creating a Policy

To create a policy, go to Hosts -> Policies and choose “New Compliance Policy” and follow the wizard’s steps:

  • Name your policy
  • Choose which SCAP content & SCAP profile to apply
  • Choose schedule when to run this policy
  • Select which locations / organizations this policy belongs to, if enabled
  • Choose which hostgroup you wish to apply this policy to

In the final part, the policy will be applied to each host which belongs to the selected hostgroup.
Another method to assign a policy to a host is via the hosts index “select action” button:

[Screenshot: Assign Hosts]

In the background, the foreman_scap_client puppet class is configured with which Proxy will serve OpenSCAP and which policies apply to the client hosts. When ‘puppet agent’ runs on the client it installs foreman_scap_client and configures the policies and the proxy to upload the scan reports to. The puppet module will also set a cron line to run the policy on its selected schedule.

And finally, reports from our hosts are starting to come in.

ARF reports

As soon as the client runs, it generates reports which are uploaded back to Foreman (via the Smart Proxy).

To access reports: Hosts -> Reports

[Screenshot: ARF reports index]

The reports index shows a brief status of how many tests have passed / failed in each report.
To view the detailed report, click on “View Report”.

[Screenshot: ARF report]

In the detailed report you can find which tests have passed and, more importantly, which tests have failed and do not comply with the security standard. For each failed test you can also find a remediation procedure which will help you eliminate the failing test (and make your host more secure!).
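The pass / fail counts on the index and the failed-rule list with remediation on the detail page both come from the XCCDF TestResult inside the ARF file. As an added example (not code from foreman_openscap or the Smart Proxy), here is the same summary computed offline with the Python standard library: it counts rule results, lists the failed rules sorted by severity, and joins each one to the Rule/fix element of the Benchmark when the ARF also embeds the source content in its report-requests, as oscap does by default. The ARF below is a constructed sample with invented ids, host name and fix scripts; only the ARF 1.1 and XCCDF 1.2 namespace URIs are the real ones.

```python
"""Summarise pass/fail and remediation from an ARF file (added example, not project code)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Standard namespaces: Asset Reporting Format 1.1 and XCCDF 1.2
NS = {
    "arf": "http://scap.nist.gov/schema/asset-reporting-format/1.1",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample ARF: embedded Benchmark (with fixes) plus one TestResult
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <arf:report-requests>
    <arf:report-request id="r1"><arf:content>
      <xccdf:Benchmark id="xccdf_com.example_benchmark_sample">
        <xccdf:Rule id="xccdf_com.example_rule_sshd_no_root_login" severity="high">
          <xccdf:title>Disable root login over SSH</xccdf:title>
          <xccdf:fix system="urn:xccdf:fix:script:sh">sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config</xccdf:fix>
        </xccdf:Rule>
        <xccdf:Rule id="xccdf_com.example_rule_audit_enabled" severity="medium">
          <xccdf:title>Enable auditd</xccdf:title>
          <xccdf:fix system="urn:xccdf:fix:script:sh">systemctl enable auditd</xccdf:fix>
        </xccdf:Rule>
        <xccdf:Rule id="xccdf_com.example_rule_no_empty_passwords" severity="high">
          <xccdf:title>No empty passwords</xccdf:title>
        </xccdf:Rule>
      </xccdf:Benchmark>
    </arf:content></arf:report-request>
  </arf:report-requests>
  <arf:reports>
    <arf:report id="xccdf1"><arf:content>
      <xccdf:TestResult id="xccdf_com.example_testresult_sample" start-time="2015-06-01T02:00:00" end-time="2015-06-01T02:00:41">
        <xccdf:profile idref="xccdf_com.example_profile_baseline"/>
        <xccdf:target>host01.example.test</xccdf:target>
        <xccdf:rule-result idref="xccdf_com.example_rule_audit_enabled" severity="medium"><xccdf:result>pass</xccdf:result></xccdf:rule-result>
        <xccdf:rule-result idref="xccdf_com.example_rule_no_empty_passwords" severity="high"><xccdf:result>fail</xccdf:result></xccdf:rule-result>
        <xccdf:rule-result idref="xccdf_com.example_rule_sshd_no_root_login" severity="high"><xccdf:result>fail</xccdf:result></xccdf:rule-result>
        <xccdf:rule-result idref="xccdf_com.example_rule_unused" severity="low"><xccdf:result>notselected</xccdf:result></xccdf:rule-result>
        <xccdf:score system="urn:xccdf:scoring:default" maximum="100.000000">33.333333</xccdf:score>
      </xccdf:TestResult>
    </arf:content></arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""


def summarize_arf(arf_xml):
    """Return target, profile, per-result counts and failed rules (with fix text when present)."""
    root = ET.fromstring(arf_xml)
    test_result = root.find(".//xccdf:TestResult", NS)
    if test_result is None:
        raise ValueError("ARF contains no XCCDF TestResult")

    # Titles and remediation come from the Benchmark rules, keyed by rule id
    titles, fixes = {}, {}
    for rule in root.iter(f"{{{NS['xccdf']}}}Rule"):
        titles[rule.get("id")] = rule.findtext("xccdf:title", default="", namespaces=NS)
        fix = rule.find("xccdf:fix", NS)
        if fix is not None and fix.text:
            fixes[rule.get("id")] = fix.text.strip()

    counts = Counter()
    failed = []
    for rr in test_result.findall("xccdf:rule-result", NS):
        result = rr.findtext("xccdf:result", default="unknown", namespaces=NS).strip()
        counts[result] += 1
        if result == "fail":
            rule_id = rr.get("idref")
            failed.append({
                "rule": rule_id,
                "severity": rr.get("severity", "unknown"),
                "title": titles.get(rule_id, ""),
                "fix": fixes.get(rule_id),  # None when the content offers no remediation
            })
    # Worst findings first, as you would triage them
    failed.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 4), f["rule"]))

    profile = test_result.find("xccdf:profile", NS)
    return {
        "target": test_result.findtext("xccdf:target", default="", namespaces=NS),
        "profile": profile.get("idref") if profile is not None else None,
        "counts": dict(counts),
        "failed": failed,
    }


if __name__ == "__main__":
    summary = summarize_arf(SAMPLE_ARF)
    print(summary["target"], summary["profile"], summary["counts"])
    for f in summary["failed"]:
        print(f"[{f['severity']}] {f['rule']}: {f['title']} -> fix: {f['fix'] or 'none provided'}")
```

Note that "notselected", "notapplicable" and "notchecked" results are counted separately rather than as failures; a report whose failures are all in rules your profile never selected is a sign the wrong profile was chosen for the policy, not that the host is insecure.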