tl;dr – install foreman_openscap to run automated vulnerability audits on your foreman hosts.
The Foreman-OpenSCAP gem suite enables Foreman to receive automated vulnerability assessment and security compliance audits from Foreman hosts.
You can upload SCAP compliance contents, create compliance policies out of them and assign the policies to hosts or hostgroups. The foreman_openscap plugin provides three default SCAP contents, so you can start testing security compliance on RHEL6/7 and Fedora.
OpenSCAP reports (ARF reports; ARF is the Asset Reporting Format) will help you find vulnerabilities on your hosts and, for each failed rule, carry the remediation text from the SCAP content so you know how to fix it.
The Foreman OpenSCAP suite is made up of 5 components (gems):
- Scaptimony – Rails engine which creates and persists SCAP content, compliance policy and ARF report objects
- foreman_openscap – the Foreman UI plugin on top of the Scaptimony engine (Scaptimony is the part that actually talks to OpenSCAP)
- smart_proxy_openscap – Smart-Proxy plugin which distributes SCAP content to hosts and posts the ARF reports received from client hosts to Foreman
- foreman_scap_client – A client script which runs OpenSCAP scan and uploads the scan report to the Smart-Proxy
- puppet-foreman_scap_client – A puppet module which configures foreman_scap_client
Pretty easy (I think 🙂 ):
On the Foreman server:
yum install ruby193-rubygem-foreman_openscap
On the Proxy:
yum install rubygem-smart_proxy_openscap
On the puppet master:
puppet module install isimluk-foreman_scap_client
That was pretty easy, no?
Please note that foreman_openscap pulls in the Scaptimony engine as a dependency, and that the puppet module is what installs foreman_scap_client on the client hosts.
OpenSCAP basic concepts
There are three basic concepts (entities) in the OpenSCAP plug-in: SCAP Contents, Compliance Policies and ARF Reports.
SCAP Content – A file which contains SCAP DataStream XML.
The DataStream contains compliance, configuration or security baselines: the SCAP security guidelines and policies, expressed in XCCDF (Extensible Configuration Checklist Description Format). An XCCDF profile is the checklist that audits one specific security target, and a single DataStream usually carries several profiles.
Compliance Policy – in Foreman, you can create a compliance policy and assign it to a host / hostgroup. The important part is to choose which XCCDF profile you wish to test with that policy. A compliance policy is made of:
- SCAP Content
- XCCDF Profile from particular SCAP Content
- Hostgroups that should comply with the policy
- Schedule – the period in which the audit shall occur
ARF Report – when a compliance policy runs on the selected host(s), the result is an ARF report which is uploaded back to Foreman, where it is rendered as a report from which you can learn about your host’s security vulnerabilities and security issues.
Import foreman_scap_client puppet module into Foreman.
In the menu: Configure -> Puppet classes, then “Import from <your puppet master>”.
The menu for using SCAP is set under: Hosts -> Compliance
Creating SCAP content.
Please note that in the latest foreman_openscap we ship Red Hat’s default SCAP content for RHEL 6, RHEL 7 and Fedora. You can also upload your own SCAP content.
Now that we have some SCAP contents (which contains one or more XCCDF profiles) we can create policies.
A policy is the mapping of which XCCDF profile to run on which host(groups) at what time.
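The two things a policy depends on, the profiles a piece of SCAP content offers and the check that the chosen profile really exists in it, can be seen by reading a DataStream directly. The following is an added example in Ruby (the language of the Foreman plugins); it is not code from foreman_openscap or Scaptimony. The DataStream is a constructed, trimmed-down sample and every scap_example_* / xccdf_example_* identifier in it is made up; only the element layout (ds:component holding an xccdf:Benchmark with xccdf:Profile entries) is the real one.

```ruby
require 'rexml/document'

DS_NS    = 'http://scap.nist.gov/schema/scap/source/1.2'
XCCDF_NS = 'http://checklists.nist.gov/xccdf/1.2'
NS       = { 'ds' => DS_NS, 'xccdf' => XCCDF_NS }

# Constructed sample: a minimal SCAP source DataStream carrying one XCCDF
# Benchmark with two profiles. All identifiers are made up for this example;
# the RHEL/Fedora content shipped with foreman_openscap is much larger but has
# the same ds:component -> xccdf:Benchmark -> xccdf:Profile layout.
SAMPLE_DATASTREAM = <<~XML
  <ds:data-stream-collection xmlns:ds="#{DS_NS}" xmlns:xlink="http://www.w3.org/1999/xlink"
                             id="scap_example_collection_demo">
    <ds:data-stream id="scap_example_datastream_demo">
      <ds:checklists>
        <ds:component-ref id="scap_example_cref_demo" xlink:href="#scap_example_comp_demo"/>
      </ds:checklists>
    </ds:data-stream>
    <ds:component id="scap_example_comp_demo">
      <xccdf:Benchmark xmlns:xccdf="#{XCCDF_NS}" id="xccdf_example_benchmark_demo">
        <xccdf:Profile id="xccdf_example_profile_common">
          <xccdf:title>Common baseline</xccdf:title>
          <xccdf:select idref="xccdf_example_rule_sshd_root_login" selected="true"/>
          <xccdf:select idref="xccdf_example_rule_tmp_partition" selected="true"/>
        </xccdf:Profile>
        <xccdf:Profile id="xccdf_example_profile_minimal">
          <xccdf:title>Minimal</xccdf:title>
          <xccdf:select idref="xccdf_example_rule_sshd_root_login" selected="true"/>
          <xccdf:select idref="xccdf_example_rule_tmp_partition" selected="false"/>
        </xccdf:Profile>
        <xccdf:Rule id="xccdf_example_rule_sshd_root_login" severity="high"/>
        <xccdf:Rule id="xccdf_example_rule_tmp_partition" severity="low"/>
      </xccdf:Benchmark>
    </ds:component>
  </ds:data-stream-collection>
XML

# List the profiles a piece of SCAP content offers: id, human-readable title
# and the ids of the rules the profile switches on. This is what the policy
# wizard's "SCAP profile" drop-down has to present.
def xccdf_profiles(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//ds:component/xccdf:Benchmark/xccdf:Profile', NS).map do |profile|
    title = REXML::XPath.first(profile, 'xccdf:title', NS)
    selected = REXML::XPath.match(profile, "xccdf:select[@selected='true']", NS)
                           .map { |sel| sel.attributes['idref'] }
    {
      id: profile.attributes['id'],
      title: title ? title.text.strip : profile.attributes['id'],
      selected_rules: selected,
    }
  end
end

# Fail fast on a profile id that is not in the content, instead of letting the
# client discover it when oscap refuses to evaluate the policy.
def resolve_profile(xml, profile_id)
  found = xccdf_profiles(xml).find { |p| p[:id] == profile_id }
  raise ArgumentError, "profile #{profile_id} is not defined in this SCAP content" unless found
  found
end

if __FILE__ == $PROGRAM_NAME
  xccdf_profiles(SAMPLE_DATASTREAM).each do |p|
    puts "#{p[:id]} (#{p[:title]}): #{p[:selected_rules].size} rules selected"
  end
end
```

Run it against a real DataStream by reading the file into `xccdf_profiles` instead of the sample; the profile ids it prints are exactly the ones a policy must name.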
Creating a Policy
To create a policy, go to Hosts -> Policies and choose “New Compliance Policy” and follow the wizard’s steps:
- Name your policy
- Choose which SCAP content & SCAP profile to apply
- Choose schedule when to run this policy
- Select which locations / organizations this policy belongs to, if those are enabled
- Choose the hostgroups you wish to apply this policy to
In the final part, the policy will be applied to each host which belongs to the selected hostgroup.
Another method to assign a policy to a host is the “Select Action” button on the hosts index.
Note: in the background, the foreman_scap_client Puppet class is configured with which Proxy serves OpenSCAP content and which policies apply to the client hosts. When puppet agent next runs on the client it installs foreman_scap_client, writes its configuration (the policies to run and the proxy to upload scan reports to) and adds a cron entry that runs each policy on its selected schedule.
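What the client actually does on each cron run is a short sequence: run oscap against the downloaded DataStream with the policy's profile, ask for an ARF result, and upload it to the Smart Proxy over TLS using the host's Puppet certificate. The following Ruby is an added example of that flow, not the foreman_scap_client code. The configuration hash, its key names, the proxy upload path (`/compliance/arf/<policy id>`) and the cron line format are assumptions made for this example; the config file written by puppet-foreman_scap_client and the routes of your installed smart_proxy_openscap are the authority for your version.

```ruby
require 'net/http'
require 'openssl'
require 'shellwords'

# Constructed stand-in for the client configuration the Puppet module writes.
# Key names and paths are assumptions for this example, not the real file format.
CONFIG = {
  server: 'proxy.example.com',                         # Smart Proxy running smart_proxy_openscap
  port: 8443,
  ca_file: '/var/lib/puppet/ssl/certs/ca.pem',         # Puppet CA, used to verify the proxy
  host_certificate: '/var/lib/puppet/ssl/certs/client.example.com.pem',
  host_private_key: '/var/lib/puppet/ssl/private_keys/client.example.com.pem',
  policies: {
    1 => { profile: 'xccdf_example_profile_common',              # XCCDF profile chosen in the policy
           content_path: '/var/lib/openscap/content/example-ds.xml' }, # DataStream fetched from the proxy
  },
}.freeze

# The scan: evaluate one profile from the DataStream and ask oscap for an ARF
# result, which is the format Foreman ingests (plain --results would not do).
def oscap_command(policy, arf_path)
  ['oscap', 'xccdf', 'eval',
   '--profile', policy[:profile],
   '--results-arf', arf_path,
   policy[:content_path]]
end

# The same command as a safely quoted shell line, for a cron job or for pasting.
def oscap_shell_line(policy, arf_path)
  Shellwords.join(oscap_command(policy, arf_path))
end

# One cron entry per policy on the schedule chosen in Foreman; the argument is
# the policy id the client looks up in its config. Illustrative format only:
# the Puppet module decides the actual cron file and user.
def cron_line(policy_id, minute:, hour:)
  "#{minute} #{hour} * * * root /usr/bin/foreman_scap_client #{policy_id}"
end

# HTTPS client that verifies the proxy against the Puppet CA and presents the
# host's own Puppet certificate, so the proxy can tie the report to the host
# that produced it. cert/key are OpenSSL objects from load_identity; nil leaves
# client authentication off, which is only useful for checking the setup offline.
def proxy_http(config, cert: nil, key: nil)
  http = Net::HTTP.new(config[:server], config[:port])
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # never VERIFY_NONE: reports must reach the real proxy
  http.ca_file = config[:ca_file]
  http.cert = cert
  http.key = key
  http
end

def load_identity(config)
  [OpenSSL::X509::Certificate.new(File.read(config[:host_certificate])),
   OpenSSL::PKey.read(File.read(config[:host_private_key]))]
end

# Upload route on the proxy: an assumption for this example, check your
# smart_proxy_openscap version.
ARF_UPLOAD_PATH = '/compliance/arf/%d'.freeze

def upload_request(policy_id, arf_xml)
  req = Net::HTTP::Post.new(format(ARF_UPLOAD_PATH, policy_id))
  req['Content-Type'] = 'text/xml'
  req.body = arf_xml
  req
end

# End to end, as cron would run it. oscap exits non-zero when rules fail, so a
# failed scan is still uploaded; only a missing result file aborts the run.
def run_policy(config, policy_id, arf_path = "/tmp/arf-#{policy_id}.xml")
  policy = config[:policies].fetch(policy_id)
  system(*oscap_command(policy, arf_path))
  raise "oscap produced no ARF at #{arf_path}" unless File.exist?(arf_path)
  cert, key = load_identity(config)
  proxy_http(config, cert: cert, key: key).request(upload_request(policy_id, File.read(arf_path)))
end
```

The point to take from it is the transport: the client verifies the proxy (VERIFY_PEER against the Puppet CA) and authenticates with the host's certificate, which is what lets the proxy attribute an uploaded ARF to the right host rather than to whoever can reach port 8443.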
And finally, reports from our hosts start coming in: as soon as the client runs, it generates an ARF report which is uploaded back to Foreman (via the Smart Proxy).
To access reports: Hosts -> Reports
The reports index shows a brief status of how many tests have passed / failed on that report.
To view the detailed report, click on “View Report”
In the detailed report you can find which tests have passed and, more importantly, which tests have failed and do not comply with the security standard. For each failed test you can also find a remediation procedure which helps you eliminate the failure (and make your host more secure!).
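The reports index and the detailed view are both derived from the uploaded ARF. As an added example (not Foreman or Scaptimony code), the following Ruby reads a constructed, trimmed-down ARF report with made-up xccdf_example_* identifiers and produces the same two things: the pass / fail summary the index shows, and the list of failed rules with the remediation text the content ships for them. It also treats `error` and `unknown` results as non-compliant, since a check that could not run is not a pass.

```ruby
require 'rexml/document'

XCCDF_NS = 'http://checklists.nist.gov/xccdf/1.2'
ARF_NS   = 'http://scap.nist.gov/schema/asset-reporting-format/1.1'
NS       = { 'xccdf' => XCCDF_NS, 'arf' => ARF_NS }

# Constructed sample ARF: the Benchmark (with a fix for one rule) sits under
# arf:report-requests, the XCCDF TestResult under arf:reports. All identifiers
# are made up; a real report from foreman_scap_client is far larger but uses
# the same elements.
SAMPLE_ARF = <<~XML
  <arf:asset-report-collection xmlns:arf="#{ARF_NS}" xmlns:xccdf="#{XCCDF_NS}">
    <arf:report-requests>
      <arf:report-request id="scap_example_request_demo">
        <arf:content>
          <xccdf:Benchmark id="xccdf_example_benchmark_demo">
            <xccdf:Rule id="xccdf_example_rule_sshd_root_login" severity="high">
              <xccdf:title>Disable SSH root login</xccdf:title>
              <xccdf:fix system="urn:xccdf:fix:script:sh">sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config</xccdf:fix>
            </xccdf:Rule>
            <xccdf:Rule id="xccdf_example_rule_tmp_partition" severity="low">
              <xccdf:title>Ensure /tmp is a separate partition</xccdf:title>
            </xccdf:Rule>
          </xccdf:Benchmark>
        </arf:content>
      </arf:report-request>
    </arf:report-requests>
    <arf:reports>
      <arf:report id="xccdf_example_report_demo">
        <arf:content>
          <xccdf:TestResult id="xccdf_example_testresult_demo">
            <xccdf:rule-result idref="xccdf_example_rule_sshd_root_login" severity="high">
              <xccdf:result>fail</xccdf:result>
            </xccdf:rule-result>
            <xccdf:rule-result idref="xccdf_example_rule_tmp_partition" severity="low">
              <xccdf:result>pass</xccdf:result>
            </xccdf:rule-result>
            <xccdf:rule-result idref="xccdf_example_rule_selinux" severity="medium">
              <xccdf:result>notselected</xccdf:result>
            </xccdf:rule-result>
          </xccdf:TestResult>
        </arf:content>
      </arf:report>
    </arf:reports>
  </arf:asset-report-collection>
XML

# XCCDF results that must not count as compliance: an errored or unknown
# check is not a pass.
NON_COMPLIANT = %w[fail error unknown].freeze

# Count results per XCCDF result value and collect the non-compliant rules,
# joined to their Benchmark entries so title and remediation are available.
def summarize_arf(xml)
  doc = REXML::Document.new(xml)
  rules = REXML::XPath.match(doc, '//xccdf:Benchmark/xccdf:Rule', NS)
                      .map { |r| [r.attributes['id'], r] }.to_h
  counts = Hash.new(0)
  failed = []
  REXML::XPath.each(doc, '//xccdf:TestResult/xccdf:rule-result', NS) do |rr|
    result = REXML::XPath.first(rr, 'xccdf:result', NS).text.strip
    counts[result] += 1
    next unless NON_COMPLIANT.include?(result)
    failed << describe_failure(rr, rules[rr.attributes['idref']], result)
  end
  { counts: counts, failed: failed }
end

def describe_failure(rule_result, rule, result)
  title = rule && REXML::XPath.first(rule, 'xccdf:title', NS)
  fix   = rule && REXML::XPath.first(rule, 'xccdf:fix', NS)
  {
    id: rule_result.attributes['idref'],
    result: result,
    severity: rule_result.attributes['severity'],
    title: title ? title.text.strip : rule_result.attributes['idref'],
    remediation: fix ? fix.text.strip : nil,   # nil: the content ships no fix for this rule
  }
end

# The one-line status shown on the reports index; everything that is neither
# pass nor fail (notselected, notapplicable, informational, ...) is "other".
def status_line(summary)
  c = summary[:counts]
  other = c.values.sum - c.fetch('pass', 0) - c.fetch('fail', 0)
  "#{c.fetch('pass', 0)} passed, #{c.fetch('fail', 0)} failed, #{other} other"
end

def compliant?(summary)
  summary[:failed].empty?
end

if __FILE__ == $PROGRAM_NAME
  s = summarize_arf(SAMPLE_ARF)
  puts status_line(s)
  s[:failed].each do |f|
    puts "#{f[:severity]}  #{f[:title]} (#{f[:id]})"
    puts "  remediation: #{f[:remediation] || 'none provided'}"
  end
end
```

Feed it a real ARF downloaded from Foreman and the failed list is the same set of rules the detailed report flags; the remediation text comes straight from the xccdf:fix element of the content, so a rule without one shows up as `none provided` rather than silently disappearing.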