I am on Foreman/Katello 3.3/4.5 and have been testing OpenSCAP scanning for some test hosts.
As far as I can understand, there is no way to assign an OpenSCAP policy to an individual host, only to host groups, and a host can only be part of one host group. So I created 3 policies and linked them with 3 host groups. Each host group had the same parent.
parent1/policy_host_group_1
parent1/policy_host_group_2
parent1/policy_host_group_3
I now added the host to group 1, performed a scan, changed host group again to group 2 and performed a new scan and then again changed it to group 3 and performed a scan.
To my surprise, when I moved the host from group 1 to 2, the SCAP policy from group 1 was not removed. So after I changed it to group 3, I ended up with a host with 3 SCAP policies. It is also shown, when I click dashboard on each policy, that the same host is in each policy. When I perform a scan, it scans the same host 3 times with different policies, generating 3 reports!
Is this really the way it should work?
How do I even add/remove a policy to/from a host without using host groups?
Has it got something to do with the usage of the parent1 group? I have not added the parent1 host group to any of the policies, so I assumed the parent1 group should never give a policy to a host.
I am so confused.