Changing SCAP content in Policy

Problem:

  • Upload new SCAP content (Hosts -> SCAP content -> Upload New SCAP content)
  • Edit an already existing Policy and switch its content to the newly uploaded SCAP content
  • On the remote host delete the pre-downloaded content (/usr/share/xml/scap/ssg/…) and try to re-run /usr/bin/foreman_scap_client
  • The old SCAP content is downloaded again and executed

Expected outcome:

New SCAP content is downloaded and executed

Foreman and Proxy versions:

foreman 1.22
foreman_openscap 0.12.3
rubygem-foreman_scap_client 0.4.6.1.el7

This should work out of the box. foreman_scap_client downloads the SCAP content file if it does not already have a local cache. We use digests, so a new version of SCAP content should get a new name. Did you run puppet to reconfigure /etc/foreman_scap_client/config.yml with the new content file name (based on the new digest)? How did/do you configure foreman_scap_client?

Thanks for the response. In this case the client is not configured by puppet but manually. Anyway, it is not clear to me what parameter should be changed.

# policy (key is id as in Foreman)
4:
  :profile: xccdf_etn-osg_profile_v2
  :content_path: "/usr/share/xml/scap/ssg/etn/4.xml"
  # Download path
  # A path to download SCAP content from proxy
  :download_path: /compliance/policies/4/content
#  :tailoring_path: /var/lib/openscap/4.xml
#  :tailoring_download_path: /compliance/policies/4/tailoring

id, download_path -> depend on the Policy ID, and the policy is still the same
profile -> in my case did not change (the new version of the content still uses the same profile IDs)

Or am I missing something in the config?

Ah, now it makes sense. You use the old configuration which still works with newer versions. If you are able to generate ENC for that host, see the new configuration values, namely for content_path (IIRC). That should change with every SCAP content upload. New version of openscap plugin should expose API if you want to automate that. Also it has builtin support for configuring using ansible for (re)configuration and it doesn’t force users to have puppet configured at all.
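The check below is an added example written for this thread; it is not code from foreman_scap_client or the openscap plugin. It reads a config.yml of the same shape as the one quoted above, and for each policy reports whether the client's local content file is absent (so the client will download from :download_path), present but different from the content Foreman currently serves (the situation in this thread: content_path still points at the old file, so the old content keeps running), or current. It assumes SHA-256 as the digest and takes the expected digest per policy as a plain hash; in practice that value would come from the host's ENC or the plugin API mentioned in the reply.

```ruby
require 'yaml'
require 'digest'
require 'tmpdir'

# Parse config.yml and keep only the policy entries (integer keys, as in
# "4:" in the thread). Symbols are permitted because the keys are written
# as :profile:, :content_path: and so on.
def load_policies(config_text)
  cfg = YAML.safe_load(config_text, permitted_classes: [Symbol])
  cfg.select { |k, _| k.is_a?(Integer) }
end

# Assumption: SHA-256 of the file body identifies a content version.
def file_digest(path)
  Digest::SHA256.file(path).hexdigest
end

# What the client will do for this policy on its next run:
#   :download -> no local copy at :content_path, it fetches from :download_path
#   :stale    -> a local copy exists but is not the content Foreman serves now;
#                the client sees a cache hit and runs the old benchmark
#   :current  -> the local copy matches the expected digest
def policy_status(policy, expected_digest)
  path = policy[:content_path]
  return :download unless File.exist?(path)
  file_digest(path) == expected_digest ? :current : :stale
end

# Audit every policy in the config against the expected digests
# ({ policy_id => hex digest }); returns { policy_id => status }.
def audit(config_text, expected_digests)
  load_policies(config_text).each_with_object({}) do |(id, policy), out|
    out[id] = policy_status(policy, expected_digests.fetch(id))
  end
end

# Demo with constructed data: the host still has the old 4.xml cached and
# config.yml still points at it, while Foreman now serves new content.
def demo
  Dir.mktmpdir do |dir|
    old_content = "<Benchmark id='old'/>"   # constructed stand-in for SCAP XML
    new_content = "<Benchmark id='new'/>"   # constructed stand-in for SCAP XML
    old_path = File.join(dir, '4.xml')
    File.write(old_path, old_content)
    config = <<~YAML
      # policy (key is id as in Foreman)
      4:
        :profile: xccdf_etn-osg_profile_v2
        :content_path: "#{old_path}"
        :download_path: /compliance/policies/4/content
    YAML
    expected = { 4 => Digest::SHA256.hexdigest(new_content) }
    audit(config, expected)   # => {4=>:stale}
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

A :stale result is exactly the symptom from the first post: deleting the cached file only helps if :content_path also changes, otherwise the client re-downloads whatever name the old path refers to.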

thanks a lot. I didn’t notice this change.