Empty/unset default value of "OpenSCAP Proxy"

Running Foreman/Katello 3.12/4.14 and noticed that for a new host, “Content source” is set by default to the proxy used when the host was registered.
However the default value of “OpenSCAP Proxy” remains unset. So when running a SCAP scan on a host, I see this error:

Uploading results to https::9090/compliance/arf/59
Upload failed: Failed to open TCP connection to :9090 (Cannot assign requested address - connect(2) for nil port 9090)

If I manually set the “OpenSCAP Proxy” to the “Content source” proxy, rerun the scap ansible role, rerun the OpenSCAP scan, it works and the report is uploaded successfully.

Uploading results to https://fmproxy.internal:9090/compliance/arf/59
Report uploaded, report id: 9115

One workaround is to create host groups for each proxy and set the correct “OpenSCAP Proxy” value in each host group. This however is not really optimal since I do not want the host groups to not be tied to a specific proxy.

I would much rather the “OpenSCAP Proxy” is set to the Content source, if it is not set in the host group.
So I guess the question is:

  1. Is it possible to automatically set the “OpenSCAP Proxy” value to “Content source” when I register a new host without using host groups?
  2. If not, is it possible to implement a change so it is possible to set a default value for the “OpenSCAP Proxy” to “Content source”?

An option could also be to make it possible to set the “OpenSCAP Proxy” to a value in the location settings. This could make sense, at least for me, since each of my locations has its own proxy.


To solve this annoying issue I just created a small script called set_openscap_proxy.sh that runs once a day from crontab. Adding it here, maybe helpful for someone else running OpenSCAP.

#!/bin/bash
# Script to make sure OpenSCAP Proxy is the same as Content source for all new hosts.
# Runs once a day using crontab.

homedir=/root/scripts
logfile=$homedir/set_openscap_proxy.log
# Append all output (stdout and stderr) of this script to the log file.
exec >> "$logfile" 2>&1
echo "$(date +"%F %T") Checking hosts registered the last 2 days..."
# Names of the hosts registered within the last 2 days.
HOSTS=$(hammer --no-headers --csv host list --search "registered_at > $(date -d '2 days ago' +%Y-%m-%dT%H:%M:%S)" --fields name)
for HOST in $HOSTS; do
    echo "$(date +"%F %T") Checking host: $HOST"
    # Read the two CSV columns hammer returns for this host.
    IFS=',' read -r OPENSCAP_ID CONTENT_ID < <(hammer --no-headers --csv host info --name "$HOST" --fields "Content information/content source/id,Openscap proxy")
    if [[ "$CONTENT_ID" != "$OPENSCAP_ID" ]]; then
        echo "$(date +"%F %T") Content source is $CONTENT_ID and OpenSCAP Proxy is $OPENSCAP_ID for host $HOST!"
        echo "$(date +"%F %T") IDs differ - setting OpenSCAP Proxy to $CONTENT_ID for host $HOST"
        hammer host update --name "$HOST" --openscap-proxy-id "$CONTENT_ID"
    fi
done

This script assumes all hosts currently in Foreman have the OpenSCAP Proxy set and that it is the correct proxy. If you suspect this is not the case, just change the “date -d ‘2 days ago’” to something like “date -d ‘10 years ago’” and run the script once, and it will check and fix all hosts.
