Foreman_openscap plugin fails on puppet code execution on host

We installed the OpenSCAP plugin for Foreman using the guide below on Foreman 3.5.3 with Puppet version 6.
https://theforeman.org/plugins/foreman_openscap/1.0/index.html#1.ForemanOpenSCAPmanual

After that we created a hostgroup with the appropriate options to use the OpenSCAP proxy, and we selected the correct Puppet classes.
We do see an error stating that some classes are unavailable, which should not be the case since we selected both the scap client and the stdlib classes.

[root@vslr8sit001 ~] puppet agent -t
Info: Using environment 'testing'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Resource type not found: Stdlib::Host (file: /usr/share/puppet/modules/foreman_scap_client/manifests/init.pp, line: 99, column: 3) on node vslr8sit001.brain2.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

We checked the stdlib module from puppetlabs and the version we have installed is v5.2.0, which should have stdlib::host.

What do we need to add or change to solve this?

Which version of the module did you use? I opened "Release on Puppet forge is quite old" (Issue #72, theforeman/puppet-foreman_scap_client on GitHub), so we should get a new version released soon, but until then I would recommend the version 0.4.1 from git. This version at least worked for me when updating our training material.

We have found that there was a stdlib version 4.1.0 installed, which was not compatible.
When we updated it to version 8.6.0 the issue was solved. However, now there is a new issue during the Puppet run: when it tries to install rubygem-foreman_scap_client, it fails since it is not able to find the package in the repos.

We have checked the Puppet code of the module and see that it should add a repo, which is not the case.
I am wondering whether this if statement will also match on a Rocky Linux server, or do we need to supply something else for it to add the repo?

This should also work for other EL distributions like Rocky Linux, did you set any value for foreman_repo_rel which enables the repository management? I typically do not use this part as I manage repositories globally/manually.

If you did and it is not working, can you post the resulting repository configuration (should be in /etc/yum.repos.d/foreman-client.repo) and the output from the command dnf -y install rubygem-foreman_scap_client? (Puppet is suppressing the standard and error output.)

I have tried to add the parameter foreman_repo_rel with the version number of the Foreman, but it does not add the repo.

What value would need to be entered, since the Foreman version does not work even though it is present on the yum repo if I browse to it using a browser?
https://yum.theforeman.org/client/3.5/

(Host) Parameters are given to Puppet as global variables in the ENC. You need to configure this via Smart Class Parameter (“Configure > Smart Class Parameters”, then selecting “foreman_repo_rel” from the list, check “Override” and set “Default value” from undef to 3.5 and press “Submit”), then it should work.


I have configured the global variable as you described and this did add the repo.
Thank you very much for your assistance.


Hi Dirk,

Now the Puppet run works fine.
However, we created one compliance policy and assigned it to a test host group with one VM.
The scan is performed but the result is empty;

These are the default settings;

Do we need to select anything different or extra?
The guide is not clear about this…

There is however also a warning in the host group that we can’t seem to figure out why.
Maybe it’s related, idk…

Any way to check or follow up why it’s not performing the audit properly?

Try the profile “Standard System Security Profile”. The default one will not work as far as I remember, but this one worked in our training. It will require fetch_remote_resources set to true, as it will download the OVAL data for checking for updates, making it not suitable for every environment.

The other error should be unrelated, but indicates a module not being available in the environment assigned to the host. Mostly this happens because puppet module works with the production environment by default, so other stages get forgotten or simply are not imported into Foreman as a refresh afterwards. If you look at Configure > Classes you can see next to the class name in which environment Foreman knows it to exist. If this is not matching your expectation, click on the import button above the list. If it is not available to import, check the filesystem.
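
Added example, not part of the thread or of the Foreman project's code: a filesystem check covering both module problems seen above, the old stdlib 4.1.0 that was picked up instead of a newer one and a module missing from the host's environment. It assumes you pass the directories in modulepath order (for example from `puppet config print modulepath --environment testing`); the directory names in the constructed sample tree are placeholders, and the 8.6.0 threshold is simply the version that worked in this thread.

```python
import json
import tempfile
from pathlib import Path

def version_tuple(text):
    """'8.6.0' -> (8, 6, 0); a pre-release suffix such as '-rc1' is ignored."""
    core = text.split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def module_copies(modulepath, module):
    """Every copy of `module` as (directory, version), in modulepath order."""
    found = []
    for base in modulepath:
        meta = Path(base) / module / "metadata.json"
        if not meta.is_file():
            continue
        try:
            version = str(json.loads(meta.read_text())["version"])
        except (ValueError, KeyError, TypeError):
            version = "0"  # unreadable metadata: report it as too old
        found.append((str(meta.parent), version))
    return found

def audit(modulepath, module, minimum):
    """Puppet loads the first copy on the modulepath, so judge that one."""
    copies = module_copies(modulepath, module)
    if not copies:
        return {"status": "missing", "effective": None, "shadowed": []}
    ok = version_tuple(copies[0][1]) >= version_tuple(minimum)
    return {"status": "ok" if ok else "too_old",
            "effective": copies[0], "shadowed": copies[1:]}

def build_sample_tree(root):
    """Constructed sample: an old stdlib ahead of a newer one on the path."""
    layout = {"env_testing": {}, "usr_share": {"stdlib": "4.1.0"},
              "code_modules": {"stdlib": "8.6.0"}}
    for base, modules in layout.items():
        for name, version in modules.items():
            target = Path(root) / base / name
            target.mkdir(parents=True)
            (target / "metadata.json").write_text(
                json.dumps({"name": "puppetlabs-" + name, "version": version}))
        (Path(root) / base).mkdir(exist_ok=True)
    return [str(Path(root) / base) for base in layout]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample_tree(tmp), "stdlib", "8.6.0"))
```

A `too_old` result with a non-empty `shadowed` list means a newer copy is installed but an older one earlier on the path is the one being loaded; `missing` means no directory on that environment's path contains the module.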