Openscap Ansible client fails to populate /etc/foreman_scap_client/config.yaml

Problem:
I am building a completely new test Foreman/Katello system on Centos-7 and a Centos-8 client using Ansible playbooks. Everything works as expected with the exception of the creation of the /etc/foreman_scap_client/config.yaml, which contains no policy profile regardless of running any of the Ansible roles or tasks from the Foreman console. I have found a way to create this entry (please see below).

Expected outcome:
The /etc/foreman_scap_client/config.yaml is populated with a policy section e.g.

# policy (key is id as in Foreman)
1:
  :profile: 'xccdf_org.ssgproject.content_profile_pci-dss'
  :content_path: '/var/lib/openscap/content/4/4_3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/4_3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486'
  :tailoring_path: ''
  :tailoring_download_path: ''

Foreman and Proxy versions:
Version 2.3.2 © 2009-2021 Paul Kelly and Ohad Levy

System Information

CentOS Linux release 7.9.2009 (Core)

Foreman and Proxy plugin versions:

Distribution and version:
CentOS Linux release 7.9.2009 (Core) - Foreman server
CentOS Linux release 8.3.2011 - Foreman-client

Other relevant data:

My temporary solution is to:

hammer scap-content list

---|---------------------------------|-----------------------------------------------------------------
ID | TITLE                           | DIGEST
---|---------------------------------|-----------------------------------------------------------------
6  | Centos7-ds-1.2                  | 3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486
7  | Centos8-ds-1.2                  | e8b11b49ae494dda415930223b45d05c52ca1c9272ff8de4043b90b3a8355833
1  | Red Hat firefox default content | 654f841b9386f771d3999f855f28bfed01e2be4036774103e822950c1e4230aa
2  | Red Hat jre default content     | fe93f99c14251cc76e92b9da71c351c8ba45fbd3639a2cd55911ef6f7db1b650
3  | Red Hat rhel6 default content   | 6298742afc45309f86ac467c0c9a3e433ff505dd3d237dd8cbf72be1a02937bb
4  | Red Hat rhel7 default content   | 96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d
5  | Red Hat rhel8 default content   | b7772a4001f865517e30762c406dee80fdab2100ecc010f4408519a979665f6e
---|---------------------------------|-----------------------------------------------------------------

hammer scap-content info --id 7

Id: 7
Title: Centos8-ds-1.2
Digest: e8b11b49ae494dda415930223b45d05c52ca1c9272ff8de4043b90b3a8355833
Created at: 2021-02-15 11:36:16 UTC
Original filename: ssg-centos8-ds-1.2.xml
SCAP content profiles:
    Id: 43
    Profile id: xccdf_org.ssgproject.content_profile_pci-dss
    Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

    Id: 44
    Profile id: xccdf_org.ssgproject.content_profile_standard
    Title: Standard System Security Profile for Red Hat Enterprise Linux 8
Locations:
    Amsterdam
Organisations:
    test

[root@foreman ~]# ll /var/lib/foreman-proxy/openscap/content
total 0
drwxr-xr-x. 2 foreman-proxy foreman-proxy 84 Feb 16 13:57 4

[root@foreman ~]# ll /var/lib/foreman-proxy/openscap/content/4
total 0
-rw-r--r--. 1 foreman-proxy foreman-proxy 0 Feb 16 13:57 4_3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486.xml

Manually appended on client:

# policy (key is id as in Foreman)
1:
  :profile: 'xccdf_org.ssgproject.content_profile_pci-dss'
  :content_path: '/var/lib/openscap/content/4/4_3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/4_3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486'
  :tailoring_path: ''
  :tailoring_download_path: ''

Once I have created this entry I can run:

[root@test ~]# foreman_scap_client 1
DEBUG: running: oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_pci-dss  --results-arf /tmp/d20210216-225844-n9w6uz/results.xml /var/lib/openscap/content/4/4_3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486.xml
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml ... ok
DEBUG: running: /usr/bin/env bzip2 /tmp/d20210216-225844-n9w6uz/results.xml
Uploading results to https://foreman.cloudboxservices.com:9090/compliance/arf/1
Report uploaded, report id: 67

My question is: Why do I have to manually update the file, and is there a way of making the server automatically push this config?

@Ondrej_Prazak have you seen this before? Could it be a wrong combination of versions?

@techietubby could you please share the log from the ansible run that deploys the foreman_scap_client? Does it at least create the file?

Seems like the same problem as in Running OpenSCAP on CentOS 7/8 System

Marek/Ondrej,
I managed to get this to work using an Ansible playbook. I am busy today but hope to extract and share the logfiles and Ansible code but I am busy until this evening.
Regards,
Andrew

I just found an update for the Centos-8-ds xml files and so loaded the new files into foreman:

# cat /etc/yum.repos.d/openscapmaint-openscap-latest-epel-8.repo
[copr:copr.fedorainfracloud.org:openscapmaint:openscap-latest]
name=Copr repo for openscap-latest owned by openscapmaint
baseurl=https://download.copr.fedorainfracloud.org/results/openscapmaint/openscap-latest/epel-8-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://download.copr.fedorainfracloud.org/results/openscapmaint/openscap-latest/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

# yum update -y 

You now have two new xml files that you can update/upload to Satellite/Foreman:

/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml

You can upload them as follows:

# hammer scap-content create --organization MyOrg --location MyLoc --scap-file /usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml --title ssg-centos8-ds-1.2
# hammer scap-content create --organization MyOrg --location MyLoc --scap-file /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml --title Centos-8-ds

Note: You can also use update instead of create if they already exist.

To then make them available to the client(s), open a Host’s page and select: “Schedule Remote Job:” “Run Ansible roles” then “Run scan for all OpenSCAP policies on host”

File /var/lib/openscap/content/bf72568b8c9f215620f5c73f37d9f6491c075e22386c6a1ef5274b137abe469c.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://foreman.test.com:9090/compliance/policies/1/content/bf72568b8c9f215620f5c73f37d9f6491c075e22386c6a1ef5274b137abe469c
DEBUG: running: oscap xccdf eval    --results-arf /tmp/d20210223-393387-uhxera/results.xml /var/lib/openscap/content/bf72568b8c9f215620f5c73f37d9f6491c075e22386c6a1ef5274b137abe469c.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20210223-393387-uhxera/results.xml
Uploading results to https://foreman.test.com:9090/compliance/arf/1
Report uploaded, report id: 444
Exit status: 0

It is the (re)running of the “Ansible Roles” that fixes the client’s: /etc/foreman_scap_client/config.yaml
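A check for the condition discussed in this thread, as an added example that is not part of any post and is not Foreman project code: it parses a foreman_scap_client config.yaml and reports whether a policy section exists and whether each entry is internally consistent. The function name, the `:server`/`:port` lines in the sample and the path-consistency rule are assumptions made for this example.

```ruby
require 'yaml'

# Constructed samples. The policy block is the one quoted in this thread;
# the :server and :port lines are assumed top-level settings.
UNPOPULATED = <<~CONFIG
  :server: 'foreman.test.com'
  :port: 9090
CONFIG

POPULATED = UNPOPULATED + <<~CONFIG
  # policy (key is id as in Foreman)
  1:
    :profile: 'xccdf_org.ssgproject.content_profile_pci-dss'
    :content_path: '/var/lib/openscap/content/4/4_3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486.xml'
    :download_path: '/compliance/policies/1/content/4_3ac4491c71a3b7e6372ec7cdb031ff6e598a5837891ac875b48ae6650bda7486'
    :tailoring_path: ''
    :tailoring_download_path: ''
CONFIG

# Returns { policy_id => [problems] }. An empty hash means the file has no
# policy section at all, which is the state described in this thread.
def audit_scap_config(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  return {} unless data.is_a?(Hash)

  # Policy entries are the top-level keys that are integers (the Foreman id).
  policies = data.select { |key, value| key.is_a?(Integer) && value.is_a?(Hash) }
  policies.to_h do |id, policy|
    content = policy[:content_path].to_s
    download = policy[:download_path].to_s
    problems = []
    problems << ':content_path is empty' if content.empty?
    problems << ':download_path is empty' if download.empty?
    # Assumption drawn from the entries shown on this page: the download path
    # names the same policy id and the same content file, minus ".xml".
    if !content.empty? && !download.empty?
      problems << 'download path names another policy id' unless download.include?("/policies/#{id}/")
      problems << 'download path names another content file' unless download.end_with?(File.basename(content, '.xml'))
    end
    # A missing file is fetched from the proxy by the client; a zero-byte one is flagged.
    problems << 'content file exists but is empty' if File.file?(content) && File.zero?(content)
    [id, problems]
  end
end

if $PROGRAM_NAME == __FILE__
  # Pass the real file as the first argument; defaults to the constructed sample.
  text = ARGV[0] && File.file?(ARGV[0]) ? File.read(ARGV[0]) : POPULATED
  report = audit_scap_config(text)
  puts report.empty? ? 'no policy section found' : report.inspect
end
```

Run on a client after the Ansible roles job, an empty result means the policy section was still not written.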

Perhaps we should suggest or add a button to trigger the Ansible run on associated host groups for ansible based policies.

This could be a nice idea, however I think the biggest priority is to update the documentation in order to make it clear that the scan won’t work until you have executed all the steps I listed above. I realise it costs a lot of time to maintain docs but the product is changing very quickly at the moment and there are a lot of things in the docs that no longer work as expected.

Has anyone managed to fix OpenSCAP Centos 8.3 scanning yet? Since the latest update of the OS everything says N/A. I heard that it was something to do with /etc/redhat-release or /etc/issue?

I can’t agree more. Contributions are more than welcome, please open a PR against this file to update our manual theforeman.org/index.md at gh-pages · theforeman/theforeman.org · GitHub
