OpenSCAP ARF reports re-architecture

We are trying to evaluate how to best create OpenSCAP reports (aka ARF
reports) on Foreman.

The desired reports should be searchable, scalable, and be part of Foreman
reports mechanism.

We've got some questions we are not sure about and we would love your
answers <snip>Dmitri, Dominic, Ohad</snit>

Current status:
A report is generated on the client which runs ‘foreman_scap_client’

··· -

(ArfReport is embedded as iframe and we have no control over the HTML, or
the content.)

Desired reports


Scalable (not big xml file saved to db)

Part of Foreman’s report mechanism

Shows remediation (happens today, too)

New design proposal

XML file is parsed on the proxy, which tearsdown all the results as

proxy posts arf_report (json?) to Foreman

arf_report is hooked to Foreman report

  arf_report is part of Foreman report (*new*) mechanism 

Hooking into Foreman Report: User stories

  • As a developer I want to have global host state with developer API
    allowing me to change it easily.
  • As a developer I want to register new host status type and define
    mapping between it and host global state.
  • As a plugin developer I want to register new report type.
  • As a plugin developer I want to register new report importer for a
    given specific.
  • As a user I want to search hosts based on report type and its specific
  • As a user I want to have be able to set different report permissions
    per report types. (implies report STI)
  • As a user I want to see the overall host status derived from all
    report types statuses.

As a user I want to be able to search based on host global status.

Mapping of ARF report to Foreman report


Arf Report


Rule Result







  • Remediation


Breakdown view




How do we parse reports on the smart proxy? Do we save reports on the
proxy and ship to foreman?

How do we store reports on smart proxy? persistent storage / File system?

Will smart proxy have some background processing support so it’s not
blocking on long running tasks (parsing and uploading reports)

Scaptimony on Smart proxy as parser?

Is there a benefit of keeping openscap generated html report or can we
move to Foreman built-in reports