We are designing a new architecture for Foreman OpenSCAP.
We have two goals in the new architecture:
Solve the SCAP content distribution to host clients, and
Handle reports correctly.
In this email, we’d like to focus on how to solve the distribution of SCAP
content to the host clients.
SCAP Content: A file uploaded by the user on Foreman.
Policy: A policy is created by the user. When creating a policy, the
user chooses which SCAP content to use, and of this SCAP content which SCAP
policy to test. The user also chooses when to run the policy and may
associate the policy with a hostgroup.
Once a policy is created, a puppet module configures foreman_scap_client on
the client host with the data of the policy.
In the current architecture, when creating / editing a policy - the user is
prompted to save the SCAP content in the path that is configured by the
Please take a look at the puppet module
and the overrides created
when creating a policy.
So, at this point the user is supposed to do one of two things:
If the SCAP content is the content provided by scap-security-guide
https://github.com/OpenSCAP/scap-security-guide RPM, and that RPM is
installed on the client, he may copy / create a symlink from the
scap-security-guide xml to /var/lib/openscap/content/.xml
This is an easier part to solve and a suggested issue has been created (
The toughest part to solve is when the user has his own SCAP content or
a modified SCAP content (which apparently happens in most cases). The user
needs to manually copy the SCAP content to each of his hosts.
The proposed solutions are meant to solve the ^ pain:
We thought of using one of the following solutions in order to solve the
content distribution problem, and we would love to hear your opinion,
comments and thoughts (and help us think which is the best solution).
Solution A: Pulp with an RPM for each SCAP content. Create an RPM for
each SCAP content, and use Pulp (+ Katello’s content views ?) to distribute
the RPM to the hosts.
Solution B: Pulp with SCAP content. Create a plugin for pulp which
supports SCAP content as content for distribution.
Solution C: (which may be better for a “thin” Foreman). Foreman -> Smart
Proxy -> Host: Use Smart Proxy’s API to upload SCAP content to the Smart
proxy, provide a download url from the smart proxy (via the puppet module).
The foreman_scap_client will download the SCAP content and use it.
** Note on those solutions:
There is an OpenSCAP plugin for Smart Proxy.
Currently we assume that the puppet proxy is also the one to serve OpenSCAP
requests (for uploading the reports and sending them to Foreman, for
There is a work in progress
so you could choose which Smart Proxy will serve host / hostgroup.
The purpose of each of the solutions is that when a user uploads an SCAP
content it will be distributed to the hosts (either selected hosts or via
Looking forward to hearing your comments and insights.
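
For Solution C, the client-side step could check the downloaded SCAP content before using it. The sketch below is an added example, not code from foreman_scap_client or the puppet module; it assumes a SHA-256 digest of the content is delivered with the policy data, and the names install_scap_content and ContentMismatch are hypothetical.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

class ContentMismatch < StandardError; end

# Install downloaded SCAP content only if it matches the policy's digest.
# body            - bytes fetched from the Smart Proxy download URL
# expected_sha256 - hex digest delivered with the policy data (assumption)
# dest            - final path, e.g. a file under /var/lib/openscap/content/
def install_scap_content(body, expected_sha256, dest)
  actual = Digest::SHA256.hexdigest(body)
  unless actual == expected_sha256.downcase
    raise ContentMismatch, "content digest #{actual} does not match the policy"
  end
  # Skip the write when the same content is already in place.
  return :unchanged if File.file?(dest) && Digest::SHA256.file(dest).hexdigest == actual

  FileUtils.mkdir_p(File.dirname(dest))
  tmp = "#{dest}.tmp.#{Process.pid}"
  # EXCL refuses to follow or reuse a pre-existing temp file.
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o644) { |f| f.write(body) }
  File.rename(tmp, dest) # atomic: a scan never sees a half-written file
  :installed
ensure
  File.delete(tmp) if tmp && File.exist?(tmp)
end

# Constructed sample standing in for an uploaded SCAP content file.
SAMPLE = "<Benchmark id=\"constructed-sample\"/>\n"

def demo
  Dir.mktmpdir do |dir|
    dest = File.join(dir, 'content', 'policy.xml')
    good = Digest::SHA256.hexdigest(SAMPLE)
    first = install_scap_content(SAMPLE, good, dest)
    second = install_scap_content(SAMPLE, good, dest)
    altered = begin
      install_scap_content(SAMPLE + '<!-- altered -->', good, dest)
    rescue ContentMismatch
      :rejected
    end
    [first, second, altered, File.read(dest) == SAMPLE]
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

A mismatching download leaves the previously installed content untouched, so a scheduled scan keeps running against the last verified file.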