Openscap is not working in Katello

Problem:
OpenSCAP scanning is not working in my Katello. I tried both the Puppet and the Ansible way. Both are failing.
Expected outcome:
Scanning should execute
Foreman and Katello versions:
2.2.5 and 3.17
Distribution and version:
RHEL 7.7
Other relevant data:
These are the errors after assigning policy to the host.


Any help would be appreciated

It seems that the foreman-scap-client is not installed on your target system.

Do you get something like this if you search for it:

rpm -qa | grep scap
openscap-1.2.17-13.el7_9.x86_64
openscap-scanner-1.2.17-13.el7_9.x86_64
rubygem-foreman_scap_client-0.4.6-2.el7.noarch

You can get the package from the client repo: Index of /client/2.2/el7/x86_64

openscap-1.2.17-13.el7_9.x86_64
perl-Pod-Escapes-1.04-299.el7_9.noarch
tfm-rubygem-foreman_openscap-4.0.5-1.fm2_2.el7.noarch
tfm-rubygem-openscap-0.4.9-3.el7.noarch
scap-security-guide-0.1.54-7.el7_9.noarch
puppet-foreman_scap_client-0.4.0-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_openscap-doc-0.1.11-1.fm2_2.el7.noarch
openscap-scanner-1.2.17-13.el7_9.x86_64
tfm-rubygem-smart_proxy_openscap-0.7.4-1.fm2_2.el7.noarch
tfm-rubygem-hammer_cli_foreman_openscap-0.1.11-1.fm2_2.el7.noarch
ansiblerole-foreman_scap_client-0.0.6-1.el7.noarch

The target system is the system where I installed Katello/Foreman, right? @jtruestedt

No, it is the client which should be scanned. The scan is a local execution of the foreman_scap_client command, which is part of rubygem-foreman_scap_client (Red Hat family) or ruby_scap_client (Debian family, if I remember correctly).


Target system is the system where you want to have your compliance checked and then sent to your katello/foreman.


I have installed foreman_scap_client on my client machine

[root@localhost ~]# rpm -qa | grep scap
rubygem-foreman_scap_client-0.4.7-1.el7.noarch
perl-Pod-Escapes-1.07-395.el8.noarch
openscap-scanner-1.3.3-6.el8_3.x86_64
openscap-1.3.3-6.el8_3.x86_64
scap-security-guide-0.1.50-16.el8_3.noarch

And after running the OpenSCAP scan from my Foreman server, this is the error I'm facing now


@jtruestedt

Hi,

Now you have the openscap-client on your client machine, but it has no configuration.

When you add an OpenSCAP policy in your Foreman, you can distribute it via Ansible, Puppet or manually, and select the target host group.
If you choose Ansible or Puppet (you need to install the correct role/module on your Katello), you can trigger a Puppet run or an Ansible role execution; then your client should be configured and able to upload a report.


I added the Ansible role to the host and ran the Ansible role on the client machine, and that generated the config file. After that I ran the OpenSCAP scan from the Foreman server and I am getting this error


@jtruestedt

You have not set the variables for Ansible.
If you imported the role and variables, you have to set:
foreman_scap_client_server to the URL of your Katello
foreman_scap_client_port - I think the default in the SCAP plugin is 9090
foreman_scap_client_policies (type array) to: "<%= @host.policies_enc %>"

There are other variables available, but you need to configure those 3 at least.

I think it has been set @jtruestedt

But your screenshot tries to download the policy from a URL without a hostname (https::8080/…), so somewhere it is misconfigured.

Figured out the way to add the server name. This is the error now


@jtruestedt

Is your client registered via subscription-manager?
Now it is a certificate issue, probably the CA is not trusted?

Maybe also something you have to configure via Ansible? (I never had to configure anything there.)

Yes, the client is registered via subscription-manager @jtruestedt

And I have cross checked the certificate path also.


@jtruestedt

Do I have to change anything in the Ansible role's ca_cert_path?

@jtruestedt

I have never changed this variable, so you should not need to change it.

So is the certificate/CA your Katello uses trusted on your client?
Could you try to curl the URL from your client?

[root@localhost ~]# curl https://ingbtcpic6vl232.code1.emi.com/
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

@jtruestedt

So I think you have to trust your certificate (chain) on the client so that this works, or try to ignore the certificates - but this is not OpenSCAP-related.
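An offline preflight for the two things this thread turned on, the unset foreman_scap_client_server variable (the https::PORT symptom) and the CA file the client uses to trust Katello. This is an added example, not code from the thread or from the foreman_scap_client project; it assumes the role renders the variables into /etc/foreman_scap_client/config.yaml under the symbol keys :server, :port, :policies and :ca_file, and the sample config below is constructed.

```python
"""Offline preflight for a foreman_scap_client config (added example, not from
the thread or the project). Assumed: the Ansible variables foreman_scap_client_
server/_port/_policies end up in /etc/foreman_scap_client/config.yaml as
:server, :port and :policies, next to :ca_file."""
import os
import re

# Constructed sample reproducing the thread's first failure: the variable
# foreman_scap_client_server was never set, so :server is empty.
SAMPLE_BAD = """\
:server: ''
:port: 9090
:ca_file: /etc/rhsm/ca/katello-server-ca.pem
:policies:
- 1
"""

def parse_config(text):
    """Parse the flat symbol-keyed YAML the role writes (no PyYAML needed)."""
    cfg, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^:(\w+):\s*(.*)$", line)
        if m:
            key = m.group(1)
            cfg[key] = m.group(2).strip().strip("'\"")
            continue
        m = re.match(r"^-\s*(\S+)", line)  # list item under the current key
        if m and key is not None:
            if not isinstance(cfg[key], list):
                cfg[key] = []
            cfg[key].append(m.group(1))
    return cfg

def base_url(cfg):
    """URL the client will contact; an empty :server gives https://:PORT."""
    return "https://%s:%s" % (cfg.get("server", ""), cfg.get("port", ""))

def check_config(cfg, check_files=True):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    if not cfg.get("server"):
        problems.append("server is empty (set foreman_scap_client_server)")
    port = str(cfg.get("port", ""))
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("port %r is not a valid TCP port" % port)
    if not isinstance(cfg.get("policies"), list) or not cfg["policies"]:
        problems.append("policies is empty (set foreman_scap_client_policies)")
    ca = cfg.get("ca_file", "")
    if not ca or (check_files and not os.path.exists(ca)):
        problems.append("ca_file missing or not on disk: %r" % ca)
    return problems
```

On the client, `check_config(parse_config(open("/etc/foreman_scap_client/config.yaml").read()))` reports the unset server variable before any scan is attempted and, with check_files left on, also confirms the CA file the client will verify Katello against actually exists.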