Problem:
Openscap scanning is not working in my katello. I tried both puppet and ansible way. Both are failing.
Expected outcome:
Scanning should execute
Foreman and Katello versions:
2.2.5 and 3.17
Distribution and version:
RHEL 7.7
Other relevant data:
These are the errors after assigning policy to the host.
No, it is the client which should be scanned. The scan is a local execution of the foreman_scap_client command, which is part of the rubygem-foreman_scap_client (Red Hat family) or ruby_scap_client (Debian family, if I remember correctly).
Now you have the openscap-client on your client machine, but it has no configuration.
When you add an openscap policy in your foreman, you can distribute it via ansible, puppet or manually and select the target hostgroup.
If you chose Ansible or Puppet (you need to install the correct role/module on your katello), you can trigger a puppet run or an ansible-role-execution and then your client should be configured and then it should be able to upload a report.
I added the ansible role to the host and ran the ansible role on the client machine, and that generated the config file. After that I ran the openscap from the foreman server and I am getting this error:
You have not set the variables for Ansible.
If you imported the role and variables, you have to set:
foreman_scap_client_server to the URL of your katello
foreman_scap_client_port - I think the default in the scap-plugin is 9090
foreman_scap_client_policies (type array) to: "<%= @host.policies_enc %>"
There are other variables available, but you need to configure those 3 at least.
[root@localhost ~]# curl https://ingbtcpic6vl232.code1.emi.com/
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
So I think you have to trust your certificate (chain) on the client so that this works, or try to ignore the certificates, but this is not openscap-related.