Running Foreman/Katello 3.3/4.5 and trying to get this OpenSCAP scanning to work.
I have added the "theforeman.foreman_scap_client" Ansible role, added SCAP contents, created a policy with Ansible deployment, and added the Ansible role to the host groups. Ran the Ansible role on a host and indeed it set up the host for SCAP.
TASK [Apply roles] *************************************************************

TASK [theforeman.foreman_scap_client : Configure plugins repository (yum)] *****
ok: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Configure plugins repository (apt)] *****
skipping: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Set facts for deb-based OS] *************
skipping: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Set facts for rpm-based OS] *************
ok: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Install the foreman_scap_client package] ***
changed: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Get certificate paths] ******************
ok: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Set facts for rh certs] *****************
ok: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Create cron in /etc/cron.d/] ************
changed: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Create config.yaml in /etc/foreman_scap_client] ***
changed: [sees-example.example.com]

TASK [theforeman.foreman_scap_client : Ensure cron and config are present] *****
ok: [sees-example.example.com] => (item=/etc/cron.d/foreman_scap_client_cron)
ok: [sees-example.example.com] => (item=/etc/foreman_scap_client/config.yaml)

PLAY RECAP *********************************************************************
sees-example.example.com : ok=10 changed=3 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0

Exit status: 0
I now tried to run a scan and got this error:
File /var/lib/openscap/content/0585c2ce58c4ccca948093bbcd97e56e2db9e8869414222994dad4cf5c47303b.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://foremanproxy.example.com:9090/compliance/policies/1/content/0585c2ce58c4ccca948093bbcd97e56e2db9e8869414222994dad4cf5c47303b
Unable to load certs
Neither PUB key nor PRIV key
Exit status: 3
Did I miss anything?
This is, by the way, a hardened machine that I get this error on. I have one AlmaLinux 9 VM that is not hardened and of course the SCAP scanning works fine on that one.
On the hardened machine this looks exactly the same as on the non-hardened one. Same contents, identical katello-server-ca.pem file, same permissions as below, so why it tells me it cannot load the certs, I really have no clue yet. Been digging through logs, shutting down fapolicyd, setting SELinux to permissive, but so far nothing.
[root@sees-almatest ~]# more /etc/foreman_scap_client/config.yaml
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY ANSIBLE
# ANY MANUAL CHANGES WILL BE LOST ON THE NEXT ANSIBLE EXECUTION
# Foreman proxy to which reports should be uploaded
:server: foremanproxy.example.com
:port: 9090
# Timeout for sending reports to proxy
:timeout: 60
# Should --fetch-remote-resources be added to `oscap xccdf eval` command
:fetch_remote_resources: false
# HTTP proxy server for downloading remote resources
:http_proxy_server:
:http_proxy_port:
## SSL specific options ##
# Client CA file.
# It could be any valid certificate that is accepted by foreman-proxy, such as Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: /etc/rhsm/ca/katello-server-ca.pem
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: /etc/pki/consumer/cert.pem
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: /etc/pki/consumer/key.pem
# policy (key is id as in Foreman)
1:
:profile: xccdf_org.ssgproject.content_profile_cui
:content_path: /var/lib/openscap/content/0585c2ce58c4ccca948093bbcd97e56e2db9e8869414222994dad4cf5c47303b.xml
# Download path
# A path to download SCAP content from proxy
:download_path: /compliance/policies/1/content/0585c2ce58c4ccca948093bbcd97e56e2db9e8869414222994dad4cf5c47303b
:tailoring_path:
:tailoring_download_path:
# OVAL policies
:oval:
[root@sees-almatest ~]# ls -laZ /etc/rhsm/ca/katello-server-ca.pem
-rw-r--r--. 1 root root unconfined_u:object_r:rhsmcertd_config_t:s0 2501 Aug 2 06:52 /etc/rhsm/ca/katello-server-ca.pem
[root@sees-almatest ~]# ls -laZ /etc/pki/consumer/cert.pem
-rw-r-----. 1 root root unconfined_u:object_r:cert_t:s0 2228 Aug 2 06:52 /etc/pki/consumer/cert.pem
[root@sees-almatest ~]# ls -laZ /etc/pki/consumer/key.pem
-rw-r-----. 1 root root unconfined_u:object_r:cert_t:s0 3272 Aug 2 06:52 /etc/pki/consumer/key.pem
[root@sees-almatest ~]# ls -laZ /etc/foreman_scap_client/config.yaml
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 1858 Jul 31 21:33 /etc/foreman_scap_client/config.yaml
Seen this from the Ansible setup in /var/log/messages, looks OK to me.
Aug 2 07:19:03 sees-almatest auditd[1095]: Audit daemon rotating log files
Aug 2 07:19:04 sees-almatest ansible-ansible.legacy.setup[1568]: Invoked with gather_subset=['all'] gather_timeout=10 filter=[] fact_path=/etc/ansible/facts.d
Aug 2 07:19:08 sees-almatest ansible-yum_repository[1708]: Invoked with name=foreman-plugins-latest description=Foreman plugins repository baseurl=['https://yum.theforeman.org/client/latest/el7/x86_64'] gpgcheck=False gpgkey=['https://yum.theforeman.org/RPM-GPG-KEY-foreman'] state=absent reposdir=/etc/yum.repos.d async=True unsafe_writes=False bandwidth=None cost=None deltarpm_metadata_percentage=None deltarpm_percentage=None enabled=None enablegroups=None exclude=None failovermethod=None file=None gpgcakey=None module_hotfixes=None http_caching=None include=None includepkgs=None ip_resolve=None keepalive=None keepcache=None metadata_expire=None metadata_expire_filter=None metalink=None mirrorlist=None mirrorlist_expire=None params=None password=NOT_LOGGING_PARAMETER priority=None protect=None proxy=None proxy_password=NOT_LOGGING_PARAMETER proxy_username=None repo_gpgcheck=None retries=None s3_enabled=None skip_if_unavailable=None sslcacert=None ssl_check_cert_permissions=None sslclientcert=None sslclientkey=None sslverify=None throttle=None timeout=None ui_repoid_vars=None username=None mode=None owner=None group=None seuser=None serole=None selevel=None setype=None attributes=None
Aug 2 07:19:10 sees-almatest ansible-ansible.legacy.dnf[1799]: Invoked with name=['rubygem-foreman_scap_client\n'] state=present allow_downgrade=False autoremove=False bugfix=False cacheonly=False disable_gpg_check=False disable_plugin=[] disablerepo=[] download_only=False enable_plugin=[] enablerepo=[] exclude=[] installroot=/ install_repoquery=True install_weak_deps=True security=False skip_broken=False update_cache=False update_only=False validate_certs=True lock_timeout=30 allowerasing=False nobest=False conf_file=None disable_excludes=None download_dir=None list=None releasever=None
Aug 2 07:19:12 sees-almatest auditd[1095]: Audit daemon rotating log files
Aug 2 07:19:14 sees-almatest ansible-foreman_scap_client_facts[1898]: Invoked
Aug 2 07:19:15 sees-almatest ansible-ansible.legacy.stat[1990]: Invoked with path=/etc/cron.d/foreman_scap_client_cron follow=False get_checksum=True checksum_algorithm=sha1 get_md5=False get_mime=True get_attributes=True
Aug 2 07:19:16 sees-almatest ansible-ansible.legacy.copy[2064]: Invoked with src=/opt/fmrex/.ansible/tmp/ansible-tmp-1659424754.2593868-178165-19532517113859/source dest=/etc/cron.d/foreman_scap_client_cron owner=root group=root mode=0644 follow=False _original_basename=cron.j2 checksum=250fa2cd42f4ecf0b40b2a25e52517c65b686b90 backup=False force=True unsafe_writes=False content=NOT_LOGGING_PARAMETER validate=None directory_mode=None remote_src=None local_follow=None seuser=None serole=None selevel=None setype=None attributes=None
Aug 2 07:19:17 sees-almatest ansible-ansible.legacy.stat[2155]: Invoked with path=/etc/foreman_scap_client/config.yaml follow=False get_checksum=True checksum_algorithm=sha1 get_md5=False get_mime=True get_attributes=True
Aug 2 07:19:18 sees-almatest ansible-ansible.legacy.file[2202]: Invoked with owner=root group=root mode=0644 dest=/etc/foreman_scap_client/config.yaml _original_basename=config.yaml.j2 recurse=False state=file path=/etc/foreman_scap_client/config.yaml force=False follow=True modification_time_format=%Y%m%d%H%M.%S access_time_format=%Y%m%d%H%M.%S unsafe_writes=False _diff_peek=None src=None modification_time=None access_time=None seuser=None serole=None selevel=None setype=None attributes=None
Aug 2 07:19:18 sees-almatest auditd[1095]: Audit daemon rotating log files
Aug 2 07:19:19 sees-almatest ansible-file[2293]: Invoked with path=/etc/cron.d/foreman_scap_client_cron state=file owner=root group=root mode=0644 recurse=False force=False follow=True modification_time_format=%Y%m%d%H%M.%S access_time_format=%Y%m%d%H%M.%S unsafe_writes=False _original_basename=None _diff_peek=None src=None modification_time=None access_time=None seuser=None serole=None selevel=None setype=None attributes=None
Aug 2 07:19:20 sees-almatest ansible-file[2384]: Invoked with path=/etc/foreman_scap_client/config.yaml state=file owner=root group=root mode=0644 recurse=False force=False follow=True modification_time_format=%Y%m%d%H%M.%S access_time_format=%Y%m%d%H%M.%S unsafe_writes=False _original_basename=None _diff_peek=None src=None modification_time=None access_time=None seuser=None serole=None selevel=None setype=None attributes=None
OK, so I found the issue, it is called "FIPS mode". After I disabled "FIPS mode", scanning works.
[root@sees-almatest cron.d]# fips-mode-setup --check
FIPS mode is enabled.
The current crypto policy (DEFAULT:AD-SUPPORT) neither is the FIPS policy nor is based on the FIPS policy.
Inconsistent state detected.
[root@sees-almatest cron.d]# fips-mode-setup --disable
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be disabled.
Please reboot the system for the setting to take effect.
[root@sees-almatest cron.d]# reboot
I guess I need to do my homework on FIPS, but it seems foreman_scap_client and FIPS do not like each other.
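The "Unable to load certs / Neither PUB key nor PRIV key" message in the thread is an OpenSSL error surfaced through the Ruby client, and the thread never shows which of the three PEM files in config.yaml OpenSSL refused. The script below is an added example, not code from foreman_scap_client or from the poster: it reads the :ca_file, :host_certificate and :host_private_key paths from a foreman_scap_client config, loads each file with Ruby's OpenSSL the way a Ruby TLS client would, reports per file whether parsing succeeded or what OpenSSL said, then checks that the key matches the certificate and that the certificate chains to the CA, and records OpenSSL.fips_mode so the run can be compared before and after a crypto-policy change. When /etc/foreman_scap_client/config.yaml is not present it generates a throwaway CA and client certificate (constructed test material, not real Katello certificates); the SAMPLE_CONFIG excerpt, the hostnames in it and all helper names are assumptions for illustration.

```ruby
#!/usr/bin/env ruby
# Diagnostic for "Unable to load certs" from a Ruby TLS client such as foreman_scap_client.
# Added example; not part of foreman_scap_client. Loads the PEM files named in config.yaml
# with OpenSSL::X509 / OpenSSL::PKey and reports which one fails to parse.
require 'openssl'
require 'yaml'
require 'tmpdir'

CONFIG_PATH = '/etc/foreman_scap_client/config.yaml'

# Constructed excerpt of a foreman_scap_client config.yaml (same keys as the real file).
SAMPLE_CONFIG = <<~YAML
  :server: foremanproxy.example.com
  :port: 9090
  :ca_file: /etc/rhsm/ca/katello-server-ca.pem
  :host_certificate: /etc/pki/consumer/cert.pem
  :host_private_key: /etc/pki/consumer/key.pem
YAML

# Pull the three SSL paths out of the config; the file uses symbol keys (:ca_file: ...).
def ssl_paths(config_text)
  cfg = YAML.safe_load(config_text, permitted_classes: [Symbol])
  { ca: cfg[:ca_file], cert: cfg[:host_certificate], key: cfg[:host_private_key] }
end

# Parse one PEM file as a key (:key) or certificate (:ca / :cert).
# Returns :ok, or the OpenSSL error message so the failing file is identifiable.
def try_load(kind, path)
  return 'path not set' if path.nil? || path.empty?
  return 'file missing or unreadable' unless File.readable?(path)
  pem = File.read(path)
  kind == :key ? OpenSSL::PKey.read(pem) : OpenSSL::X509::Certificate.new(pem)
  :ok
rescue OpenSSL::OpenSSLError => e
  e.message
end

# Load all three files; if they parse, confirm key<->cert match and cert->CA chain.
# :fips_mode records whether this Ruby's OpenSSL is running with FIPS enabled.
def check_ssl_material(paths)
  result = paths.to_h { |kind, path| [kind, try_load(kind, path)] }
  result[:fips_mode] = OpenSSL.fips_mode
  if result.values_at(:ca, :cert, :key).all?(:ok)
    ca   = OpenSSL::X509::Certificate.new(File.read(paths[:ca]))
    cert = OpenSSL::X509::Certificate.new(File.read(paths[:cert]))
    key  = OpenSSL::PKey.read(File.read(paths[:key]))
    result[:key_matches_cert] = cert.check_private_key(key)
    store = OpenSSL::X509::Store.new
    store.add_cert(ca)
    result[:cert_chains_to_ca] = store.verify(cert)
  end
  result
end

# Build a SHA-256-signed X.509 cert; self-signed when no issuer is given.
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed test material (not real Katello certs): a throwaway CA and a client cert it signs.
def make_test_material(dir)
  ca_key    = OpenSSL::PKey::RSA.new(2048)
  ca_cert   = make_cert('/CN=Test Katello CA', ca_key, nil, nil, 1, ca: true)
  host_key  = OpenSSL::PKey::RSA.new(2048)
  host_cert = make_cert('/CN=sees-almatest.example.com', host_key, ca_cert, ca_key, 2)
  paths = { ca: File.join(dir, 'katello-server-ca.pem'),
            cert: File.join(dir, 'cert.pem'), key: File.join(dir, 'key.pem') }
  File.write(paths[:ca], ca_cert.to_pem)
  File.write(paths[:cert], host_cert.to_pem)
  File.write(paths[:key], host_key.to_pem)
  paths
end

if __FILE__ == $PROGRAM_NAME
  report = if File.readable?(CONFIG_PATH)
             check_ssl_material(ssl_paths(File.read(CONFIG_PATH)))
           else
             Dir.mktmpdir { |d| check_ssl_material(make_test_material(d)) }
           end
  report.each { |k, v| puts "#{k}: #{v}" }
end
```

Run it as root on the failing host (the consumer key is mode 0640 root:root) with the same Ruby that rubygem-foreman_scap_client uses, so that the OpenSSL build and crypto policy in effect are the ones the client sees; a file that parses here but fails in the client points at the TLS handshake rather than at the PEM files themselves.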