Policy detail missing in /etc/foreman_scap_client/config.yaml

Problem: policy detail missing in /etc/foreman_scap_client/config.yaml

Expected outcome: after running the theforeman.foreman_scap_client role on the client, I expect the config.yaml file to be created with the policy details entered.

Foreman and Proxy versions: 3.11.5

Foreman and Proxy plugin versions:

Distribution and version: RHEL 8.10

Other relevant data: I have a Foreman 3.11 with Katello 4.13 environment and I have enabled OpenSCAP in it. I tried both methods of installing the theforeman.foreman_scap_client role on the Foreman server, via dnf install as well as ansible-galaxy, using only one at a time. But when I run the role on the client, the required packages get installed and the cron file and config.yaml file are created, but the policy details are missing from the config.yaml file.

The policy is correctly created and assigned to the correct hostgroup, and the same hostgroup is mapped to the client machine, but the policy details are still missing.

The tfm-rubygem-foreman_openscap rpm is not installed on my server, and I found this plugin is missing in the repo Index of /plugins/3.11/el8/x86_64. Also, when I check which policy is assigned to any host group in the Foreman CLI, it gives me null as output.

^ these two seem to be two faces of the same problem. As far as Foreman is concerned, it doesn’t consider the policy to be assigned to the host, but from what you wrote here I can’t really tell why. Until you resolve this, there won’t be any policy details deployed.

Did you assign the policy to the hostgroup and assign that hostgroup to a host or is there some hostgroup inheritance involved?

IIRC tfm-rubygem… was the package name when we still relied on software collections. You most likely have rubygem-foreman_openscap, which is in the repo.

Not that it matters here, but that’s a bit dated.

Hey @aruzicka

`these two seem to be two faces of the same problem. As far as Foreman is concerned, it doesn’t consider the policy to be assigned to the host, but from what you wrote here I can’t really tell why. Until you resolve this, there won’t be any policy details deployed.`

What I mean to say here is: while creating the policy I selected the correct hostgroup, and I ran the theforeman.foreman_scap_client role on a client that is in the same hostgroup.

Basically, after the role runs successfully it creates the config.yaml file, and the policy details should be inside it, but there are no policy details; only the server name and port are there. When I run the OpenSCAP scan, the result is "policy id x not found".

This rpm is installed on my server:

    $ rpm -qa | grep -i rubygem-foreman_openscap
    rubygem-foreman_openscap-8.0.2-1.fm3_11.el8.noarch

Here is the content of the config.yaml file:

    # DO NOT EDIT THIS FILE MANUALLY
    # IT IS MANAGED BY ANSIBLE
    # ANY MANUAL CHANGES WILL BE LOST ON THE NEXT ANSIBLE EXECUTION

    # Foreman proxy to which reports should be uploaded
    :server: https://my-server-name.com
    :port: 9090

    # Timeout for sending reports to proxy
    :timeout: 60

    # Should --fetch-remote-resources be added to oscap xccdf eval command
    :fetch_remote_resources: false

    # HTTP proxy server for downloading remote resources
    :http_proxy_server:
    :http_proxy_port:

    # SSL specific options

    # Client CA file.
    # It could be any valid certificate that is accepted by foreman-proxy, such as Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
    # Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
    :ca_file: /etc/rhsm/ca/katello-server-ca.pem

    # Client host certificate.
    # It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
    # Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
    :host_certificate: /etc/pki/consumer/cert.pem

    # Client private key
    # It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
    # Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
    :host_private_key: /etc/pki/consumer/key.pem

    # policy (key is id as in Foreman)

I followed the procedure below.

Install plugins

  1. # foreman-installer \
    --enable-foreman-plugin-openscap \
    --enable-foreman-cli-openscap \
    --enable-foreman-proxy-plugin-openscap \
    --foreman-proxy-plugin-openscap-ansible-module true \
    --foreman-proxy-plugin-openscap-puppet-module true
    
  2. Optional: Install the OpenSCAP plugin on any Smart Proxy servers:

    # foreman-installer \
    --enable-foreman-proxy-plugin-openscap \
    --foreman-proxy-plugin-openscap-ansible-module true \
    --foreman-proxy-plugin-openscap-puppet-module true
    

Install the theforeman.foreman_scap_client role (either method)

Note: I used both methods one after the other (if the first did not work, I tried the second), but I still did not get the policy details in config.yaml.

    yum -y install ansiblerole-foreman_scap_client
    ansible-galaxy -p /etc/ansible/roles install theforeman.foreman_scap_client

Creating SCAP content

    # dnf install scap-security-guide openscap-scanner

The content is available under /usr/share/xml/scap/ssg/content/:

    $ ls -l /usr/share/xml/scap/ssg/content/
    total 152736
    -rw-r--r-- 1 a1303870 iffadm     1414 Jun  5 00:40 password_expiry_policy.xml
    lrwxrwxrwx 1 root     root         18 Jun 16 09:17 ssg-firefox-ds-1.2.xml -> ssg-firefox-ds.xml
    -rw-r--r-- 1 root     root     388222 Jun 16 09:16 ssg-firefox-ds.xml
    -rw-r--r-- 1 root     root       6768 Jun 16 09:17 ssg-rhel6-cpe-dictionary.xml
    -rw-r--r-- 1 root     root      93922 Jun 16 09:17 ssg-rhel6-cpe-oval.xml
    -rw-r--r-- 1 root     root   22934702 Jun 16 09:17 ssg-rhel6-ds-1.2.xml
    -rw-r--r-- 1 root     root   22935173 Jun 16 09:17 ssg-rhel6-ds.xml
    -rw-r--r-- 1 root     root     733916 Jun 16 09:17 ssg-rhel6-ocil.xml
    -rw-r--r-- 1 root     root    2335663 Jun 16 09:17 ssg-rhel6-oval.xml
    -rw-r--r-- 1 root     root    7439626 Jun 16 09:17 ssg-rhel6-xccdf.xml
    -rw-r--r-- 1 root     root       2007 Jun 16 09:17 ssg-rhel7-cpe-dictionary.xml
    -rw-r--r-- 1 root     root     122989 Jun 16 09:17 ssg-rhel7-cpe-oval.xml
    -rw-r--r-- 1 root     root   24528262 Jun 16 09:17 ssg-rhel7-ds-1.2.xml
    -rw-r--r-- 1 root     root   24528262 Jun 16 09:17 ssg-rhel7-ds.xml
    -rw-r--r-- 1 root     root    1807448 Jun 16 09:17 ssg-rhel7-ocil.xml
    -rw-r--r-- 1 root     root    5035445 Jun 16 09:17 ssg-rhel7-oval.xml
    -rw-r--r-- 1 root     root   16890650 Jun 16 09:17 ssg-rhel7-xccdf.xml
    lrwxrwxrwx 1 root     root         16 Jun 16 09:17 ssg-rhel8-ds-1.2.xml -> ssg-rhel8-ds.xml
    -rw-r--r-- 1 root     root   26578488 Jun 16 09:17 ssg-rhel8-ds.xml

Creating a compliance policy

  1. In the Foreman web UI, navigate to Hosts > Compliance > Policies.

  2. Click New Policy or New Compliance Policy.

  3. Select the deployment method: Ansible, Puppet, or Manual. Then click Next.

  4. Enter a name for this policy, a description (optional), then click Next.

  5. Select the SCAP Content and XCCDF Profile to be applied, then click Next.

    Note that Foreman does not detect whether the selected XCCDF profile contains any rules. An empty XCCDF profile, such as the Default XCCDF Profile, will return empty reports.

  6. Optional: To customize the XCCDF profile, select a Tailoring File and a XCCDF Profile in Tailoring File, then click Next.

  7. Specify the scheduled time when the policy is to be applied. Select Weekly, Monthly, or Custom from the Period list. The Custom option allows for greater flexibility in the policy’s schedule.

    • If you select Weekly, also select the desired day of the week from the Weekday list.

    • If you select Monthly, also specify the desired day of the month in the Day of month field.

    • If you select Custom, enter a valid Cron expression in the Cron line field.

  8. Select the locations to which to apply the policy, then click Next.

  9. Select the organizations to which to apply the policy, then click Next.

  10. Select the host groups to which to assign the policy.

  11. Click Submit.

Run the role on client

  1. Log in to the Foreman UI.
  2. Navigate to Ansible roles.
  3. Import the Ansible role (theforeman.foreman_scap_client).
  4. Navigate to the host (client machine).
  5. Run the Ansible role (theforeman.foreman_scap_client); the OpenSCAP client is installed and the config.yaml and cron file are created.
  6. Run an OpenSCAP scan on the same client machine.
    1. The scan fails (policy id 5 not found).

      [image: screenshot not included]

Please guide me on what I can do. Am I following the wrong steps or making a mistake somewhere? Help me get this to run successfully.
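The config.yaml above ends at the "policy (key is id as in Foreman)" comment with nothing under it, which is exactly what the client later reports as "policy id 5 not found". The following script is an added example, not code from the thread or from the Foreman project: it checks a foreman_scap_client config.yaml for the presence and completeness of policy entries before a scan is scheduled. It assumes the layout the theforeman.foreman_scap_client role writes (Ruby-symbol keys such as `:server` at the top level, plus one top-level entry per policy whose key is the numeric Foreman policy id and whose value carries `:profile`, `:content_path` and `:download_path`); the two sample configs, the policy id 5 and the profile and paths in them are constructed for the demonstration. Only that two-level subset of YAML is parsed, so no third-party YAML library is needed.

```python
"""Check a foreman_scap_client config.yaml for deployed policy entries.

Added example (not the role's or the client's own code). Assumes the file
layout written by the theforeman.foreman_scap_client role: top-level keys
like ":server", and one top-level block per policy keyed by its numeric
Foreman policy id with ":profile", ":content_path" and ":download_path".
"""
import re
from typing import Dict, List

# `key: value` or `  :subkey: value`; a key may start with ':' (Ruby symbol).
KV_RE = re.compile(r"^(\s*)(:?[^:#][^:]*):\s*(.*?)\s*$")

# Keys every policy block must carry for `foreman_scap_client <id>` to run.
REQUIRED_POLICY_KEYS = (":profile", ":content_path", ":download_path")


def _unquote(value: str) -> str:
    """Strip one pair of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_config(text: str) -> Dict[str, object]:
    """Parse the two-level key/value subset used by the client config.

    Comment and blank lines are skipped. A bare `key:` opens a nested
    mapping (a policy block) or, if nothing indented follows, stays empty.
    """
    config: Dict[str, object] = {}
    current = None  # top-level key whose nested mapping is being filled
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        indent, key, value = m.group(1), m.group(2).strip(), _unquote(m.group(3))
        if indent:
            if current is None:
                raise ValueError(f"nested key without parent: {line!r}")
            config[current][key] = value
        elif value == "":
            config[key] = {}
            current = key
        else:
            config[key] = value
            current = None
    return config


def find_policies(config: Dict[str, object]) -> Dict[str, dict]:
    """Return {policy_id: block} for top-level keys that are numeric ids."""
    return {k: v for k, v in config.items() if k.isdigit() and isinstance(v, dict)}


def check_policies(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is usable."""
    config = parse_config(text)
    problems: List[str] = []
    if not config.get(":server"):
        problems.append("missing :server")
    policies = find_policies(config)
    if not policies:
        problems.append("no policy entries: Foreman rendered no policy for this host")
    for pid, block in policies.items():
        for key in REQUIRED_POLICY_KEYS:
            if not block.get(key):
                problems.append(f"policy {pid}: missing {key}")
    return problems


# Constructed sample mirroring the file from the post: server details, no policy.
BROKEN_CONFIG = """\
# Foreman proxy to which reports should be uploaded
:server: https://my-server-name.com
:port: 9090
:timeout: 60
:fetch_remote_resources: false
:http_proxy_server:
:http_proxy_port:
:ca_file: /etc/rhsm/ca/katello-server-ca.pem
# policy (key is id as in Foreman)
"""

# Constructed sample of what a rendered policy block is assumed to look like.
GOOD_CONFIG = BROKEN_CONFIG + """\
5:
  :profile: 'xccdf_org.ssgproject.content_profile_cis'
  :content_path: '/var/lib/openscap/content/ssg-rhel8-ds.xml'
  :download_path: '/compliance/policies/5/content'
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/foreman_scap_client/config.yaml"
    with open(path) as fh:
        for line in check_policies(fh.read()) or ["OK: complete policy entries present"]:
            print(line)
```

Running it against the file from the post reports only "no policy entries", which distinguishes the missing host-to-policy association on the Foreman side from a partially rendered block (a policy id present but without `:content_path`, say), where the fix would be on the content or proxy side instead.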

Yes, I understood that and what I wrote earlier still applies. The root cause seems to be that for some reason, your foreman instance is not picking up the host-hostgroup-policy association.

Are those really all the steps you did?

Well, yes. If it is not in the config file, any commands referencing it will fail, that’s just a symptom of the thing not being configured.