Problem:
I am currently trying to integrate openSCAP into my katello environment. In principle, everything is set up (compliance policies and scap content set up, everything added to a host group and so on). when the ansible role is started, the client software is also installed if not already there, the policy is available and the config file is created. But the scan aborts because no --profile is specified as the :profile: in foreman_scap_client/config.yaml is empty. why?
1: DEBUG: running: oscap xccdf eval --local-files /root --results-arf /tmp/d20250521-462067-gf34za/results.xml /var/lib/openscap/content/c56829a723b093135fc41927219f9d1825a8cb4ab8b4073ba9f0d1ed3469e00d.xml
2: DEBUG: running: /usr/bin/env bzip2 /tmp/d20250521-462067-gf34za/results.xml
3: Uploading results to https://sfravm-fi-katello-46.fi-acp.priv:9090/compliance/arf/1
4: Report uploaded, report id: 246668
5: Exit status: 0
foreman_scap_client/config.yaml:
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY ANSIBLE
# ANY MANUAL CHANGES WILL BE LOST ON THE NEXT ANSIBLE EXECUTION
# Foreman proxy to which reports should be uploaded
:server: sfravm-fi-katello-46.fi-acp.priv
:port: 9090
# Timeout for sending reports to proxy
:timeout: 60
# Should --fetch-remote-resources be added to `oscap xccdf eval` command
:fetch_remote_resources: false
# HTTP proxy server for downloading remote resources
:http_proxy_server:
:http_proxy_port:
## SSL specific options ##
# Client CA file.
# It could be any valid certificate that is accepted by foreman-proxy, such as Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: /etc/rhsm/ca/katello-server-ca.pem
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: /etc/pki/consumer/cert.pem
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: /etc/pki/consumer/key.pem
# policy (key is id as in Foreman)
1:
:profile:
:content_path: /var/lib/openscap/content/c56829a723b093135fc41927219f9d1825a8cb4ab8b4073ba9f0d1ed3469e00d.xml
# Download path
# A path to download SCAP content from proxy
:download_path: /compliance/policies/1/content/c56829a723b093135fc41927219f9d1825a8cb4ab8b4073ba9f0d1ed3469e00d
:tailoring_path:
:tailoring_download_path:
Expected outcome:
something like: running: oscap xccdf eval --local-files /root --results-arf /tmp/d20250521-462067-gf34za/results.xml --profile xccdf_org.ssgproject.content_profile_cis_server_l1 /var/lib/openscap/content/c56829a723b093135fc41927219f9d1825a8cb4ab8b4073ba9f0d1ed3469e00d.xml
when I add the :profile: parameter by hand in the client config file then the scan works as expected
Foreman and Proxy versions:
3.14
Foreman and Proxy plugin versions:
katello 4.16
Distribution and version:
Other relevant data:
