Running OpenSCAP on CentOS 7/8 System

Problem:
For the Ansible role theforeman.foreman_scap_client I need the following package: rubygem-foreman_scap_client.
Because I’m NOT running RHEL 7 but CentOS 7, I found this package in an old version of theforeman in http://yum.theforeman.org/plugins/1.17/el7/x86_64/ but not in the latest version.

Is there another Ansible role with other packages for CentOS?
Why can’t we find this package anymore?
Is there already an existing solution for OpenSCAP as an Ansible role with CentOS?

Expected outcome:
N/A

Foreman and Proxy versions:
Foreman + Proxy 1.22

Distribution and version:
Satellite 6.6.2-1

I’m testing out the OpenScap scanner right now against CentOS 8. If the goal is to use Ansible to configure your endpoints to run OpenScap scans, the Ansible role you need to install on your Foreman server or proxy is as simple as

 yum install ansiblerole-foreman_scap_client.noarch

You will need to import the Ansible role, and then import the Ansible variables. Once done, you can configure your OpenScap policy to use Ansible as the configuration mechanism, and then apply Ansible role ‘theforeman.foreman_scap_client’ to the hostgroup or system. After that, run the Ansible role to configure the endpoint, and then you can run an adhoc OpenScap scan of the system.

Note: I’m running Foreman 1.24.2 and Katello 3.14.1. Client systems will need to have the Foreman Client repository configured. Your mileage may vary with other versions.

Hope that helps!

/Mike

Hi Mike, Thanks for your help.
Yes, my goal is to use Ansible to configure my endpoint CentOS servers to run OpenSCAP scans. I’m using Satellite, and the theforeman Ansible role is already running for my endpoint RHEL servers.
I’m sorry, but something’s not quite clear to me. Did you mean that ansiblerole-foreman_scap_client is not the same as theforeman.foreman_scap_client?
Do you know from which repo I can find it, or download it?
Best regards, H

ansiblerole-foreman_scap_client.noarch is an RPM packaged version of theforeman.foreman_scap_client, which installs under /usr/share/ansible/roles/

It should be present in the same repositories that Foreman/Katello are packaged in (specifically foreman-plugins).

[root@foreman ssh]# yum info ansiblerole-foreman_scap_client.noarch
Installed Packages
Name        : ansiblerole-foreman_scap_client
Arch        : noarch
Version     : 0.0.3
Release     : 1.el7
Size        : 51 k
Repo        : installed
From repo   : foreman-plugins
Summary     : Packaging of the foreman_scap_client Ansible role
URL         : https://github.com/theforeman/ansible-foreman_scap_client/
License     : GPLv3
Description : This package installs the foreman_scap_client Ansibile role.
            :
            : Make sure that "/usr/share/ansible/roles" is on your Ansible role_path.

[root@foreman ssh]# rpm -ql ansiblerole-foreman_scap_client.noarch

/usr/share/ansible/roles/theforeman.foreman_scap_client
/usr/share/ansible/roles/theforeman.foreman_scap_client/.flake8
/usr/share/ansible/roles/theforeman.foreman_scap_client/.gitignore
/usr/share/ansible/roles/theforeman.foreman_scap_client/.travis.yml
/usr/share/ansible/roles/theforeman.foreman_scap_client/LICENSE
/usr/share/ansible/roles/theforeman.foreman_scap_client/README.md
/usr/share/ansible/roles/theforeman.foreman_scap_client/defaults
/usr/share/ansible/roles/theforeman.foreman_scap_client/defaults/main.yml
/usr/share/ansible/roles/theforeman.foreman_scap_client/files
/usr/share/ansible/roles/theforeman.foreman_scap_client/files/foreman_scap_client_facts.rb
/usr/share/ansible/roles/theforeman.foreman_scap_client/meta
/usr/share/ansible/roles/theforeman.foreman_scap_client/meta/main.yml
/usr/share/ansible/roles/theforeman.foreman_scap_client/meta/version.yml
/usr/share/ansible/roles/theforeman.foreman_scap_client/molecule
/usr/share/ansible/roles/theforeman.foreman_scap_client/molecule/default
/usr/share/ansible/roles/theforeman.foreman_scap_client/molecule/default/molecule.yml
/usr/share/ansible/roles/theforeman.foreman_scap_client/molecule/default/playbook.yml
/usr/share/ansible/roles/theforeman.foreman_scap_client/molecule/default/tests
/usr/share/ansible/roles/theforeman.foreman_scap_client/molecule/default/tests/test_default.py
/usr/share/ansible/roles/theforeman.foreman_scap_client/molecule/default/yaml-lint.yml
/usr/share/ansible/roles/theforeman.foreman_scap_client/requirements.txt
/usr/share/ansible/roles/theforeman.foreman_scap_client/tasks
/usr/share/ansible/roles/theforeman.foreman_scap_client/tasks/main.yml
/usr/share/ansible/roles/theforeman.foreman_scap_client/templates
/usr/share/ansible/roles/theforeman.foreman_scap_client/templates/config.yaml.j2
/usr/share/ansible/roles/theforeman.foreman_scap_client/templates/cron.j2
/usr/share/doc/ansiblerole-foreman_scap_client-0.0.3
/usr/share/doc/ansiblerole-foreman_scap_client-0.0.3/README.md

Again, it’s necessary to import the Ansible roles from the Foreman Server, and then import the Ansible Variables. After that, you should be good to go.

Hope that helps!

/Mike

Sorry for the delay and thanks a lot for your help.
I’ve checked, and I have the same version of the Ansible role. The commands’ output is the same. Importing the roles and the other configuration are also ok.

The Ansible role tries to install the following package on the client, rubygem-foreman_scap_client, and unfortunately CentOS doesn’t find this package.
What do you use for your CentOS 8 test? What are you using?

Here’s the issue:

TASK [theforeman.foreman_scap_client : Install the foreman_scap_client package] ***
fatal: [w.x.y.z]: FAILED! => changed=false

msg: No package matching 'rubygem-foreman_scap_client' found available, installed or updated

rc: 126
results:

- No package matching 'rubygem-foreman_scap_client' found available, installed or updated

Thanks, H

You need the Foreman Client repository synced and presented to the client systems (if you are using Katello); otherwise, you need to define the upstream Foreman Client on the endpoints.

Note: CentOS 8 only has client packages in Foreman 2.0, so that’s the client repository I’m using with CentOS 8 clients, and the Foreman 1.24/Katello 3.14 master.

Foreman Client 2.0 EL8 - x86_64 | Foreman Client | yum | https://yum.theforeman.org/client/2.0/el8/x86_64/

Hope that helps!

/Mike

Perfect, it’s exactly what I needed. I looked in the wrong folder, but now it is ok.
Thanks a lot for your help,

Best regards, H

I have been very busy experimenting with this function and trying to automate both the client and server side using Ansible. My test machines are CentOS 7 and 8, and so I have had to do a lot of other steps, e.g. to upload content.

Upload SCAP content:
# cd /usr/local
# wget http://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.51/scap-security-guide-0.1.51.zip
# unzip scap-security-guide-0.1.51.zip
# cd /usr/local/scap-security-guide-0.1.51

Upload CentOS 8 SCAP profile:
# hammer scap-content create --organization MyOrg --location Amsterdam --scap-file ssg-centos8-ds-1.2.xml --title ssg-centos8-ds-1.2
# hammer scap-content create --organization MyOrg --location Amsterdam --scap-file ssg-centos8-ds.xml --title ssg-centos8-ds

Upload CentOS 7 SCAP profile:
# hammer scap-content create --organization MyOrg --location Amsterdam --scap-file ssg-centos7-ds-1.2.xml --title ssg-centos7-ds-1.2
# hammer scap-content create --organization MyOrg --location Amsterdam --scap-file ssg-centos7-ds.xml --title ssg-centos7-ds

Ensure the Foreman-proxy can talk to the client:

# sudo -u foreman-proxy -s /bin/bash
$ ssh-keygen -R test.client.local
$ ssh-copy-id test.client.local
$ ssh root@test.client.local

You then have to assign the policy to the client.

Once the Foreman server is configured you have to install the software on the client:

# yum install openscap-scanner openscap-utils scap-security-guide -y

and then you are left with the “/etc/foreman_scap_client/config.yaml” file, as this is not always correctly created. A good way to test it is:

# foreman_scap_client 4

You can also do this with Puppet but I am trying to only use Ansible for my client operations.

Does anybody know of anything I have missed or any idea of how we can make this procedure simpler to automate?

I should also mention that if you are a licensed RHEL-only organisation you can use Red Hat Insights: https://cloud.redhat.com. This enables you to install the Insights client software on your RHEL server and then register directly (or via Satellite) with Insights; however, all I want is SCAP in a closed environment.

Could you elaborate or provide an example with what is not working for you?

You do not need to install the packages on your client. If you run theforeman.foreman_scap_client role on your client host from Foreman, then everything should get configured correctly.

Do you have any suggestions on how the flow could be improved? Or is it just that there are too many steps to get it working?

I have just rebuilt my test Foreman system using my Ansible automation so shall try to add a client tomorrow and document the steps and results.

Starting with a clean build. On the server:

  1. Configure OpenSCAP:
    # foreman-installer --enable-foreman-plugin-openscap --enable-foreman-proxy-plugin-openscap --skip-puppet-version-check
    # foreman-rake foreman_openscap:bulk_upload:default

  2. Ensure the proxy is configured:
    # grep foreman_url /etc/foreman-proxy/settings.yml

  3. Install the Ansible collection:
    # yum install ansible-collection-theforeman-foreman -y
    # ansible-galaxy install theforeman.foreman_scap_client -p /usr/share/ansible/roles

  4. Go to the Configure -> Ansible -> Roles menu and select Import: select all the roles and click Update.
    Now select theforeman.foreman_scap_client and Import Variables.

  5. Download the latest SCAP content:
    # yum install openscap-scanner openscap-utils scap-security-guide -y
    # cd /usr/local/
    # wget https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.51/scap-security-guide-0.1.51.zip
    # unzip scap-security-guide-0.1.51.zip
    # rm scap-security-guide-0.1.51.zip

  6. Go to SCAP Contents and upload any new policy files, e.g. ssg-centos8-ds-1.2.xml.
    Note: I had to do this via my PC. Need to find a better way using Hammer.

  7. Now create policies for your new content: Hosts > Policies > Create. Select Ansible and create a policy for CentOS 8 scanning.

  8. Create a hostgroup and assign the client to it.

  9. Assign the client to the OpenSCAP policy in the hosts menu.

  10. Configure the proxy SSH key so it can reach the client:
    # sudo -u foreman-proxy -s /bin/bash
    $ ssh-copy-id root@client.test.com

  11. Select the host/client and Run all Ansible roles, and double-check Select OpenSCAP proxy.

  12. Install the client software:
    # yum install rubygem-foreman_scap_client.noarch

  13. Follow the instructions on: Foreman :: Plugin Manuals (theforeman.org)

  14. Open the host properties and select OpenSCAP scan.

This fails with:
1:
Config file could not be loaded
2:
No such file or directory @ rb_sysopen - /etc/foreman_scap_client/config.yaml
3:
Exit status: 1

If I manually create the “/etc/foreman_scap_client/config.yaml” file on the client I can run “foreman_scap_client 1” and it partially works, but I don’t know the correct path for the actual content to download.
If I run a scan from the host it obviously fails with a similar problem:
File /var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml is missing. Downloading it from proxy.
2:
Download SCAP content xml from: https://foreman.cloudboxservices.com:9090/compliance/policies/1/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e
3:
DEBUG: running: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results-arf /tmp/d20210212-31325-eo5e5a/results.xml /var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml

hammer scap-content create --title CentOS8 --scap-file /path/to/file/ssg-rhel8-ds-1.2.xml

A couple of notes:

Step 8: A hostgroup is not needed, but creating it and adding the client to it is ok.

Step 9: Go to Host -> Edit and check that the client has the OpenSCAP proxy and the theforeman.foreman_scap_client Ansible role assigned, then assign the policy in the hosts menu.

Step 12: client package should be installed by theforeman.foreman_scap_client ansible role, so this step should not be needed when everything works correctly. The role also creates the config, I am curious why that is not happening. I’ll go over the steps myself to see if I can reproduce, but it seems like the role is not applied to the client at all for some reason.
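The failure above comes down to a missing /etc/foreman_scap_client/config.yaml (or a policy missing from it) on the endpoint. The following pre-flight check, an added example that is not from this thread or from the foreman_scap_client project, reports that state before you invoke `foreman_scap_client <policy-id>`. It assumes (labelled in the code) that the config is YAML whose top-level keys are `:server:`, `:port:` and one integer key per Foreman policy id holding `:content_path:`; the config path is a parameter so the check can be exercised against a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the thread or the foreman_scap_client project):
# pre-flight an endpoint before "foreman_scap_client <policy-id>", so a missing
# /etc/foreman_scap_client/config.yaml or policy section is reported up front
# instead of as "Config file could not be loaded".
# Assumption (labelled): the config is YAML with top-level ":server:" and
# ":port:" keys plus one integer key per Foreman policy id holding ":content_path:".

# scap_preflight CONFIG POLICY_ID -> 0 if the policy can be run, 1 otherwise
scap_preflight() {
    pf_cfg=$1
    pf_id=$2
    pf_rc=0
    if [ ! -r "$pf_cfg" ]; then
        echo "FAIL: $pf_cfg missing; the theforeman.foreman_scap_client role should create it"
        return 1
    fi
    for pf_key in ':server:' ':port:'; do
        grep -q "^${pf_key}" "$pf_cfg" || { echo "FAIL: $pf_cfg lacks $pf_key"; pf_rc=1; }
    done
    # Each policy is a top-level section named by its Foreman policy id.
    if ! grep -q "^${pf_id}:" "$pf_cfg"; then
        echo "FAIL: no policy $pf_id in $pf_cfg (is the host assigned to the policy?)"
        return 1
    fi
    # Take :content_path: from that section only; the sed range ends at the next id.
    pf_content=$(sed -n "/^${pf_id}:/,/^[0-9][0-9]*:/{s/^ *:content_path: *//p;}" "$pf_cfg" \
        | tr -d "'\"" | head -n 1)
    if [ -z "$pf_content" ]; then
        echo "FAIL: policy $pf_id has no :content_path:"
        return 1
    fi
    # Missing content is not fatal: the client fetches it from the proxy, as the
    # "Downloading it from proxy" line in the thread shows.
    [ -r "$pf_content" ] || echo "WARN: $pf_content absent; it will be fetched from the proxy"
    return $pf_rc
}

# Wrapper for a real host: also confirm the client package, then run the policy.
scap_run_policy() {
    if command -v rpm >/dev/null 2>&1 && ! rpm -q rubygem-foreman_scap_client >/dev/null 2>&1; then
        echo "FAIL: rubygem-foreman_scap_client not installed (Foreman Client repo missing?)"
        return 1
    fi
    scap_preflight /etc/foreman_scap_client/config.yaml "$1" && foreman_scap_client "$1"
}
# usage on an endpoint: scap_run_policy 1
```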

Hi Ondřej,

I managed to get the OpenSCAP reporting running after rejigging my Ansible Playbook. The source of the problem was that the ansiblerole-foreman_scap_client rpm was not signed and caused some of the install to fail. I modified the repo to disable signing and everything works now.

I am facing similar issues