It would be really useful if you could add the ability to choose a lower than 100% compliance. We use 95% as there are always some exceptions and differences, e.g. Oracle does not like the nodev mount option being set on /tmp, and some servers such as Foreman require an HTTP server.
It would also help if you could add a field/column that shows the compliance percentage as this is the most important thing for our auditors.
I would also like to see the ability to download this screen as a PDF report.
The following screen would also be really useful if we could download it.
would be the addition of a counter showing the number of hosts failing a particular test as the only way I can find is to use the query option for all 120+ tests:
The only way to properly get 100% is to use tailoring files and create different policies depending on what kind of setup the machines have. For example, I need to have one for machines running docker since that requires certain configurations that break some of the default policy rules.
This is precisely what I need along with the adjustable threshold. Another way to think about this is in terms of roles such as production or database, and the policies could be adjusted according to the role.
The other real big addition is more PDF or CSV reporting so the results can be exported for presentation to auditors and management.
My point is that tailoring files can be uploaded and used with SCAP in Foreman to create custom policies, so if you need it, it is already there to be used.
I already use tailoring files but the limitation is that if I want to tailor CIS Level 1 I can only do it once for this policy and have to run the Ansible roles on every client in order to update them. This takes a lot of time. What I would like is the ability to tailor my global policy, e.g. I’m not bothered about having Samba shares, and then have special tailoring for Docker or Database systems. With a role tag this would become easier to use and to administer.
I first want to say I really appreciate all your efforts and wish I had programming skills and could help more.
Another killer feature for me would be if you could download the Satellite SCAP reports as PDF files as well as being able to view them in the browser. If I could download all the reports they could be used as evidence for my security auditors.
Hey everybody, what do you all think about this? I am working on some changes to the UI. Right now, I have sorting working, pass, fail, rule and severity.
Also, if you select the solution button, I have fix options that display the fix. Also, ignore the launch button. It is my ghetto AAP integration. That button will launch an AAP job with the failed hosts that only have the tag associated with that particular fix. Meaning only that fix is applied on those hosts.
That is very kind of you to say. I was struggling to get my JavaScript to work outside of the views. My code is a mess. What you created is Foreman art.
How did you get the fixes? Would that user have to upload the content again to add that data back to the use? Also, if you check the Ansible fixes, they have a tag that will let you know if a reboot is required.
Sorry I didn’t respond earlier, I’m located in the CEST time zone.
How did you get the fixes?
TL;DR: A machine will send a report to the Smart Proxy; that report contains suggested fixes (can be multiple). We just parse this report and send it to Foreman to store.
Would that user have to upload the content again to add that data back to the use?
Not sure I’m following the question. Could you elaborate?
Also, if you check the Ansible fixes, they have a tag that will let you know if a reboot is required
Yeah, I’ve noticed that, but Ansible fixes are not always available. And some other fixes might require a reboot as well. This information is available in the report we receive from a host, but we don’t parse it to store just yet.
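As an added illustration of the flow described in the reply above (not code from this thread, and not Foreman's or the Smart Proxy's own parser): a Python example that reads an XCCDF 1.2 result document and lists, for each failed rule, the fixes its rule definition carries along with their `reboot` attribute. The sample document, its rule ids and the function name are constructed, and it assumes rule definitions and results sit in the same document.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}

# Constructed sample: a trimmed XCCDF 1.2 document, not a real scan result.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_tmp_nodev"><title>Add nodev to /tmp</title>
    <fix system="urn:xccdf:fix:script:sh">echo constructed-shell-fix</fix>
    <fix system="urn:xccdf:fix:script:ansible">- name: constructed ansible fix</fix>
  </Rule>
  <Rule id="xccdf_example_rule_audit_boot"><title>Enable auditing at boot</title>
    <fix system="urn:xccdf:fix:script:sh" reboot="true">echo constructed-boot-fix</fix>
  </Rule>
  <Rule id="xccdf_example_rule_sshd_root"><title>Disable SSH root login</title></Rule>
  <Rule id="xccdf_example_rule_passwd_perms"><title>Permissions on /etc/passwd</title>
    <fix system="urn:xccdf:fix:script:sh">echo constructed-unused-fix</fix>
  </Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_tmp_nodev"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_boot"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_sshd_root"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_passwd_perms"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""

def fixes_for_failed_rules(report_xml):
    """Map each failed rule id to the fixes its Rule definition carries."""
    # The report is host-supplied input; outside a demo, parse it with a
    # hardened XML parser (for example defusedxml) rather than plain ElementTree.
    root = ET.fromstring(report_xml)
    rules = {r.get("id"): r for r in root.iter(f"{{{XCCDF}}}Rule")}
    failed = {}
    for rr in root.iter(f"{{{XCCDF}}}rule-result"):
        if rr.findtext("x:result", namespaces=NS) != "fail":
            continue  # only failed rules need a remediation
        rule = rules.get(rr.get("idref"))
        fixes = rule.findall("x:fix", NS) if rule is not None else []
        failed[rr.get("idref")] = [
            {"system": f.get("system"), "text": (f.text or "").strip(),
             # reboot is an xsd:boolean attribute; absent means false
             "reboot": f.get("reboot", "false") in ("true", "1")}
            for f in fixes]
    return failed

if __name__ == "__main__":
    for rule_id, fixes in fixes_for_failed_rules(SAMPLE).items():
        print(rule_id, [(f["system"], f["reboot"]) for f in fixes] or "no fix in report")
```

A failed rule with an empty list is one the content ships no remediation for, and the `system` value separates shell fixes from Ansible ones.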
I guess I mean to ask where are the fixes coming from? They were not already in the database when a report is parsed. Did you also make changes to the proxy so that the fixes are added? Or are the fixes already in the database and I am blind?