SCAP Reporting (Proposed new functionality)

Hi All,

Please correct me if this is the wrong place to post this kind of request/suggestion.

I have been doing a lot of work with SCAP reporting on RHEL7/8 and regularly use the Hosts->Policies->Dashboard screen

It would be really useful if you could add the ability to choose a lower than 100% compliance. We use 95% as there are always some exceptions and differences e.g. Oracle does not like the nodev mount-option being set on /tmp, and some servers such as Foreman require a http server.
It would also help if you could add a field/column that shows the compliance percentage as this is the most important thing for our auditors.

I would also like to see the ability to download this screen as a PDF report.

The following screen would also be really useful if we could download it.


Another great addition to the host screen

would be the addition of a counter showing the number of hosts failing a particular test as the only way I can find is to use the query option for all 120+ tests:

1 Like

All are great suggestions. We currently don’t have resources to add more features to this plugin. However we’d be very happy to help anyone who would like to contribute. The compliance threshold setting is even almost complete Fixes #31685 - Add treshold for ds policies by xprazak2 · Pull Request #519 · theforeman/foreman_openscap · GitHub

If there’s anyone willing to help, please let me know.

The only way to properly get 100% is to use tailoring files and create different policies depending on what kind of setup the machines has. For example I need to have one for machines running docker since that require certain configurations that break some of the default policy rules.

1 Like

This is precisely what I need along with the adjustable threshold. Another way to think about this is in terms of roles such as production or database, and the policies could be adjusted according to the role.
The other real big addition is more PDF or CSV reporting so the results can be exported for presentation to auditors and management.

My point is that tailoring files can be uploaded and used with SCAP in Foreman to create custom policies so if you need it, it is already there to be used,

Thanks for your suggestion.

I already use tailoring files but the limitation is that if I want to tailor CIS Level 1 I can only do it once for this policy and have to run the Ansible roles on every client in order to update them. This takes a lot of time. What I would like is the ability to tailor my global policy, e.g. I’m not bothered about having Samba shares, and then have special tailoring for Docker or Database systems. With a role tag this would become easier to use and to administer.

I am willing to help!

Hi all,

I first want to say I really appreciate all your efforts and wish I had programming skills and could help more.

Another killer feature for me would be if you could download the Satellite SCAP reports as PDF files as well as being able to view them in the browser. If I could download all the reports they could be used as evidence for my security auditors.

Many thanks,

FYI @ofedoren and @aruzicka, this thread may be good source of additional information from users. It seems the plugin may get some attention again.

Hey everybody, what do you all think about this? I am working on some changes to the UI. Right now, I have sorting working, pass, fail, rule and severity.

1 Like

Also, if you select the solution button, the solution button, I have fix options that displays the fix. Also, ignore the launch button. It is my ghetto AAP intergration. That button will launch an AAP job with the failed hosts that only have the tag associated with that particular fix. Meaning only that fix is applied on those hosts.

Hi @theredgreek,

Nice work, I hope you will be glad to know that I’ve recently started on quite similar feature: Fixes #36738 - Add remediation wizard by ofedoren · Pull Request #546 · theforeman/foreman_openscap · GitHub

There is also a short demo of how it would currently work, but I would be happy to receive some feedback from the users as well.

That is very kind of you to say. I was struggling to get my JavaScript to
work outside of the views. My code is a mess. What you created is Foreman

Louis Tiches, Red Hat Partner
Mobile: 301-667-0424

1 Like

How did you get the fixes? Would that user have to upload the content again to add that data back to the use? Also, if you check the Ansible fixes, they have a tag that will let you know if a reboot is required.


Sorry I didin’t respond earlier, I’m located in CEST time zone :slight_smile:

How did you get the fixes?

TL;DR: A machine will send report to the Smart Proxy, that report contains suggested fixes (can be multiple), we just parse this report and send to Foreman to store.

Would that user have to upload the content again to add that data back to the use?

Not sure I’m following the question. Could you elaborate?

Also, if you check the Ansible fixes, they have a tag that will let you know if a reboot is required

Yeah, I’ve noticed that, but Ansible fixes are not always available. And some other fixes might require a reboot as well. This information is available in the report we receive from a host, but we don’t parse it to store just yet :confused:

I guess I mean to ask where are the fixes coming from? They were not already in the database when a report is parsed. Did you also make changes to the proxy so that the fixes are added? Or are the fixes already in the database and I am blind?

Got it. I didn’t make any changes to the proxy just yet. Proxy parses the report and already parses fixes data. Proxy sends it to the Foreman already, I’ve just added a line to save it to the DB: Fixes #36738 - Add remediation wizard by ofedoren · Pull Request #546 · theforeman/foreman_openscap · GitHub