SCAP Reporting (Proposed new functionality)

Hi All,

Please correct me if this is the wrong place to post this kind of request/suggestion.

I have been doing a lot of work with SCAP reporting on RHEL7/8 and regularly use the Hosts->Policies->Dashboard screen.

It would be really useful if you could add the ability to choose a lower than 100% compliance. We use 95% as there are always some exceptions and differences, e.g. Oracle does not like the nodev mount option being set on /tmp, and some servers such as Foreman require an HTTP server.
It would also help if you could add a field/column that shows the compliance percentage as this is the most important thing for our auditors.

I would also like to see the ability to download this screen as a PDF report.

The following screen would also be really useful if we could download it.

Regards,
Andrew

Another great addition to the host screen would be the addition of a counter showing the number of hosts failing a particular test, as the only way I can find is to use the query option for all 120+ tests:

1 Like
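
Added example (not part of the thread and not foreman_openscap code): the two dashboard columns requested above, computed from XCCDF 1.2 results, giving a per-host compliance percentage checked against the 95% threshold and a per-rule count of failing hosts. Host names, rule ids and the scoring rule (pass/fixed count as compliant; fail/error/unknown count against; other results such as notselected are excluded) are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
THRESHOLD = 95.0                     # percent, the figure quoted in the thread
OK = {"pass", "fixed"}               # assumption: these count as compliant
BAD = {"fail", "error", "unknown"}   # assumption: these count against the host

def make_result(host, outcomes):
    """Constructed sample input: a minimal XCCDF 1.2 TestResult for one host."""
    rules = "".join(f'<rule-result idref="{rid}"><result>{res}</result></rule-result>'
                    for rid, res in outcomes.items())
    return (f'<TestResult xmlns="{NS["x"]}" id="xccdf_org.example_testresult_demo">'
            f"<target>{host}</target>{rules}</TestResult>")

def sample_reports():
    """Three constructed hosts; rule ids are hypothetical, not real CIS ids."""
    base = {f"rule_{i:02d}": "pass" for i in range(1, 41)}
    base["rule_samba_share"] = "notselected"   # tailored out, so not scored
    return [
        make_result("app01.example.com", dict(base, rule_tmp_nodev="pass")),
        make_result("db01.example.com", dict(base, rule_tmp_nodev="fail")),
        make_result("web01.example.com",
                    dict(base, rule_tmp_nodev="fail", rule_01="fail", rule_02="error")),
    ]

def summarize(xml_text):
    """Return (host, compliance %, sorted ids of rules counted against the host)."""
    root = ET.fromstring(xml_text)  # real reports are untrusted: use a hardened parser
    host = root.findtext("x:target", namespaces=NS)
    results = {rr.get("idref"): rr.findtext("x:result", namespaces=NS)
               for rr in root.findall("x:rule-result", NS)}
    passed = sum(res in OK for res in results.values())
    failed = sorted(rid for rid, res in results.items() if res in BAD)
    counted = passed + len(failed)
    pct = round(100.0 * passed / counted, 2) if counted else 0.0
    return host, pct, failed

def dashboard(reports, threshold=THRESHOLD):
    """Per-host (percent, meets threshold) plus per-rule count of failing hosts."""
    rows, failing_hosts = {}, Counter()
    for xml_text in reports:
        host, pct, failed = summarize(xml_text)
        rows[host] = (pct, pct >= threshold)
        failing_hosts.update(failed)
    return rows, failing_hosts

if __name__ == "__main__":
    rows, failing = dashboard(sample_reports())
    print(rows, failing.most_common(), sep="\n")
```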

All are great suggestions. We currently don’t have resources to add more features to this plugin. However we’d be very happy to help anyone who would like to contribute. The compliance threshold setting is even almost complete: Fixes #31685 - Add treshold for ds policies by xprazak2 · Pull Request #519 · theforeman/foreman_openscap · GitHub

If there’s anyone willing to help, please let me know.

The only way to properly get 100% is to use tailoring files and create different policies depending on what kind of setup the machines have. For example, I need to have one for machines running docker, since that requires certain configurations that break some of the default policy rules.

1 Like

This is precisely what I need along with the adjustable threshold. Another way to think about this is in terms of roles such as production or database, and the policies could be adjusted according to the role.
The other real big addition is more PDF or CSV reporting so the results can be exported for presentation to auditors and management.

My point is that tailoring files can be uploaded and used with SCAP in Foreman to create custom policies, so if you need it, it is already there to be used.

Thanks for your suggestion.

I already use tailoring files but the limitation is that if I want to tailor CIS Level 1 I can only do it once for this policy and have to run the Ansible roles on every client in order to update them. This takes a lot of time. What I would like is the ability to tailor my global policy, e.g. I’m not bothered about having Samba shares, and then have special tailoring for Docker or Database systems. With a role tag this would become easier to use and to administer.

I am willing to help!

Hi all,

I first want to say I really appreciate all your efforts and wish I had programming skills and could help more.

Another killer feature for me would be if you could download the Satellite SCAP reports as PDF files as well as being able to view them in the browser. If I could download all the reports they could be used as evidence for my security auditors.

Many thanks,
Andrew