Workaround to use OpenSCAP for Debian and manage policies from console

Background

More than one person has expressed an interest in utilising OpenSCAP on Debian-based Foreman clients, but there isn’t currently a deb-based package for foreman_scap_client. If you install from gem and try to assign a policy to a host group from the web console, Puppet will still error due to the missing package before creating the config and cron files on a client, and the failure will turn the client red in the Foreman web console.

Here’s a quick workaround that satisfies the Foreman client configuration routine from Puppet: it uses “equivs” to create a dummy package. Policies can then be managed in the Foreman console and sent out to Debian-based clients with a minimum of manual configuration.

I used a test VM to create the package to not pollute any of my live machines.

Watch Foreman error out when configuring OpenSCAP

  • Create a policy for Debian in Foreman and assign it to a host group containing the Debian client machine

  • On the client machine to be scanned, install OpenSCAP
    apt install libopenscap8

  • Perform a Puppet run and see the package error

    puppet agent -tv

Puppet agent log showing the error

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for myforemanclient.myfqdn.tld
Info: Applying configuration version '1598982269'
Error: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install ruby-foreman-scap-client' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package ruby-foreman-scap-client
Error: /Stage[main]/Foreman_scap_client/Package[ruby-foreman-scap-client]/ensure: change from 'purged' to 'present' failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install ruby-foreman-scap-client' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package ruby-foreman-scap-client
Notice: /Stage[main]/Foreman_scap_client/File[/etc/foreman_scap_client]: Dependency Package[ruby-foreman-scap-client] has failures: true
Warning: /Stage[main]/Foreman_scap_client/File[/etc/foreman_scap_client]: Skipping because of failed dependencies
Warning: /Stage[main]/Foreman_scap_client/File[foreman_scap_client]: Skipping because of failed dependencies
Notice: Applied catalog in 0.36 seconds

  • Install from gem as a workaround
    gem install foreman_scap_client

  • Perform another Puppet run and see that the error still occurs due to the missing package dependency

Build a package to remediate the above

  • Install equivs. A number of dependencies may be installed as well.
    apt install equivs

  • Copy the below into a file called ruby-foreman-scap-client

Section: misc
Priority: optional
Standards-Version: 3.9.2
Package: ruby-foreman-scap-client
Description: Dummy package to fake ruby-foreman-scap-client installation

Or use “equivs-control ruby-foreman-scap-client” to create the file, then modify it as above.

  • Build the package
    equivs-build ruby-foreman-scap-client

  • If all is good, a package file ./ruby-foreman-scap-client_1.0_all.deb should be created. Install this on the client.
    dpkg -i ./ruby-foreman-scap-client_1.0_all.deb

  • Perform another Puppet run; this time the output should report success and show that /etc/foreman_scap_client/config.yaml is created.
    /etc/cron.d/foreman_scap_client_cron should also be created with the appropriate entries.

    puppet agent -tv

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for myforemanclient.myfqdn.tld
Info: Applying configuration version '1598744227'
Notice: /Stage[main]/Foreman_scap_client/File[/etc/foreman_scap_client]/ensure: created
Notice: /Stage[main]/Foreman_scap_client/File[foreman_scap_client]/ensure: defined content as '{md5}2f9bd05a9058bcdced978cda46e1dc9c'
Notice: Applied catalog in 0.31 seconds

  • Observe the SCAP client running correctly and the ARF file uploaded to the Foreman server

/opt/puppetlabs/puppet/bin/foreman_scap_client 5

DEBUG: running: oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_standard --results-arf /tmp/d20200902-10780-1fd45k2/results.xml /var/lib/openscap/content/ec2ee849161fb02a90b0410304392669fcfe5cfa7413c9ff70fba462b6280a6a.xml

DEBUG: running: /usr/bin/env bzip2 /tmp/d20200902-10780-1fd45k2/results.xml
Uploading results to https://myforemanserver.mydomain.tld:8443/compliance/arf/5
Report uploaded, report id: 13657

  • View the report in the console

Can’t edit the original post to correct a missing item, so adding it here. After installing from gem, create a symlink from /usr/bin/foreman_scap_client to the location installed by the gem. This satisfies the location referred to in the cron configuration.

  • Install from gem as a workaround
    gem install foreman_scap_client

  • Create a symlink to ensure the cron job operates correctly
    ln -s /opt/puppetlabs/puppet/bin/foreman_scap_client /usr/bin/foreman_scap_client

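The equivs steps from the original post and the symlink fix from the follow-up, put together as one script. This is an added example, not code from either post or from the foreman_scap_client project: it writes the equivs control file, builds and installs the dummy package from a scratch directory, installs the gem, links the binary into /usr/bin, and then checks that the Puppet run actually produced the config and cron files. The path /opt/puppetlabs/puppet/bin/foreman_scap_client is the one the thread shows and assumes the gem was installed with Puppet’s bundled Ruby; override GEM_BIN if `gem env` on your client reports a different bindir. The function names and the `run` argument are this example’s own.

```shell
#!/bin/sh
# Added example (not from the thread): dummy-package workaround for
# foreman_scap_client on Debian, end to end, with a readiness check.
set -eu

PKG="ruby-foreman-scap-client"
# Where the thread's author found the gem binary (Puppet's bundled Ruby).
# Assumption: adjust if `gem env` reports another bindir on your client.
GEM_BIN="${GEM_BIN:-/opt/puppetlabs/puppet/bin/foreman_scap_client}"

# Emit the equivs control file. No Version field is set, so equivs-build
# falls back to its default 1.0 and produces ruby-foreman-scap-client_1.0_all.deb,
# the file name the original post expects.
equivs_control() {
  cat <<EOF
Section: misc
Priority: optional
Standards-Version: 3.9.2
Package: $PKG
Description: Dummy package to fake $PKG installation
 The real client is installed from the foreman_scap_client gem.
EOF
}

# Build the dummy .deb in a scratch directory so nothing lands in \$PWD
# and print the path of the resulting package.
build_dummy_deb() {
  local work
  work="$(mktemp -d)"
  equivs_control > "$work/$PKG"
  ( cd "$work" && equivs-build "$PKG" >/dev/null )
  echo "$work/${PKG}_1.0_all.deb"
}

# Return 0 only when the client is fully wired up: dpkg believes the
# package is installed, the binary the cron job calls really exists, and
# Puppet has written both the config and the cron file. Checking the
# binary matters because the dummy package satisfies Puppet even if the
# gem is later removed.
client_ready() {
  dpkg-query -W -f='${Status}' "$PKG" 2>/dev/null | grep -q 'install ok installed' || return 1
  [ -x /usr/bin/foreman_scap_client ] || return 1
  [ -f /etc/foreman_scap_client/config.yaml ] || return 1
  [ -f /etc/cron.d/foreman_scap_client_cron ]
}

# Full procedure, in the order the thread arrived at: OpenSCAP and equivs,
# dummy package, gem, symlink, then the Puppet run that lays down the config.
main() {
  apt-get install -y libopenscap8 equivs
  deb="$(build_dummy_deb)"
  dpkg -i "$deb"
  gem install foreman_scap_client
  ln -sf "$GEM_BIN" /usr/bin/foreman_scap_client
  puppet agent -tv
  client_ready && echo "foreman_scap_client is ready on this host"
}

# Only run the procedure when explicitly asked: sh setup_scap_client.sh run
if [ "${1:-}" = run ]; then main; fi
```

Because the real client now lives outside dpkg, apt will never upgrade it and the dummy package keeps Puppet happy regardless of whether the gem is present, so the readiness check looks at the binary and the generated files rather than trusting dpkg alone.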

Nice! I am sure this will be helpful to other users in community.


Another option is to use the same tool that Debian uses to package gems: gem2deb.

apt install gem2deb
wget https://rubygems.org/downloads/foreman_scap_client-0.4.7.gem
gem2deb foreman_scap_client-0.4.7.gem

That will result in the production of a .deb package, which you could add to a repository that you assign to your systems.

Hope that helps!

/Mike

P.S. It does not create the /etc/foreman_scap_client directory though, so you’ll need to handle that via Ansible or Puppet.