OpenSCAP Guide

The OpenSCAP plugin allows orcharhino to collect automated vulnerability and security compliance audits from managed hosts using SCAP. The plugin involves several basic concepts and entities: SCAP content, XCCDF profiles, tailoring files, compliance policies, and ARF reports:

  • SCAP content (Security Content Automation Protocol) refers to an .xml file in DataStream format. This format is part of the SCAP standard since version 1.2. DataStream files define a security baseline for hosts to comply with and may bundle multiple constituent parts.

  • XCCDF profiles (eXtensible Configuration Checklist Description Format) are a component part of SCAP content. XCCDF is a language to write security checklists and benchmarks. An XCCDF file contains security configuration rules for lists of managed hosts.

  • Tailoring files specify a set of modifications for existing SCAP content. They adapt SCAP content for your particular needs without changing the original SCAP content itself.

  • Compliance policies relate to the actual application of SCAP content to managed hosts using orcharhino with its OpenSCAP plugin. You can create compliance policies using the orcharhino management UI. Compliance reports require the setting of a specific XCCDF profile from a SCAP content, optionally using a tailoring file. They are associated with a schedule for running audits and can be associated with any number of host groups.

  • ARF reports (Asset Reporting Format) are the output of compliance scans on managed hosts which have a policy assigned. They list compliance criteria and whether the scanned host has passed or failed.

The OpenSCAP plugin adds four items to the host menu:

Webinar "orcharhino and OpenSCAP Policies"

OpenSCAP Prerequisites

Successful OpenSCAP plugin usage has several prerequisites:

  • The OpenSCAP plugin uses Puppet to install and configure software on managed hosts and manage OpenSCAP content on orcharhino itself. Attach your managed hosts to orcharhino’s Puppet master to use OpenSCAP.

  • Register your managed hosts as content hosts with orcharhino. SCAP content is distributed using orcharhino’s content management.

  • SCAP content, for example the scap-security-guide package. Look up the official OpenSCAP documentation on how to obtain additional SCAP content or modify existing SCAP content.

Installing the OpenSCAP Plugin

This portion of the OpenSCAP plugin guide deals with installing the plugin. The OpenSCAP plugin consists of several distinct parts, each of which needs to be installed separately. The parts are the main OpenSCAP plugin itself, the OpenSCAP plugin smart proxy functionality, the OpenSCAP client software, and finally the OpenSCAP plugin Puppet module.

  1. Install the OpenSCAP plugin on your orcharhino:

    # foreman-installer --enable-foreman-plugin-openscap
  2. Install the OpenSCAP plugin smart proxy functionality:

    # foreman-installer --enable-foreman-proxy-plugin-openscap

    Perform this command on both your orcharhino and any attached orcharhino proxies.

  3. Optional: Upload SCAP content using hammer.

    1. Install Hammer CLI OpenSCAP plugin:

      # yum install -y tfm-rubygem-hammer_cli_foreman_openscap
    2. Upload SCAP content:

      # hammer scap-content bulk-upload \
          --directory /usr/share/xml/scap/ssg/content/ \
          --type directory \
          --organization-id 42 \
          --location-id 3

      SCAP content in /usr/share/xml/scap/ssg/content/ is part of the scap-security-guide package.

  4. Install the OpenSCAP plugin Puppet module:

    # yum install -y puppet-foreman_scap_client
  5. Import the Puppet module into orcharhino:

    1. Navigate to Configure > Puppet Classes.

    2. Click Import environments from <orcharhino FQDN>.

Puppet installs and configures the OpenSCAP client software. Don’t install the OpenSCAP client manually.

Using OpenSCAP

Usage of the OpenSCAP plugin can be subdivided into several distinct steps:

Obtaining SCAP Content

After performing the installation steps, there is already some sample SCAP content available.

You can upload additional SCAP content to orcharhino using the SCAP contents page. You can upload tailoring files to modify existing SCAP content using the tailoring files page.

Creating a SCAP Policy

Create a SCAP policy on the compliance policies page after you’ve added SCAP content.

Assigning SCAP Policies

Assign SCAP policies to hosts or host groups. Either select a host groups when creating or editing a SCAP compliance policy, or select a host on the content hosts page.

Running an OpenSCAP Scan

  1. Navigate to Hosts > All Hosts.

  2. Select one or multiple hosts.

  3. Click on Run OpenSCAP scan.

    Alternatively, schedule a remote job or use the schedule remote job bulk action on the all hosts page to schedule multiple scans at once.

Viewing ARF Reports

Check the resulting ARF report after running an OpenSCAP scan.

  1. Navigate to Hosts > Compliance Reports.

  2. Select a report.

    Note that there won’t be any reports prior to the first scheduled scan.