OpenSCAP Plugin

The OpenSCAP plugin allows orcharhino to collect automated vulnerability and security compliance audits from managed hosts using SCAP. As a matter of terminology, the OpenSCAP plugin involves several basic concepts or entities: SCAP content, XCCDF profiles, tailoring files, compliance policies, and ARF reports:

  • SCAP content (“Security Content Automation Protocol”, pronounced “S-cap”) refers to an XML file in DataStream format. This format has been part of the SCAP standard since version 1.2. DataStream files define a security baseline for hosts to comply with. DataStream files may bundle multiple constituent parts.
  • XCCDF profiles (“eXtensible Configuration Checklist Description Format”) are a component part of SCAP content (DataStream files). XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. (Description taken directly from the XCCDF specification).
  • Tailoring files specify a set of modifications for existing SCAP content. They exist to modify SCAP content for your particular needs without changing the original SCAP content itself.
  • Compliance policies relate to the actual application of SCAP content to concrete systems via orcharhino and the OpenSCAP plugin. Compliance policies are created via the orcharhino web interface and require the setting of a specific XCCDF profile from some chosen SCAP content, optionally using a tailoring file. They are also associated with a schedule for running audits and can be associated with any number of host groups (see also Host Groups from the Management UI chapter).
  • ARF reports (“Asset Reporting Format”) are the output of a compliance scan on a host that has an assigned policy. They list the compliance criteria and whether the scanned host has passed or failed each of them.

The OpenSCAP plugin will add four additional menu entries to The Hosts Menu of the Management UI under a group heading of “Compliance”. They are “Policies”, “SCAP Content”, “Reports”, and “Tailoring Files”. Each of these new interface pages is documented below.

The OpenSCAP plugin guide has the following subsections:

Prerequisites

Successful OpenSCAP plugin usage has several prerequisites:

  • The OpenSCAP plugin makes extensive use of Puppet (see also Puppet Guide) to install and configure client software on hosts, as well as to manage plugin content on orcharhino itself. As a result, hosts making use of the plugin will need to be managed via orcharhino’s Puppet master.
  • Hosts making use of the plugin will also need to be fully entitled, registered, content hosts, since SCAP content is distributed using orcharhino’s content management (see also Content Management Guide).
  • Relevant SCAP content is required. Some example SCAP content is provided by the scap-security-guide package. Obtaining additional SCAP content or modifying this SCAP content falls outside the scope of this documentation, but you can look up the official OpenSCAP documentation.

Installation

This portion of the OpenSCAP plugin guide deals with installing the plugin. Note that the OpenSCAP plugin consists of several distinct parts, each of which needs to be installed separately. The parts are the main OpenSCAP plugin itself, the OpenSCAP plugin smart proxy functionality (see also Smart Proxy Guide), the OpenSCAP client software, and finally the OpenSCAP plugin Puppet module.

To install the OpenSCAP plugin itself, run the following command on the orcharhino host:

foreman-installer --enable-foreman-plugin-openscap

To install the OpenSCAP plugin smart proxy functionality on one or more smart proxy hosts (the orcharhino host is one such host), run the following command on each of them:

foreman-installer --enable-foreman-proxy-plugin-openscap

If you want to add the default SCAP content from the scap-security-guide package to orcharhino, run the following command on one or more orcharhino smart proxy hosts:

foreman-rake foreman_openscap:bulk_upload:default

To install the OpenSCAP plugin Puppet module:

  1. Install the module on the orcharhino host:

    puppet module install theforeman-foreman_scap_client
    
  2. Import the now installed module into orcharhino via the “Import environments from <orcharhino_fqdn>” button on the Puppet Classes page of the Management UI.

The OpenSCAP client software will be installed and configured by Puppet, whenever and wherever it is needed. It does not normally need to be manually installed.

Usage

Usage of the OpenSCAP plugin can be subdivided into several distinct steps:

  1. Obtaining SCAP content: If you performed the relevant installation step, there should already be some example SCAP content available. Additional SCAP content can be uploaded to orcharhino using the SCAP content page (see SCAP Content Page below). Tailoring files, for the modification of existing SCAP content, can be uploaded to orcharhino via the tailoring files page (see Tailoring Files Page below).
  2. Creating a SCAP policy: Once you have obtained some SCAP content, you can create a SCAP policy using that content, on the compliance policies page (see Compliance Policies Page below).
  3. Assigning SCAP policies to hosts: If you have selected any host groups (see also Host Groups) when creating or editing your SCAP compliance policy, it will automatically be assigned to any hosts in the group. Alternatively, you can assign a compliance policy to one or more hosts by selecting the relevant bulk action on the all hosts page (see also Performing Bulk Actions from All Hosts).
  4. Checking the resultant ARF reports: Once your policies are assigned, you can look for compliance reports on the compliance reports page (see Compliance Reports Page below). Note that there won’t be any reports prior to the first scheduled scan. If you don’t want to wait, you can schedule a remote job (see also Jobs) using orcharhino’s remote execution features (see also Remote Execution Guide). There is also a “Schedule Remote Job” bulk action on the all hosts page that will allow you to schedule many scans at once (see also Performing Bulk Actions from All Hosts).

SCAP Content Page

The SCAP content page can be accessed via The Hosts Menu:

Hosts > Compliance > SCAP contents

The SCAP content page includes an Upload New SCAP Content button, as well as a list of SCAP content:

List of SCAP content
  • Clicking the Upload New SCAP Content button (1) will open the upload new SCAP content window, which will allow you to upload an XML file in DataStream format containing SCAP content.
  • Selecting Edit (3) from the list of SCAP content (2) will take you to the edit SCAP content page. This page is essentially identical to the upload new SCAP content window. It will allow you to change the title of the SCAP content, the associated DataStream file, as well as the associated context (see also The Context Menu).
  • Selecting Download (4) from the list of SCAP content (2) will download the relevant XML file for local storage.
  • Selecting Delete (5) from the list of SCAP content (2) will delete the SCAP content from orcharhino.

Tailoring Files Page

The tailoring files page can be accessed via The Hosts Menu:

Hosts > Compliance > Tailoring Files

The tailoring files page includes an Upload New Tailoring File button, as well as a list of tailoring files:

List of tailoring files
  • Clicking the Upload New Tailoring File button (1) will open the upload new tailoring file page, which will allow you to upload an XML file in DataStream format containing SCAP content modifications.
  • Selecting Edit (3) from the list of tailoring files (2) will take you to the edit tailoring file page. This page is essentially identical to the upload new tailoring file page. It will allow you to change the name associated with the tailoring file, the file itself, as well as the associated context (see also The Context Menu).
  • Selecting Download (4) from the list of tailoring files (2) will download the relevant XML file for local storage.
  • Selecting Delete (5) from the list of tailoring files (2) will delete the tailoring file from orcharhino.

Compliance Policies Page

The compliance policies page can be accessed via The Hosts Menu:

Hosts > Compliance > Policies

The compliance policies page includes a New Compliance Policy button, as well as a list of compliance policies:

List of compliance policies
  • Clicking the New Compliance Policy button (1) will open the new compliance policy page. This page will take you through a step-by-step setup wizard. New compliance policies are associated with a name, an optional description, a SCAP content file, an XCCDF profile from that SCAP content, optionally a tailoring file (with XCCDF profile), a schedule, an orcharhino context, and any number of host groups. (See also The Context Menu and/or Host Groups).
  • Clicking on a name in the Name column (3) of the list of compliance policies (2) will take you to an overview page for all hosts associated with that policy.
  • Clicking on a SCAP content in the Content column (4) will take you to the edit SCAP content page for that SCAP content. (See also SCAP Content Page above).
  • Selecting Show Guide (5) from the drop down menu in the list of compliance policies (2) will display a detailed guide of all configuration settings associated with the relevant SCAP content.
  • Selecting Edit (6) from the drop down menu in the list of compliance policies (2) will take you to the edit compliance policy page. This page will allow you to change all parameters associated with the policy.
  • Selecting Delete (7) from the drop down menu in the list of compliance policies (2) will delete the compliance policy from orcharhino.

Compliance Reports Page

The compliance reports page can be accessed via The Hosts Menu:

Hosts > Compliance > Reports

The compliance reports page includes a Delete Reports button, as well as a list of reports:

List of reports
  • The Delete Reports button (1) will delete any reports selected in the first column of the list of reports (2).
  • Clicking on a host in the Host column (3) of the list of compliance reports (2) will take you to the host overview page of that host. (See also Viewing a Host from the All Hosts page).
  • Clicking on an entry in the Reported At column (4) of the list of compliance reports (2) will take you to the compliance report overview page. (See Viewing a Report below).
  • Clicking on a policy in the Policy column (5) of the list of compliance reports (2) will take you to the edit compliance policy page of that policy. (See also Compliance Policies Page above).
  • Clicking on a smart proxy from the OpenSCAP Proxy column (6) of the list of compliance reports (2) will take you to the smart proxy overview page for that smart proxy. (See also About and/or Smart Proxies).
  • Selecting Delete (7) from the drop down menu in the list of compliance reports (2) will delete the compliance policy from orcharhino.
  • Selecting Full Report (8) from the drop down menu in the list of compliance reports (2) will take you to a very detailed report (see also Viewing a Report below).

Viewing a Report

The compliance report overview page (for a given report) can be accessed via the list of compliance reports:

Hosts > Compliance > Reports >> list of compliance reports > Reported At column

A compliance report overview page includes a number of buttons (including one that leads to the full report), as well as a list of tests that were run and whether the relevant host passed each test:

Compliance Report
  • The Back button (1) will take you back to the compliance reports page. (See Compliance Reports Page above).
  • The Delete button (2) will delete the compliance report being viewed.
  • The Host details button (3) will take you to the host overview page of the host that the compliance report is about. (See also Viewing a Host).
  • The View full report button (4) will take you to a much more detailed version of the compliance report being viewed.
  • The Download XML in bzip button (5) will download the full report in XML format compressed using bzip2.
  • The Download HTML button (6) will download the full report in HTML format.
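A report downloaded via the Download XML in bzip button can also be triaged outside the web interface. The following is an added example, not part of the orcharhino documentation; it assumes the download is a bzip2-compressed ARF document that embeds an XCCDF 1.2 `TestResult`, and the sample report, host name and rule ids are constructed for illustration.

```python
import bz2
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed, heavily trimmed ARF report; host name and rule ids are made up.
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns="http://checklists.nist.gov/xccdf/1.2">
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <TestResult id="xccdf_org.open-scap_testresult_demo">
      <target>host01.example.com</target>
      <rule-result idref="xccdf_com.example_rule_password_minlen" severity="medium">
        <result>fail</result></rule-result>
      <rule-result idref="xccdf_com.example_rule_audit_enabled" severity="medium">
        <result>pass</result></rule-result>
      <rule-result idref="xccdf_com.example_rule_sshd_disable_root_login" severity="high">
        <result>fail</result></rule-result>
      <rule-result idref="xccdf_com.example_rule_selinux" severity="high">
        <result>notselected</result></rule-result>
    </TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

def failed_rules(arf_bz2_bytes):
    """Decompress a bzip2 ARF report; return (target, [(severity, rule_id)])."""
    root = ET.fromstring(bz2.decompress(arf_bz2_bytes))
    target, failures = None, []
    for test_result in root.iter(XCCDF + "TestResult"):
        target = test_result.findtext(XCCDF + "target")
        for rr in test_result.findall(XCCDF + "rule-result"):
            outcome = (rr.findtext(XCCDF + "result") or "").strip()
            if outcome == "fail":  # skip pass, notselected, notapplicable, ...
                failures.append((rr.get("severity", "unknown"), rr.get("idref")))
    # Most severe findings first, then by rule id for stable output.
    failures.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 4), f[1]))
    return target, failures

if __name__ == "__main__":
    # Stand-in for reading the downloaded .xml.bz2 file from disk.
    host, failures = failed_rules(bz2.compress(SAMPLE_ARF.encode("utf-8")))
    print("Failed rules on", host)
    for severity, rule_id in failures:
        print("  [%s] %s" % (severity, rule_id))
```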