In this exercise, we will learn how to configure and perform an OpenSCAP scan using playbooks in Ansible Automation Platform 2 with Satellite. When running multiple Red Hat Enterprise Linux systems, it is important to keep all of them compliant with a meaningful security policy and to scan them often. OpenSCAP is an open source project used by government agencies, corporations, and e-commerce businesses, to name a few examples. It provides tools for automated vulnerability checking.
Satellite can be loaded with RPM packages for SCAP workbench v1.2.0-8, which will provide scanning capabilities. Satellite is also loaded with the SCAP security guide v0.1.54-3 for RHEL7 and CentOS devices, which provides the appropriate XCCDF benchmarks for PCI and STIG compliance for the purpose of this exercise. This exercise will focus on RHEL systems; CentOS is out of scope.
Red Hat Satellite v6.x, Ansible Automation Platform 4.x
3 x Red Hat Enterprise Linux clients v7.9
Exercise 0 : Lab Setup
Organization to be used = Default Organization
Content view = RHEL7
Lifecycle environments = Dev, QA, Prod
Now we will start configuring a compliance policy that we can use to scan our RHEL nodes.
In Satellite hover over ‘Hosts’ from the menu on the left side pane, and then click on ‘Policies’
Click on the “New Policy” button, and fill out the details as described in step 3.
Now we will start configuring our Satellite server to be able to manage a compliance policy
This step will allow us to scan a single RHEL7 host with the PCI_Compliance policy that we configured on Satellite.
In Ansible Automation Platform click ‘Templates’ from the left side pane menu
Click the BLUE ‘Add’ drop-down icon and select ‘Add job template’ from the drop-down selection menu. Fill out the details as follows:
Name: SATELLITE / Compliance - OpenSCAP_Configure
Job Type: Run
Inventory: RHEL7 Development (Click the magnifying glass icon to select.)
Project: Automated Management (Click the magnifying glass icon to select.)
Execution Environment: smart_mgmt workshop execution environment (Click the magnifying glass icon to select.)
Playbook: configure_openscap.yml (Click drop-down to select.)
Credentials: Workshop Credential, and Satellite Credential (Click the magnifying glass icon to select.)
NOTE: In this new menu, select the Workshop Credential radio button. The 'Selected Category' for this is 'Machine'. Next, use the 'Selected Category' drop-down menu again to select Satellite_Collection. You will choose the Satellite Credential. This will provide you with two sets of credentials. Choosing 'Select' will save your changes and exit the menu.
Extra Variables (Keep the exact spacing provided below. Note that the extra-vars that we are supplying need to be in YAML format):
---
HOSTS: node1.example.com
Policy_scan:
  - PCI_Compliance
Selecting launch will take you to the Jobs > SATELLITE / Compliance - OpenSCAP_Configure output window where you will be able to follow each task executed as part of the playbook. This will take approximately 3 mins to complete. Wait for the job template to complete before proceeding to the next step.
Hover over ‘Hosts’ from the side pane menu and then click on ‘Reports’.
Click on the ‘Full Report’ button, under Actions, for ‘node1.example.com’ to evaluate
Scroll down to the Rule Overview section. You can sort by “Pass”, “Fail”, “Fixed”, or any number of qualifiers as well as group rules by “Severity”
Now, uncheck everything except the fail checkbox. Then scroll down and click on the failure “Prevent Login to Accounts With Empty Password”
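The Rule Overview filter from the steps above, reproduced offline as an added example (not part of the workshop's own material): it reads an XCCDF 1.2 results document, counts rule results, and groups the failed rules by severity. The embedded XML is a constructed sample, and the `com.example` rule ids and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}

# Constructed, trimmed XCCDF 1.2 results (not output from the lab hosts).
# Rule ids under com.example are placeholders.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <Rule id="xccdf_org.ssgproject.content_rule_no_empty_passwords">
  <title>Prevent Login to Accounts With Empty Password</title></Rule>
 <Rule id="xccdf_com.example_rule_sample_a"><title>Sample rule A</title></Rule>
 <Rule id="xccdf_com.example_rule_sample_b"><title>Sample rule B</title></Rule>
 <TestResult id="xccdf_com.example_testresult_constructed">
  <target>node1.example.com</target>
  <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords"
               severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_com.example_rule_sample_a" severity="medium">
   <result>fail</result></rule-result>
  <rule-result idref="xccdf_com.example_rule_sample_b" severity="medium">
   <result>pass</result></rule-result>
  <rule-result idref="xccdf_com.example_rule_not_in_benchmark" severity="low">
   <result>notselected</result></rule-result>
 </TestResult>
</Benchmark>"""


def result_counts(xml_text):
    """Count rule results (pass, fail, fixed, ...) as the Rule Overview does."""
    root = ET.fromstring(xml_text)
    return Counter(rr.findtext("x:result", "unknown", NS)
                   for rr in root.iter("{%s}rule-result" % XCCDF))


def rules_by_severity(xml_text, wanted=("fail",)):
    """Group rules whose result is in `wanted` by severity, using rule titles."""
    root = ET.fromstring(xml_text)
    titles = {r.get("id"): (r.findtext("x:title", "", NS) or "").strip()
              for r in root.iter("{%s}Rule" % XCCDF)}
    grouped = defaultdict(list)
    for rr in root.iter("{%s}rule-result" % XCCDF):
        if rr.findtext("x:result", "unknown", NS) in wanted:
            rid = rr.get("idref")
            # Fall back to the rule id when the benchmark has no title for it.
            grouped[rr.get("severity", "unknown")].append(titles.get(rid) or rid)
    return dict(grouped)


if __name__ == "__main__":
    print(dict(result_counts(SAMPLE)))
    print(rules_by_severity(SAMPLE))
```

For reports collected from hosts you do not fully trust, parse with a hardened XML parser such as defusedxml instead of the standard library.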
This step will expand our OpenSCAP policy scan to add another XCCDF compliance profile called STIG_Compliance. We will also expand to include all systems in the ‘RHEL7 Development’ inventory by adjusting the ‘HOSTS’ extra variable to ‘all’ instead of specifying a single system.
In Satellite, hover over “Hosts” from the menu on the left side of the screen, and then click on “Policies”.
Click on the “New Compliance Policy” button
Select “Manual” from the deployment options and click “Next”
Select the OpenSCAP_Configure job template, and click edit at the bottom of the template to make changes to the “Extra Variables”:
Extra Variables (Keep the exact spacing provided below. Note that the extra-vars that we are supplying need to be in YAML format):
---
HOSTS: all
Policy_scan:
  - PCI_Compliance
  - STIG_Compliance
Leave the rest of the fields blank or as they are, and click ‘Save’. You can then select ‘Launch’ to deploy the job template.
Selecting launch will take you to the Jobs > SATELLITE / Compliance - OpenSCAP_Configure output window. This will take approximately 5 mins to complete. Wait for the job template to complete before proceeding to the next step.
Hover over “Hosts” from the menu on the left side of the screen, and then click on “Reports”.
Notice that we’ve now easily scaled to six scans: two scans of each node, one for PCI_Compliance and one for STIG_Compliance.