Automated Smart Management Workshop: Configuring and performing an OpenSCAP Scan

In this exercise, we will learn how to configure and perform an OpenSCAP scan using playbooks in Ansible Automation Platform 2 with Satellite. When running multiple Red Hat Enterprise Linux systems, it’s important to keep all of these systems compliant with a meaningful security policy and perform security scans often. OpenSCAP is an open source project that is used by government agencies, corporations, as well as e-commerce (just to name a few examples). OpenSCAP provides tools for automated vulnerability checking. Satellite can be loaded with RPM packages for SCAP workbench v1.2.0-8 which will provide scanning capabilities. Satellite is also loaded with the SCAP security guide v0.1.54-3 for RHEL7 and CentOS devices which provides the appropriate XCCDF benchmarks for PCI and STIG compliance for the purpose of this exercise. This exercise will focus on RHEL systems, CentOS will be out of scope.

Environment

Pre-requisites

Exercise

1. Logging into Satellite

login screen

satellite_dash

2. Creating a new compliance policy

Now we will start configuring a compliance policy that we can use to scan our RHEL nodes.

satellite_policy

3. Configuring a new compliance policy

Now we will start configuring our Satellite server to be able to manage a compliance policy

satellite_policy

satellite_policy

satellite_policy

satellite_policy

satellite_policy

4. Logging into the Ansible Automation Platform

login screen

aap_dashboard

5. Configure and launch an Ansible Automation Platform template to run an OpenSCAP scan.

This step will allow us to scan a single rhel7 host with the PCI_Compliance policy that we configured on Satellite.

aap_template

Selecting launch will take you to the Jobs > SATELLITE / Compliance - OpenSCAP_Configure output window where you will be able to follow each task executed as part of the playbook. This will take approximately 3 mins to complete. Wait for the job template to complete before proceeding to the next step.

aap_output

6. Navigate back to Satellite to examine the Asset Reporting File (ARF).

aap_arf

aap_arf

7. Expanding OpenSCAP policy scans

This step will expand our OpenSCAP policy scan to add another XCCDF compliance profile called STIG_Compliance. We will also expand to include all systems in the ‘RHEL7 Development’ inventory by adjusting the ‘HOSTS’ extra variable to ‘all’ instead of specifying a single system.

satellite_policy

satellite_policy

satellite_policy

satellite_policy

satellite_policy

aap_template

aap_output

8. Navigate back to Satellite to examine the Asset Reporting File (ARF).

aap_arf

9. End Lab