foreman_openscap

10.1.0last stable release 2 months ago
Complexity Score
Medium
Open Issues
N/A
Dependent Projects
0
Weekly Downloadsglobal
7

License

  • GPL-3.0

    Downloads

    Readme

    Foreman-OpenSCAP

    This plug-in enables automated vulnerability assessment and compliance audit of Foreman based infrastructure.

    • Current features:
      • Centralized policy management
      • Set-up organization defined targeting (connect set of system, a policy and time schedule)
      • Set-up periodical audits
      • Search for not audited systems
      • Collect & achieve OpenSCAP audit results from your infrastructure
      • Display audit results
      • Search audit results
      • Search for non-compliant systems
    • Future features:
      • Comparison of audit results
      • Waive known issues (one-time waivers, re-occurring, waivers)
      • Ad-hoc audit of given machine
      • Support for PreupgradeAssistant evaluation
      • E-mail notifications

    Usage

    Basic Concepts

    There are three basic concepts (entities) in OpenSCAP plug-in: SCAP Contents, Compliance Policies and ARF Reports.

    SCAP Content represents SCAP DataStream XML file as defined by SCAP 1.2 standard. Datastream file contains implementation of compliance, configuration or security baselines. Users are advised to acquire examplary baseline by installing scap-security-guide package. DataStream file usualy contains multiple XCCDF Profiles. Each for different security target. The content of Datastream file can be inspected by oscap tool from openscap-scanner package.

    # yum install -y scap-security-guide openscap-scanner
    # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
    # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    

    Compliance Policy is highlevel concept of a baseline applied to the infrastructure. Compliance Policy is defined by user on web interface. User may assign following information to the Policy:

    • SCAP Content
    • XCCDF Profile from particular SCAP Content
    • Host Groups that should comply with the policy
    • Schedule - the period in which the audit shall occur

    ARF Report is XML output of single scan occurance per single host. Asset Reporting File format is defined by SCAP 1.2 standard. Foreman plug-in stores the ARF Reports in database for later inspections.

    User Interface

    The most of the Foreman-OpenSCAP controls are located in the Compliance section under the Host menu. The section contains three items as described in previous section: SCAP Contents, Compliance Policies, ARF Reports.

    Prerequisites before the first use

    Make sure that

    1. smart_proxy_openscap and puppet-foreman_scap_client packages are installed on your proxies
    2. proxies have Foreman uri defined
    # echo ':foreman_url: https://foreman17.local.lan' >> /etc/foreman-proxy/settings.yml
    
    1. foreman_scap_client puppet class is imported to your Foreman
    2. Go to Configure -> Puppet classes page
    3. Click Import button
    4. Select foreman_scap_client

    Setting-up first compliance policy

    1. Log-in to Web Interface

    2. Create new SCAP Content

    3. Go to Hosts -> Compliance -> SCAP contents page

    4. Upload DataSteam file

    5. Create new Policy

    6. Go to Hosts -> Compliance -> Policies page

    7. Assign SCAP Content to Policy

    8. Select Profile from your SCAP Content

    9. Define periodic scan schedule

    10. Assign Hostgroups to the policy (hosts you want to audit should be assigned with one of the hostgroups)

    11. Select particular hosts for compliance audit

    12. Go to Hosts -> All hosts page

    13. Select hosts

    14. Use Select Action -> Assign Compliance Policy button

    15. Make sure the DataStream file is present on the clients’ file system.

      At the moment, Foreman infrastructure is not able to serve a file to the clients. Hence, users are required to distribute their DataStrem file to each client. The expected location is defined at Compliance Policy -> Edit dialogue.

    16. Inspect the compliance results

    17. Go to Hosts -> Compliance -> Reports page

    18. Wait for ARF Reports to show-up

    19. Go to Hosts -> Compliance -> Policies page

    20. Click the policy link to view dashboard and trend

    Installation

    • Follow the official guide on theforeman.org

    Development setup

    • set up Foreman for development, preferably using forklift
    • clone this repo
        git clone https://github.com/theforeman/foreman_openscap.git
      
    • point foreman to your checkout
      echo "gemspec :path => 'path/to/foreman_openscap'" >> foreman/bundler.d/Gemfile.local.rb
      
    • run bundler, migrations and seeds from foreman dir
      cd foreman
      bundle install
      rake db:migrate
      rake db:seed
      
    • start your Rails server, verify openscap plugin is present

    Releasing

    follow these steps:

    1. Bump the version.rb to desired number
    2. git commit -a -m “Version $number”
    3. rake release

    the commit gets tagged with what it find in version.rb

    if you have commit permissions, the commit and the tag gets pushed to origin remote

    if you’re the gem owner, gem is built and uploaded to rubygems.org

    Found a bug?

    We use the issue tracker at http://projects.theforeman.org/projects/foreman_openscap/issues, it supports github SSO so it’s straightforward to open new issues there. If you think you found a bug, please take search through existing issues and if you haven’t found any, free free to open a new one. Thank you.

    Copyright

    Copyright (c) 2014–2015 Red Hat, Inc.

    This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

    Dependencies

    No runtime dependency information found for this package.

    CVE IssuesActive
    0
    Scorecards Score
    No Data
    Test Coverage
    No Data
    Follows Semver
    Yes
    Github Stars
    39
    Dependenciestotal
    1
    DependenciesOutdated
    0
    DependenciesDeprecated
    0
    Threat Modelling
    No Data
    Repo Audits
    No Data

    Learn how to distribute foreman_openscap in your own private RubyGems registry

    gem install foreman_openscap
    Processing...
    Done

    121 Releases

    RubyGems on Cloudsmith

    Getting started with RubyGems on Cloudsmith is fast and easy.