
foreman_scap_client's Introduction

ForemanScapClient

Client script that runs an OpenSCAP scan and uploads the result to the Foreman proxy. It is usually executed by cron.

Installation

Add this line to your application's Gemfile:

gem 'foreman_scap_client'

And then execute:

$ bundle

Or install it yourself as:

$ gem install foreman_scap_client

Dependencies

  • openscap-utils

Configuration

The configuration file must be created at /etc/foreman_scap_client/config.yaml; you can use config/config.yaml.example as a template. The puppet-openscap module can also configure this client for you.

Usage

To run an OpenSCAP scan and upload the result, run the following command:

    foreman_scap_client 1

This loads the content file and uses the profile of policy number 1 as specified in config.yaml.

Contributing

  1. Fork it ( https://github.com/OpenSCAP/foreman_scap_client/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request

foreman_scap_client's People

Contributors

alexjfisher, ares, evgeni, isimluk, jan-cerny, lzap, ofedoren, ranjan, sbernhard, shlomizadok, xprazak2


foreman_scap_client's Issues

Fail to Run scan RHEL7

Fails to run the scan and throws this error; all details are given in the configuration file.

    foreman_scap_client 1
    /usr/share/gems/gems/foreman_scap_client-0.1.2/lib/foreman_scap_client/client.rb:121:in `ensure_scan_file': undefined method `[]' for nil:NilClass (NoMethodError)
        from /usr/share/gems/gems/foreman_scap_client-0.1.2/lib/foreman_scap_client/client.rb:14:in `run'
        from /usr/share/gems/gems/foreman_scap_client-0.1.2/bin/foreman_scap_client:9:in `<top (required)>'
        from /bin/foreman_scap_client:23:in `load'
        from /bin/foreman_scap_client:23:in `'

Failure to install foreman_scap_client due to ncurses

Also posted in Foreman forums @ https://community.theforeman.org/t/cant-install-foreman-scap-client/21836

The issue is due to needing an older version of ncurses to install.

    [root@localhost bha]# yum info rubygem-foreman_scap_client
    Loaded plugins: product-id, search-disabled-repos, subscription-manager
    Available Packages
    Name        : rubygem-foreman_scap_client
    Arch        : noarch
    Version     : 0.4.6
    Release     : 1.el7sat
    Size        : 22 k
    Repo        : rhel-7-server-satellite-tools-6.7-rpms/x86_64
    Summary     : Client script that runs OpenSCAP scan and uploads the result
                : to foreman proxy
    URL         : https://github.com/openscap/foreman_scap_client
    License     : GPLv3
    Description : Client script that runs OpenSCAP scan and uploads the result
                : to foreman proxy.

    ---> Package pcre.i686 0:8.32-12.el7 will be installed
    --> Finished Dependency Resolution
    --> Finding unneeded leftover dependencies
    Found and removing 0 unneeded dependencies
    Error: Package: ncurses-libs-5.9-13.20130511.el7.i686 (rhel-7-server-rpms)
               Requires: ncurses-base = 5.9-13.20130511.el7
               Installed: ncurses-base-5.9-14.20130511.el7_4.noarch (@rhel-7-server-rpms)
                   ncurses-base = 5.9-14.20130511.el7_4
               Available: ncurses-base-5.9-13.20130511.el7.noarch (rhel-7-server-rpms)
                   ncurses-base = 5.9-13.20130511.el7
     You could try using --skip-broken to work around the problem
     You could try running: rpm -Va --nofiles --nodigest

bzip2ed xml should be sent

Currently we send XML without compression over the network. Foreman assumes bzip2ed XML and fails with:

    Could not read from bz_stream: BZ2_bzDecompress returns -5 [bz2.c:157]
    Could not create Result DataStream session: File is not Result DataStream. [ds_rds_session.c:54]
     (OpenSCAP::OpenSCAPError)
    /opt/rh/ruby193/root/usr/share/gems/gems/openscap-0.4.2/lib/openscap/openscap.rb:34:in `raise!'
    /opt/rh/ruby193/root/usr/share/gems/gems/openscap-0.4.2/lib/openscap/ds/arf.rb:30:in `initialize'
    /opt/rh/ruby193/root/usr/share/gems/gems/scaptimony-0.2.0/app/models/scaptimony/arf_report_raw.rb:48:in `new'
    /opt/rh/ruby193/root/usr/share/gems/gems/scaptimony-0.2.0/app/models/scaptimony/arf_report_raw.rb:48:in `build_arf'
    /opt/rh/ruby193/root/usr/share/gems/gems/scaptimony-0.2.0/app/models/scaptimony/arf_report_raw.rb:26:in `save_dependent_entities'
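The issue above is a client/server format mismatch: the proxy side expects a bzip2 stream and only discovers otherwise when BZ2_bzDecompress fails. The following is an added example (not foreman_scap_client's own code) of compressing the ARF with the system bzip2 before upload and refusing to build an upload whose body does not start with the bzip2 stream header, so the mismatch is caught on the client. Helper names are hypothetical and the Content-Type value is an assumption; the upload path /compliance/arf/<policy id> is the one shown in the issues on this page.

```ruby
# Added example, not foreman_scap_client's own code. Helper names are hypothetical.
require 'net/http'
require 'open3'
require 'uri'

# A bzip2 stream starts with "BZh" followed by the block-size digit 1..9.
BZIP2_MAGIC = /\ABZh[1-9]/

def bzip2_stream?(bytes)
  bytes.to_s.b.match?(BZIP2_MAGIC)
end

# Compress in memory with the system bzip2 (the client shells out to bzip2 too).
# Raises if bzip2 is missing or fails instead of silently sending plain XML.
def bzip2_compress(data)
  out, status = Open3.capture2('bzip2', '-c', stdin_data: data, binmode: true)
  raise "bzip2 failed (exit #{status.exitstatus.inspect})" unless status.success?
  out
end

# Build the POST for the ARF upload; the body must already be a bzip2 stream.
# Returns [uri, request] without sending anything.
def build_arf_upload(base_url, policy_id, body)
  raise ArgumentError, 'refusing to upload: body is not a bzip2 stream' unless bzip2_stream?(body)
  uri = URI.join(base_url, "/compliance/arf/#{Integer(policy_id)}")
  req = Net::HTTP::Post.new(uri)
  req['Content-Type'] = 'text/xml'      # assumed; the real client's header is not on this page
  req['Content-Encoding'] = 'x-bzip2'   # assumed; tells the receiver what it is getting
  req.body = body
  [uri, req]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample ARF fragment; a real run would read the oscap --results-arf file.
  xml = '<?xml version="1.0"?><arf:asset-report-collection/>'
  uri, req = build_arf_upload('https://foreman.local:9090', 1, bzip2_compress(xml))
  puts "would POST #{req.body.bytesize} bytes to #{uri}"
end
```

The check is deliberately on the bytes about to be sent, not on a flag saying "compression enabled": if a future refactor changes where compression happens, the guard still fails closed.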

tailoring file?

Would it be possible to reference a tailoring file in the config so something like this could be run?

    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp_tailored --tailoring-file tailored-rhel6.xml

Feature request: Downloading content and tailoring files from other sources [incl. basic authentication]

It seems that usually the scap client uses the same settings for uploading reports and for downloading content which is not suitable in some circumstances.
After installing Foreman with default settings, the proxy for uploading reports listens on :9090, but downloading content and tailoring files is available via API on :443.

Example configuration:

    # Foreman proxy to which reports should be uploaded
    :server: 'foreman.local'
    :port: 9090

    # HTTP proxy server for downloading remote resources
    :http_proxy_server:
    :http_proxy_port:

    # policies
    1:
      :profile: 'xccdf_org.ssgproject.content_profile_pci-dss'
      :content_path: '/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml'
      :download_path: '/api/compliance/policies/1/content/'

may lead to

    [root@local]# foreman_scap_client 1
    File /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml is missing. Downloading it from proxy.
    Download SCAP content xml from: https://foreman.local:9090/api/compliance/policies/1/content/
    SCAP content is missing and download failed with error: 404 "Not Found"

It should be possible to define the source via separate settings, e.g.

    :content_server: 'public-source.for.scap-content'
    :content_port: 443

And if so - the possibility to use basic authentication would be great too.

    # Foreman proxy to which reports should be uploaded
    :server: 'foreman.local'
    :port: 9090

    # HTTP content server for downloading remote resources (no proxy here - see below)
    :content_server: 'public-source.for.scap-content'
    :content_port: 443
    :content_user: 'scap-user'
    :content_pass: 'MyVerySecretPassword'

    # HTTP proxy server for downloading remote resources
    :http_proxy_server:
    :http_proxy_port:

In the end it should look like

    [root@local]# foreman_scap_client 1
    File /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml is missing. Downloading it from proxy.
    Download SCAP content xml from: https://public-source.for.scap-content/api/compliance/policies/1/content/
    Basic authentication enabled.
    DEBUG: running: oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_pci-dss  --results-arf /tmp/d20210813-29128-1ocljac/results.xml /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml
    Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml ... ok
    DEBUG: running: /usr/bin/env bzip2 /tmp/d20210813-29128-1ocljac/results.xml
    Uploading results to https://foreman.local:9090/compliance/arf/1
    Report uploaded, report id: 156
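An added example (not the project's own code) of how the separate content-source settings proposed in this feature request could be resolved in Ruby. The :content_server, :content_port, :content_user and :content_pass keys are the ones proposed above, not real client settings, and the helper names are hypothetical. The lookup falls back to :server/:port when no content server is set (the current behaviour), only ever builds https URLs so Basic credentials never travel in clear, and attaches the credentials to the content request alone, never to the report upload.

```ruby
# Added example, not foreman_scap_client's own code. Helper names are hypothetical.
require 'base64'
require 'net/http'
require 'openssl'
require 'uri'

# Constructed configs in the key layout shown in the feature request above.
REPORT_ONLY_CONFIG = {
  server: 'foreman.local', port: 9090,
  1 => { download_path: '/api/compliance/policies/1/content/' }
}.freeze

SPLIT_CONFIG = {
  server: 'foreman.local', port: 9090,
  content_server: 'public-source.for.scap-content', content_port: 443,
  content_user: 'scap-user', content_pass: 'MyVerySecretPassword',
  1 => { download_path: '/api/compliance/policies/1/content/' }
}.freeze

# Where to fetch content for a policy: the dedicated content server when
# configured, otherwise the report proxy. URI::HTTPS means no plain-http option.
def content_uri(config, policy_id)
  entry = config.fetch(policy_id) { raise ArgumentError, "policy #{policy_id} not in config" }
  URI::HTTPS.build(
    host: config[:content_server] || config[:server],
    port: config[:content_port] || config[:port],
    path: entry.fetch(:download_path)
  )
end

# GET request for the content. The Basic header is added only when a content
# user is configured, so the proxy-only setup sends no credentials at all.
def content_request(config, policy_id)
  uri = content_uri(config, policy_id)
  req = Net::HTTP::Get.new(uri)
  req.basic_auth(config[:content_user], config[:content_pass].to_s) if config[:content_user]
  [uri, req]
end

# TLS client for the content host: verify the server certificate against the
# CA bundle. The Foreman host certificate/key belong to the proxy connection
# and are deliberately not attached here.
def content_http(uri, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file
  http
end

if __FILE__ == $PROGRAM_NAME
  uri, req = content_request(SPLIT_CONFIG, 1)
  puts "GET #{uri} (auth: #{req['authorization'] ? 'basic' : 'none'})"
end
```

Because :content_pass sits in config.yaml, the file has to be root-owned with mode 0600 (the same requirement the private key path already imposes); the code does not read the password from anywhere else.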

FQDN in lower-case as certificate file name

Inconsistent certs path when the host name is set in upper-case:

    [root@JEDIPAM01 foreman_scap_client]# foreman_scap_client 1
    File /var/lib/openscap/content/6298742afc45309f86ac467c0c9a3e433ff505dd3d237dd8cbf72be1a02937bb.xml is missing. Downloading it from proxy
    Download scap content xml from: https://jedrhm02.gaca.itnn.ad:8443/compliance/policies/1/content
    Unable to load certs
    No such file or directory - /var/lib/puppet/ssl/certs/JEDIPAM01.gaca.itnn.ad.pem
    [root@JEDIPAM01 foreman_scap_client]# ll /var/lib/puppet/ssl/certs/JEDIPAM01.gaca.itnn.ad.pem
    ls: cannot access /var/lib/puppet/ssl/certs/JEDIPAM01.gaca.itnn.ad.pem: No such file or directory

Changes required in manifests/params.pp:

    class foreman_scap_client::params {
      # Puppet names the certificate files after the lower-cased certname
      $fqdn_s = downcase($fqdn)
      $ca_file          = pick($::rh_certificate_repo_ca_file, '/var/lib/puppet/ssl/certs/ca.pem')
      $host_certificate = pick($::rh_certificate_consumer_host_cert, "/var/lib/puppet/ssl/certs/${fqdn_s}.pem")
      $host_private_key = pick($::rh_certificate_consumer_host_key, "/var/lib/puppet/ssl/private_keys/${fqdn_s}.pem")
    }

Support online remediation

Support for online remediation here would lay the foundation for remediation from Foreman. This could be achieved by adding a boolean variable that controls whether --remediate is added to the oscap command.

Of course, this would consequently lead to the need for an update to the 'puppet-foreman_scap_client' project to support these changes.
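The README's usage section, the tailoring-file request and the remediation request above all come down to the same step: pick the policy block from config.yaml and turn it into an oscap invocation. The following added example (not foreman_scap_client's own code) does that in Ruby. The :tailoring_path, :remediate and :fetch_remote_resources keys are hypothetical names for the settings those issues ask for; the policy lookup also validates the block first, on the assumption (not confirmed on this page) that the "undefined method `[]' for nil" error in the first issue comes from a policy id that is absent from the config.

```ruby
# Added example, not foreman_scap_client's own code. The :tailoring_path,
# :remediate and :fetch_remote_resources keys are hypothetical.
require 'yaml'

# Constructed config in the layout of config.yaml shown in the README and issues.
SAMPLE_CONFIG = YAML.safe_load(<<~YAML, permitted_classes: [Symbol])
  :server: 'foreman.local'
  :port: 9090
  :fetch_remote_resources: true
  1:
    :profile: 'xccdf_org.ssgproject.content_profile_pci-dss'
    :content_path: '/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml'
    :tailoring_path: '/etc/foreman_scap_client/tailored-rhel7.xml'
    :remediate: true
  2:
    :profile: 'xccdf_org.ssgproject.content_profile_standard'
    :content_path: '/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml'
YAML

# Look up and validate the policy block for the id given on the command line,
# so a missing or incomplete policy fails with a message rather than a
# NoMethodError on nil further down.
def policy_config(config, policy_id)
  entry = config[policy_id] || config[policy_id.to_s.to_i]
  raise ArgumentError, "policy #{policy_id} is not defined in config.yaml" unless entry.is_a?(Hash)
  %i[profile content_path].each do |key|
    value = entry[key]
    raise ArgumentError, "policy #{policy_id} has no #{key}" unless value.is_a?(String) && !value.empty?
  end
  entry
end

# Build the oscap argument vector. Handing an array to Kernel#system (rather
# than a joined string) means no shell ever parses paths or profile names
# taken from the config file.
def oscap_command(config, policy_id, results_arf)
  entry = policy_config(config, policy_id)
  cmd = %w[oscap xccdf eval]
  cmd << '--fetch-remote-resources' if config[:fetch_remote_resources] == true
  cmd.push('--profile', entry[:profile])
  cmd.push('--tailoring-file', entry[:tailoring_path]) if entry[:tailoring_path]
  cmd << '--remediate' if entry[:remediate] == true   # online remediation is opt-in per policy
  cmd.push('--results-arf', results_arf, entry[:content_path])
end

# Run the scan. oscap exits 0 when every rule passed and 2 when the scan ran
# but some rules failed; both leave a usable ARF, so both count as success.
def run_scan(config, policy_id, results_arf)
  system(*oscap_command(config, policy_id, results_arf))
  status = $?
  !status.nil? && [0, 2].include?(status.exitstatus)
end

if __FILE__ == $PROGRAM_NAME
  puts oscap_command(SAMPLE_CONFIG, ARGV.fetch(0, '1'), '/tmp/results.xml').join(' ')
end
```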

Autoguess the paths to the certs/pems

Most common scenario would be to re-use puppet certificate infrastructure. Perhaps we can automagically autoguess usual path to the certificates.

Currently, when the config does not contain paths we get:

    [root@fedora20 tmp]# /usr/bin/foreman_scap_client 1
    DEBUG: running: oscap xccdf eval  --results-arf /tmp/d20150120-23771-1komslx/results.xml /usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml
    Uploading results to https://foreman.local.lan:8443/compliance/arf/1
    Unable to load certs
    no implicit conversion of nil into String
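The two certificate issues on this page (the upper-case FQDN not matching Puppet's lower-cased file names, and the nil-conversion error when the config carries no paths) can be handled in one place. This added example (not the project's own code) resolves the certificate paths: explicit config values win, otherwise the usual Puppet SSL locations are probed with a lower-cased FQDN, and if nothing is found the client fails with a message naming what it looked for. The candidate directory list and all helper names are assumptions; the permission check on the private key is an addition the issues do not ask for.

```ruby
# Added example, not foreman_scap_client's own code. Helper names and the
# candidate directory list are assumptions.
require 'fileutils'
require 'tmpdir'

# Puppet SSL directories to probe when the config gives no paths (assumed list).
DEFAULT_SSL_DIRS = ['/etc/puppetlabs/puppet/ssl', '/var/lib/puppet/ssl'].freeze

# Puppet names certificate files after the lower-cased certname, so the FQDN
# is normalised before the paths are built (the fix the FQDN issue asks for).
def puppet_cert_paths(ssl_dir, fqdn)
  name = fqdn.to_s.downcase
  {
    ca_file:          File.join(ssl_dir, 'certs', 'ca.pem'),
    host_certificate: File.join(ssl_dir, 'certs', "#{name}.pem"),
    host_private_key: File.join(ssl_dir, 'private_keys', "#{name}.pem")
  }
end

# First candidate directory in which all three files are readable, else nil.
def guess_cert_paths(fqdn, ssl_dirs = DEFAULT_SSL_DIRS)
  ssl_dirs.map { |dir| puppet_cert_paths(dir, fqdn) }
          .find { |paths| paths.values.all? { |p| File.readable?(p) } }
end

# Explicit config paths win; otherwise guess; otherwise fail with a message
# that names the lookup instead of "no implicit conversion of nil into String".
def resolve_cert_paths(config, fqdn, ssl_dirs = DEFAULT_SSL_DIRS)
  keys = %i[ca_file host_certificate host_private_key]
  explicit = keys.to_h { |k| [k, config[k]] }
  return explicit if explicit.values.all? { |v| v.is_a?(String) && !v.empty? }
  guessed = guess_cert_paths(fqdn, ssl_dirs)
  return guessed if guessed
  raise ArgumentError,
        "no certificate paths in config and none found for #{fqdn.to_s.downcase} under #{ssl_dirs.join(', ')}"
end

# A private key readable by group or others should be refused, not used.
def private_key_permissions_ok?(path)
  (File.stat(path).mode & 0o077).zero?
end

if __FILE__ == $PROGRAM_NAME
  # Stand-alone demo on a constructed SSL tree; real runs would use DEFAULT_SSL_DIRS.
  Dir.mktmpdir do |dir|
    %w[certs private_keys].each { |d| FileUtils.mkdir_p(File.join(dir, d)) }
    %w[certs/ca.pem certs/host01.example.test.pem private_keys/host01.example.test.pem]
      .each { |f| File.write(File.join(dir, f), "PEM\n") }
    paths = resolve_cert_paths({}, 'HOST01.example.test', [dir])
    puts paths[:host_certificate]
    puts "key permissions ok: #{private_key_permissions_ok?(paths[:host_private_key])}"
  end
end
```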

Fails to upload to server with undefined method `join'

Fails to upload to server:

    Uploading results to https://foremantesting.vm:8443/compliance/arf/5
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
    <HTML>
      <HEAD><TITLE>Internal Server Error</TITLE></HEAD>
      <BODY>
        <H1>Internal Server Error</H1>
        undefined method `join' for #&lt;String:0x007f4364434730&gt;
        <HR>
        <ADDRESS>
         WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e at
         foremantesting.vm:8443
        </ADDRESS>
      </BODY>
    </HTML>
    Upload failed: 500 "Internal Server Error "

If I do some monkey patching to force it to log to /tmp just so I can see the content of the result:

    module ForemanScapClient
      CONFIG_FILE = '/etc/foreman_scap_client/config.yaml'
      TMP_LOCATION = '/tmp'

      class Client
        def run(policy_id)
          @policy_id = policy_id
          ensure_scan_file
          Dir.mktmpdir do |dir|
            @tmp_dir = TMP_LOCATION   # keep results under /tmp instead of the temporary dir
            # remainder of the original run method unchanged
          end
        end
      end
    end

The results.xml looks normal enough (will attach)

Upstream ticket here: http://projects.theforeman.org/issues/15123
