diff --git a/CHANGELOG.md b/CHANGELOG.md index 739a9dd6a76..1599a2249ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +- Improved the appearance of Web UI instructions in Administration + Guide (bsc#1250451) - Improved example for proxy bootstrap script in Client Configuration Guide (bsc#1251117) - Corrected the images files location in Administration guide diff --git a/modules/administration/pages/openscap.adoc b/modules/administration/pages/openscap.adoc index 8d22d555b9e..4068b202f60 100644 --- a/modules/administration/pages/openscap.adoc +++ b/modules/administration/pages/openscap.adoc @@ -10,6 +10,7 @@ It allows you to schedule and view compliance scans for any client. == About SCAP + The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. It is a line of specifications maintained by the National Institute of Standards and Technology (NIST) for maintaining system security for enterprise systems. @@ -32,7 +33,7 @@ For more information about the {suse} Security Team, see https://www.suse.com/s -== Prepare Clients for an SCAP Scan +== Prepare clients for an SCAP scan Before you begin, you need to prepare your client systems for SCAP scanning. @@ -89,7 +90,7 @@ For Non-{suse} operating systems the included profiles are community supplied. They are not officially supported by {suse}. ==== -== OpenSCAP Content Files +== OpenSCAP content files OpenSCAP uses SCAP content files to define test rules. These content files are created based on the XCCDF or OVAL standards. 
@@ -172,24 +173,33 @@ Take a note of the file paths and profiles for performing the scan. -== Perform an Audit Scan +== Perform an audit scan When you have installed or transferred your content files, you can perform audit scans. Audit scans can be triggered using the {productname} {webui}. You can also use the {productname} API to schedule regular scans. -.Procedure: Running an Audit Scan from the {webui} +.Procedure: Running an audit scan from the {webui} +[role=procedure] +_____ + . In the {productname} {webui}, navigate to menu:Systems[Systems List] and select the client you want to scan. + . Navigate to the [guimenu]``Audit`` tab, and the [guimenu]``Schedule`` subtab. + . In the [guimenu]``Path to XCCDF Document`` field, enter the parameters for the SCAP template and profile you want to use on the client. For example: + + ----- - Command: /usr/bin/oscap xccdf eval - Command-line arguments: --profile xccdf_org.ssgproject.content_profile_stig - Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml ----- + + * [literal]``Command``: /usr/bin/oscap xccdf eval + + * [literal]``Command-line arguments``: --profile xccdf_org.ssgproject.content_profile_stig + + * [literal]``Path to XCCDF document``: /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml + + + [NOTE] ==== If you use [literal]``--fetch-remote-resources`` parameter a lot of RAM is required. @@ -198,6 +208,7 @@ In addition, you may need to increase the value of [literal]``file_recv_max_size . The scan runs at the client's next scheduled synchronization. +_____ [IMPORTANT] ==== 
@@ -206,11 +217,17 @@ If the content file includes invalid arguments, the test fails. ==== -.Procedure: Running an Audit Scan from the API +.Procedure: Running an audit scan from the API +[role=procedure] +_____ + . Before you begin, ensure that the client to be scanned has Python and XML-RPC libraries installed. + . Choose an existing script or create a script for scheduling a system scan through ``system.scap.scheduleXccdfScan``. For example: + + + ---- #!/usr/bin/python3 import xmlrpc.client @@ -221,18 +238,25 @@ client.system.scap.scheduleXccdfScan(key, <1000010001>, '--profile ') client.auth.logout(session_key) ---- + + + In this example: + * ``<1000010001>`` is the system ID (sid). + * ```` is the path to the content file location on the client. For example, [path]``/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml``. + * ```` is an additional argument for the [command]``oscap`` command. For example, use ``united_states_government_configuration_baseline`` (USGCB). + . Run the script on the client you want to scan, from the command prompt. +_____ -== Scan Results +== Scan results Information about the scans you have run is in the {productname} {webui}. @@ -293,6 +317,7 @@ For more information, see xref:administration:ansible-setup-control-node.adoc[]. Packages, channels and scripts are different for each operating system and distribution. Examples are listed in the <> section. + ==== Run the Bash script on single systems as a remote command Run the Bash script as a remote command on single systems.
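Review bot: In the openscap.adoc hunk at `@@ -172,24 +173,33 @@`, the three new bullets mark only the field labels as `[literal]` and leave the values the reader has to enter (`/usr/bin/oscap xccdf eval`, `--profile xccdf_org.ssgproject.content_profile_stig`, and the content file path) as plain text, whereas the removed listing block rendered them verbatim. Suggest swapping the roles: put the labels in `[guimenu]`, since they are Web UI fields like ``Path to XCCDF Document`` in the step above, and put the values in `[literal]` so they copy exactly. The same field is spelled "Path to XCCDF Document" in the step and "Path to XCCDF document" in the bullet, so pick one. The IMPORTANT block after this procedure says the test fails on invalid arguments, which is why verbatim rendering of these values matters.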
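Review bot: In the openscap.adoc hunk at `@@ -221,18 +238,25 @@`, the example listing that this change re-wraps passes `key` to `client.system.scap.scheduleXccdfScan(...)` but then calls `client.auth.logout(session_key)`. Unless both names are assigned in the lines not shown here, one of the two calls fails with a NameError, and in the logout case the API session is left open. Since the listing is being touched anyway, use one name for the session token in both calls. The system ID placeholder `<1000010001>` also sits unquoted inside the call, so the listing is not valid Python until the angle brackets are removed; the "In this example" list would be the place to say that the brackets mark a placeholder.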