diff --git a/CHANGELOG.md b/CHANGELOG.md index fc52b7fa15f..713423b09ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +- Improved the appearance of Web UI instructions in Administration + Guide (bsc#1250451) - Improved example for proxy bootstrap script in Client Configuration Guide (bsc#1251117) - Added new workflow for liberating RHEL server in Common Workflows diff --git a/modules/administration/pages/openscap.adoc b/modules/administration/pages/openscap.adoc index b623d77cd67..4891e5ae5e5 100644 --- a/modules/administration/pages/openscap.adoc +++ b/modules/administration/pages/openscap.adoc @@ -33,7 +33,7 @@ For more information about the {suse} Security Team, see https://www.suse.com/s -== Prepare Clients for an SCAP Scan +== Prepare clients for an SCAP scan Before you begin, you need to prepare your client systems for SCAP scanning. @@ -90,7 +90,7 @@ For Non-{suse} operating systems the included profiles are community supplied. They are not officially supported by {suse}. ==== -== OpenSCAP Content Files +== OpenSCAP content files OpenSCAP uses SCAP content files to define test rules. These content files are created based on the XCCDF or OVAL standards. 
@@ -173,24 +173,33 @@ Take a note of the file paths and profiles for performing the scan. -== Perform an Audit Scan +== Perform an audit scan When you have installed or transferred your content files, you can perform audit scans. Audit scans can be triggered using the {productname} {webui}. You can also use the {productname} API to schedule regular scans. -.Procedure: Running an Audit Scan from the {webui} +.Procedure: Running an audit scan from the {webui} +[role=procedure] +_____ + . In the {productname} {webui}, navigate to menu:Systems[Systems List] and select the client you want to scan. + . Navigate to the [guimenu]``Audit`` tab, and the [guimenu]``Schedule`` subtab. + . In the [guimenu]``Path to XCCDF Document`` field, enter the parameters for the SCAP template and profile you want to use on the client. For example: + + ----- - Command: /usr/bin/oscap xccdf eval - Command-line arguments: --profile xccdf_org.ssgproject.content_profile_stig - Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml ----- + + * [literal]``Command``: /usr/bin/oscap xccdf eval + + * [literal]``Command-line arguments``: --profile xccdf_org.ssgproject.content_profile_stig + + * [literal]``Path to XCCDF document``: /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml + + + [NOTE] ==== If you use [literal]``--fetch-remote-resources`` parameter a lot of RAM is required. @@ -199,6 +208,7 @@ In addition, you may need to increase the value of [literal]``file_recv_max_size . The scan runs at the client's next scheduled synchronization. +_____ [IMPORTANT] ==== 
@@ -207,11 +217,17 @@ If the content file includes invalid arguments, the test fails. ==== -.Procedure: Running an Audit Scan from the API +.Procedure: Running an audit scan from the API +[role=procedure] +_____ + . Before you begin, ensure that the client to be scanned has Python and XML-RPC libraries installed. + . Choose an existing script or create a script for scheduling a system scan through ``system.scap.scheduleXccdfScan``. For example: + + + ---- #!/usr/bin/python3 import xmlrpc.client @@ -222,18 +238,25 @@ client.system.scap.scheduleXccdfScan(key, <1000010001>, '--profile ') client.auth.logout(session_key) ---- + + + In this example: + * ``<1000010001>`` is the system ID (sid). + * ```` is the path to the content file location on the client. For example, [path]``/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml``. + * ```` is an additional argument for the [command]``oscap`` command. For example, use ``united_states_government_configuration_baseline`` (USGCB). + . Run the script on the client you want to scan, from the command prompt. +_____ -== Scan Results +== Scan results Information about the scans you have run is in the {productname} {webui}. @@ -294,6 +317,7 @@ For more information, see xref:administration:ansible-setup-control-node.adoc[]. Packages, channels and scripts are different for each operating system and distribution. Examples are listed in the <> section. + ==== Run the Bash script on single systems as a remote command Run the Bash script as a remote command on single systems.
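Review bot: in the CHANGELOG hunk the entry "Improved the appearance of Web UI instructions in Administration Guide" undersells the change. The same patch also restructures the API procedure and switches the OpenSCAP headings to sentence case ("Prepare clients for an SCAP scan", "OpenSCAP content files", "Scan results"). Consider wording it as "Reworked the OpenSCAP audit scan procedures (Web UI and API) and heading case in Administration Guide (bsc#1250451)" so the entry matches what the diff does.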
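Review bot: in the `@@ -173,24 +173,33 @@` hunk, step 3 still says "In the [guimenu]``Path to XCCDF Document`` field, enter the parameters for the SCAP template and profile you want to use on the client", but the values that follow now fill three separate fields (Command, Command-line arguments, Path to XCCDF document), so the sentence points at only one of them. Reword it along the lines of "Fill in the scan fields with the SCAP template and profile you want to use on the client. For example:". Converting the `-----` listing into bullets also drops the monospace from the values; wrap `/usr/bin/oscap xccdf eval`, `--profile xccdf_org.ssgproject.content_profile_stig` and the `.xml` path in backticks so they stay copy-paste safe (the API procedure keeps its `----` block for the same reason). Finally, the two bare `+` continuation lines before `[NOTE]` should be checked in a rendered build: the note must attach to step 3 as a whole, not to the last bullet.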
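Review bot: in the `@@ -199,6 +208,7 @@` hunk the closing `_____` confirms that the procedure is wrapped in a quote block (four or more underscores), which by default renders as a blockquote, indented and usually italic, rather than as a plain procedure. Unless the site stylesheet specifically styles `[role=procedure]` on quote blocks, an open block (`--` ... `--`) carrying the same role is the safer wrapper; whichever is chosen should match what the other procedures in the guide use.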
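Review bot: in the `@@ -222,18 +238,25 @@` hunk the example script carries two defects that are worth fixing while the surrounding list is being restructured: `client.system.scap.scheduleXccdfScan(key, <1000010001>, '--profile ')` uses `key` while `client.auth.logout(session_key)` uses `session_key`, so one of the two names is wrong, and `<1000010001>` is not valid Python (use a bare integer and state in the text that it is a placeholder system ID). The two "In this example" bullets that begin `* ```` ```` is ...` show an empty monospace span in this diff, as does the trailing `'--profile '` argument; make sure the placeholder text did not get lost in the move.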
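Review bot: in the `@@ -294,6 +317,7 @@` hunk the added blank line before `==== Run the Bash script on single systems as a remote command` is fine, but the context line just above it, "Examples are listed in the <> section.", has an empty xref target. It is outside this change, but since the file is being edited anyway it should get a target in the same pass.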