Security & Compliance automation and reports with Foreman & OpenSCAP
#OSMC 2016
@shlomizadok
/me
https://{twitter,github}.com/shlomizadok
Senior software engineer @ Red Hat
Foreman team member
Foreman-OpenSCAP plugins maintainer
!security_expert ;)
Stop the lies!!!!11
The internet is safe!
No one will attack you...
No one will abuse your servers / VMs. #3v3r!
Or steal your clients data
Or maybe they will?
* much needed promotional video ;)
Foreman + OpenSCAP for the rescue!
Foreman 101
Monitoring / Configuration / Provisioning
Provisioning
Provision new machines or containers to (almost) anything:
Bare metal, oVirt, libvirt, VMware, Docker, EC2, Rackspace,
Digital Ocean, OpenStack, etc.
* If we don't support it today, we can via new plugins
Configuration
● Puppet
● Via plugins:
✔ Chef
✔ Salt
✔ Ansible
● Automatic registration & setup of clients, including autosigning certs/keys
● Defining:
● Classes / states
● Parameters / pillars
● Inventory data:
● Facts / Grains
● results of configuration runs
Monitoring
● Generic API with graphs/trends:
✔ System Inventories
✔ Reports from runs
✔ Generic reports: ABRT, OpenSCAP
● Context sensitive search:
✔ Not full-text (SQL level)
✔ Keyword completion
✔ Works across whole application
SCAP
Security Content Automation Protocol
Define security and audit rulez
Scan your systems and test if the rules apply
Report scan results, decide if compliant or not
OpenSCAP
Base tool `oscap`
SCAP Workbench
OSCAP Anaconda Add-on
OpenSCAP Daemon
Scaptimony
More @ open-scap.org
Foreman OpenSCAP
Helps you apply OpenSCAP scans on hosts
Helps scheduling OpenSCAP scans
UI for reporting and monitoring
Foreman OpenSCAP - Concepts
● SCAP content
● Profile
● Policy
● ARF Report
Foreman OpenSCAP - flow
● Assign policy to host(group)
● Puppet installs foreman_scap_client, and configures it
● SCAP content is downloaded to host
● `oscap` scanner runs, and generates Report
● Report parsed and uploaded to Foreman
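The last step of the flow (and the "report scan results, decide if compliant or not" point from the SCAP slide) is where the ARF report produced by `oscap` is turned into a per-host verdict. The following is an added example, not code from the talk, from foreman_scap_client or from the Foreman OpenSCAP plugin: it parses a trimmed, constructed ARF document with Python's standard library and counts rule results. The ARF 1.1 and XCCDF 1.2 namespaces are the real ones; the grouping into passed/failed/othered and the rule "compliant means zero failed rules" are this example's own assumptions about how a verdict is reached, not a description of Foreman's internal logic.

```python
"""Parse an ARF (Asset Reporting Format) result and decide compliance.

Added example; not part of the OSMC talk, foreman_scap_client or the
Foreman OpenSCAP plugin.  Namespaces are the standard ARF 1.1 / XCCDF 1.2
ones.  The passed/failed/othered grouping and the "no failures == compliant"
rule are assumptions made for this example.
"""
import xml.etree.ElementTree as ET
from collections import Counter

ARF_NS = "http://scap.nist.gov/schema/asset-reporting-format/1.1"
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: a heavily trimmed ARF document holding one XCCDF
# TestResult with four rule-result entries.  Real `oscap` output is far
# larger (it embeds the benchmark, OVAL results and asset data as well).
SAMPLE_ARF = f"""<arf:asset-report-collection xmlns:arf="{ARF_NS}">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_example"
                    start-time="2016-11-29T10:00:00" end-time="2016-11-29T10:00:30">
          <profile idref="xccdf_org.example_profile_demo"/>
          <target>host01.example.com</target>
          <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login">
            <result>pass</result>
          </rule-result>
          <rule-result idref="xccdf_org.example_rule_package_telnet_removed">
            <result>fail</result>
          </rule-result>
          <rule-result idref="xccdf_org.example_rule_selinux_enforcing">
            <result>notapplicable</result>
          </rule-result>
          <rule-result idref="xccdf_org.example_rule_grub2_password">
            <result>error</result>
          </rule-result>
        </TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""

# Assumed grouping of XCCDF result values (XCCDF 1.2 defines: pass, fail,
# error, unknown, notapplicable, notchecked, notselected, informational, fixed).
PASSED = {"pass", "fixed"}
FAILED = {"fail"}
NEEDS_REVIEW = {"error", "unknown"}  # the check itself did not run cleanly


def _first_test_result(xml_text):
    """Return the first XCCDF TestResult element, wherever it sits in the ARF tree."""
    root = ET.fromstring(xml_text)
    test_result = next(root.iter(f"{{{XCCDF_NS}}}TestResult"), None)
    if test_result is None:
        raise ValueError("no XCCDF TestResult found in ARF document")
    return test_result


def rule_results(xml_text):
    """Return {rule_id: result_string} for every rule-result in the TestResult."""
    results = {}
    for rr in _first_test_result(xml_text).iter(f"{{{XCCDF_NS}}}rule-result"):
        text = rr.findtext(f"{{{XCCDF_NS}}}result", default="unknown")
        results[rr.get("idref")] = text.strip()
    return results


def classify(result):
    """Map a raw XCCDF result value onto passed / failed / othered (assumed grouping)."""
    if result in PASSED:
        return "passed"
    if result in FAILED:
        return "failed"
    return "othered"


def scan_metadata(xml_text):
    """Extract host, profile and timing from the TestResult for the report header."""
    tr = _first_test_result(xml_text)
    profile = tr.find(f"{{{XCCDF_NS}}}profile")
    return {
        "target": tr.findtext(f"{{{XCCDF_NS}}}target"),
        "profile": profile.get("idref") if profile is not None else None,
        "start": tr.get("start-time"),
        "end": tr.get("end-time"),
    }


def compliance_summary(xml_text):
    """Count results and decide the verdict: compliant iff no rule failed (assumption).

    Rules whose check errored out are listed separately so a silent "no failures"
    does not hide a scanner that could not evaluate them.
    """
    results = rule_results(xml_text)
    counts = Counter(classify(r) for r in results.values())
    return {
        "passed": counts["passed"],
        "failed": counts["failed"],
        "othered": counts["othered"],
        "compliant": counts["failed"] == 0,
        "failed_rules": sorted(rid for rid, r in results.items() if classify(r) == "failed"),
        "needs_review": sorted(rid for rid, r in results.items() if r in NEEDS_REVIEW),
    }


if __name__ == "__main__":
    meta = scan_metadata(SAMPLE_ARF)
    summary = compliance_summary(SAMPLE_ARF)
    print(f"{meta['target']} / {meta['profile']}: "
          f"passed={summary['passed']} failed={summary['failed']} othered={summary['othered']} "
          f"compliant={summary['compliant']}")
    for rid in summary["failed_rules"]:
        print("  FAILED:", rid)
    for rid in summary["needs_review"]:
        print("  REVIEW:", rid)
```

Using `iter()` rather than a fixed path keeps the parser indifferent to how deeply the TestResult is nested inside `arf:content`, which varies between scanner versions. The separate `needs_review` list matters for monitoring: a rule that returned `error` is neither a pass nor a fail, and a dashboard that only counts failures would report such a host as clean.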
DEMO
Future improvements
● Tailoring file
● Remediation via ReX
● Improve monitoring
Questions?

OSMC 2016: Security and Compliance Automation and Reports with Foreman by Shlomi Zadok