Open Grieves


SCAP/PCI DSS v3 compliance on RHEL 7.2 with Satellite 6.1.7

Posted by Magnus Glantz 2016-02-21 23:27:43
Here’s how you get a good base for PCI DSS v3 compliance on Red Hat Enterprise Linux 7.2 using Red Hat Satellite 6.1.7 and OpenSCAP, which is in Technology Preview in Satellite at the moment.



Step 1: Install some RPMs.

If you only have a Red Hat Satellite server:
-Install these packages on the Satellite server:
# yum install ruby193-rubygem-foreman_openscap rubygem-smart_proxy_openscap puppet-foreman_scap_client

If you have a Red Hat Satellite and Capsule server(s):
-Install these packages on the Satellite server:
# yum install ruby193-rubygem-foreman_openscap rubygem-smart_proxy_openscap puppet-foreman_scap_client

-Install these packages on the Capsule server(s):
# yum install rubygem-smart_proxy_openscap puppet-foreman_scap_client

Step 2: Restart Satellite/Capsule services with:
# katello-service restart

Step 3: Add a cronjob for the foreman-proxy user on your Satellite and Capsule server(s) that runs the following command:
‘smart-proxy-openscap-send’

This pushes the collected compliance reports to the Satellite GUI.
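A crontab entry for the foreman-proxy user, as an added example that is not part of the original post; the every-30-minutes schedule and the full path /usr/bin/smart-proxy-openscap-send are assumptions, adjust both to your environment:

```crontab
# Install with: crontab -u foreman-proxy -e   (assumed schedule and path)
*/30 * * * * /usr/bin/smart-proxy-openscap-send
```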

Step 4. Add two Puppet modules available from Puppet Forge to your Content View:
-isimluk/foreman_scap_client
-puppetlabs/stdlib

Step 5: Promote Content View.

Step 6: Create a dedicated hostgroup for PCI DSS compliance. Call it whatever you like; its parent should be your ‘base SOE’ hostgroup. If you simply name it PCI DSS, you get:
‘RHEL 7 SOE / PCI DSS’

Step 7: Add the puppetlabs/stdlib Puppet module to your PCI DSS hostgroup.

Step 8: Download the following file from your Satellite server:
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
(Owned by package scap-security-guide)

Step 9: Go to Hosts > SCAP Contents (at the bottom of the Hosts menu).

Step 10: Click ‘New SCAP content’

Title: RHEL7.2 Security Guides
Scap file: <upload ssg-rhel7-ds.xml>
Location: Default Location?
Organisation: Default Organisation?

Step 11: Go to Hosts > Policies (at the bottom of the Hosts menu).

Step 12: Click ‘New Compliance Policy’.
Name: PCIDSSv3
Description: Payment Card Industry Data Security Standard, Version 3
(Click Next)
SCAP Content: RHEL7.2 Security Guides
XCCDF Profile: Draft PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
(Click Next)
Period: <Whatever you like>
(Click Next)
Locations: Default location?
(Click Next)
Organisations: Default organisation?
(Click Next)
Host groups: <Select your PCI DSS hostgroup>

Step 13: In your Kickstart Default provisioning template, add the following code. (Please note that if you have not cloned your Kickstart Default provisioning template, you have to do that first to be able to edit it.) Insert it after the line ‘skipx’ and before the line ‘<% subnet = @host.subnet -%>’:

<% if @host.hostgroup.to_s == "RHEL7 SOE Development/PCI DSS" -%>
%addon org_fedora_oscap
content-type = scap-security-guide
profile = pci-dss
%end
<% end -%>

(In the above example, my PCI DSS hostgroup is called PCI DSS and its parent is RHEL7 SOE Development.)

Step 14: In your Kickstart Default provisioning template, add the following code to be executed in %post (adjust as required):

# Put the name of the hostgroup into a variable
HOSTGROUP="<%= @host.hostgroup.to_s %>"

# If the host is in the PCI DSS hostgroup, apply the PCI DSS v3 SCAP profile with remediation.
if echo "$HOSTGROUP" | grep -q "PCI DSS"; then
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml >/tmp/pcidss-hardening 2>&1
fi

# Send the SCAP report at boot-up (on RHEL 7, rc.local is only executed if /etc/rc.d/rc.local is executable)
echo "foreman_scap_client 1" >>/etc/rc.d/rc.local
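Remediation in %post only tells you what it could fix, not what is still failing. As an added example that is not part of the original post, the POSIX shell script below summarises an XCCDF results file and lists the failing rule ids, so the %post step can log them; it assumes you add ‘--results /tmp/pcidss-results.xml’ to the oscap command above so that such a file exists. The results sample embedded in the script is constructed, and its rule ids are illustrative only.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the XCCDF results
# that "oscap xccdf eval --results FILE ..." writes, so the %post step (or the
# boot-time report) can log which PCI DSS rules are still failing after
# "--remediate" has run. Assumptions: results are XCCDF 1.2 with either
# unprefixed or "xccdf:"-prefixed elements; the sample below is constructed
# and its rule ids are illustrative only.

# in_pci_hostgroup HOSTGROUP: the same substring test the %post snippet uses
in_pci_hostgroup() {
    case "$1" in
        *"PCI DSS"*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_results FILE STATUS: number of <rule-result> entries whose <result> is
# STATUS (pass, fail, notapplicable, notchecked, error, ...). awk splits the
# file on "<", so each record is one element, e.g. "result>fail".
count_results() {
    awk -v want="$2" 'BEGIN { RS = "<"; n = 0 }
        /^(xccdf:)?result>/ { split($0, f, ">"); if (f[2] == want) n++ }
        END { print n }' "$1"
}

# failing_rules FILE: print the idref of every rule whose result is "fail"
failing_rules() {
    awk 'BEGIN { RS = "<" }
        /^(xccdf:)?rule-result[ >]/ {
            if (match($0, /idref="[^"]*"/))
                id = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /^(xccdf:)?result>fail/ { print id }' "$1"
}

# compliance_summary FILE: print "pass=P fail=F other=O"; exit status is 0
# only when nothing failed, so it can gate a log message in %post
compliance_summary() {
    pass=$(count_results "$1" pass)
    fail=$(count_results "$1" fail)
    total=$(awk 'BEGIN { RS = "<"; n = 0 }
        /^(xccdf:)?rule-result[ >]/ { n++ }
        END { print n }' "$1")
    echo "pass=$pass fail=$fail other=$((total - pass - fail))"
    [ "$fail" -eq 0 ]
}

# Constructed sample results file (not captured from a real host)
SAMPLE_RESULTS=$(mktemp)
cat > "$SAMPLE_RESULTS" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_avahi_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
EOF

# Stand-alone demo: what the %post step could log after remediation
if in_pci_hostgroup "RHEL7 SOE Development/PCI DSS"; then
    if ! compliance_summary "$SAMPLE_RESULTS"; then
        echo "rules still failing after remediation:"
        failing_rules "$SAMPLE_RESULTS"
    fi
fi
```

In %post you would call compliance_summary on the real results file and append its output and the failing rule list to /tmp/pcidss-hardening, which gives you a record of the residual gap on every freshly installed PCI DSS host rather than only the remediation log.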

Step 15: There are no more steps! Install a new system and behold how much simpler PCI DSS compliance has become :)

Note: Of course, just applying a best-practice guide does not make you PCI DSS compliant; there is much more to it than that, but this helps, a lot :)
