Open Grieves

Assimilate quickly!

You must comply!

SCAP/PCI DSS v3 compliance on RHEL 7.2 with Satellite 6.1.7

Posted by Magnus Glantz, 2016-02-21 23:27:43 (category: You must read)
Here's how you get a good base for PCI DSS v3 compliance on Red Hat Enterprise Linux 7.2 using Red Hat Satellite 6.1.7 and OpenSCAP, which is currently in Technology Preview in Satellite.

Step 1: Install some RPMs.

If you only have a Red Hat Satellite server:
- Install these packages on the Satellite server:
# yum install ruby193-rubygem-foreman_openscap rubygem-smart_proxy_openscap puppet-foreman_scap_client

If you have a Red Hat Satellite and Capsule server(s):
- Install these packages on the Satellite server:
# yum install ruby193-rubygem-foreman_openscap rubygem-smart_proxy_openscap puppet-foreman_scap_client

- Install these packages on the Capsule server(s):
# yum install rubygem-smart_proxy_openscap puppet-foreman_scap_client

Step 2: Restart Satellite/Capsule services with:
# katello-service restart

Step 3: Add a cronjob for the foreman-proxy user on your Satellite and Capsule(s) that runs the following command:
'smart-proxy-openscap-send'

This pushes the collected reports to the Satellite GUI.

Step 4. Add two Puppet modules available from Puppet Forge to your Content View:
-isimluk/foreman_scap_client
-puppetlabs/stdlib

Step 5: Promote Content View.

Step 6: Create a dedicated hostgroup for PCI DSS compliance. Name it whatever you like; its parent should be your 'base SOE' hostgroup. Calling it simply PCI DSS gives you something like this:
'RHEL 7 SOE / PCI DSS'

Step 7: Add the puppetlabs/stdlib Puppet module to your PCI DSS hostgroup.

Step 8: Download the following file from your Satellite server:
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
(Owned by package scap-security-guide)

Step 9: Go to Hosts > SCAP Contents (at the bottom of the Hosts menu).

Step 10: Click ‘New SCAP content’

Title: RHEL7.2 Security Guides
Scap file: <upload ssg-rhel7-ds.xml>
Location: Default Location?
Organisation: Default Organisation?

Step 11: Go to Hosts > Policies (at the bottom of the Hosts menu).

Step 12: Click ‘New Compliance Policy’.
Name: PCIDSSv3
Description: Payment Card Industry Data Security Standard, Version 3
(Click Next)
SCAP Content: RHEL7.2 Security Guides
XCCDF Profile: Draft PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
(Click Next)
Period: <Whatever you like>
(Click Next)
Locations: Default location?
(Click Next)
Organisations: Default organisation?
(Click Next)
Host groups: <Select your PCI DSS hostgroup>

Step 13: In your Kickstart Default provisioning template, add the following code. (Note that if you have not cloned your Kickstart Default provisioning template, you have to do that first to be able to edit it.)
<% if @host.hostgroup.to_s == "RHEL7 SOE Development/PCI DSS" -%>
%addon org_fedora_oscap
content-type = scap-security-guide
profile = pci-dss
%end
<% end -%>
Place it after the line 'skipx' and before the line '<% subnet = @host.subnet -%>'.

(In the above example, my PCI DSS hostgroup is called PCI DSS and its parent is RHEL7 SOE Development.)

Step 14: In your Kickstart Default provisioning template, add the following code to be executed in %post (adjust as required):

# Put the name of the hostgroup into a variable
HOSTGROUP="<%= @host.hostgroup.to_s %>"

# If the PCI DSS hostgroup was selected, apply the PCI DSS v3 SCAP profile with remediation.
# The oscap output is kept in /tmp/pcidss-hardening for troubleshooting.
if echo "$HOSTGROUP" | grep "PCI DSS" >/dev/null; then
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml >/tmp/pcidss-hardening 2>&1
fi

# Send a SCAP report at boot-up (the argument is the numeric id of your compliance policy).
# On RHEL 7, rc.local is only executed if the file is executable.
echo "foreman_scap_client 1" >>/etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local

Step 15: There are no more steps! Install a new system and behold how much simpler PCI DSS compliance has become :)

Note: Of course, just applying a best-practice guide does not make you PCI DSS compliant; there is much more to it than that. But it helps, a lot :)
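After provisioning, a practitioner will want to verify that the %post hardening actually ran with the pci-dss profile and which rules still fail. The following added example (not from the original post) parses an XCCDF 1.2 results file of the kind oscap writes when you add --results results.xml to the oscap xccdf eval command above; the rule ids in the embedded sample are constructed placeholders in SSG naming style, not real SSG rules.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
PCI_PROFILE = "xccdf_org.ssgproject.content_profile_pci-dss"

# Constructed sample of what oscap writes to the --results file: one
# <TestResult> holding the evaluated profile and one <rule-result> per rule.
# The rule ids are placeholders in SSG naming style, not real SSG rules.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
    <profile idref="xccdf_org.ssgproject.content_profile_pci-dss"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_d" severity="high">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarise(xml_text, expected_profile=PCI_PROFILE):
    """Return (profile_matches, {result: count}, [(failed_rule_id, severity)])."""
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element in results document")
    # Guard against a results file produced with some other profile
    profile = test_result.find("x:profile", XCCDF_NS)
    profile_matches = profile is not None and profile.get("idref") == expected_profile
    counts, failed = Counter(), []
    for rule in test_result.findall("x:rule-result", XCCDF_NS):
        outcome = rule.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rule.get("idref"), rule.get("severity", "unknown")))
    return profile_matches, dict(counts), failed


def is_compliant(xml_text, expected_profile=PCI_PROFILE):
    """True only if the expected profile was evaluated and no rule failed."""
    profile_matches, _, failed = summarise(xml_text, expected_profile)
    return profile_matches and not failed
```

Run summarise() over the real results file from a freshly provisioned host; a non-empty failed list after --remediate is the list of rules you still have to handle by hand.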

Permalink: blog.hacka.net/#post120

Satellite 6.1.7 and SCAP

Posted by Magnus Glantz, 2016-02-20 20:11:25 (category: Out of trouble)
If you're trying to set up SCAP with Red Hat Satellite 6.1.7 and encounter the error message below on your client when running 'puppet agent -t':

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Unknown function pick at /etc/puppet/environments/KT_Default_Organization_Library_CONTENTVIEW_2/modules/foreman_scap_client/manifests/params.pp:2

The fix is to add the 'puppetlabs/stdlib' module to your content view/host; the foreman_scap_client module depends on its pick() function.

That was all.

Permalink: blog.hacka.net/#post119

KS-tree and initial sync of repos in Satellite 6

Posted by Magnus Glantz, 2016-02-20 12:18:07 (category: Out of trouble)
If you cancel a synchronization the first time you sync one of your RHEL repositories and leave it as 'pending', Satellite 6 will not create the default 'Installation Media' when you sync your kickstart tree. So if installation media are not being created even though the kickstart tree synced successfully, check that you do not have an earlier repository sync still 'pending'.

Permalink: blog.hacka.net/#post118

Monitoring Puppet Forge sync on Satellite 6.1.7

Posted by Magnus Glantz, 2016-02-18 15:29:22 (category: Out of trouble)
If you sync Puppet Forge into Satellite 6.1, you may think it's not working. Looking at the task progress, it states 0%. Looking in Sync Status, it says something like:

'Total module count: 3970.'

...but no progress is indicated.

This is a display bug; plenty is actually happening. You can track progress by grepping /var/log/messages on your Satellite server, counting one connection to the Forge per module fetched:

# watch 'echo "Puppet modules synced in so far: $(grep "pulp: requests.packages.urllib3.connectionpool:INFO: Starting new HTTP connection (1): forge.puppetlabs.com" /var/log/messages|wc -l)"'

---
Puppet modules synced in so far: 1247
---

Sync rate on my VM with 8 GB RAM and limited CPU was ~1-1.5 modules/second, so approximately 1 hour to sync all modules in Puppet Forge.

Permalink: blog.hacka.net/#post117

How much diskspace does Satellite 6 with RHEL7 synced-in require?

Posted by Magnus Glantz, 2016-02-18 15:22:37 (category: You must read)
If you're doing a quick demo installation of Red Hat Satellite 6.1, you may wonder how much (or how little) disk space you can get away with. The answer, running on a minimal installation of Red Hat Enterprise Linux 7.2, excluding the RHEL7 Supplementary repo but including:

* Red Hat Enterprise Linux 7 Server RPMs x86_64 7Server
* Red Hat Enterprise Linux 7 Server - Extras RPMs x86_64
* Red Hat Enterprise Linux 7 Server - Optional RPMs x86_64 7Server
* Red Hat Satellite Tools 6.1 for RHEL 7 Server RPMs x86_64
* Red Hat Enterprise Linux 7 Server Kickstart x86_64 7.2

and
* Puppet forge (~3950 modules)

is approximately 36 GB of total space, excluding swap, as of this writing :-)

Permalink: blog.hacka.net/#post116

Red Hat Solution Architect in the nordics

Posted by Magnus Glantz, 2016-02-18 12:16:25 (category: You must read)
So. I'm now employed at Red Hat as a Solution Architect in the Nordics. Primarily I work in Denmark. If you are also located there and want to know more about what cool stuff can be done with Red Hat's products, let me know. My area of specialty is in and around infrastructure, LCM, IaaS, PaaS, SaaS, migration, HA, SoE, etc.

/ sudo 'thatthingthatgoesbeforethedomainname' redhat dotcom..

Permalink: blog.hacka.net/#post115

Fedora 23 on VirtualBox 5.0.14

Posted by Magnus Glantz, 2016-02-17 21:10:04 (category: Out of trouble)
VirtualBox does not support the version of Xorg that F23 ships with. So, to fix the screen resolution, run this on your F23 system (it downgrades the X server to the Fedora 22 build):

# dnf --showduplicates --allowerasing --releasever=22 downgrade xorg-x11-server-Xorg

Then apply guest additions and reboot.

Done.

Permalink: blog.hacka.net/#post114

Satellite 6.1: Facts vs. Global hostgroup parameters

Posted by Magnus Glantz, 2016-02-02 23:00:06 (category: Out of trouble)
If you ever wondered which wins, facts or global hostgroup parameters: global hostgroup parameters do.

So, if you have a global hostgroup parameter, you can refer to it in a manifest like this:

if $myhostgroupparameter == 'bluesbrothers' {
...
}

That was all.

Permalink: blog.hacka.net/#post113

Fast import/export of Satellite 5 repository to Satellite 6

Posted by Magnus Glantz, 2016-01-30 13:32:17 (category: Out of trouble)
So, you have a Satellite <=5.4 installation (if you have the latest version of Satellite 5, see this link) and you want your custom repositories in Satellite 6. Here's briefly how to go about it. Note that this method is ~100 times faster than using Hammer to upload the RPMs; Hammer is, as of this writing, extremely slow at uploading RPMs.

1. Log on to your Satellite 5 server.
2. Use spacecmd to list all packages in your repository and put the list into a file ('rpmlist').
3. Run the following. (updatedb refreshes the locate database; the loop copies the first match for each package name, so check that the list contains unambiguous file names.)

# updatedb
# mkdir my-custom-channel
# cd my-custom-channel
# for item in $(cat rpmlist); do cp $(locate $item|head -1) . ; done
# cd ..
# tar cvzf my-custom-channel.tar.gz my-custom-channel
4. Log on to the Satellite 6 server.
5. Run:
# cd /var/lib/pulp
# scp user@satellite5-server:/path/to/my-custom-channel.tar.gz .
# tar xvzf my-custom-channel.tar.gz
# chmod a+rx my-custom-channel
# cd my-custom-channel
# createrepo -v .
# chmod a+rx repodata
# cd /var/lib/pulp
# chmod a+r my-custom-channel -R
6. Log on to the Satellite 6 web GUI, create a new product, add your custom repository and set its Sync source to: file:///var/lib/pulp/my-custom-channel
7. Synchronize the repository (it will be much quicker than running Hammer).
8. Done.

Permalink: blog.hacka.net/#post112

Abnormal high CPU and memory consumption in Satellite 6

Posted by Magnus Glantz, 2016-01-28 22:24:01 (category: Out of trouble)
It seems that when abrt detects crashes, it generates traffic to Satellite 6's candlepin.
Be aware of running abrt on RHEL 6.7 when using Satellite 6: abrt can get stuck in a loop of reporting crashes that it causes itself. This generates enormous amounts of traffic to candlepin (tomcat, postgresql) and foreman, causing them to consume huge amounts of CPU and memory.

Check whether you are affected on RHEL 6.7 by looking at the crash counts:
# abrt-cli list|grep -i count

Solution (stop the abrt services and disable them at boot):
# for item in abrtd abrt-oops abrt-ccpp; do service $item stop; chkconfig $item off; done

Done.

Permalink: blog.hacka.net/#post111