Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-openscap', '6.8.1'
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- In the future, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp/simp_options for details.
Module Description
This module sets up openscap and allows you to schedule and log openscap runs.
Setup
What simp openscap affects
simp/openscap will manage:
- openscap-utils and scap-security-guide packages
simp/openscap::schedule will manage:
- A cron job for openscap runs
- A logging directory for openscap (Default: /var/log/openscap)
Setup Requirements
The module can support logrotate if simp/logrotate is used. Otherwise, no additional setup is required.
Beginning with openscap
You can install openscap by:
include 'openscap'
Usage
I want to install openscap with default logging
The following will run a cron job on Monday at 1:30 AM and log to /var/log/openscap:
class { 'openscap':
enable_schedule => true,
}
OR
include 'openscap::schedule'
I have a particular SCAP profile I want to use
class { 'openscap::schedule':
scap_profile => 'xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream',
}
I want to log daily at a set time
class { 'openscap::schedule':
minute => 00,
hour => 22,
weekday => '*',
}
I want to log on the first and fifteenth day of the month
class { 'openscap::schedule':
monthday => '1,15',
}
I want to log to a different directory
class { 'openscap::schedule':
logdir => '/opt/scaplogs',
}
Reference
Please see the REFERENCE.md.
Limitations
This module is designed to work in RHEL-compatible environments.
Development
Please read our Contribution Guide.
Reference
Table of Contents
Classes
openscap
: This class installs SCAP content and the associated tools. It is mostly based on the scap-security-guide open source project with several customizations for SIMP.
openscap::schedule
: This class allows you to set a schedule for openscap to run a check on your system via cron.
Data types
Openscap::Profile
: Valid OpenSCAP profile names
Classes
openscap
This class installs SCAP content and the associated tools. It is mostly based on the scap-security-guide open source project with several customizations for SIMP.
Parameters
The following parameters are available in the openscap class:
enable_schedule
Data type: Boolean
Run an OpenSCAP scan on a schedule, using openscap::schedule
Default value: false
scap_ensure
Data type: String
Package ensure value for the openscap-utils package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
ssg_ensure
Data type: String
Package ensure value for the scap-security-guide package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
openscap::schedule
This class allows you to set a schedule for openscap to run a check on your system via cron.
Parameters
The following parameters are available in the openscap::schedule class:
scap_profile
oscap_path
ssg_base_dir
ssg_data_stream
fetch_remote_resources
scap_tailoring_file
logdir
logrotate
minute
hour
monthday
month
weekday
force
scap_profile
Data type: Openscap::Profile
The name of the profile with the content.
- Valid profiles change based on the target system. See the results of the oscap fact for valid targets.
oscap_path
Data type: Stdlib::Absolutepath
The path to the oscap executable
- This is set to a sane default for most systems but will pick the value out of the oscap fact if it has been installed and is in the path.
Default value: pick(fact('oscap.path'), '/bin/oscap')
ssg_base_dir
Data type: Stdlib::Absolutepath
The starting directory for all SSG content. Change this if you want to install your own SSG profiles.
Default value: '/usr/share/xml/scap/ssg/content'
ssg_data_stream
Data type: Pattern[/^.+\.xml$/]
Type: XML file under $ssg_base_dir
The data stream XML file to use for your system scan. This must be a file under $ssg_base_dir.
fetch_remote_resources
Data type: Boolean
If true, download remote content referenced by XCCDF.
Default value: false
scap_tailoring_file
Data type: Optional[Stdlib::Absolutepath]
Use given file for XCCDF tailoring.
Default value: undef
logdir
Data type: Stdlib::Absolutepath
Specifies output location. Default is /var/log/openscap
Default value: '/var/log/openscap'
logrotate
Data type: Boolean
If true, use logrotate to rotate the output logs.
Default value: simplib::lookup('simp_options::logrotate', { 'default_value' => false })
minute
Data type: Simplib::Cron::Minute
Default value: 30
hour
Data type: Simplib::Cron::Hour
Default value: 1
monthday
Data type: Simplib::Cron::MonthDay
Default value: '*'
month
Data type: Simplib::Cron::Month
Default value: '*'
weekday
Data type: Simplib::Cron::Weekday
Default value: 1
force
Data type: Boolean
If set, ignore the fact that oscap does not appear to be installed on the target system and add the schedule anyway
- This should be used if you've installed oscap into a non-standard location that cannot be found by the fact in the default path
Default value: false
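The following manifest is an added example, not taken from the module's README or its test suite. It combines the openscap::schedule parameters documented above into one declaration: custom SSG content, a tailoring file, log rotation, a first-and-fifteenth schedule, and an oscap binary outside the default path. The content directory, data stream, tailoring file and oscap path are hypothetical values.

```puppet
# Added example (not from the module's own documentation).
# Declare the base class without enable_schedule so that openscap::schedule
# can be declared explicitly below; setting enable_schedule => true and also
# declaring openscap::schedule resource-style would duplicate the class.
class { 'openscap':
  enable_schedule => false,
  scap_ensure     => 'installed',
  ssg_ensure      => 'installed',
}

class { 'openscap::schedule':
  # Must match the Openscap::Profile pattern /xccdf_[^_]+_profile_.+/
  scap_profile           => 'xccdf_org.ssgproject.content_profile_stig',

  # Custom SSG content: the data stream must end in .xml and must live
  # under ssg_base_dir. Both paths are hypothetical.
  ssg_base_dir           => '/opt/scap/content',
  ssg_data_stream        => 'ssg-site-ds.xml',

  # Site-specific XCCDF tailoring (hypothetical path)
  scap_tailoring_file    => '/opt/scap/tailoring/site-tailoring.xml',

  # Keep scans offline: do not fetch content referenced by the XCCDF
  fetch_remote_resources => false,

  # Scan output directory; logrotate => true requires simp/logrotate
  logdir                 => '/var/log/openscap',
  logrotate              => true,

  # Run at 02:15 on the 1st and 15th. weekday is set to '*' on purpose:
  # cron treats a restricted day-of-month AND a restricted day-of-week as
  # "either matches", so leaving the default weekday of 1 would also run
  # the scan every Monday.
  minute                 => 15,
  hour                   => 2,
  monthday               => '1,15',
  weekday                => '*',

  # oscap is installed outside the default PATH, so the oscap fact cannot
  # discover it. Point at the binary directly and force the schedule in.
  oscap_path             => '/opt/openscap/bin/oscap',
  force                  => true,
}
```

Before relying on the schedule, confirm that the oscap fact on the target reports the chosen profile as valid; with force => true the module will not check this for you.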
Data types
Openscap::Profile
Valid OpenSCAP profile names
Alias of Pattern[/xccdf_[^_]+_profile_.+/]
- Wed Jan 17 2024 Richard Gardner rick@sicura.us - 6.8.1
- Updated hiera.yaml facts to support puppet 8
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 6.8.0
- [puppetsync] Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 6.7.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- Thu Aug 31 2023 Steven Pritchard steve@sicura.us - 6.6.0
- Add AlmaLinux 8 support
- Mon Jul 24 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.5.0
- Add RockyLinux 8 support
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.4.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Wed Jan 06 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.1
- Fixed EL7 default data stream name in CentOS
- Added support for Puppet 7
- Fri Dec 18 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 6.3.1
- Removed EL6 support
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.3.0-0
- Drop Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Mon Mar 25 2019 Joseph Sharkey shark.bruhaha@gmail.com - 6.2.1-0
- Standardized cron datatypes to use the Simplib::Cron::### types
- Mon Mar 11 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0
- Updated a URL in the README.md
- Mon Oct 29 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0
- Update badges and contribution guide URL in README.md
- Mon Oct 01 2018 Nick Miller nick.miller@onyxpoint.com - 6.2.0-0
- Add package_ensure parameters to packages managed by this module
- $scap_ensure - openscap-utils
- $ssg_ensure - scap-security-guide
- Add missing $scap_tailoring_file parameter to openscap::schedule
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0
- Update Hiera 4 to Hiera 5
- Mon Jul 16 2018 Michael Morrone michael.morrone@onyxpoint.com - 6.1.1-0
- Updated puppetlabs-stdlib lower bound version to support fact() function
- Mon Jun 25 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0
- Added an oscap fact for gathering the following information:
- OpenSCAP Version
- OpenSCAP Supported Specifications
- SCAP Profiles from /usr/share/xml/scap//content/-ds.xml
- Added logic to ensure that a valid profile is chosen based on the new fact
- Added unit and acceptance tests
- Updated data to reflect valid choices on a default EL6 load
- Fri Jun 15 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.5-0
- Added Oracle Linux support
- Added Puppet 5 support
- Remove unneeded fixtures
- Mon Feb 05 2018 Nick Miller nick.miller@onyxpoint.com - 6.0.4-0
- Asset update
- Wed Nov 28 2017 Brandon Riden brandon.riden@onyxpoint.com - 6.0.3-0
- Changed Openscap::Profile type to use regex match on profiles rather than the Enum.
- Added hieradata to module to specify scap_profile and ssg_data_stream based on OS (RedHat 6, RedHat 7, CentOS 6, and CentOS 7)
- Wed Apr 19 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.2-0
- Updated logrotate to use new lastaction API
- Confine puppet version in metadata.json
- Fri Mar 17 2017 Liz Nemsick lnemsick-simp@gmail.com - 6.0.1-0
- Update puppet version in .travis.yaml
- Wed Mar 01 2017 Ryan Russell-Yates ryan.russellyates@gmail.com - 6.0.1-0
- Update README
- Tue Dec 13 2016 Jeanne Greulich jgreulich@onypoint.com - 6.0.0-0
- Strong type and Global Catalyst updates for SIMP 6
- Wed Nov 23 2016 Jeanne Greulich jgreulich@onypoint.com - 5.0.0-0
- Bump major version number for SIMP 6
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.2.3-0
- Migration to semantic versioning and fix of the build system
- Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.1-0
- Migration to semantic versioning and fix of the build system
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.2.0-3
- migration to simplib and simpcat (lib/ only)
- Fri Feb 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-2
- Updated to use the new 'simp' environment.
- Changed calls directly to /etc/init.d/rsyslog to '/sbin/service rsyslog' so that both RHEL6 and RHEL7 are properly supported.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-1
- Changed puppet-server requirement to puppet
- Sat Nov 01 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0
- Moved set_schedule to just schedule
- Updated for the native release of OpenSCAP and the SCAP Security Guide as included in RHEL6.6 and higher.
- Mon Apr 07 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-0
- Updated for hiera and puppet 3 compatibility.
- Added spec tests.
- Wed Sep 11 2013 Ralph Wright rwright@onyxpoint.com - 1.0.0-1
- Initial release
Dependencies
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- simp/logrotate (>= 6.5.0 < 7.0.0)
pupmod-simp-openscap - A Puppet Module for managing OpenSCAP -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.