Ansible Role for Foreman SCAP Client

This Ansible role sets up and configures the Foreman SCAP client, known as foreman_scap_client, to perform security scans and send results to the Foreman proxy.

Configuration

This role will:

• Automatically install the foreman_scap_client if it's not already present.
• Set up the configuration file /etc/foreman_scap_client/config.yaml with necessary settings.
• Create a cron job to schedule the SCAP client to run regularly.

Variables

Here's a list of important variables you can set:

• foreman_scap_client_state: State of the SCAP client package.
• foreman_scap_client_package: Name of the package if different from the default (varies for different Linux distributions).
• foreman_scap_client_server: The URL of the proxy server.
• foreman_scap_client_port: Port number for the proxy server.
• foreman_scap_client_policies: List of policies to configure.
• foreman_scap_client_ca_cert_path: Path to the certificate authority file for the client.
• foreman_scap_client_host_cert_path: Path to the host certificate.
• foreman_scap_client_host_private_key_path: Path to the host's private key.
• foreman_scap_client_release: The release version for repository configuration.
• foreman_scap_client_repo_url: URL for the repository containing the SCAP client.
• foreman_scap_client_apt_repo_url: Debian-based repository for the client.
• foreman_scap_client_repo_state: State of the repository.
• foreman_scap_client_repo_key: RPM key file for the repository (noted that packages are currently unsigned).
• foreman_scap_client_repo_gpg: Enable or disable GPG checks.
• foreman_scap_client_cron_template: Path to the cron job template.
• foreman_scap_client_cron_splay_seed: Seed for generating random numbers for cron task timing.
• foreman_scap_client_cron_splay: Maximum delay time for cron tasks.
• foreman_scap_client_fetch_remote_resources: Option to fetch resources from a remote location.
• foreman_scap_client_http_proxy_server: HTTP proxy server URL.
• foreman_scap_client_http_proxy_port: Port for the HTTP proxy.
• foreman_scap_client_ciphers: Optional list of encryption methods for connections.

Sample Usage

The example below shows how to set up a weekly SCAP audit that sends results to a proxy server at proxy.example.com:9090. The role will attempt to install the SCAP client on the system automatically. If you don't want to use a specific file for policies, just leave the variables for them empty.

---
- hosts: all
  become: true
  roles:
    - theforeman.foreman_scap_client
  vars:
    foreman_scap_client_server: https://proxy.example.com
    foreman_scap_client_port: 9090
    foreman_scap_client_policies: [{
      "id": "1",
      "hour": "12",
      "minute": "1",
      "month": "*",
      "monthday": "*",
      "weekday": "1",
      "profile_id": "",
      "content_path": "/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml",
      "download_path": "/compliance/policies/1/content",
      "tailoring_path": "/var/lib/openscap/ssg-fedora-ds-tailored.xml",
      "tailoring_download_path": "/compliance/policies/1/tailoring"
    }]
}

Usage with foreman_openscap

If you're using this role with the foreman_openscap plugin, you typically don't need to do any additional setup. The values will be taken from Foreman's parameters. Just make sure to check the server, port, and policies after importing the role.

Testing

To test the role, we use Docker with Molecule and Testinfra. First, install the required dependencies:

pip install -r requirements.txt

Make sure your user can access Docker without needing sudo. If not, create a Docker group and add your user to it. To run the tests, use:

molecule test

Releasing on Ansible Galaxy

Ansible Galaxy pulls content from GitHub, using git tags for versioning. Ensure that your tags follow semantic versioning format.