Uploaded image for project: 'Satellite'
  1. Satellite
  2. SAT-28333

[DOC] Improve documentation on deploying OpenSCAP policies

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False
    • 0
    • Endeavour
    • None

      In the Managing security compliance guide, we have procedures on how to deploy the OpenSCAP policies on hosts in two places:
      1. Chapter 5 [1]
      2. Chapter 9 [2]

      Instructions in chapter 5 are incomplete compared to instructions in chapter 9, missing prerequisites and a step to assign the OpenSCAP capsule to the host / host group. Should the procedure be performed without this step, hosts will be unable to upload the OpenSCAP reports. At the same time instructions in chapter 5 do not add anything that is not present in chapter 9.

      Additionally, the solution article How to use Ansible as a deployment option to create OpenSCAP compliance policy in Red Hat Satellite 6 [3] is also omitting the step of assigning the OpenSCAP capsule when deploying policies on host (the step is present for host group).

      I suggest removing the chapter 5 to de-duplicate procedures and point the user to the correct procedure. Contents of chapter 4, which serve basically as an introduction to chapter 5, should be moved to chapter 9.

      How I suggest disassembling chapter 5:
      Parts with ansible and puppet can be deleted entirely, part with manual deployment can be:
      a) made into a module similar to other procedures in chapter 9. This would probably add significant amount of work to this ticket, but the advantage would be that all the deployment methods would be in one place.
      b) referenced from the moved list of deployment methods (current chapter 4). The simplest solution which avoids duplication of information across different documentation sources but it creates a bit of inconsistency.
      Which of these two approaches is better I leave to the writer's judgement. Alternatively an entirely different approach can also be implemented. I will be happy to provide review if needed.

      Finally, the step to assign the OpenSCAP capsule should be added to the aforementioned solution article as well.

      [1]: https://docs.redhat.com/en/documentation/red_hat_satellite/6.15/html-single/managing_security_compliance/index#compliance-policy-deployment-options_security-compliance
      [2]: https://docs.redhat.com/en/documentation/red_hat_satellite/6.15/html-single/managing_security_compliance/index#inclusion-of-remote-scap-resources_security-compliance
      [3]: https://access.redhat.com/solutions/4557961

              Unassigned Unassigned
              rhn-support-alazik Adam Lazik
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: