Audit

The Systems > Audit section displays the results of OpenSCAP scans that you have performed on the selected client.

The Security Certification and Authorization Package (SCAP) is a standardized compliance checking solution for enterprise-level Linux infrastructures. SUSE Multi-Linux Manager uses OpenSCAP to implement the SCAP specifications.

For more information about OpenSCAP, see System Security with OpenSCAP.

The Systems > Audit subtab is split into sections:

1. List scans

This section displays the results of OpenSCAP scans that have been performed on the selected client.

The table columns on this page are:

Table 1. OpenSCAP Scan Results

| Name | Description |
|------|-------------|
| Xccdf Test Result | The name of the test result |
| Diff | FIXME |
| Completed | The time that the scan was completed |
| Compliance | The unweighted pass/fail ratio |
| P | The number of checks that passed |
| F | The number of checks that failed |
| E | The number of errors that occurred |
| U | The number of checks with an unknown status |
| N | The number of checks that were not applicable to the selected client |
| K | The number of checks not run |
| S | The number of checks that were not selected |
| I | The number of checks that have information available for review |
| X | The number of checks that reported a status of fixed |
| Total | The total number of checks run |

Click the name of a scan test result to see details about the result.
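The following is an added example, not part of the product or its documentation: it tallies the rule results in an XCCDF results document into the column letters of Table 1. The letter mapping is inferred from the column descriptions, and the sample document, the Total count and the compliance formula (P / (P + F)) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# XCCDF <result> values mapped to the Table 1 column letters
# (mapping inferred from the column descriptions; an assumption).
COLUMNS = {"pass": "P", "fail": "F", "error": "E", "unknown": "U",
           "notapplicable": "N", "notchecked": "K", "notselected": "S",
           "informational": "I", "fixed": "X"}

# Constructed sample, not output from a real scan.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <TestResult id="xccdf_org.example_testresult_constructed">
  <rule-result idref="rule_a"><result>pass</result></rule-result>
  <rule-result idref="rule_b"><result>pass</result></rule-result>
  <rule-result idref="rule_c"><result>fail</result></rule-result>
  <rule-result idref="rule_d"><result>fixed</result></rule-result>
  <rule-result idref="rule_e"><result>notapplicable</result></rule-result>
  <rule-result idref="rule_f"><result>notselected</result></rule-result>
 </TestResult>
</Benchmark>"""

def local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 documents both match."""
    return tag.rsplit("}", 1)[-1]

def tally(xml_text):
    """Return {TestResult id: {column letter: count, 'Total': n}}."""
    rows = {}
    for tr in ET.fromstring(xml_text).iter():
        if local(tr.tag) != "TestResult":
            continue
        row = {letter: 0 for letter in COLUMNS.values()}
        for rr in (e for e in tr if local(e.tag) == "rule-result"):
            text = next((c.text or "" for c in rr if local(c.tag) == "result"), "")
            # Unrecognised or missing values are counted as unknown (U).
            row[COLUMNS.get(text.strip(), "U")] += 1
        row["Total"] = sum(row.values())  # assumption: every rule-result counts
        rows[tr.get("id")] = row
    return rows

def compliance(row):
    """Assumed reading of 'unweighted pass/fail ratio': P / (P + F)."""
    judged = row["P"] + row["F"]
    return row["P"] / judged if judged else None

if __name__ == "__main__":
    for name, row in tally(SAMPLE).items():
        print(name, row, compliance(row))
```

Comparing the tallies of two scans of the same client makes it easy to see whether a change in the compliance figure comes from fewer failures or from more rules falling into the not applicable or not selected columns.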

2. Rule result detail

The Details of Rule Result page displays detailed information about a specific XCCDF rule evaluation result and provides remediation capabilities. This page is accessed by clicking a rule in the XCCDF scan results.

2.1. Rule information

The top of the page displays the following details about the rule result:

Table 2. Rule Result Details

| Field | Description |
|-------|-------------|
| Reference within Document | The unique identifier of the rule within the SCAP document. |
| Evaluation Result | The outcome of the rule evaluation (for example: pass, fail, notselected). |
| Parent Scan | A link back to the parent XCCDF scan result that contains this rule. |

2.2. Remediation

The remediation panel provides two tabs for managing remediation scripts:

2.2.1. Original tab

Displays the original remediation script from the SCAP datastream in a read-only code editor. This is the remediation provided by the benchmark author and cannot be modified.

2.2.2. Custom tab

Allows you to write and save custom remediation scripts for this rule. Custom remediations can be written in two script types:

Table 3. Script Types

| Script Type | Description |
|-------------|-------------|
| Bash Script | A shell script to remediate the rule. |
| Salt State | A Salt state in YAML format to remediate the rule. |

You can maintain separate Bash and Salt remediations for the same rule by switching between script types using the Script Type dropdown.

The following actions are available in the Custom tab:

  • Click Save Custom Remediation to save the custom remediation script.

  • Click Delete Custom Remediation to remove the saved custom remediation for the current script type. A confirmation dialog is displayed before deletion.

2.3. Applying remediation

To apply a remediation:

  1. Select the appropriate tab (Original or Custom).

  2. Use the Schedule section to select the date and time for the remediation action.

  3. Click Apply Remediation to schedule the remediation. A confirmation dialog is displayed before the action is scheduled.

After scheduling, a link to the scheduled action is displayed at the top of the page.

3. Schedule

The Schedule New XCCDF Scan panel allows you to schedule a compliance scan on one or more systems. You can either select a predefined SCAP policy or manually configure the scan parameters.

This form is available from:

  • A single system: Systems > System Details > Audit > Schedule

  • Multiple systems via SSM: Systems > System Set Manager > Audit > Schedule

3.1. Using a SCAP policy

Select a policy from the SCAP Policy dropdown to automatically populate the scan configuration from the policy definition. When a policy is selected, the SCAP Content, XCCDF Profile, Tailoring File, Tailoring Profile, and Fetch Remote Content fields are disabled and pre-filled with the policy values.

To clear the policy selection and configure the scan manually, clear the SCAP Policy dropdown.

3.2. Manual configuration

If no policy is selected, you can manually configure the scan using the fields below.

Table 4. Schedule SCAP Scan Fields

| Field | Required | Description |
|-------|----------|-------------|
| SCAP Policy | No | Optionally select a predefined compliance policy to auto-populate the scan configuration. |
| SCAP Content | Yes | Select a SCAP content file containing the security benchmarks. |
| XCCDF Profile | Yes | Select an XCCDF profile from the chosen SCAP content. |
| Tailoring File | No | Optionally select a tailoring file to customize the profile. |
| Profile from Tailoring File | No | Select a profile from the chosen tailoring file. |
| Advanced Arguments | No | Additional command-line arguments, for example: `--rule <rule_id> --remediate`. |
| OVAL Files | No | Paths to local OVAL definitions on the target system, comma separated. |
| Fetch Remote Content | No | Enable fetching of remote resources during the scan. This requires internet access and significant memory on the target system. |

Enabling Fetch Remote Content requires internet access and a large amount of available memory on the target minion. Ensure the target system has sufficient resources before enabling this option.

Use the Schedule section to select the date and time for the scan.

Click Schedule to schedule the scan.

3.3. Single system scheduling

When scheduling a scan from a single system’s audit page, a Create Recurring button is also available. Click Create Recurring to navigate to the recurring actions page for the system, where you can set up a recurring schedule for SCAP scans.

3.4. SSM bulk scheduling

When scheduling from the System Set Manager (SSM), the scan is applied to all systems currently in the system set. The Create Recurring option is not available in SSM mode.