Plugins » OpenSCAP

Preface¶

In the current state of foreman_openscap, a user can upload scap_content to foreman_openscap. Yet the user needs also to upload the same content to the client host and save it in the location that puppet-foreman_scap_client expects it to be.

Design
¶

Content distribution:¶

• Expose a url on Satellite for downloading the scap file for the policy (/api/compliance/policies//content)
• OpenSCAP plugin on Proxy serves as a (dumb) proxy to the above url (meaning, calling something like: https://<proxy_url>/compliance/policies/<policy_id>/content will fetch the xml from https://<foreman_url>/api/compliance/policies/<policy_id>/content)
• When foreman_scap_client starts running, it checks if the file configured by puppet exists. If it exists, it will resume operation. If it doesn’t exist, it will download the file from the Proxy and resume its operation.