Puppet Class: openscap::schedule

Defined in:
manifests/schedule.pp

Overview

This class allows you to set a schedule for openscap to run a check on your system via cron.

Parameters:

  • scap_profile (Openscap::Profile)

    The name of the profile with the content.

    • Valid profiles change based on the target system. See the results of the `oscap` fact for valid targets.

  • oscap_path (Stdlib::Absolutepath) (defaults to: pick(fact('oscap.path'), '/bin/oscap'))

    The path to the `oscap` executable.

    • This is set to a sane default for most systems but will pick the value out of the `oscap` fact if it has been installed and is in the path.
      
  • ssg_base_dir (Stdlib::Absolutepath) (defaults to: '/usr/share/xml/scap/ssg/content')

    The starting directory for all SSG content. Change this if you want to install your own SSG profiles.

  • ssg_data_stream (Pattern[/^.+\.xml$/])

    Type: XML file under $ssg_base_dir.

    The data stream XML file to use for your system scan. This must be a file under $ssg_base_dir.

  • fetch_remote_resources (Boolean) (defaults to: false)

    If true, download remote content referenced by XCCDF.

  • scap_tailoring_file (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Use given file for XCCDF tailoring.

  • logdir (Stdlib::Absolutepath) (defaults to: '/var/log/openscap')

    Specifies the output location. Default is /var/log/openscap.

  • logrotate (Boolean) (defaults to: simplib::lookup('simp_options::logrotate', { 'default_value' => false}))

    If true, use logrotate to rotate the output logs.

  • minute (Simplib::Cron::Minute) (defaults to: 30)
  • hour (Simplib::Cron::Hour) (defaults to: 1)
  • monthday (Simplib::Cron::MonthDay) (defaults to: '*')
  • month (Simplib::Cron::Month) (defaults to: '*')
  • weekday (Simplib::Cron::Weekday) (defaults to: 1)
  • force (Boolean) (defaults to: false)

    If set, ignore the fact that `oscap` does not appear to be installed on the target system and add the schedule anyway.

    • This should be used if you've installed `oscap` into a non-standard location that cannot be found by the fact in the default path.

Author:



# File 'manifests/schedule.pp', line 52

class openscap::schedule (
  Openscap::Profile                $scap_profile,
  Pattern[/^.+\.xml$/]             $ssg_data_stream,
  Stdlib::Absolutepath             $oscap_path             = pick(fact('oscap.path'), '/bin/oscap'),
  Stdlib::Absolutepath             $ssg_base_dir           = '/usr/share/xml/scap/ssg/content',
  Boolean                          $fetch_remote_resources = false,
  Optional[Stdlib::Absolutepath]   $scap_tailoring_file    = undef,
  Stdlib::Absolutepath             $logdir                 = '/var/log/openscap',
  Boolean                          $logrotate              = simplib::lookup('simp_options::logrotate', { 'default_value' => false}),
  Simplib::Cron::Minute            $minute                 = 30,
  Simplib::Cron::Hour              $hour                   = 1,
  Simplib::Cron::MonthDay          $monthday               = '*',
  Simplib::Cron::Month             $month                  = '*',
  Simplib::Cron::Weekday           $weekday                = 1,
  Boolean                          $force                  = false
) {
  include 'openscap'

  if $force {
    $_set_schedule = true
  }
  else {
    if $facts['oscap'] {
      $_ssg_ds_basename = basename($ssg_data_stream, '.xml')

      if !$facts['oscap']['profiles'] {
        fail('No SCAP Profiles found')
      }
      elsif !$facts['oscap']['profiles'][$ssg_base_dir] {
        fail("No SCAP Data Streams found under '${ssg_base_dir}'")
      }
      elsif !$facts['oscap']['profiles'][$ssg_base_dir][$_ssg_ds_basename] {
        fail("Could not find SCAP Data Stream '${ssg_data_stream}'")
      }
      elsif !$facts['oscap']['profiles'][$ssg_base_dir][$_ssg_ds_basename][$scap_profile] {
        fail("Could not find SCAP Profile '${scap_profile}'")
      }
      else {
        $_set_schedule = true
      }
    }
    else {
      notify { 'Could not find oscap binary on the system, not setting schedule':
        loglevel => 'warning'
      }

      $_set_schedule = false
    }
  }

  if $_set_schedule {
    file { $logdir:
      ensure => directory,
      mode   => '0600',
    }

    $host = $facts['networking']['fqdn']
    cron { 'openscap':
      command  => template('openscap/oscap_command.erb'),
      user     => 'root',
      minute   => $minute,
      hour     => $hour,
      monthday => $monthday,
      month    => $month,
      weekday  => $weekday
    }

    if $logrotate {
      include 'logrotate'

      logrotate::rule { 'openscap':
        log_files                 => [ "${logdir}/*.xml" ],
        missingok                 => true,
        rotate_period             => 'daily',
        rotate                    => 3,
        lastaction_restart_logger => true
      }
    }
  }
}
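
The following declaration is an added usage example, not code from the openscap module. It shows the class scheduled with a root-owned tailoring file. The wrapper class name `site::openscap_scan`, the `/etc/site-scap` path, the `puppet:///modules/site/...` source, and the profile and data stream values are assumptions; take real profile and data stream names from the node's `oscap` fact, because the manifest above calls `fail()` when they are not found there.

```puppet
# Hypothetical site wrapper class (added example, not part of the openscap module).
class site::openscap_scan {
  # Hypothetical location. The cron job runs as root and reads this file,
  # so only root should be able to write to it or to its parent directory.
  $tailoring = '/etc/site-scap/tailoring.xml'

  file { '/etc/site-scap':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  file { $tailoring:
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    # Hypothetical file source in a site module.
    source => 'puppet:///modules/site/openscap/tailoring.xml',
  }

  class { 'openscap::schedule':
    # Assumed values. Unless force is true, both must appear in the oscap fact
    # under profiles -> $ssg_base_dir -> 'ssg-rhel7-ds' -> <profile>,
    # otherwise catalog compilation fails for the node.
    scap_profile           => 'xccdf_org.ssgproject.content_profile_stig',
    ssg_data_stream        => 'ssg-rhel7-ds.xml',
    scap_tailoring_file    => $tailoring,
    # Default shown explicitly: the root cron job does not download
    # remote content referenced by XCCDF.
    fetch_remote_resources => false,
    # Rotate the XML results written under $logdir.
    logrotate              => true,
    # Saturday 03:15 instead of the default Monday 01:30.
    minute                 => 15,
    hour                   => 3,
    weekday                => 6,
    # Make sure the tailoring file is in place before the schedule is set.
    require                => File[$tailoring],
  }
}
```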