Turn Openscap OVAL report into Puppet facts

I wanted to have a quick way to find out which systems had a particular set of outstanding errata. There are actually quite a few solutions that will do that for you, but I wanted a free/libre way of doing it that would integrate with our existing open-source Puppet (we don't use PE) and would be easy to query via mcollective orchestration.

Red Hat dutifully publishes an Openscap OVAL file for RHEL, but we needed a solution that worked both for RHEL and CentOS (not because we're cheapskates, but because we use Cloud providers that do not offer a RHEL option and we need to track errata on those systems, too).

After a bit of effort, I had a small wrapper script around openscap that would translate the report results into Puppet facts:

It comes with a sample tweaks file to make it work on a CentOS 7 system should you be in a similar position as us and be dependent on an upstream cloud provider who doesn't offer RHEL.

Once the facts are collected, you can use MCO to query which systems have specific outstanding errata. For example, by RHSA number:

mco find -S "fact('openscap.oval.rhsa.RHSA-2017:1308-01').exists=true"

or by CVE:

mco find -S "fact('openscap.oval.cve.CVE-2017-7502').exists=true"

or list systems with outstanding important/critical errata in general:

mco find -S "fact('openscap.oval.severity.critical').exists=true"

There's also a full HTML report generated for each of these systems and placed into /var/lib/openscap.

It is a handy tool and I hope it's useful to others.