Multi-profile compliance (#87)
Co-authored-by: willtome <[email protected]>
jce-redhat and willtome authored Sep 25, 2023
1 parent 44585bf commit a5aa956
Showing 7 changed files with 255 additions and 3 deletions.
2 changes: 2 additions & 0 deletions .gitignore
@@ -7,3 +7,5 @@ choose_demo_example_aws.yml
.ansible.cfg
*.gz

**/roles/*
!**/roles/requirements.yml
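Review bot: the negation on the second added line only works because the first pattern is `**/roles/*` (ignore the directory's contents) rather than `**/roles/`; git cannot re-include a file whose parent directory is itself excluded, so keep that distinction if the pattern is ever tightened. It would also help to state in linux/README.md that the roles pinned in roles/requirements.yml are expected to be installed into roles/ (which is why that directory is now ignored) before the compliance templates can run.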
12 changes: 9 additions & 3 deletions linux/README.md
@@ -26,8 +26,10 @@ This category of demos shows examples of linux operations and management with An
- [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache
- [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page
- [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names.
- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline
- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com]
- [**Linux / DISA STIG**](compliance.yml) - Apply the RHEL STIG supplemental content from DISA
- [**Linux / Multi-profile compliance**](compliance-enforce.yml) - Apply remediation from [Compliance as Code](https://github.com/ComplianceAsCode/content) to enforce the requirements of a specified compliance profile
- [**Linux / Report Compliance**](compliance-report.yml) - Run an OpenSCAP report against a specified compliance profile
- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights](https://console.redhat.com)

### Inventory

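Review bot: the template names do not line up across the files in this commit: this list says "Linux / Multi-profile compliance" and "Linux / Report Compliance", linux/setup.yml creates "LINUX / Multi-profile Compliance" and "LINUX / Multi-profile Compliance Report", and linux/compliance_profiles.md links to "Linux / Enforce Compliance". Pick one name per template and use it everywhere, since the README is what users search for in the controller. The Insights link fix (`[Red Hat Insights](https://console.redhat.com)` replacing the broken `[...][...]` form) is correct.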
@@ -86,6 +88,10 @@ timesync_ntp_servers:
pool: yes
iburst: yes
```
**Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
**Linux / DISA STIG** - Apply the RHEL STIG security hardening configuration using the [DISA Supplemental Automation Content](https://public.cyber.mil/stigs/supplemental-automation-content/). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.

**Linux / Multi-profile Compliance** - Apply security hardening configuration from a [supported compliance profile role](compliance_profiles.md). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Applying certain compliance profiles without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.

**Linux / Report Compliance** - Run this template before running the "**Linux / Multi-profile Compliance**" template and again afterwards to highlight the changes made by the enforcement template. By default, the reports are available by pointing a web browser to the system(s) where the report runs. By setting the `use_httpd` variable to "false" in the template survey the reports will instead be stored on the target node in the /tmp/oscap-reports directory.

**Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No".
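Review bot: the warning in the Multi-profile Compliance paragraph names only `sudo_remove_nopasswd`, but linux/setup.yml pre-sets four variables on that template (`sudo_require_authentication`, `sudo_remove_nopasswd`, `sudo_remove_no_authenticate`, `accounts_password_set_max_life_existing`); list all of them here and say plainly that with these overrides in place the host will still fail those rules in the Report Compliance output, so the two paragraphs stay consistent with each other. The Report Compliance paragraph should also give the path the report lands at (`/oscap-reports/<profile>/` under the web root, per compliance-report.yml in this commit) and note that it is served over plain HTTP with no authentication, so a report that enumerates every failed hardening rule on the host is readable by anyone who can reach port 80; that is fine for a demo only if the reader is told.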
17 changes: 17 additions & 0 deletions linux/compliance-enforce.yml
@@ -0,0 +1,17 @@
---
- name: Apply compliance profile
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
compliance_profile: undef

tasks:
- name: Check os type
ansible.builtin.assert:
that: "ansible_os_family == 'RedHat'"

- name: Run Compliance Profile
ansible.builtin.include_role:
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"

...
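Review bot: `compliance_profile: undef` is a weak default; if the survey is skipped or the template is launched through the API without the variable, `include_role` tries to load `redhatofficial.rhelN_undef` and fails with an unhelpful "role not found" error. Extend the existing assert to validate the input, since only six profiles and three major versions are pinned in roles/requirements.yml, for example `that:` with the three conditions `ansible_os_family == 'RedHat'`, `compliance_profile in ['cis', 'cui', 'hipaa', 'ospp', 'pci_dss', 'stig']` and `ansible_distribution_major_version in ['7', '8', '9']`, plus a `fail_msg` naming the bad value.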
90 changes: 90 additions & 0 deletions linux/compliance-report.yml
@@ -0,0 +1,90 @@
---
- name: Generate OpenSCAP compliance report
hosts: '{{ _hosts | default(omit) }}'
become: true

vars:
openscap_packages:
- openscap-scanner
- openscap-utils
- scap-security-guide
compliance_profile: ospp
use_httpd: true

tasks:
- name: Get our facts straight
ansible.builtin.set_fact:
_profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
_report_dir: /tmp/oscap-reports

- name: Ensure OpenSCAP tools are installed
ansible.builtin.dnf:
name: '{{ openscap_packages }}'
state: present

- name: Configure httpd
when: use_httpd | bool
block:
- name: Install httpd
ansible.builtin.dnf:
name: httpd
state: present
notify: Restart httpd

- name: Override report directory
ansible.builtin.set_fact:
_report_dir: /var/www/html/oscap-reports

- name: Gather service facts
ansible.builtin.service_facts:

- name: Enable firewall http service
ansible.posix.firewalld:
service: http
state: enabled
immediate: true
permanent: true
when: "'firewalld.service' in ansible_facts.services"

- name: Disable httpd welcome page
ansible.builtin.file:
path: /etc/httpd/conf.d/welcome.conf
state: absent
notify: Restart httpd

- name: Ensure report directory exists
ansible.builtin.file:
path: '{{ _report_dir }}/{{ _profile }}'
state: directory
owner: root
group: root
mode: 0755

- name: Set report name
ansible.builtin.set_fact:
_report: '{{ _report_dir }}/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html'

- name: Generate compliance report
ansible.builtin.command: >-
oscap xccdf eval --profile {{ _profile }} --report {{ _report }}
/usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml
args:
creates: '{{ _report }}'
register: _oscap
failed_when: _oscap.rc not in [0, 2]

- name: Set report permissions
ansible.builtin.file:
path: '{{ _report }}'
owner: root
group: root
mode: 0644

handlers:
- name: Restart httpd
ansible.builtin.service:
name: httpd
state: restarted
enabled: true

...
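Review bot: with `use_httpd` true (the default here and in the survey) the report directory is moved under /var/www/html, the files are made 0644 and the firewall is opened for the http service, so every report (a full list of failing hardening rules for the host) is readable without authentication or TLS by anyone on the network; either restrict the `ansible.posix.firewalld` task to a trusted zone or source, or make the exposure explicit in the template description. Two smaller points: `ansible.builtin.dnf` will not work on RHEL 7 hosts, even though roles/requirements.yml pins rhel7 roles and the SSG data-stream path is templated on `ansible_distribution_major_version`, so `ansible.builtin.package` is the safer choice for both install tasks; and `creates: '{{ _report }}'` can never match because the file name embeds `ansible_date_time.iso8601`, so the task is never idempotent and the `args` block can be dropped. The `failed_when: _oscap.rc not in [0, 2]` handling is correct, since `oscap xccdf eval` exits 2 when any rule fails.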
15 changes: 15 additions & 0 deletions linux/compliance_profiles.md
@@ -0,0 +1,15 @@
# Supported Compliance Profiles

The following compliance profiles are supported by the [**Linux / Enforce Compliance**](README.md#jobs) job template:

| **Profile** | **Role Repository** |
|-------------|---------------------|
| CIS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cis |
| CUI | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cui |
| HIPAA | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-hipaa |
| OSPP | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-ospp |
| PCI-DSS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-pci-dss |
| DISA STIG | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-stig |

These roles are derived from the [Compliance as Code](https://github.com/ComplianceAsCode/content) project, which provides SCAP content used by the [OpenSCAP](https://www.open-scap.org/) `oscap` tool.

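Review bot: the link text "Linux / Enforce Compliance" matches no template created by linux/setup.yml in this commit (it is "LINUX / Multi-profile Compliance"), and the `README.md#jobs` anchor should be checked against the README's actual headings. The table lists only the rhel8 role repositories, while roles/requirements.yml pins rhel7, rhel8 and rhel9 variants and compliance-enforce.yml selects the role from `ansible_distribution_major_version`; either add a link per major version or state that the RHEL 8 links are representative and the matching 7 and 9 roles are installed as well, so readers know which RHEL versions the template actually supports.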
80 changes: 80 additions & 0 deletions linux/setup.yml
@@ -359,6 +359,84 @@ controller_templates:
variable: _hosts
required: true

- name: "LINUX / Multi-profile Compliance"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "linux/compliance-enforce.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
extra_vars:
# used by CIS profile role
sudo_require_authentication: false
# used by STIG profile role
sudo_remove_nopasswd: false
sudo_remove_no_authenticate: false
# used by CIS and STIG profile role
accounts_password_set_max_life_existing: false
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- question_name: Compliance Profile
type: multiplechoice
variable: compliance_profile
required: true
choices:
- cis
- cui
- hipaa
- ospp
- pci_dss
- stig

- name: "LINUX / Multi-profile Compliance Report"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "linux/compliance-report.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- question_name: Compliance Profile
type: multiplechoice
variable: compliance_profile
required: true
choices:
- cis
- cui
- hipaa
- ospp
- pci_dss
- stig
- question_name: Use httpd on the target host(s) to access reports locally?
type: multiplechoice
variable: use_httpd
required: true
choices:
- "true"
- "false"
default: "true"

- name: "LINUX / Insights Compliance Scan"
job_type: run
inventory: "Demo Inventory"
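Review bot: the four `extra_vars` defaults on the Multi-profile Compliance template deliberately switch off the sudo and password-age hardening so the demo credential keeps working, which is sensible for a demo but means the resulting host is not compliant with the chosen profile and the Report template run afterwards will still flag those rules; the template description or survey should say so, since the YAML comments here are visible only to whoever reads setup.yml. The Report template defaults `use_httpd` to "true", which publishes the report over unauthenticated HTTP and opens the firewall on the target, so consider defaulting to "false" and letting users opt in. The two `choices` lists are duplicated verbatim; a YAML anchor would keep them from drifting when a profile is added to one template but not the other.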
@@ -408,3 +486,5 @@ controller_templates:
type: text
variable: application
required: true

...
42 changes: 42 additions & 0 deletions roles/requirements.yml
@@ -0,0 +1,42 @@
---
roles:
# RHEL 7 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel7_cis
version: 0.1.69
- name: redhatofficial.rhel7_cui
version: 0.1.67
- name: redhatofficial.rhel7_hipaa
version: 0.1.69
- name: redhatofficial.rhel7_ospp
version: 0.1.69
- name: redhatofficial.rhel7_pci_dss
version: 0.1.69
- name: redhatofficial.rhel7_stig
version: 0.1.69
# RHEL 8 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel8_cis
version: 0.1.69
- name: redhatofficial.rhel8_cui
version: 0.1.69
- name: redhatofficial.rhel8_hipaa
version: 0.1.69
- name: redhatofficial.rhel8_ospp
version: 0.1.69
- name: redhatofficial.rhel8_pci_dss
version: 0.1.69
- name: redhatofficial.rhel8_stig
version: 0.1.69
# RHEL 9 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel9_cis
version: 0.1.68
- name: redhatofficial.rhel9_cui
version: 0.1.64
- name: redhatofficial.rhel9_hipaa
version: 0.1.68
- name: redhatofficial.rhel9_ospp
version: 0.1.68
- name: redhatofficial.rhel9_pci_dss
version: 0.1.68
- name: redhatofficial.rhel9_stig
version: 0.1.64
...
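Review bot: pinning versions is the right call, but the pins are uneven (rhel7_cui at 0.1.67, rhel9_cui and rhel9_stig at 0.1.64, the rest at 0.1.68 or 0.1.69); a comment saying these are the latest Galaxy releases of each role at the time of the commit would tell the next maintainer whether the spread is intentional or a missed update. Also worth a comment: the role names use underscores (`rhel7_pci_dss`) and map directly onto the `compliance_profile` survey value, while compliance-report.yml has to translate `pci_dss` to `pci-dss` for the SSG profile id, so the two naming schemes should not be "fixed" into agreement later.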
