From afb2046ef18c3132e4ef43f1255c2518598b13b9 Mon Sep 17 00:00:00 2001 From: Chris Edillon Date: Wed, 9 Aug 2023 16:41:18 -0400 Subject: [PATCH 1/8] Add multi-profile compliance templates Added two new playbooks for reporting against and enforcing multiple compliance profile controls using the Compliance as Code remediation content. Update linux/setup.yml to create the related job templates and linux/README.md to update documentation. The compliance_profiles.md document was also added to describe the supported compliance profiles. --- linux/README.md | 12 +++-- linux/compliance-enforce.yml | 17 +++++++ linux/compliance-report.yml | 90 ++++++++++++++++++++++++++++++++++++ linux/compliance_profiles.md | 15 ++++++ linux/setup.yml | 80 ++++++++++++++++++++++++++++++++ 5 files changed, 211 insertions(+), 3 deletions(-) create mode 100644 linux/compliance-enforce.yml create mode 100644 linux/compliance-report.yml create mode 100644 linux/compliance_profiles.md diff --git a/linux/README.md b/linux/README.md index 9984885c8..620ee235a 100644 --- a/linux/README.md +++ b/linux/README.md 
@@ -26,8 +26,10 @@ This category of demos shows examples of linux operations and management with An - [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache - [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page - [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names. -- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline -- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com] +- [**Linux / DISA STIG**](compliance.yml) - Apply the RHEL STIG supplemental content from DISA +- [**Linux / Multi-profile compliance**](compliance-enforce.yml) - Apply remediation from [Compliance as Code](https://github.com/ComplianceAsCode/content) to enforce the requirements of a specified compliance profile +- [**Linux / Report Compliance**](compliance-report.yml) - Run an OpenSCAP report against a specified compliance profile +- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights](https://console.redhat.com) ### Inventory 
@@ -86,6 +88,10 @@ timesync_ntp_servers: pool: yes iburst: yes ``` -**Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason. +**Linux / DISA STIG** - Apply the RHEL STIG security hardening configuration using the [DISA Supplemental Automation Content](https://public.cyber.mil/stigs/supplemental-automation-content/). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason. + +**Linux / Multi-profile Compliance** - Apply security hardening configuration from a [supported compliance profile role](compliance_profiles.md). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Applying certain compliance profiles without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason. 
+ +**Linux / Report Compliance** - Run this template before running the "**Linux / Multi-profile Compliance**" template and again afterwards to highlight the changes made by the enforcement template. By default, the reports are available by pointing a web browser to the system(s) where the report runs. By setting the `use_httpd` variable to "false" in the template survey the reports will instead be stored on the target node in the /tmp/oscap-reports directory. **Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No". diff --git a/linux/compliance-enforce.yml b/linux/compliance-enforce.yml new file mode 100644 index 000000000..b8122e406 --- /dev/null +++ b/linux/compliance-enforce.yml @@ -0,0 +1,17 @@ +--- +- name: Apply compliance profile + hosts: "{{ _hosts | default(omit) }}" + become: true + vars: + compliance_profile: undef + + tasks: + - name: Check os type + ansible.builtin.assert: + that: "ansible_os_family == 'RedHat'" + + - name: Run Compliance Profile + ansible.builtin.include_role: + name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}" + +... diff --git a/linux/compliance-report.yml b/linux/compliance-report.yml new file mode 100644 index 000000000..f695adbce --- /dev/null +++ b/linux/compliance-report.yml 
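Review bot: The role name handed to `ansible.builtin.include_role` is assembled from `compliance_profile` and `ansible_distribution_major_version` without either value being checked, so an unset profile (the `undef` default) or an OS major the series does not ship roles for presumably surfaces only as a "role not found" failure inside the include, far from its cause. The preceding assert confirms just `ansible_os_family == 'RedHat'`, which also admits Fedora-family distributions that the rhel7/8/9 roles pinned in roles/requirements.yml do not cover. Widen that assert to the values the series actually supports — the six survey choices and majors 7 to 9 — and give it a `fail_msg`, as below. The identical hunk reappears in PATCH 4/8 and gets the same note.
```yaml
    - name: Check os type and requested profile
      ansible.builtin.assert:
        that:
          - ansible_os_family == 'RedHat'
          - ansible_distribution_major_version in ['7', '8', '9']
          - compliance_profile in ['cis', 'cui', 'hipaa', 'ospp', 'pci_dss', 'stig']
        fail_msg: "Unsupported OS major or compliance profile '{{ compliance_profile }}'"

    # … unchanged: Run Compliance Profile include_role …
```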
@@ -0,0 +1,90 @@
+---
+- name: Generate OpenSCAP compliance report
+ hosts: '{{ _hosts | default(omit) }}'
+ become: true
+
+ vars:
+ openscap_packages:
+ - openscap-scanner
+ - openscap-utils
+ - scap-security-guide
+ compliance_profile: ospp
+ use_httpd: true
+
+ tasks:
+ - name: Get our facts straight
+ ansible.builtin.set_fact:
+ _profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
+ _report_dir: /tmp/oscap-reports
+
+ - name: Ensure OpenSCAP tools are installed
+ ansible.builtin.dnf:
+ name: '{{ openscap_packages }}'
+ state: present
+
+ - name: Configure httpd
+ when: use_httpd | bool
+ block:
+ - name: Install httpd
+ ansible.builtin.dnf:
+ name: httpd
+ state: present
+ notify: Restart httpd
+
+ - name: Override report directory
+ ansible.builtin.set_fact:
+ _report_dir: /var/www/html/oscap-reports
+
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Enable firewall http service
+ ansible.posix.firewalld:
+ service: http
+ state: enabled
+ immediate: true
+ permanent: true
+ when: "'firewalld.service' in ansible_facts.services"
+
+ - name: Disable httpd welcome page
+ ansible.builtin.file:
+ path: /etc/httpd/conf.d/welcome.conf
+ state: absent
+ notify: Restart httpd
+
+ - name: Ensure report directory exists
+ ansible.builtin.file:
+ path: '{{ _report_dir }}/{{ _profile }}'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+ - name: Set report name
+ ansible.builtin.set_fact:
+ _report: '{{ _report_dir }}/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html'
+
+ - name: Generate compliance report
+ command: >-
+ oscap xccdf eval --profile {{ _profile }} --report {{ _report }}
+ /usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml
+ args:
+ creates: '{{ _report }}'
+ register: _oscap
+ failed_when: _oscap.rc not in [0, 2]
+
+ - name: Set report permissions
+ ansible.builtin.file:
+ path: '{{ _report }}'
+ owner: root
+ group: root
+ mode: 0644
+
+ handlers:
+ -
name: Restart httpd + ansible.builtin.service: + name: httpd + state: restarted + enabled: true + +... diff --git a/linux/compliance_profiles.md b/linux/compliance_profiles.md new file mode 100644 index 000000000..7ef595c0f --- /dev/null +++ b/linux/compliance_profiles.md @@ -0,0 +1,15 @@ +# Supported Compliance Profiles + +The following compliance profiles are supported by the [**Linux / Enforce Compliance**](README.md#jobs) job template: + +| **Profile** | **Role Repository** | +|-------------|---------------------| +| CIS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cis | +| CUI | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cui | +| HIPAA | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-hipaa | +| OSPP | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-ospp | +| PCI-DSS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-pci-dss | +| DISA STIG | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-stig | + +These roles are derived from the [Compliance as Code](https://github.com/ComplianceAsCode/content) project, which provides SCAP content used by the [OpenSCAP](https://www.open-scap.org/) `oscap` tool. + diff --git a/linux/setup.yml b/linux/setup.yml index dcb031da6..8213d8f36 100644 --- a/linux/setup.yml +++ b/linux/setup.yml 
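Review bot: With `use_httpd` true (the survey default) the play moves the report under /var/www/html/oscap-reports, opens the firewall `http` service and restarts httpd, so the OpenSCAP report — a list of exactly which hardening controls the host fails — is served without authentication or TLS to anything that can reach the host, and no task in the block restricts who may read it. That is tolerable for a throwaway demo box but should be visible in the play; add above the `Configure httpd` block: `# NOTE: reports enumerate the host's failing controls and httpd serves them unauthenticated over plain HTTP; restrict access (httpd Require rule, reverse proxy, or use_httpd=false) before using this outside a demo`. Separately, `mode: 0755` and `mode: 0644` are unquoted octals that yamllint and ansible-lint flag; write `mode: "0755"` and `mode: "0644"`. The `creates: '{{ _report }}'` guard is also a no-op, since `_report` embeds `ansible_date_time.iso8601` and is therefore new on every run. The same hunk reappears in PATCH 4/8 and gets the same note.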
@@ -359,6 +359,84 @@ controller_templates: variable: _hosts required: true + - name: "LINUX / Multi-profile Compliance" + job_type: run + inventory: "Workshop Inventory" + project: "Ansible official demo project" + playbook: "linux/compliance-enforce.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + credentials: + - "Workshop Credential" + extra_vars: + # used by CIS profile role + sudo_require_authentication: false + # used by STIG profile role + sudo_remove_nopasswd: false + sudo_remove_no_authenticate: false + # used by CIS and STIG profile role + accounts_password_set_max_life_existing: false + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + variable: _hosts + required: true + - question_name: Compliance Profile + type: multiplechoice + variable: compliance_profile + required: true + choices: + - cis + - cui + - hipaa + - ospp + - pci_dss + - stig + + - name: "LINUX / Compliance Report" + job_type: run + inventory: "Workshop Inventory" + project: "Ansible official demo project" + playbook: "linux/compliance-report.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + credentials: + - "Workshop Credential" + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + variable: _hosts + required: true + - question_name: Compliance Profile + type: multiplechoice + variable: compliance_profile + required: true + choices: + - cis + - cui + - hipaa + - ospp + - pci_dss + - stig + - question_name: Use httpd on the target host(s) to access reports locally? + type: multiplechoice + variable: use_httpd + required: true + choices: + - "true" + - "false" + default: "true" + - name: "LINUX / Insights Compliance Scan" job_type: run inventory: "Demo Inventory" 
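Review bot: The `extra_vars` block sets `sudo_require_authentication`, `sudo_remove_nopasswd`, `sudo_remove_no_authenticate` and `accounts_password_set_max_life_existing` to false, which keeps demo hosts reachable but deliberately leaves them non-compliant with the chosen profile on those controls; the comments say which role reads each variable, not why it is disabled, so a report run afterwards will presumably still show those checks failing with no hint that this is intentional. Add a comment at the top of the block such as `# these overrides skip sudo and password-expiry controls so demo hosts stay reachable; the result is NOT fully compliant with the selected profile (see README)`. The template names also drift across the series: this hunk creates "LINUX / Compliance Report" (renamed to "LINUX / Multi-profile Compliance Report" in PATCH 8/8), linux/README.md calls it "Linux / Report Compliance", and compliance_profiles.md refers to a "Linux / Enforce Compliance" template that nothing creates; aligning the three would save users a search. The same hunk reappears in PATCH 4/8 and gets the same note.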
@@ -408,3 +486,5 @@ controller_templates: type: text variable: application required: true + +... From 6fc8dcb2067b3880302f65e26058d5384230d9e0 Mon Sep 17 00:00:00 2001 From: Chris Edillon Date: Wed, 9 Aug 2023 17:05:59 -0400 Subject: [PATCH 2/8] role requirements for multi-profile compliance role versions are latest available on galaxy even though the source repos have newer releases --- .gitignore | 2 ++ roles/requirements.yml | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 roles/requirements.yml diff --git a/.gitignore b/.gitignore index 73bcc109d..bb9433c6d 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,5 @@ choose_demo_example_aws.yml .ansible.cfg *.gz +**/roles/* +!**/roles/requirements.yml diff --git a/roles/requirements.yml b/roles/requirements.yml new file mode 100644 index 000000000..75eaa0ce2 --- /dev/null +++ b/roles/requirements.yml 
@@ -0,0 +1,42 @@
+---
+roles:
+ # RHEL 7 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel7_cis
+ version: 0.1.69
+ - name: redhatofficial.rhel7_cui
+ version: 0.1.67
+ - name: redhatofficial.rhel7_hipaa
+ version: 0.1.69
+ - name: redhatofficial.rhel7_ospp
+ version: 0.1.69
+ - name: redhatofficial.rhel7_pci_dss
+ version: 0.1.69
+ - name: redhatofficial.rhel7_stig
+ version: 0.1.69
+ # RHEL 8 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel8_cis
+ version: 0.1.69
+ - name: redhatofficial.rhel8_cui
+ version: 0.1.69
+ - name: redhatofficial.rhel8_hipaa
+ version: 0.1.69
+ - name: redhatofficial.rhel8_ospp
+ version: 0.1.69
+ - name: redhatofficial.rhel8_pci_dss
+ version: 0.1.69
+ - name: redhatofficial.rhel8_stig
+ version: 0.1.69
+ # RHEL 9 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel9_cis
+ version: 0.1.68
+ - name: redhatofficial.rhel9_cui
+ version: 0.1.64
+ - name: redhatofficial.rhel9_hipaa
+ version: 0.1.68
+ - name: redhatofficial.rhel9_ospp
+ version: 0.1.68
+ - name: redhatofficial.rhel9_pci_dss
+ version: 0.1.68
+ - name: redhatofficial.rhel9_stig
+ version: 0.1.64
+...
From b802644b654a0d60f2a9811af166fcc4ca78a960 Mon Sep 17 00:00:00 2001 From: Chris Edillon Date: Mon, 21 Aug 2023 10:05:58 -0400 Subject: [PATCH 3/8] FQCN fix --- linux/compliance-report.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux/compliance-report.yml b/linux/compliance-report.yml
index f695adbce..a1f2274ba 100644
--- a/linux/compliance-report.yml
+++ b/linux/compliance-report.yml
@@ -65,7 +65,7 @@ _report: '{{ _report_dir }}/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html' - name: Generate compliance report - command: >- + ansible.builtin.command: >- oscap xccdf eval --profile {{ _profile }} --report {{ _report }} /usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml args: From f8f303d60a0cff4f870e4ec3b7aa9b57f8210698 Mon Sep 17 00:00:00 2001
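Review bot: The exact version pins are the right call for supply-chain hygiene, but the file does not record the reasoning the commit message gives — that these are the newest builds published on Galaxy, behind the upstream ComplianceAsCode releases, and that rhel7_cui (0.1.67), rhel9_cui and rhel9_stig (0.1.64) lag the rest — so the next person bumping one role has no cue to bump the rhelN family together or to ask why the RHEL 9 CUI/STIG content is several releases older than the CIS/OSPP content it runs beside. Add under `roles:` a comment like `# pinned to the newest builds available on Galaxy as of 2023-08 (upstream has newer releases); bump a whole rhelN family together`. Galaxy role installs are pinned by version only, not by content digest, so a deployment that needs stronger provenance should point `src:` at the tagged upstream repository instead. The identical hunk reappears in PATCH 5/8 and gets the same note.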
From: Chris Edillon Date: Wed, 9 Aug 2023 16:41:18 -0400 Subject: [PATCH 4/8] Add multi-profile compliance templates Added two new playbooks for reporting against and enforcing multiple compliance profile controls using the Compliance as Code remediation content. Update linux/setup.yml to create the related job templates and linux/README.md to update documentation. The compliance_profiles.md document was also added to describe the supported compliance profiles. --- linux/README.md | 12 +++-- linux/compliance-enforce.yml | 17 +++++++ linux/compliance-report.yml | 90 ++++++++++++++++++++++++++++++++++++ linux/compliance_profiles.md | 15 ++++++ linux/setup.yml | 80 ++++++++++++++++++++++++++++++++ 5 files changed, 211 insertions(+), 3 deletions(-) create mode 100644 linux/compliance-enforce.yml create mode 100644 linux/compliance-report.yml create mode 100644 linux/compliance_profiles.md diff --git a/linux/README.md b/linux/README.md index 9984885c8..620ee235a 100644 --- a/linux/README.md +++ b/linux/README.md 
@@ -26,8 +26,10 @@ This category of demos shows examples of linux operations and management with An - [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache - [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page - [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names. -- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline -- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com] +- [**Linux / DISA STIG**](compliance.yml) - Apply the RHEL STIG supplemental content from DISA +- [**Linux / Multi-profile compliance**](compliance-enforce.yml) - Apply remediation from [Compliance as Code](https://github.com/ComplianceAsCode/content) to enforce the requirements of a specified compliance profile +- [**Linux / Report Compliance**](compliance-report.yml) - Run an OpenSCAP report against a specified compliance profile +- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights](https://console.redhat.com) ### Inventory 
@@ -86,6 +88,10 @@ timesync_ntp_servers: pool: yes iburst: yes ``` -**Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason. +**Linux / DISA STIG** - Apply the RHEL STIG security hardening configuration using the [DISA Supplemental Automation Content](https://public.cyber.mil/stigs/supplemental-automation-content/). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason. + +**Linux / Multi-profile Compliance** - Apply security hardening configuration from a [supported compliance profile role](compliance_profiles.md). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Applying certain compliance profiles without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason. 
+ +**Linux / Report Compliance** - Run this template before running the "**Linux / Multi-profile Compliance**" template and again afterwards to highlight the changes made by the enforcement template. By default, the reports are available by pointing a web browser to the system(s) where the report runs. By setting the `use_httpd` variable to "false" in the template survey the reports will instead be stored on the target node in the /tmp/oscap-reports directory. **Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No". diff --git a/linux/compliance-enforce.yml b/linux/compliance-enforce.yml new file mode 100644 index 000000000..b8122e406 --- /dev/null +++ b/linux/compliance-enforce.yml @@ -0,0 +1,17 @@ +--- +- name: Apply compliance profile + hosts: "{{ _hosts | default(omit) }}" + become: true + vars: + compliance_profile: undef + + tasks: + - name: Check os type + ansible.builtin.assert: + that: "ansible_os_family == 'RedHat'" + + - name: Run Compliance Profile + ansible.builtin.include_role: + name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}" + +... diff --git a/linux/compliance-report.yml b/linux/compliance-report.yml new file mode 100644 index 000000000..f695adbce --- /dev/null +++ b/linux/compliance-report.yml 
@@ -0,0 +1,90 @@
+---
+- name: Generate OpenSCAP compliance report
+ hosts: '{{ _hosts | default(omit) }}'
+ become: true
+
+ vars:
+ openscap_packages:
+ - openscap-scanner
+ - openscap-utils
+ - scap-security-guide
+ compliance_profile: ospp
+ use_httpd: true
+
+ tasks:
+ - name: Get our facts straight
+ ansible.builtin.set_fact:
+ _profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
+ _report_dir: /tmp/oscap-reports
+
+ - name: Ensure OpenSCAP tools are installed
+ ansible.builtin.dnf:
+ name: '{{ openscap_packages }}'
+ state: present
+
+ - name: Configure httpd
+ when: use_httpd | bool
+ block:
+ - name: Install httpd
+ ansible.builtin.dnf:
+ name: httpd
+ state: present
+ notify: Restart httpd
+
+ - name: Override report directory
+ ansible.builtin.set_fact:
+ _report_dir: /var/www/html/oscap-reports
+
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Enable firewall http service
+ ansible.posix.firewalld:
+ service: http
+ state: enabled
+ immediate: true
+ permanent: true
+ when: "'firewalld.service' in ansible_facts.services"
+
+ - name: Disable httpd welcome page
+ ansible.builtin.file:
+ path: /etc/httpd/conf.d/welcome.conf
+ state: absent
+ notify: Restart httpd
+
+ - name: Ensure report directory exists
+ ansible.builtin.file:
+ path: '{{ _report_dir }}/{{ _profile }}'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+ - name: Set report name
+ ansible.builtin.set_fact:
+ _report: '{{ _report_dir }}/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html'
+
+ - name: Generate compliance report
+ command: >-
+ oscap xccdf eval --profile {{ _profile }} --report {{ _report }}
+ /usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml
+ args:
+ creates: '{{ _report }}'
+ register: _oscap
+ failed_when: _oscap.rc not in [0, 2]
+
+ - name: Set report permissions
+ ansible.builtin.file:
+ path: '{{ _report }}'
+ owner: root
+ group: root
+ mode: 0644
+
+ handlers:
+ -
name: Restart httpd + ansible.builtin.service: + name: httpd + state: restarted + enabled: true + +... diff --git a/linux/compliance_profiles.md b/linux/compliance_profiles.md new file mode 100644 index 000000000..7ef595c0f --- /dev/null +++ b/linux/compliance_profiles.md @@ -0,0 +1,15 @@ +# Supported Compliance Profiles + +The following compliance profiles are supported by the [**Linux / Enforce Compliance**](README.md#jobs) job template: + +| **Profile** | **Role Repository** | +|-------------|---------------------| +| CIS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cis | +| CUI | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cui | +| HIPAA | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-hipaa | +| OSPP | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-ospp | +| PCI-DSS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-pci-dss | +| DISA STIG | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-stig | + +These roles are derived from the [Compliance as Code](https://github.com/ComplianceAsCode/content) project, which provides SCAP content used by the [OpenSCAP](https://www.open-scap.org/) `oscap` tool. + diff --git a/linux/setup.yml b/linux/setup.yml index dcb031da6..8213d8f36 100644 --- a/linux/setup.yml +++ b/linux/setup.yml 
@@ -359,6 +359,84 @@ controller_templates: variable: _hosts required: true + - name: "LINUX / Multi-profile Compliance" + job_type: run + inventory: "Workshop Inventory" + project: "Ansible official demo project" + playbook: "linux/compliance-enforce.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + credentials: + - "Workshop Credential" + extra_vars: + # used by CIS profile role + sudo_require_authentication: false + # used by STIG profile role + sudo_remove_nopasswd: false + sudo_remove_no_authenticate: false + # used by CIS and STIG profile role + accounts_password_set_max_life_existing: false + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + variable: _hosts + required: true + - question_name: Compliance Profile + type: multiplechoice + variable: compliance_profile + required: true + choices: + - cis + - cui + - hipaa + - ospp + - pci_dss + - stig + + - name: "LINUX / Compliance Report" + job_type: run + inventory: "Workshop Inventory" + project: "Ansible official demo project" + playbook: "linux/compliance-report.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + credentials: + - "Workshop Credential" + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + variable: _hosts + required: true + - question_name: Compliance Profile + type: multiplechoice + variable: compliance_profile + required: true + choices: + - cis + - cui + - hipaa + - ospp + - pci_dss + - stig + - question_name: Use httpd on the target host(s) to access reports locally? + type: multiplechoice + variable: use_httpd + required: true + choices: + - "true" + - "false" + default: "true" + - name: "LINUX / Insights Compliance Scan" job_type: run inventory: "Demo Inventory" 
@@ -408,3 +486,5 @@ controller_templates: type: text variable: application required: true + +... From e5246acbfdcc8756df6faa88b56e5d8cf21e9300 Mon Sep 17 00:00:00 2001 From: Chris Edillon Date: Wed, 9 Aug 2023 17:05:59 -0400 Subject: [PATCH 5/8] role requirements for multi-profile compliance role versions are latest available on galaxy even though the source repos have newer releases --- .gitignore | 2 ++ roles/requirements.yml | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 roles/requirements.yml diff --git a/.gitignore b/.gitignore index 73bcc109d..bb9433c6d 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,5 @@ choose_demo_example_aws.yml .ansible.cfg *.gz +**/roles/* +!**/roles/requirements.yml diff --git a/roles/requirements.yml b/roles/requirements.yml new file mode 100644 index 000000000..75eaa0ce2 --- /dev/null +++ b/roles/requirements.yml 
@@ -0,0 +1,42 @@
+---
+roles:
+ # RHEL 7 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel7_cis
+ version: 0.1.69
+ - name: redhatofficial.rhel7_cui
+ version: 0.1.67
+ - name: redhatofficial.rhel7_hipaa
+ version: 0.1.69
+ - name: redhatofficial.rhel7_ospp
+ version: 0.1.69
+ - name: redhatofficial.rhel7_pci_dss
+ version: 0.1.69
+ - name: redhatofficial.rhel7_stig
+ version: 0.1.69
+ # RHEL 8 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel8_cis
+ version: 0.1.69
+ - name: redhatofficial.rhel8_cui
+ version: 0.1.69
+ - name: redhatofficial.rhel8_hipaa
+ version: 0.1.69
+ - name: redhatofficial.rhel8_ospp
+ version: 0.1.69
+ - name: redhatofficial.rhel8_pci_dss
+ version: 0.1.69
+ - name: redhatofficial.rhel8_stig
+ version: 0.1.69
+ # RHEL 9 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel9_cis
+ version: 0.1.68
+ - name: redhatofficial.rhel9_cui
+ version: 0.1.64
+ - name: redhatofficial.rhel9_hipaa
+ version: 0.1.68
+ - name: redhatofficial.rhel9_ospp
+ version: 0.1.68
+ - name: redhatofficial.rhel9_pci_dss
+ version: 0.1.68
+ - name: redhatofficial.rhel9_stig
+ version: 0.1.64
+...
From 4418ad48c880020dbecc18e56d1eeaa9de472d1f Mon Sep 17 00:00:00 2001 From: Chris Edillon Date: Mon, 21 Aug 2023 10:05:58 -0400 Subject: [PATCH 6/8] FQCN fix --- linux/compliance-report.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux/compliance-report.yml b/linux/compliance-report.yml
index f695adbce..a1f2274ba 100644
--- a/linux/compliance-report.yml
+++ b/linux/compliance-report.yml
@@ -65,7 +65,7 @@ _report: '{{ _report_dir }}/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html' - name: Generate compliance report - command: >- + ansible.builtin.command: >- oscap xccdf eval --profile {{ _profile }} --report {{ _report }} /usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml args: From 82516be04b5eebb5963c4940ffe8df48b8ff6055 Mon Sep 17 00:00:00 2001
From: Chris Edillon Date: Mon, 28 Aug 2023 16:41:02 -0400 Subject: [PATCH 7/8] switch to Demo Inventory/Credential --- linux/setup.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/linux/setup.yml b/linux/setup.yml index 8213d8f36..68c130149 100644 --- a/linux/setup.yml +++ b/linux/setup.yml @@ -361,14 +361,14 @@ controller_templates: - name: "LINUX / Multi-profile Compliance" job_type: run - inventory: "Workshop Inventory" + inventory: "Demo Inventory" project: "Ansible official demo project" playbook: "linux/compliance-enforce.yml" notification_templates_started: Telemetry notification_templates_success: Telemetry notification_templates_error: Telemetry credentials: - - "Workshop Credential" + - "Demo Credential" extra_vars: # used by CIS profile role sudo_require_authentication: false @@ -400,14 +400,14 @@ controller_templates: - name: "LINUX / Compliance Report" job_type: run - inventory: "Workshop Inventory" + inventory: "Demo Inventory" project: "Ansible official demo project" playbook: "linux/compliance-report.yml" notification_templates_started: Telemetry notification_templates_success: Telemetry notification_templates_error: Telemetry credentials: - - "Workshop Credential" + - "Demo Credential" survey_enabled: true survey: name: '' From 41f27204d7b97dec3e63f6249c55201217c52d90 Mon Sep 17 00:00:00 2001 From: Chris Edillon Date: Mon, 28 Aug 2023 16:46:18 -0400 Subject: [PATCH 8/8] renamed compliance reporting template --- linux/setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux/setup.yml b/linux/setup.yml index 68c130149..b4ccd526e 100644 --- a/linux/setup.yml +++ b/linux/setup.yml @@ -398,7 +398,7 @@ controller_templates: - pci_dss - stig - - name: "LINUX / Compliance Report" + - name: "LINUX / Multi-profile Compliance Report" job_type: run inventory: "Demo Inventory" project: "Ansible official demo project"