Multi-profile compliance

.gitignore

@@ -7,3 +7,5 @@ choose_demo_example_aws.yml
 .ansible.cfg
 *.gz
 
+**/roles/*
+!**/roles/requirements.yml

linux/README.md

@@ -26,8 +26,10 @@ This category of demos shows examples of linux operations and management with An
 - [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache
 - [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page
 - [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names.
-- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline
-- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com]
+- [**Linux / DISA STIG**](compliance.yml) - Apply the RHEL STIG supplemental content from DISA
+- [**Linux / Multi-profile compliance**](compliance-enforce.yml) - Apply remediation from [Compliance as Code](https://github.com/ComplianceAsCode/content) to enforce the requirements of a specified compliance profile
+- [**Linux / Report Compliance**](compliance-report.yml) - Run an OpenSCAP report against a specified compliance profile
+- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights](https://console.redhat.com)
 
 ### Inventory
 
@@ -86,6 +88,10 @@ timesync_ntp_servers:
     pool: yes
     iburst: yes
 ```
-**Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
+**Linux / DISA STIG** - Apply the RHEL STIG security hardening configuration using the [DISA Supplemental Automation Content](https://public.cyber.mil/stigs/supplemental-automation-content/). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
+
+**Linux / Multi-profile Compliance** - Apply security hardening configuration from a [supported compliance profile role](compliance_profiles.md). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Applying certain compliance profiles without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
+
+**Linux / Report Compliance** - Run this template before running the "**Linux / Multi-profile Compliance**" template and again afterwards to highlight the changes made by the enforcement template.  By default, the reports are available by pointing a web browser to the system(s) where the report runs.  By setting the `use_httpd` variable to "false" in the template survey the reports will instead be stored on the target node in the /tmp/oscap-reports directory.
 
 **Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No".

linux/compliance-enforce.yml

@@ -0,0 +1,17 @@
+---
+- name: Apply compliance profile
+  hosts: "{{ _hosts | default(omit) }}"
+  become: true
+  vars:
+    compliance_profile: undef
+
+  tasks:
+    - name: Check os type
+      ansible.builtin.assert:
+        that: "ansible_os_family == 'RedHat'"
+
+    - name: Run Compliance Profile
+      ansible.builtin.include_role:
+        name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"
+
+...

linux/compliance-report.yml

@@ -0,0 +1,90 @@
+---
+- name: Generate OpenSCAP compliance report
+  hosts: '{{ _hosts | default(omit) }}'
+  become: true
+
+  vars:
+    openscap_packages:
+      - openscap-scanner
+      - openscap-utils
+      - scap-security-guide
+    compliance_profile: ospp
+    use_httpd: true
+
+  tasks:
+    - name: Get our facts straight
+      ansible.builtin.set_fact:
+        _profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
+        _report_dir: /tmp/oscap-reports
+
+    - name: Ensure OpenSCAP tools are installed
+      ansible.builtin.dnf:
+        name: '{{ openscap_packages }}'
+        state: present
+
+    - name: Configure httpd
+      when: use_httpd | bool
+      block:
+        - name: Install httpd
+          ansible.builtin.dnf:
+            name: httpd
+            state: present
+          notify: Restart httpd
+
+        - name: Override report directory
+          ansible.builtin.set_fact:
+            _report_dir: /var/www/html/oscap-reports
+
+        - name: Gather service facts
+          ansible.builtin.service_facts:
+
+        - name: Enable firewall http service
+          ansible.posix.firewalld:
+            service: http
+            state: enabled
+            immediate: true
+            permanent: true
+          when: "'firewalld.service' in ansible_facts.services"
+
+        - name: Disable httpd welcome page
+          ansible.builtin.file:
+            path: /etc/httpd/conf.d/welcome.conf
+            state: absent
+          notify: Restart httpd
+
+    - name: Ensure report directory exists
+      ansible.builtin.file:
+        path: '{{ _report_dir }}/{{ _profile }}'
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+
+    - name: Set report name
+      ansible.builtin.set_fact:
+        _report: '{{ _report_dir }}/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html'
+
+    - name: Generate compliance report
+      ansible.builtin.command: >-
+        oscap xccdf eval --profile {{ _profile }} --report {{ _report }}
+        /usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml
+      args:
+        creates: '{{ _report }}'
+      register: _oscap
+      failed_when: _oscap.rc not in [0, 2]
+
+    - name: Set report permissions
+      ansible.builtin.file:
+        path: '{{ _report }}'
+        owner: root
+        group: root
+        mode: 0644
+
+  handlers:
+    - name: Restart httpd
+      ansible.builtin.service:
+        name: httpd
+        state: restarted
+        enabled: true
+
+...

linux/compliance_profiles.md

@@ -0,0 +1,15 @@
+# Supported Compliance Profiles
+
+The following compliance profiles are supported by the [**Linux / Enforce Compliance**](README.md#jobs) job template:
+
+| **Profile** | **Role Repository** |
+|-------------|---------------------|
+| CIS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cis |
+| CUI | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cui |
+| HIPAA | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-hipaa |
+| OSPP | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-ospp |
+| PCI-DSS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-pci-dss |
+| DISA STIG | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-stig |
+
+These roles are derived from the [Compliance as Code](https://github.com/ComplianceAsCode/content) project, which provides SCAP content used by the [OpenSCAP](https://www.open-scap.org/) `oscap` tool.
+

linux/setup.yml

@@ -359,6 +359,84 @@ controller_templates:
           variable: _hosts
           required: true
 
+  - name: "LINUX / Multi-profile Compliance"
+    job_type: run
+    inventory: "Demo Inventory"
+    project: "Ansible official demo project"
+    playbook: "linux/compliance-enforce.yml"
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    credentials:
+      - "Demo Credential"
+    extra_vars:
+      # used by CIS profile role
+      sudo_require_authentication: false
+      # used by STIG profile role
+      sudo_remove_nopasswd: false
+      sudo_remove_no_authenticate: false
+      # used by CIS and STIG profile role
+      accounts_password_set_max_life_existing: false
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: _hosts
+          required: true
+        - question_name: Compliance Profile
+          type: multiplechoice
+          variable: compliance_profile
+          required: true
+          choices:
+            - cis
+            - cui
+            - hipaa
+            - ospp
+            - pci_dss
+            - stig
+
+  - name: "LINUX / Multi-profile Compliance Report"
+    job_type: run
+    inventory: "Demo Inventory"
+    project: "Ansible official demo project"
+    playbook: "linux/compliance-report.yml"
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    credentials:
+      - "Demo Credential"
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: _hosts
+          required: true
+        - question_name: Compliance Profile
+          type: multiplechoice
+          variable: compliance_profile
+          required: true
+          choices:
+            - cis
+            - cui
+            - hipaa
+            - ospp
+            - pci_dss
+            - stig
+        - question_name: Use httpd on the target host(s) to access reports locally?
+          type: multiplechoice
+          variable: use_httpd
+          required: true
+          choices:
+            - "true"
+            - "false"
+          default: "true"
+
   - name: "LINUX / Insights Compliance Scan"
     job_type: run
     inventory: "Demo Inventory"
@@ -408,3 +486,5 @@ controller_templates:
           type: text
           variable: application
           required: true
+
+...

roles/requirements.yml

@@ -0,0 +1,42 @@
+---
+roles:
+  # RHEL 7 compliance roles from ComplianceAsCode
+  - name: redhatofficial.rhel7_cis
+    version: 0.1.69
+  - name: redhatofficial.rhel7_cui
+    version: 0.1.67
+  - name: redhatofficial.rhel7_hipaa
+    version: 0.1.69
+  - name: redhatofficial.rhel7_ospp
+    version: 0.1.69
+  - name: redhatofficial.rhel7_pci_dss
+    version: 0.1.69
+  - name: redhatofficial.rhel7_stig
+    version: 0.1.69
+  # RHEL 8 compliance roles from ComplianceAsCode
+  - name: redhatofficial.rhel8_cis
+    version: 0.1.69
+  - name: redhatofficial.rhel8_cui
+    version: 0.1.69
+  - name: redhatofficial.rhel8_hipaa
+    version: 0.1.69
+  - name: redhatofficial.rhel8_ospp
+    version: 0.1.69
+  - name: redhatofficial.rhel8_pci_dss
+    version: 0.1.69
+  - name: redhatofficial.rhel8_stig
+    version: 0.1.69
+  # RHEL 9 compliance roles from ComplianceAsCode
+  - name: redhatofficial.rhel9_cis
+    version: 0.1.68
+  - name: redhatofficial.rhel9_cui
+    version: 0.1.64
+  - name: redhatofficial.rhel9_hipaa
+    version: 0.1.68
+  - name: redhatofficial.rhel9_ospp
+    version: 0.1.68
+  - name: redhatofficial.rhel9_pci_dss
+    version: 0.1.68
+  - name: redhatofficial.rhel9_stig
+    version: 0.1.64
+...