From 5939284f656d889eaabc865cbd588a7b51e23e6d Mon Sep 17 00:00:00 2001
From: benblasco <42140583+benblasco@users.noreply.github.com>
Date: Thu, 1 Dec 2022 08:01:04 +1100
Subject: [PATCH] Added Insights Compliance Scan (Issue #49) (#51)
Co-authored-by: Benjamin Blasco
---
 linux/README.md | 5 ++++-
 linux/insights_compliance_scan.yml | 24 ++++++++++++++++++++++++
 linux/setup.yml | 27 ++++++++++++++++++++++++++-
 3 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 linux/insights_compliance_scan.yml
diff --git a/linux/README.md b/linux/README.md
index b68ba47..9984885 100644
--- a/linux/README.md
+++ b/linux/README.md
@@ -26,7 +26,8 @@ This category of demos shows examples of linux operations and management with An
 - [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache
 - [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page
 - [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names.
-- [**Linux / Compliance**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline
+- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline
+- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com]
 ### Inventory
@@ -86,3 +87,5 @@ timesync_ntp_servers:
 iburst: yes
 ```
 **Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
+
+**Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No".
diff --git a/linux/insights_compliance_scan.yml b/linux/insights_compliance_scan.yml
new file mode 100644
index 0000000..6faa0d4
--- /dev/null
+++ b/linux/insights_compliance_scan.yml
@@ -0,0 +1,24 @@
+---
+- hosts: "{{ HOSTS }}"
+ become: true
+ vars:
+ #compliance_profile: undef
+
+ tasks:
+ - name: Check OS Type
+ assert:
+ that: "ansible_os_family == 'RedHat'"
+ - name: Check variable values
+ debug:
+ msg: "Value of compliance_profile_configured is {{ compliance_profile_configured }}"
+ - name: Run Insights Compliance scan
+ import_role:
+ name: redhat.insights.compliance
+ when: compliance_profile_configured == "Yes"
+ - name: Notify user that Compliance scan is not being attempted
+ debug:
+ msg: "User has not confirmed that all hosts are associated with an Insights Compliance profile. Scan aborted."
+ when: compliance_profile_configured == "No"
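Review bot: The conditionals `when: compliance_profile_configured == "Yes"` on the "Run Insights Compliance scan" task and `== "No"` on the notify task match only those two exact strings, so any other value reaching the play (`-e compliance_profile_configured=yes`, a boolean `true`, a lowercase answer, or the variable left unset when the survey is bypassed) skips both tasks and the job still ends successfully — a compliance scan that never ran reports green. The "Check variable values" task only echoes the value; making it an `assert` turns a bad or missing value into a hard failure before the role is imported, as below. Separately, consider whether the "No" branch should be `ansible.builtin.fail` rather than `debug`, so that anything consuming the job status cannot mistake an aborted scan for a clean one; the README documents the skip as intended, so this is a judgement call for the demo. The `#compliance_profile: undef` placeholder leaves `vars:` with no value, which Ansible appears to tolerate as an empty mapping, but `vars: {}` or dropping the key would read more clearly.
```yaml
    - name: Check variable values
      assert:
        that:
          - compliance_profile_configured is defined
          - compliance_profile_configured in ["Yes", "No"]
        fail_msg: "compliance_profile_configured must be exactly 'Yes' or 'No' (got: {{ compliance_profile_configured | default('undefined') }})"
    # … unchanged: Run Insights Compliance scan / Notify user tasks …
```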
diff --git a/linux/setup.yml b/linux/setup.yml
index 43ecf6f..afc0467 100644
--- a/linux/setup.yml
+++ b/linux/setup.yml
@@ -292,7 +292,7 @@ controller_templates:
 variable: HOSTS
 required: true
- - name: "LINUX / Compliance"
+ - name: "LINUX / Compliance Enforce"
 job_type: run
 inventory: "Workshop Inventory"
 project: "Ansible official demo project"
@@ -319,3 +319,28 @@ controller_templates:
 required: true
 choices:
 - stig
+
+ - name: "LINUX / Insights Compliance Scan"
+ job_type: run
+ inventory: "Workshop Inventory"
+ project: "Ansible official demo project"
+ playbook: "linux/insights_compliance_scan.yml"
+ credentials:
+ - "Workshop Credential"
+ survey_enabled: true
+ survey:
+ name: ''
+ description: ''
+ spec:
+ - question_name: Server Name or Pattern
+ type: text
+ variable: HOSTS
+ required: true
+ - question_name: Have you associated a compliance profile in the Insights Console for all hosts to be scanned? If not, then the scan will fail.
+ type: multiplechoice
+ variable: compliance_profile_configured
+ required: true
+ choices:
+ - "Yes"
+ - "No"
+ default: "No"
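Review bot: `default: "No"` on the compliance_profile_configured question, together with the playbook treating "No" as "skip the scan and finish successfully", means a launch that never presents the survey (a schedule, a workflow node, or an API launch without extra_vars) yields a green job in which no scan ran. Because the question is already `required: true`, removing the `default: "No"` line forces an explicit choice at every launch, and if I read the controller's survey validation correctly an unanswered required question then rejects the launch instead of silently succeeding. The question text could also state what each answer does, since the playbook acts on it: `question_name: Have you associated a compliance profile in the Insights Console for all hosts to be scanned? Answer No to skip the scan; answering Yes without a profile in place will make the scan fail.`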