reverting b/c symbolic link doesn't work :-|

2022-02-04 09:21:45 -05:00
parent 258d0f4869
commit 6431c64213
25 changed files with 48 additions and 3 deletions
--- a/playbooks/security/hardening.yml
+++ b/playbooks/security/hardening.yml
@@ -0,0 +1,31 @@
+---
+- name: harden linux systems
+  hosts: "{{ HOSTS | default('web') }}"
+  become: true
+  vars:
+    - harden_firewall: false
+    - harden_time: false
+    - harden_ssh: false
+    - harden_pci: false
+
+  tasks:
+    - name: Configure Firewall
+      when: harden_firewall | bool
+      include_role:
+        name: linux-system-roles.firewall
+
+    - name: Configure Timesync
+      when: harden_time | bool
+      include_role:
+        name: redhat.rhel_system_roles.timesync
+
+    - name: SSH Hardening
+      when: harden_ssh | bool
+      include_role:
+        name: dev-sec.ssh-hardening
+
+    # run with --skip-tags accounts_passwords_pam_faillock_deny
+    - name: Apply PCI Baseline
+      when: harden_pci | bool
+      include_role:
+        name: redhatofficial.rhel8_pci_dss
--- a/playbooks/security/openscap.yml
+++ b/playbooks/security/openscap.yml
@@ -0,0 +1,45 @@
+---
+- name: build openscap report for rhel7
+  hosts: web
+  gather_facts: false
+
+  vars:
+    file_path: "/var/www/html/openscap/"
+    ssg_schema: "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
+
+  tasks:
+    - name: make sure openscap-scanner and scap-security guide are installed
+      yum:
+        name:
+          - openscap-scanner
+          - scap-security-guide
+        state: present
+
+    - name: Check if  SCAP Security Guide (SSG) profile is available
+      stat:
+        path: "{{ssg_schema}}"
+
+    - name: create HTML report
+      command: "oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results report.xml --report index.html {{ssg_schema}}"
+      register: command_result
+      failed_when: "'Error' in command_result.stderr"
+
+    - name: Create directory if it does falset exist
+      become: true
+      file:
+        path: "{{file_path}}"
+        state: directory
+
+    - name: move files into httpd
+      become: true
+      copy:
+        src: ./{{item}}
+        dest: "{{file_path}}/{{item}}"
+        remote_src: true
+      loop:
+        - report.xml
+        - index.html
+
+    - name: DISPLAY LINK TO INVENTORY REPORT
+      debug:
+        msg: "Please go to http://{{ansible_host}}/openscap"