ptoal/product-demos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Multi-profile compliance (#87)

Browse Source 
Co-authored-by: willtome <wtome@redhat.com>
This commit is contained in:
Chris Edillon
2023-09-25 15:13:15 -04:00
committed by GitHub
parent 44585bf1b9
commit a5aa9564f5
7 changed files with 255 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
linux/README.md
View File

@@ -26,8 +26,10 @@ This category of demos shows examples of linux operations and management with An
- [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache
- [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page
- [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names.
- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline
- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com]
- [**Linux / DISA STIG**](compliance.yml) - Apply the RHEL STIG supplemental content from DISA
- [**Linux / Multi-profile compliance**](compliance-enforce.yml) - Apply remediation from [Compliance as Code](https://github.com/ComplianceAsCode/content) to enforce the requirements of a specified compliance profile
- [**Linux / Report Compliance**](compliance-report.yml) - Run an OpenSCAP report against a specified compliance profile
- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights](https://console.redhat.com)
### Inventory
@@ -86,6 +88,10 @@ timesync_ntp_servers:
pool: yes
iburst: yes
```
**Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
**Linux / DISA STIG** - Apply the RHEL STIG security hardening configuration using the [DISA Supplemental Automation Content](https://public.cyber.mil/stigs/supplemental-automation-content/). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
**Linux / Multi-profile Compliance** - Apply security hardening configuration from a [supported compliance profile role](compliance_profiles.md). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Applying certain compliance profiles without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
**Linux / Report Compliance** - Run this template before running the "**Linux / Multi-profile Compliance**" template and again afterwards to highlight the changes made by the enforcement template. By default, the reports are available by pointing a web browser to the system(s) where the report runs. By setting the `use_httpd` variable to "false" in the template survey the reports will instead be stored on the target node in the /tmp/oscap-reports directory.
**Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No".

17
linux/compliance-enforce.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: Apply compliance profile
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
compliance_profile: undef
tasks:
- name: Check os type
ansible.builtin.assert:
that: "ansible_os_family == 'RedHat'"
- name: Run Compliance Profile
ansible.builtin.include_role:
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"
...

90
linux/compliance-report.yml Normal file
View File

@@ -0,0 +1,90 @@
---
- name: Generate OpenSCAP compliance report
hosts: '{{ _hosts | default(omit) }}'
become: true
vars:
openscap_packages:
- openscap-scanner
- openscap-utils
- scap-security-guide
compliance_profile: ospp
use_httpd: true
tasks:
- name: Get our facts straight
ansible.builtin.set_fact:
_profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
_report_dir: /tmp/oscap-reports
- name: Ensure OpenSCAP tools are installed
ansible.builtin.dnf:
name: '{{ openscap_packages }}'
state: present
- name: Configure httpd
when: use_httpd | bool
block:
- name: Install httpd
ansible.builtin.dnf:
name: httpd
state: present
notify: Restart httpd
- name: Override report directory
ansible.builtin.set_fact:
_report_dir: /var/www/html/oscap-reports
- name: Gather service facts
ansible.builtin.service_facts:
- name: Enable firewall http service
ansible.posix.firewalld:
service: http
state: enabled
immediate: true
permanent: true
when: "'firewalld.service' in ansible_facts.services"
- name: Disable httpd welcome page
ansible.builtin.file:
path: /etc/httpd/conf.d/welcome.conf
state: absent
notify: Restart httpd
- name: Ensure report directory exists
ansible.builtin.file:
path: '{{ _report_dir }}/{{ _profile }}'
state: directory
owner: root
group: root
mode: 0755
- name: Set report name
ansible.builtin.set_fact:
_report: '{{ _report_dir }}/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html'
- name: Generate compliance report
ansible.builtin.command: >-
oscap xccdf eval --profile {{ _profile }} --report {{ _report }}
/usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml
args:
creates: '{{ _report }}'
register: _oscap
failed_when: _oscap.rc not in [0, 2]
- name: Set report permissions
ansible.builtin.file:
path: '{{ _report }}'
owner: root
group: root
mode: 0644
handlers:
- name: Restart httpd
ansible.builtin.service:
name: httpd
state: restarted
enabled: true
...

15
linux/compliance_profiles.md Normal file
View File

@@ -0,0 +1,15 @@
# Supported Compliance Profiles
The following compliance profiles are supported by the [**Linux / Enforce Compliance**](README.md#jobs) job template:
| **Profile** | **Role Repository** |
|-------------|---------------------|
| CIS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cis |
| CUI | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cui |
| HIPAA | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-hipaa |
| OSPP | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-ospp |
| PCI-DSS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-pci-dss |
| DISA STIG | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-stig |
These roles are derived from the [Compliance as Code](https://github.com/ComplianceAsCode/content) project, which provides SCAP content used by the [OpenSCAP](https://www.open-scap.org/) `oscap` tool.

80
linux/setup.yml
View File

@@ -359,6 +359,84 @@ controller_templates:
variable: _hosts
required: true
- name: "LINUX / Multi-profile Compliance"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "linux/compliance-enforce.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
extra_vars:
# used by CIS profile role
sudo_require_authentication: false
# used by STIG profile role
sudo_remove_nopasswd: false
sudo_remove_no_authenticate: false
# used by CIS and STIG profile role
accounts_password_set_max_life_existing: false
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- question_name: Compliance Profile
type: multiplechoice
variable: compliance_profile
required: true
choices:
- cis
- cui
- hipaa
- ospp
- pci_dss
- stig
- name: "LINUX / Multi-profile Compliance Report"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "linux/compliance-report.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- question_name: Compliance Profile
type: multiplechoice
variable: compliance_profile
required: true
choices:
- cis
- cui
- hipaa
- ospp
- pci_dss
- stig
- question_name: Use httpd on the target host(s) to access reports locally?
type: multiplechoice
variable: use_httpd
required: true
choices:
- "true"
- "false"
default: "true"
- name: "LINUX / Insights Compliance Scan"
job_type: run
inventory: "Demo Inventory"
@@ -408,3 +486,5 @@ controller_templates:
type: text
variable: application
required: true
...