add compliance
add job template fix I add extra vars add documentation Added contributing doc (#2) add contributing doc cleaning up docs add suggested usage log demo DERP network demos change role name source update add hub creds add readme add main readme typo, no biggie (#23) https://knowyourmeme.com/memes/but-its-honest-work add notification fix var fix var fix var fix vars fix vars fix vars fix vars fix vars add telemetry update telemetry add feedback add feedback add feedback update windows stuff bugs bugs bugs bugs add assert add groups update AD jobs random pass pin version for comm.gen Add landing page (#25) * work on landing page * work on landing page * work on landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * add files * derp * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add ee * add ee * add ee * fix landing page * fix landing page * fix landing page * fix landing page * fix landing page * remove commented out sections Increased the Idle Time Force Log Out (#28) * increased timeout * sdf * asdf * corrected key Instruqt Refactor (#40) * work on landing page * work on landing page * work on landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * add files * derp * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add ee * add ee * add ee * fix landing page * fix landing page * fix landing page * fix landing page * fix landing page * remove commented out sections * remove default ee * set local admin password * set ee for fact scan * fall back to default ee for patching * check for valid org_id * check for valid org_id * check admin username * add remote_user * credssp * ntlm Add network report job template (#44) * Network report Linux demo updates bblasco pt1 (#45) * Improved description of Ansible group to address issue #29 * Ensured "at" package is present rather than latest for Issue #31 * Added timesync as a second example role to run (Issue #37) Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Added task to print STDOUT lines from script (Issue #33) (#46) Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Added Insights Compliance Scan (Issue #49) (#51) Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Linux demo updates bblasco podman (#47) * Switched from using podman volumes to file path (issue #36) * Improved readability of output * Added a sensible default message for web server (Issue #36) Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Run insights scan (skip errors if not configured) (Issue #32) (#48) * Run insights scan (skip errors if not configured) (Issue #32) * Improved Insights client checks to use facts defined by redhatinsights.insights.insights_client role * Fixed missed call to debug module * Updated message for clarity Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Issue 52 (#53) * add fact scan * add fact scan * update patching role * dont ask limit * add become Add Satellite Demos (#41) * add satellite demos * move satellite vars to setup.yml * fix var * fix playbook path * remove async * fix = * fix condition * fix lookup * add credential * update tools version * fix scap role * add satellite setup * add satellite stuff * remove local * stupid * stupid * params * these vars arent right * these vars arent right * add compliance workflow * work on landing page * work on landing page * work on landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * add files * derp * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add ee * add ee * add ee * fix landing page * fix landing page * fix landing page * fix landing page * fix landing page * remove commented out sections * remove default ee * set local admin password * set ee for fact scan * fall back to default ee for patching * check for valid org_id * check for valid org_id * no gpg * no gpg * add satllite stuff * update cred type * update cred type * raw * raw * work on landing page * work on landing page * work on landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * add files * derp * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add ee * add ee * add ee * fix landing page * fix landing page * fix landing page * fix landing page * fix landing page * remove commented out sections * remove default ee * set local admin password * set ee for fact scan * fall back to default ee for patching * check for valid org_id * check for valid org_id * no gpg * no gpg * add satllite stuff * update cred type * update cred type * raw * raw * raw * merge satellite * fix vars * fix vars * fix vars * fix vars * add publish * add lifecycle and actviation keys * workaround for publish issue * use module to publish * use module to publish * use module to publish * use module to publish * change sat version * change sat version * change sat version * remove maint repos * launch sat setup * reorder * reorder * moar inventory * add manifest refresh * add telemetry * run linux setup * parentefcf729fa0author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668183942 -0500 parentefcf729fa0author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668183785 -0500 parentefcf729fa0author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668183318 -0500 parentefcf729fa0author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668182787 -0500 parentefcf729fa0author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668182651 -0500 add satellite demos work on landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page add files derp add link add link add link add link add link add link add link add link add link add link add link add link add ee add ee add ee fix landing page fix landing page fix landing page fix landing page fix landing page remove commented out sections remove default ee set local admin password set ee for fact scan fall back to default ee for patching check for valid org_id check for valid org_id no gpg no gpg add satllite stuff update cred type update cred type raw raw raw add satellite demos move satellite vars to setup.yml fix var fix playbook path remove async fix = fix condition fix lookup add credential update tools version fix scap role add satellite setup add satellite stuff remove local stupid stupid params these vars arent right these vars arent right add compliance workflow work on landing page work on landing page work on landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page add files derp add link add link add link add link add link add link add link add link add link add link add link add link add ee add ee add ee fix landing page fix landing page fix landing page fix landing page fix landing page remove commented out sections remove default ee set local admin password set ee for fact scan fall back to default ee for patching check for valid org_id check for valid org_id no gpg no gpg update cred type update cred type raw merge satellite fix vars fix vars fix vars fix vars add publish add lifecycle and actviation keys workaround for publish issue use module to publish use module to publish use module to publish use module to publish change sat version change sat version change sat version remove maint repos launch sat setup reorder reorder moar inventory add manifest refresh add telemetry run linux setup * Updates to node1 (#42) clean up satellite config clean up server registration add web console job Co-authored-by: Calvin Smith <calvingsmith@users.noreply.github.com> * add rhel 8 tailoring * add ee * dont verify certs * Update setup.yml * Update setup.yml * what the heck Co-authored-by: calvingsmith <4283930+calvingsmith@users.noreply.github.com> Co-authored-by: Calvin Smith <calvingsmith@users.noreply.github.com> Fixes for Issues 54 and 55 (#56) * add fixes * add survey for org id updated version (#58) add rhel9 (#18) check-install missing packages (#63) * check-install missing packages * updated subcription manager installation * move subscription manager install up Bump ansible.controller version (#60) * bump * bumperino * corrected * Update requirements.yml * Update requirements.yml * Update requirements.yml --------- Co-authored-by: willtome <willtome@gmail.com> fix selinux variables (#66) Integration of Content Lab for AWS (#67) * add jobs * role name * scm * naming * add new jobs * update URL * add playbook * add keypair * fix spaces * update setup * add rhel9 * change to main branch
This commit is contained in:
willtome
@@ -0,0 +1,4 @@
|
||||
---
|
||||
instance_name: "{{ inventory_hostname | regex_replace('_','-') }}"
|
||||
activation_key: "{{ 'RHEL' + ansible_distribution_major_version + '_' + env }}"
|
||||
rex_user: root # "{{ ansible_user }}"
|
||||
@@ -0,0 +1,67 @@
|
||||
---
|
||||
- name: verify operating system
|
||||
assert:
|
||||
that:
|
||||
- ansible_os_family == 'RedHat'
|
||||
- (ansible_distribution_major_version == '7') or (ansible_distribution_major_version == '8')
|
||||
|
||||
- name: set hostname
|
||||
hostname:
|
||||
name: "{{ instance_name }}"
|
||||
|
||||
- name: remove rhui client packages
|
||||
yum:
|
||||
name:
|
||||
- google-rhui-client*
|
||||
- rh-amazon-rhui-client*
|
||||
state: removed
|
||||
|
||||
- name: get current repos
|
||||
command:
|
||||
cmd: ls /etc/yum.repos.d/
|
||||
register: repos
|
||||
changed_when: False
|
||||
|
||||
- name: remove existing rhui repos
|
||||
file:
|
||||
path: "/etc/yum.repos.d/{{ item }}"
|
||||
state: absent
|
||||
loop: "{{ repos.stdout_lines }}"
|
||||
|
||||
- name: install satellite certificate
|
||||
yum:
|
||||
name: "{{ satellite_url }}/pub/katello-ca-consumer-latest.noarch.rpm"
|
||||
state: present
|
||||
validate_certs: no
|
||||
disable_gpg_check: true
|
||||
|
||||
- name: register system via subscription-mangler
|
||||
redhat_subscription:
|
||||
state: present
|
||||
activationkey: "{{ activation_key }}"
|
||||
consumer_name: "{{ instance_name }}"
|
||||
org_id: "{{ org_id | default('Default_Organization')}}"
|
||||
throttle: 1
|
||||
|
||||
- name: include repos
|
||||
include_vars: "vars/{{ ansible_distribution + ansible_distribution_major_version }}.yml"
|
||||
|
||||
- name: enable repos
|
||||
rhsm_repository:
|
||||
name: "{{ rhsm_enabled_repos }}"
|
||||
state: enabled
|
||||
|
||||
- name: install satellite client
|
||||
yum:
|
||||
name:
|
||||
- katello-host-tools
|
||||
- katello-host-tools-tracer
|
||||
state: latest
|
||||
|
||||
- name: enable remote execution
|
||||
authorized_key:
|
||||
user: "{{ rex_user }}"
|
||||
state: present
|
||||
key: "{{ satellite_url }}:9090/ssh/pubkey"
|
||||
validate_certs: no
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
rhsm_enabled_repos:
|
||||
- rhel-7-server-rpms
|
||||
#- rhel-7-server-satellite-maintenance-6.11-rpms
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
rhsm_enabled_repos:
|
||||
- rhel-8-for-x86_64-baseos-rpms
|
||||
- rhel-8-for-x86_64-appstream-rpms
|
||||
- satellite-client-6-for-rhel-8-x86_64-rpms
|
||||
@@ -0,0 +1,17 @@
|
||||
# Change Log
|
||||
All notable changes to this project will be documented in this file.
|
||||
## [0.0.1] - 20/03/2018 - First Release
|
||||
### Added
|
||||
- Install required packages
|
||||
- Obtain data from satellite API
|
||||
- Configure crontab and config.yaml
|
||||
|
||||
### Changed
|
||||
|
||||
### Removed
|
||||
|
||||
### Pending
|
||||
- Allow a list of policies to be applied (only one is allowed at the moment)
|
||||
- Get schedule from the policy instead of configure it using parameters
|
||||
- Configure URI tasks to ask capsule instead of Satellite (for hosts without network access to the satellite api)
|
||||
- Add tests to vars to be correctly formatted
|
||||
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2018 morenod
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,45 @@
|
||||
# Openscap client configuration Role
|
||||
|
||||
## About
|
||||
|
||||
Role created to configure a client to execute openscap policies based on the information obtained from a Red Hat Satellite/Foreman Host.
|
||||
|
||||
Steps and configuration changes obtained from the [foreman_scap_client puppet module](https://github.com/theforeman/puppet-foreman_scap_client)
|
||||
|
||||
The role has to be executed with root permission, using the root user or via sudo because it will modify system parameters.
|
||||
|
||||
## Ansible Requirements
|
||||
|
||||
RPM Repositories have to be enabled and containing required packages.
|
||||
|
||||
## Configuration parameters
|
||||
|
||||
### Required vars to be overwritten
|
||||
|
||||
- `satellite_server`: Used to obtain policy parameters
|
||||
- `satellite_username`: Used to obtain policy parameters
|
||||
- `satellite_password`: Used to obtain policy parameters
|
||||
- `capsule_server`: Used to configure openscap client config.yaml file
|
||||
- `capsule_port`: Used to configure openscap client config.yaml file
|
||||
- `policy_name`: Name of the SCAP Policy to be configured
|
||||
|
||||
## Example playbook
|
||||
|
||||
```yml
|
||||
---
|
||||
- name: openscap client
|
||||
hosts: <<host list>>
|
||||
remote_user: <<user>>
|
||||
gather_facts: true
|
||||
become: yes
|
||||
become_user: root
|
||||
become_method: sudo
|
||||
vars:
|
||||
satellite_server: satellite.example.com
|
||||
satellite_username`: admin
|
||||
satellite_password`: verycomplexpassword
|
||||
capsule_server`: capsule.example.com
|
||||
policy_name`: 'rhel7-pci'
|
||||
roles:
|
||||
- ansible-ipaRegister
|
||||
```
|
||||
@@ -0,0 +1,12 @@
|
||||
foreman_server_url: "{{ lookup('env', 'SATELLITE_SERVER') }}"
|
||||
foreman_username: "{{ lookup('env', 'SATELLITE_USERNAME') }}"
|
||||
foreman_password: "{{ lookup('env', 'SATELLITE_PASSWORD') }}"
|
||||
foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true) }}"
|
||||
capsule_server: "{{ foreman_server_url }}"
|
||||
capsule_port: '9090'
|
||||
policy_name: 'all'
|
||||
policy_scan: "{{ policy_name }}"
|
||||
crontab_hour: 2
|
||||
crontab_minute: 0
|
||||
crontab_weekdays: 0
|
||||
foreman_operations_scap_client_secure_logging: true
|
||||
@@ -0,0 +1,3 @@
|
||||
galaxy_info:
|
||||
author: morenod
|
||||
description: Role created to configure a client to execute openscap policies based on the information obtained from a Red Hat Satellite/Foreman Host.
|
||||
@@ -0,0 +1,85 @@
|
||||
---
|
||||
- name: Install openscap client packages
|
||||
yum:
|
||||
name:
|
||||
- openscap-scanner
|
||||
- rubygem-foreman_scap_client
|
||||
state: present
|
||||
|
||||
- name: Get Policy parameters
|
||||
uri:
|
||||
url: "{{ foreman_server_url }}/api/v2/compliance/policies"
|
||||
method: GET
|
||||
user: "{{ foreman_username }}"
|
||||
password: "{{ foreman_password }}"
|
||||
force_basic_auth: yes
|
||||
body_format: json
|
||||
validate_certs: False
|
||||
register: policies
|
||||
no_log: "{{ foreman_operations_scap_client_secure_logging }}"
|
||||
|
||||
- name: Build policy {{ policy_name }} parameters
|
||||
set_fact:
|
||||
policy: "{{ policy | default([]) }} + {{ [item] }}"
|
||||
loop: "{{policies.json.results}}"
|
||||
when: item.name in policy_name or policy_name == 'all'
|
||||
|
||||
- name: Fail if no policy found with required name
|
||||
fail:
|
||||
when: policy is not defined
|
||||
|
||||
- name: Get scap content information
|
||||
uri:
|
||||
url: "{{ foreman_server_url }}/api/v2/compliance/scap_contents/{{item.scap_content_id}}"
|
||||
method: GET
|
||||
user: "{{ foreman_username }}"
|
||||
password: "{{ foreman_password }}"
|
||||
force_basic_auth: yes
|
||||
body_format: json
|
||||
validate_certs: False
|
||||
register: scapcontents
|
||||
loop: "{{ policy }}"
|
||||
no_log: "{{ foreman_operations_scap_client_secure_logging }}"
|
||||
|
||||
- name: Get tailoring content information
|
||||
uri:
|
||||
url: "{{ foreman_server_url }}/api/v2/compliance/tailoring_files/{{item.tailoring_file_id}}"
|
||||
method: GET
|
||||
user: "{{ foreman_username }}"
|
||||
password: "{{ foreman_password }}"
|
||||
force_basic_auth: yes
|
||||
body_format: json
|
||||
validate_certs: False
|
||||
register: tailoringfiles
|
||||
when: item.tailoring_file_id | int > 0 | d(False)
|
||||
loop: "{{ policy }}"
|
||||
no_log: "{{ foreman_operations_scap_client_secure_logging }}"
|
||||
|
||||
- name: Build scap content parameters
|
||||
set_fact:
|
||||
scap_content: "{{ scap_content | default({}) | combine({item.json.id: item.json }) }}"
|
||||
loop: "{{ scapcontents.results }}"
|
||||
|
||||
- name: Build tailoring content parameters
|
||||
set_fact:
|
||||
tailoring_files: "{{ tailoring_files | default({}) | combine({item.json.id: item.json }) }}"
|
||||
when: item.json is defined
|
||||
loop: "{{ tailoringfiles.results }}"
|
||||
|
||||
- name: Apply openscap client configuration template
|
||||
template:
|
||||
src: openscap_client_config.yaml.j2
|
||||
dest: /etc/foreman_scap_client/config.yaml
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
#- name: Configure execution crontab
|
||||
# cron:
|
||||
# name: "Openscap Execution"
|
||||
# cron_file: 'foreman_openscap_client'
|
||||
# job: '/usr/bin/foreman_scap_client {{policy.id}} > /dev/null'
|
||||
# weekday: "{{crontab_weekdays}}"
|
||||
# hour: "{{crontab_hour}}"
|
||||
# minute: "{{crontab_minute}}"
|
||||
# user: root
|
||||
@@ -0,0 +1,47 @@
|
||||
# Foreman proxy to which reports should be uploaded
|
||||
:server: {{ capsule_server | urlsplit('hostname') }}
|
||||
:port: {{ capsule_port }}
|
||||
|
||||
## SSL specific options ##
|
||||
# Client CA file.
|
||||
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
|
||||
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
|
||||
:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'
|
||||
# Client host certificate.
|
||||
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
|
||||
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
|
||||
:host_certificate: '/etc/pki/consumer/cert.pem'
|
||||
#
|
||||
# Client private key
|
||||
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
|
||||
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
|
||||
:host_private_key: '/etc/pki/consumer/key.pem'
|
||||
# policy (key is id as in Foreman)
|
||||
{% for item in policy %}
|
||||
{{ item.id }}:
|
||||
{% if item.tailoring_file_id | int > 0 | d(False) %}
|
||||
{% for profile in tailoring_files[item.tailoring_file_id].tailoring_file_profiles %}
|
||||
{% if profile.id == item.tailoring_file_profile_id %}
|
||||
:profile: {{profile.profile_id}}
|
||||
{% endif%}
|
||||
{% endfor %}
|
||||
:content_path: '/var/lib/openscap/content/{{scap_content[item.scap_content_id].digest}}.xml'
|
||||
# Download path
|
||||
# A path to download SCAP content from proxy
|
||||
:download_path: '/compliance/policies/{{item.id}}/content/{{scap_content[item.scap_content_id].digest}}'
|
||||
:tailoring_path: '/var/lib/openscap/content/{{tailoring_files[item.tailoring_file_id].digest}}.xml'
|
||||
:tailoring_download_path: '/compliance/policies/{{item.id}}/tailoring/{{tailoring_files[item.tailoring_file_id].digest}}'
|
||||
{% else %}
|
||||
{% for profile in scap_content[item.scap_content_id].scap_content_profiles %}
|
||||
{% if profile.id == item.scap_content_profile_id %}
|
||||
:profile: {{profile.profile_id}}
|
||||
{% endif%}
|
||||
{% endfor %}
|
||||
:content_path: '/var/lib/openscap/content/{{scap_content[item.scap_content_id].digest}}.xml'
|
||||
# Download path
|
||||
# A path to download SCAP content from proxy
|
||||
:download_path: '/compliance/policies/{{item.id}}/content/{{scap_content[item.scap_content_id].digest}}'
|
||||
:tailoring_path: ''
|
||||
:tailoring_download_path: ''
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
Reference in New Issue
Block a user