add compliance

add job template fix I add extra vars add documentation Added contributing doc (#2) add contributing doc cleaning up docs add suggested usage log demo DERP network demos change role name source update add hub creds add readme add main readme typo, no biggie (#23) https://knowyourmeme.com/memes/but-its-honest-work add notification fix var fix var fix var fix vars fix vars fix vars fix vars fix vars add telemetry update telemetry add feedback add feedback add feedback update windows stuff bugs bugs bugs bugs add assert add groups update AD jobs random pass pin version for comm.gen Add landing page (#25) * work on landing page * work on landing page * work on landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * add files * derp * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add ee * add ee * add ee * fix landing page * fix landing page * fix landing page * fix landing page * fix landing page * remove commented out sections Increased the Idle Time Force Log Out (#28) * increased timeout * sdf * asdf * corrected key Instruqt Refactor (#40) * work on landing page * work on landing page * work on landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * add files * derp * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add ee * add ee * add ee * fix landing page * fix landing page * fix landing page * fix landing page * fix landing page * remove commented out sections * remove default ee * set local admin password * set ee for fact scan * fall back to default ee for patching * check for valid org_id * check for valid org_id * check admin username * add remote_user * credssp * ntlm Add network report job template (#44) * Network report Linux demo updates bblasco pt1 (#45) * Improved description of Ansible group to address issue #29 * Ensured "at" package is present rather than latest for Issue #31 * Added timesync as a second example role to run (Issue #37) Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Added task to print STDOUT lines from script (Issue #33) (#46) Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Added Insights Compliance Scan (Issue #49) (#51) Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Linux demo updates bblasco podman (#47) * Switched from using podman volumes to file path (issue #36) * Improved readability of output * Added a sensible default message for web server (Issue #36) Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Run insights scan (skip errors if not configured) (Issue #32) (#48) * Run insights scan (skip errors if not configured) (Issue #32) * Improved Insights client checks to use facts defined by redhatinsights.insights.insights_client role * Fixed missed call to debug module * Updated message for clarity Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Issue 52 (#53) * add fact scan * add fact scan * update patching role * dont ask limit * add become Add Satellite Demos (#41) * add satellite demos * move satellite vars to setup.yml * fix var * fix playbook path * remove async * fix = * fix condition * fix lookup * add credential * update tools version * fix scap role * add satellite setup * add satellite stuff * remove local * stupid * stupid * params * these vars arent right * these vars arent right * add compliance workflow * work on landing page * work on landing page * work on landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * add files * derp * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add ee * add ee * add ee * fix landing page * fix landing page * fix landing page * fix landing page * fix landing page * remove commented out sections * remove default ee * set local admin password * set ee for fact scan * fall back to default ee for patching * check for valid org_id * check for valid org_id * no gpg * no gpg * add satllite stuff * update cred type * update cred type * raw * raw * work on landing page * work on landing page * work on landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * landing page * add files * derp * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add link * add ee * add ee * add ee * fix landing page * fix landing page * fix landing page * fix landing page * fix landing page * remove commented out sections * remove default ee * set local admin password * set ee for fact scan * fall back to default ee for patching * check for valid org_id * check for valid org_id * no gpg * no gpg * add satllite stuff * update cred type * update cred type * raw * raw * raw * merge satellite * fix vars * fix vars * fix vars * fix vars * add publish * add lifecycle and actviation keys * workaround for publish issue * use module to publish * use module to publish * use module to publish * use module to publish * change sat version * change sat version * change sat version * remove maint repos * launch sat setup * reorder * reorder * moar inventory * add manifest refresh * add telemetry * run linux setup * parent efcf729fa0 author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668183942 -0500 parent efcf729fa0 author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668183785 -0500 parent efcf729fa0 author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668183318 -0500 parent efcf729fa0 author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668182787 -0500 parent efcf729fa0 author willtome <willtome@gmail.com> 1663173584 -0400 committer willtome <willtome@gmail.com> 1668182651 -0500 add satellite demos work on landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page add files derp add link add link add link add link add link add link add link add link add link add link add link add link add ee add ee add ee fix landing page fix landing page fix landing page fix landing page fix landing page remove commented out sections remove default ee set local admin password set ee for fact scan fall back to default ee for patching check for valid org_id check for valid org_id no gpg no gpg add satllite stuff update cred type update cred type raw raw raw add satellite demos move satellite vars to setup.yml fix var fix playbook path remove async fix = fix condition fix lookup add credential update tools version fix scap role add satellite setup add satellite stuff remove local stupid stupid params these vars arent right these vars arent right add compliance workflow work on landing page work on landing page work on landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page landing page add files derp add link add link add link add link add link add link add link add link add link add link add link add link add ee add ee add ee fix landing page fix landing page fix landing page fix landing page fix landing page remove commented out sections remove default ee set local admin password set ee for fact scan fall back to default ee for patching check for valid org_id check for valid org_id no gpg no gpg update cred type update cred type raw merge satellite fix vars fix vars fix vars fix vars add publish add lifecycle and actviation keys workaround for publish issue use module to publish use module to publish use module to publish use module to publish change sat version change sat version change sat version remove maint repos launch sat setup reorder reorder moar inventory add manifest refresh add telemetry run linux setup * Updates to node1 (#42) clean up satellite config clean up server registration add web console job Co-authored-by: Calvin Smith <calvingsmith@users.noreply.github.com> * add rhel 8 tailoring * add ee * dont verify certs * Update setup.yml * Update setup.yml * what the heck Co-authored-by: calvingsmith <4283930+calvingsmith@users.noreply.github.com> Co-authored-by: Calvin Smith <calvingsmith@users.noreply.github.com> Fixes for Issues 54 and 55 (#56) * add fixes * add survey for org id updated version (#58) add rhel9 (#18) check-install missing packages (#63) * check-install missing packages * updated subcription manager installation * move subscription manager install up Bump ansible.controller version (#60) * bump * bumperino * corrected * Update requirements.yml * Update requirements.yml * Update requirements.yml --------- Co-authored-by: willtome <willtome@gmail.com> fix selinux variables (#66) Integration of Content Lab for AWS (#67) * add jobs * role name * scm * naming * add new jobs * update URL * add playbook * add keypair * fix spaces * update setup * add rhel9 * change to main branch
2022-06-28 14:30:47 -04:00
parent 8acff9c9b1
commit b670b6e780
110 changed files with 4644 additions and 433 deletions
--- a/linux/README.md
+++ b/linux/README.md
@@ -0,0 +1,91 @@
+# Linux Demos
+
+## Table of Contents
+- [Linux Demos](#linux-demos)
+  - [Table of Contents](#table-of-contents)
+  - [About These Demos](#about-these-demos)
+    - [Jobs](#jobs)
+    - [Inventory](#inventory)
+  - [Post Setup Job Steps](#post-setup-job-steps)
+    - [Add Red Hat account details](#add-red-hat-account-details)
+    - [Update Credentials for Insights Inventory](#update-credentials-for-insights-inventory)
+    - [Add Variables for System Roles](#add-variables-for-system-roles)
+  - [Suggested Usage](#suggested-usage)
+
+## About These Demos
+This category of demos shows examples of linux operations and management with Ansible Automation Platform. The list of demos can be found below. See the [Suggested Usage](#suggested-usage) section of this document for recommendations on how to best use these demos.
+
+### Jobs
+- [**Linux / Register**](ec2_register.yml) - Register a RHEL server with Red Hat Portal and Insights
+- [**Linux / Troubleshoot**](tshoot.yml) - Run troubleshooting commands to find top CPU and memory users on the system
+- [**Linux / Temporary Sudo**](temp_sudo.yml) - Grant temporary sudo access to a user on the system with time based cleanup
+- [**Linux / Patching**](patching.yml) - Apply updates and/or generate patch report for linux systems
+- [**Linux / Start Service**](service_start.yml) - Start a service on a system
+- [**Linux / Stop Service**](service_stop.yml) - Stop a service on a system
+- [**Linux / Run Shell Script**](run_script.yml) - Run a shell script or command on a system
+- [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache
+- [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page
+- [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names.
+- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline
+- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com]
+
+### Inventory
+
+A dymanic inventory is created to pull inventory hosts from Red Hat Insights. The Systems will be added by their host name therefore adding duplicate systems will cause conflicts in the inventory. Only systems with the tag `purpose=demo` in Red Hat Insights will be added to this inventory. Groups will be created for other tags given to the system.
+
+Groups will also be created for systems with missing security, enhancement and bug updates. The inventory configuration is governed by the [inventory.insights.yml](inventory.insights.yml) file.
+
+> Remember to delete systems from your Red Hat account when you are done with the demo to avoid conflicts with future demos using the same names.
+
+## Post Setup Job Steps
+After running the setup job template, there are a few steps required to make the demos fully functional. See the post setup steps below.
+
+> These steps may differ in your environment
+
+### Add Red Hat account details
+To register systems to the Red Hat portal and Insights, edit `extra_vars` on the `Linux / Register` job to include your org_id and an [activation key](https://access.redhat.com/management/activation_keys) to use when registering the systems.
+
+### Update Credentials for Insights Inventory
+Navigate to the Credentials section and update the `Insights Inventory` credential with your Red Hat Portal login.
+
+### Add Variables for System Roles
+Edit the `Linux / System Roles` job to include the list of roles that you wish to apply and the variables applicable for each role. See documentation [here](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles) for configuring System Roles.
+
+## Suggested Usage
+**Linux / Register** - Use this job to register systems to Red Hat Insights for showing Advisor recommendations and dynamic inventory.  Note that the "Ansible Group" will create an AAP inventory group, as well as tag hosts with that group name in Insights.
+
+**Linux / Troubleshoot** - Use this job to show incident response troubleshooting and basic running of commands with an Ansible Playbook.
+
+**Linux / Temporary Sudo** - Use this job to show how to grant sudo access with automated cleanup to a server. The user must exist on the system. Using the student user is a good example (ie. student1)
+
+**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `node1`. This may be overridden with `extra_vars` on the Job Template.
+
+**Linux / Run Shell Script** - Use this job to demonstrate running shell commands or an existing shell script across a group of systems as root. This can be preferred over using Ad-Hoc commands due to the ability to control usage with RBAC. This is helpful in showing the scalable of execution of an existing shell script. It is always recommended to convert shell scripts to playbooks over time. Example usage would be getting the public key used in the environment with the command `cat .ssh/authorized_keys`.
+
+**Linux / Fact Scan** - Use this job to demonstrate the use of the Ansible Fact Cache, Ansible facts, and the ability to query installed packages and running services on a system.
+
+**Linux / Podman Webserver** - Use this job show managing individual containers with Podman via an Ansible Playbook.
+
+**Linux / System Roles** - This job demonstrates running [RHEL System Roles with AAP. See the documentation [here](https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles) for how to configure system roles with variables by editing the extra_vars on the job template.
+
+Example 1:
+```
+system_roles:
+  - selinux
+
+selinux_state: enforcing
+```
+
+Example 2 (less invasive, and runs faster):
+```
+system_roles:
+  - timesync
+
+timesync_ntp_servers:
+  - hostname: pool.ntp.org
+    pool: yes
+    iburst: yes
+```
+**Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
+
+**Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No".
--- a/linux/compliance.yml
+++ b/linux/compliance.yml
@@ -0,0 +1,14 @@
+---
+- hosts: "{{ HOSTS }}"
+  become: true
+  vars:
+    compliance_profile: undef
+
+  tasks:
+    - name: Check OS Type
+      assert:
+        that: "ansible_os_family == 'RedHat'"
+
+    - name: Run Compliance Profile
+      include_role:
+        name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"
--- a/linux/ec2_register.yml
+++ b/linux/ec2_register.yml
@@ -3,10 +3,26 @@
  become: yes

  tasks:
+  - name: check for vars
+    assert:
+      that:
+        - org_id is defined
+        - activation_key is defined
+        - org_id != ''
+        - activation_key != ''
+        - org_id != 'undef'
+        - activation_key != 'undef'
+
  - name: set hostname
    hostname:
      name: "{{ inventory_hostname | regex_replace('_','-')}}"

+# Install subscription-manager if it's not there
+  - name: Install subscription-manager
+    ansible.builtin.yum:
+      name: subscription-manager
+      state: present
+
  - name: remove rhui client packages
    yum:
      name: rh-amazon-rhui-client*
@@ -30,6 +46,7 @@
      name: "https://{{ sat_url }}/pub/katello-ca-consumer-latest.noarch.rpm"
      state: present
      validate_certs: no
+      disable_gpg_check: true
    when: sat_url is defined

  - name: manage repos with subscription mangler
@@ -44,12 +61,6 @@
      activationkey: "{{ activation_key }}"
      org_id: "{{ org_id }}"

-  - name: disable htb repo
-    community.general.rhsm_repository:
-      name: rhel-7-server-htb*
-      state: disabled
-    ignore_errors: yes
-
  - name: configure Red Hat insights
    import_role:
      name: redhat.insights.insights_client
@@ -58,4 +69,4 @@
      insights_tags:
        env: "{{ env }}"
        purpose: demo
-        group: "{{ ansible_group }}"
+        group: "{{ insights_tag }}"
--- a/linux/fact_scan.yml
+++ b/linux/fact_scan.yml
@@ -0,0 +1,12 @@
+---
+- hosts: "{{ HOSTS }}"
+  become: yes
+
+  tasks:
+  - name: get packages
+    ansible.builtin.package_facts:
+
+  - name: get services
+    ansible.builtin.service_facts:
+
+  
--- a/linux/insights_compliance_scan.yml
+++ b/linux/insights_compliance_scan.yml
@@ -0,0 +1,24 @@
+---
+- hosts: "{{ HOSTS }}"
+  become: true
+  vars:
+    #compliance_profile: undef
+
+  tasks:
+    - name: Check OS Type
+      assert:
+        that: "ansible_os_family == 'RedHat'"
+
+    - name: Check variable values
+      debug:
+        msg: "Value of compliance_profile_configured is {{ compliance_profile_configured }}"
+
+    - name: Run Insights Compliance scan
+      import_role:
+        name: redhat.insights.compliance
+      when: compliance_profile_configured == "Yes"
+
+    - name: Notify user that Compliance scan is not being attempted
+      debug:
+        msg: "User has not confirmed that all hosts are associated with an Insights Compliance profile. Scan aborted."
+      when: compliance_profile_configured == "No"
--- a/linux/patching.yml
+++ b/linux/patching.yml
@@ -5,34 +5,39 @@
    report_server: node1
  
  tasks:
+# Install yum-utils if it's not there
+  - name: Install yum-utils
+    ansible.builtin.yum:
+      name: yum-utils
+      state: latest
+
  - include_role:
      name: demo.patching.patch_linux

+  - name: Tell user when Insights Client is not configured
+    debug:
+      msg: "Insights client does not appear to be configured. Scan will be skipped"
+    when:
+      - ansible_local.insights.system_id is not defined
+
+  - name: Run the Insights Client Scan
+    command: insights-client
+    when:
+      - not ansible_check_mode
+      - ansible_local.insights.system_id is defined
+
  - block:
-    - yum:
-        name: httpd
-        state: latest
-      check_mode: no
-
-    - file:
-        path: /var/www/html/reports/
-        state: directory
-      check_mode: no
-
-    - copy:
-        dest: /var/www/html/reports/.htaccess
-        content: Options +Indexes
-      check_mode: no
-
-    - service:
-        name: httpd
-        state: started
-      check_mode: no

    - include_role:
-        name: demo.patching.report_linux
+        name: "{{ item }}"
+      loop:
+        - demo.patching.report_server
+        - demo.patching.report_linux
+        - demo.patching.report_linux_patching

    - include_role:
-        name: demo.patching.report_linux_patching
+        name: demo.patching.report_server
+        tasks_from: linux_landing_page
+        
    delegate_to: "{{ report_server }}"
-    run_once: yes
+    run_once: yes
--- a/linux/podman.yml
+++ b/linux/podman.yml
@@ -1,6 +1,7 @@
 ---
 - name: Podman
  hosts: "{{ HOSTS }}"
+
  vars:
    volume_path: podman
    message: undef
@@ -28,7 +29,7 @@
      image: docker.io/httpd
      state: started
      volume:
-        - "{{ volume_path }}:/usr/local/apache2/htdocs"
+        - "./{{ volume_path }}/:/usr/local/apache2/htdocs:z"
      ports:
        - "8080:80"

@@ -47,5 +48,7 @@
  - name: Output
    ansible.builtin.debug:
      msg: 
+        - "Output of podman ps command:"
        - "{{ podman_output.stdout_lines }}"
-        - "{{ web_output.content }}"
+        - "Contents of web page:"
+        - "{{ web_output.content }}"
--- a/linux/run_script.yml
+++ b/linux/run_script.yml
@@ -9,7 +9,12 @@
  tasks:
    - name: Run Shell Script
      shell: "{{ shell_script }}"
+      register: shell_output
+
+    - name: Print script output
+      debug:
+        var: shell_output.stdout_lines

    - debug:
        msg: You should really consider converting this script to a playbook!
-      run_once: yes
+      run_once: yes
--- a/linux/service_start.yml
+++ b/linux/service_start.yml
@@ -1,5 +1,6 @@
 ---
 - hosts: "{{ HOSTS }}"
+  become: yes
  vars:
    service_name: undef

--- a/linux/service_stop.yml
+++ b/linux/service_stop.yml
@@ -1,5 +1,6 @@
 ---
 - hosts: "{{ HOSTS }}"
+  become: yes
  vars:
    service_name: undef

@@ -11,4 +12,4 @@
    service:
      name: "{{ service_name }}"
      state: stopped
-    when: service_name + '.service' in services
+    when: service_name + '.service' in services
--- a/linux/setup.yml
+++ b/linux/setup.yml
@@ -1,8 +1,8 @@
 ---
-user_message: |
-  Be sure to update the 'activation_key' and 'org_id' extra variables for 'LINUX / Register'. https://access.redhat.com/management/activation_keys
-
-  Update Credential for Insights Inventory with Red Hat account.
+user_message:
+  - Be sure to update the 'activation_key' and 'org_id' extra variables for 'LINUX / Register with Insights'. https://access.redhat.com/management/activation_keys
+  - Update Credential for Insights Inventory with Red Hat account.
+  - Add variables for system_roles. https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles
 controller_components:
  - projects
  - credential_types
@@ -10,14 +10,8 @@ controller_components:
  - inventory_sources
  - job_templates

-controller_projects:
-  - name: Fact Scan
-    organization: Default
-    scm_type: git
-    scm_url: 'https://github.com/ansible/awx-facts-playbooks.git'
-
 controller_credential_types:
-  - name: "Insights Collection"
+  - name: Insights Collection
    kind: cloud
    inputs:
      fields:
@@ -49,20 +43,21 @@ controller_inventory_sources:
    source_path: linux/inventory.insights.yml
    credential: Insights Inventory

-
 controller_templates:
-  - name: "LINUX / Register"
+  - name: "LINUX / Register with Insights"
    job_type: run
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/ec2_register.yml"
-    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    credentials:
    - "Workshop Credential"
    survey_enabled: true
    extra_vars:
-      activation_key: undef
-      org_id: undef
+      activation_key: !unsafe "RHEL{{ ansible_distribution_major_version }}_{{ env }}"
+      org_id: REPLACEME
    survey:
      name: ''
      description: ''
@@ -79,16 +74,23 @@ controller_templates:
            - QA
            - Prod
          required: true
-        - question_name: Ansible Group
+        - question_name: Ansible Inventory Group (and Insights tag) to be created
          type: text
-          variable: ansible_group
+          variable: insights_tag
          required: true
+        - question_name: Org ID
+          type: text
+          variable: org_id
+          required: true
+
  - name: "LINUX / Troubleshoot"
    job_type: run
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/tshoot.yml"
-    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    use_fact_cache: true
    credentials:
    - "Workshop Credential"
@@ -101,12 +103,15 @@ controller_templates:
          type: text
          variable: HOSTS
          required: true
+
  - name: "LINUX / Temporary Sudo"
    job_type: run
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/temp_sudo.yml"
-    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    credentials:
    - "Workshop Credential"
    survey_enabled: true
@@ -127,14 +132,17 @@ controller_templates:
          variable: sudo_time
          default: 10
          required: true
+
  - name: "LINUX / Patching"
-    job_type: run
+    job_type: check
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/patching.yml"
    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    use_fact_cache: true
-    job_type: check
    ask_job_type_on_launch: yes
    credentials:
    - "Workshop Credential"
@@ -147,12 +155,15 @@ controller_templates:
          type: text
          variable: HOSTS
          required: true
+
  - name: "LINUX / Start Service"
    job_type: run
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/service_start.yml"
-    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    use_fact_cache: true
    credentials:
    - "Workshop Credential"
@@ -169,12 +180,15 @@ controller_templates:
          type: text
          variable: service_name
          required: true
+
  - name: "LINUX / Stop Service"
    job_type: run
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/service_stop.yml"
-    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    use_fact_cache: true
    credentials:
    - "Workshop Credential"
@@ -191,12 +205,15 @@ controller_templates:
          type: text
          variable: service_name
          required: true
+
  - name: "LINUX / Run Shell Script"
    job_type: run
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/run_script.yml"
-    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    credentials:
    - "Workshop Credential"
    survey_enabled: true
@@ -212,21 +229,36 @@ controller_templates:
          type: textarea
          variable: shell_script
          required: true
+
  - name: "LINUX / Fact Scan"
-    project: Fact Scan
-    playbook: scan_facts.yml
+    project: "Ansible official demo project"
+    playbook: linux/fact_scan.yml
    inventory: Workshop Inventory
    execution_environment: Default execution environment
-    ask_limit_on_launch: true
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    use_fact_cache: true
    credentials:
      - Workshop Credential
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: HOSTS
+          required: true
+
  - name: "LINUX / Podman Webserver"
    job_type: run
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/podman.yml"
-    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    credentials:
    - "Workshop Credential"
    survey_enabled: true
@@ -242,16 +274,23 @@ controller_templates:
          type: textarea
          variable: message
          required: true
+          default: "This is Apache webserver running in a container with podman"
+
  - name: "LINUX / System Roles"
    job_type: run
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "linux/system_roles.yml"
-    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
    diff_mode: yes
    ask_job_type_on_launch: yes
    extra_vars:
-      system_roles: undef
+      system_roles:
+        - selinux
+      selinux_policy: targeted
+      selinux_state: enforcing
    credentials:
    - "Workshop Credential"
    survey_enabled: true
@@ -262,4 +301,91 @@ controller_templates:
        - question_name: Server Name or Pattern
          type: text
          variable: HOSTS
-          required: true
+          required: true
+
+  - name: "LINUX / Install Web Console (cockpit)"
+    job_type: run
+    inventory: "Workshop Inventory"
+    project: "Ansible official demo project"
+    playbook: "linux/system_roles.yml"
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    diff_mode: yes
+    ask_job_type_on_launch: yes
+    extra_vars:
+      system_roles: 
+        - cockpit
+    credentials:
+      - "Workshop Credential"
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: HOSTS
+          required: true
+        - question_name: Cockpit package load
+          type: multiplechoice
+          variable: cockpit_packages
+          default: minimal
+          choices:
+            - default
+            - minimal
+            - full
+          required: true
+
+  - name: "LINUX / Compliance Enforce"
+    job_type: run
+    inventory: "Workshop Inventory"
+    project: "Ansible official demo project"
+    playbook: "linux/compliance.yml"
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    credentials:
+    - "Workshop Credential"
+    extra_vars:
+      sudo_remove_nopasswd: false
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: HOSTS
+          required: true
+        - question_name: Compliance Profile
+          type: multiplechoice
+          variable: compliance_profile
+          required: true
+          choices:
+            - stig
+
+  - name: "LINUX / Insights Compliance Scan"
+    job_type: run
+    inventory: "Workshop Inventory"
+    project: "Ansible official demo project"
+    playbook: "linux/insights_compliance_scan.yml"
+    credentials:
+    - "Workshop Credential"
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: HOSTS
+          required: true
+        - question_name: Have you associated a compliance profile in the Insights Console for all hosts to be scanned?  If not, then the scan will fail.
+          type: multiplechoice
+          variable: compliance_profile_configured
+          required: true
+          choices:
+            - "Yes"
+            - "No"
+          default: "No"
--- a/linux/system_roles.yml
+++ b/linux/system_roles.yml
@@ -1,6 +1,7 @@
 ---
 - name: Apply RHEL System Roles
  hosts: "{{ HOSTS }}"
+  become: true
  vars:
    system_roles: undef

--- a/linux/temp_sudo.yml
+++ b/linux/temp_sudo.yml
@@ -18,7 +18,7 @@
    - name: Check Cleanup package
      yum:
        name: at
-        state: latest
+        state: present

    - name: Check Cleanup Service
      service: