43 Commits

Author SHA1 Message Date
Matthew Fernandez
3c437804de Merge branch 'main' into jce/ansible-cfg 2025-05-05 11:11:39 -06:00
Chris Edillon
4285a68f3e Update DISA supplemental roles for RHEL STIG (#238) 2025-05-05 11:11:14 -06:00
Chris Edillon
b26c44a4d3 Merge branch 'main' into jce/ansible-cfg 2025-05-01 17:57:31 -04:00
Matthew Fernandez
7cfb27600f Add Compliance Workflow (#219)
Co-authored-by: Matt Fernandez <matferna@matferna-mac.lab.cheeseburgia.com>
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
2025-05-01 17:46:06 -04:00
Matthew Fernandez
3400e73675 Rename Windows ec2 instance for #235 (#236)
pushed the EE's, merging
2025-04-29 13:05:13 -06:00
Chris Edillon
d98afd7a7f Update collection and role paths in ansible.cfg 2025-03-19 16:52:58 -04:00
Todd Ruch
0b1904e727 Updated Windows job templates to use the Product Demos EE (#231)
Co-authored-by: Todd Ruch <truch@redhat.com>
2025-03-19 16:48:08 -04:00
Todd Ruch
53b180d43e Updated to include the available chart versions and add an instance deployment message (#230)
Co-authored-by: Todd Ruch <truch@redhat.com>
2025-03-12 14:28:47 -06:00
Chris Edillon
3b4fa650b3 Add availability zone mapping for VPC subnet (#220) 2025-02-18 11:25:57 -05:00
Todd Ruch
a9b940958d Added check_mode: false to ensure yum utils is installed regardless of check mode (#217)
Co-authored-by: Todd Ruch <truch@redhat.com>
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
2025-01-27 15:16:54 -05:00
Chris Edillon
a9dbf33655 Added network.backup collection to 2.5 EE (#211) 2025-01-20 11:20:57 -05:00
Todd Ruch
53fa6fa359 Added Network Backups to show using validated content to back up network devices (#214)
Co-authored-by: Todd Ruch <truch@redhat.com>
2025-01-13 14:47:32 -07:00
Zach LeBlanc
39d2d0f283 Upgrade pywinrm to fix Windows workloads for AAP 2.5 EE running Python 3.11 (#207) 2024-12-17 15:11:06 -05:00
Matthew Fernandez
3137ce1090 Add RHDP dependencies to APD EE definition (#203) 2024-11-18 16:18:54 -05:00
Matthew Fernandez
5581e790f6 A few small bug fixes around OCP CNV demos (#202) 2024-11-12 08:47:39 -07:00
Chris Edillon
90d28aabbe Resolved firewalld issue on patch report server (#200) 2024-11-11 15:04:03 -07:00
shebistar
b523a48b23 Update chart version for gitlab to 8.5.1 (#199) 2024-11-11 11:02:47 -05:00
Matthew Fernandez
d085007b55 Update APD EE for use with AgnosticD (#198) 2024-11-05 11:53:57 -05:00
Matthew Fernandez
c98732009c update common to use new default EE (#197) 2024-10-28 14:14:27 -06:00
Chris Edillon
0f1e4828a3 apply single-demo fix to multi-demo JT (#196) 2024-10-28 13:35:06 -04:00
Chris Edillon
fbb6d95736 added 2.5 EE to build script (#195) 2024-10-28 13:10:31 -04:00
Chris Edillon
1e266f457a hotfix: disable controller_configuration check
see https://github.com/redhat-cop/infra.aap_configuration/issues/942
2024-10-28 12:58:31 -04:00
Chris Edillon
fd9405ef02 Switch to the new product demos EE and bootstrap repo (#194) 2024-10-28 11:58:30 -04:00
Chris Edillon
fe006bdb9e Fix latest pre-commit errors (#189) 2024-10-22 09:55:55 -04:00
Sean Cavanaugh
a257597a7d Fix Cloud Report (#190) 2024-09-24 09:28:42 -04:00
Chris Edillon
6c65b53ac9 added local build script for product demos EEs (#184) 2024-09-23 15:15:53 -04:00
Todd Ruch
a359559cb2 Resolve issue #107 to restore network report demo (#175)
Co-authored-by: Todd Ruch <truch@redhat.com>
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
2024-09-18 11:27:11 -04:00
Zach LeBlanc
0c4030d932 Specify Windows image owner to prevent licensing error (#185)
Closes #186
2024-09-18 11:11:31 -04:00
Matthew Fernandez
ae7f24e8a4 Updating openshift/README.md to include recently added demos (#183)
Yay docs
2024-09-09 12:37:04 -06:00
Chris Edillon
c192aa2c55 Fixed linting issues causing GitHub action failures (#180) 2024-08-30 10:51:28 -04:00
Matthew Fernandez
28eb5be812 Adding a workflow to patch CNV instances with snapshot and restore on failure. (#171) 2024-08-29 15:34:43 -04:00
Zach LeBlanc
8a99b66adc Workflow to setup Windows Domain with DC and hosts (#168)
Co-authored-by: willtome <wtome@redhat.com>
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
2024-08-29 14:15:40 -04:00
Chris Edillon
035f815486 Added set_stats example to cloud workflow (#173) 2024-08-27 09:46:35 -04:00
Chris Edillon
552acdcb6c Updated versions of compliance-related roles (#170) 2024-08-20 13:30:48 -04:00
Chris Edillon
40515ac65b Create common prerequisites configuration (#169) 2024-08-16 14:07:59 -04:00
Todd Ruch
70d7c46604 Resolves NETWORK / DISA STIG job logging error (#164) 2024-08-12 15:18:11 -04:00
Chris Edillon
7455e7fa70 Removed release process from contributor guidelines (#167) 2024-08-12 15:11:51 -04:00
Matthew Fernandez
d80cc0ac7a Fix 'Delete VM' JT to actually delete VMs and remove unnecessary CNV … (#162) 2024-08-05 15:04:33 -04:00
Chris Edillon
120fe3068f Update pre-commit actions to latest versions (#159) 2024-07-22 15:35:35 -04:00
Matthew Fernandez
0babde7960 Add EDA Controller Job template (#155)
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
2024-07-22 15:34:57 -04:00
Matthew Fernandez
4588ef9892 Fix ocp-v inventory to match changes upstream (#157) 2024-07-22 15:33:29 -04:00
Chris Edillon
19de077c3b create report server instance (#153) 2024-07-18 14:45:57 -04:00
Matthew Fernandez
716f2fa74b add some small fixes (#156) 2024-06-25 12:55:29 -06:00
102 changed files with 14691 additions and 4081 deletions

@@ -10,3 +10,4 @@ exclude_paths:
- collections/ansible_collections/demo/compliance/roles/
- roles/redhatofficial.*
- .github/
- execution_environments/ee_contexts/

.github/images/setup_domain_workflow.png vendored Normal file

@@ -5,13 +5,16 @@ on:
- pull_request_target
env:
ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }}
ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN }}
ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN }}
jobs:
pre-commit:
name: pre-commit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v3
- uses: pre-commit/action@v3.0.0
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: pre-commit/action@v3.0.1
...
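Review bot: the three `ANSIBLE_GALAXY_SERVER_*_TOKEN` secrets are exported in `env` for a workflow triggered by `pull_request_target`, which runs with the base repository's secrets even for pull requests from forks. No `ref:` is visible on `actions/checkout@v4`, so by default the base branch is checked out; if that is ever changed to the PR head, the hooks declared in the PR's `.pre-commit-config.yaml` would execute with those tokens in the environment. For a lint-only job, `pull_request` is the safer trigger; alternatively keep `pull_request_target` and drop the tokens from the job-level `env`. The bumps to `actions/checkout@v4`, `actions/setup-python@v5` and `pre-commit/action@v3.0.1` are welcome; pinning them to commit SHAs rather than mutable tags would also protect against a moved tag.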

.gitignore vendored
@@ -7,6 +7,9 @@ choose_demo_example_aws.yml
.ansible.cfg
*.gz
*artifact*.json
**/roles/*
!**/roles/requirements.yml
roles/*
!roles/requirements.yml
.deployment_id
.cache/
.ansible/
**/tmp/

@@ -3,8 +3,8 @@ repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
exclude: rhel[89]STIG/.*$
- id: check-yaml
exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
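Review bot: the `check-yaml` exclude pattern `\.j2.(yaml|yml)$|\.(yaml|yml).j2$` leaves the dot next to `j2` unescaped, so it matches any single character rather than a literal dot; `\.j2\.(yaml|yml)$|\.(yaml|yml)\.j2$` expresses the intent exactly.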
@@ -26,4 +26,5 @@ repos:
rev: 23.11.0
hooks:
- id: black
exclude: rhel[89]STIG/.*$
...

@@ -1,12 +0,0 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [v-0.0.1](https://github.com/ansible/product-demos/-/tree/v-0.0.1) - 2024-01-12
### Added
- Initial release ([1af584b4ea6d77812bfcb2f6474fee6ee1b13666](https://github.com/ansible/product-demos/-/commit/1af584b4ea6d77812bfcb2f6474fee6ee1b13666))

@@ -18,6 +18,7 @@ This document aims to outline the requirements for the various forms of contribu
- PRs should be rebased against the `main` branch to avoid conflicts.
- PRs should not impact more than a single directory/demo section.
- PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`.
- PR titles should describe the work done in the PR. Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123").
## Adding a New Demo
1) Create a new branch based on main. (eg. `git checkout -b <branch name>`)
@@ -31,7 +32,7 @@ This document aims to outline the requirements for the various forms of contribu
1) You can copy paste an existing one and edit it.
2) Ensure you edit the name, playbook path, survey etc.
5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml)
6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link), specify your branch name within the project configuration.
6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration.
> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
@@ -43,13 +44,10 @@ This document aims to outline the requirements for the various forms of contribu
---
user_message: ''
controller_components:
- job_templates
controller_templates:
...
```
- `controller_components` can be any of the roles defined [here](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
- Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
- Add variables for each component listed
3) Include a README.md in the subdirectory
@@ -72,76 +70,3 @@ Copy the token value and execute the following command:
```bash
export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>
```
## Release Process
We follow a structured release process for this project. Here are the steps involved:
1. **Create a Release Branch:**
- Start by creating a new release branch from the `main` branch.
```bash
git checkout -b release/v-<version>
```
2. **Update Changelog:**
- Open the `CHANGELOG.md` file to manually add your change to the appropriate section.
- Our changelog follows the [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format and includes the following categories of changes:
- `Added` for new features.
- `Changed` for changes in existing functionality.
- `Deprecated` for features that will be removed in upcoming releases.
- `Fixed` for bug fixes.
- `Removed` for deprecated features that were removed.
- `Security` for security-related changes.
- Add a new entry under the relevant category. Include a brief summary of the change and the merge request commit tag.
```markdown
## [Unreleased]
### Added
- New feature or enhancement ([Merge Request Commit](https://github.com/ansible/product-demos/-/commit/<commit-hash>))
```
- Replace `<commit-hash>` with the actual commit hash from the merge request.
3. **Commit Changes:**
- Commit the changes made to the `CHANGELOG.md` file.
```bash
git add CHANGELOG.md
git commit -m "Update CHANGELOG for release <version>"
```
4. **Create a Pull Request:**
- Open a pull request from the release branch to the `main` branch.
5. **Review and Merge:**
- Review the pull request and merge it into the `main` branch.
6. **Tag the Release:**
- Once the pull request is merged, tag the release with the version number.
```bash
git tag -a v-<version> -m "Release <version>"
git push origin v-<version>
```
7. **Publish the Release:**
- After the successful completion of the pull request and merging into the `main` branch, an automatic GitHub Action will be triggered to publish the release.
The GitHub Action will perform the following steps:
- Parse the `CHANGELOG.md` file.
- Generate a release note based on the changes.
- Attach relevant files (such as `LICENSE`, `CHANGELOG.md`, and the generated `CHANGELOG.txt`) to the GitHub Release.
No manual intervention is required for this step; the GitHub Action will handle the release process automatically.
8. **Cleanup:**
- Delete the release branch.
```bash
git branch -d release/v-<version>
```

@@ -1,16 +1,18 @@
[![Lab](https://img.shields.io/badge/Try%20Me-EE0000?style=for-the-badge&logo=redhat&logoColor=white)](https://red.ht/aap-product-demos)
[![Dev Spaces](https://img.shields.io/badge/Customize%20Here-0078d7.svg?style=for-the-badge&logo=visual-studio-code&logoColor=white)](https://workspaces.openshift.com/f?url=https://github.com/ansible/product-demos)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
# Official Ansible Product Demos
This is a centralized location for Ansible Product Demos. This project is a collection of use cases implemented with Ansible for use with the Ansible Automation Platform.
This is a centralized location for Ansible Product Demos. This project is a collection of use cases implemented with Ansible for use with the [Ansible Automation Platform](https://www.redhat.com/en/technologies/management/ansible).
| Demo Name | Description |
|-----------|-------------|
| [Linux](linux/README.md) | Repository of demos for RHEL and Linux automation |
| [Windows](windows/README.md) | Repository of demos for Windows Server automation |
| [Cloud](cloud/README.md) | Demo for infrastructure and cloud provisioning automation |
| [Network](network/README.md) | Ansible Network automation demos |
| [Network](network/README.md) | Network automation demos |
| [OpenShift](openshift/README.md) | OpenShift automation demos |
| [Satellite](satellite/README.md) | Demos of automation with Red Hat Satellite Server |
## Contributions
@@ -19,7 +21,7 @@ If you would like to contribute to this project please refer to [contribution gu
## Using this project
This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox]([red.ht/aap-product-demos](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link)) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples).
This project is tested for compatibility with the [demo.redhat.com Ansible Product Demos](https://demo.redhat.com/catalog?search=product+demos&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod) lab environment. To use with other Ansible Automation Platform installations, review the [prerequisite documentation](https://github.com/ansible/product-demos-bootstrap).
> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
@@ -37,7 +39,7 @@ This project is tested for compatibility with the [demo.redhat.com Product Demos
- Image: quay.io/acme_corp/product-demos-ee:latest
- Pull: Only pull the image if not present before running
3. If it is not already created for you, create a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project.
3. If it is not already created for you, create a Project called `Ansible Product Demos` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project.
4. Finally, Create a Job Template called `Setup` with the following configuration:
@@ -57,8 +59,8 @@ This project is tested for compatibility with the [demo.redhat.com Product Demos
Can't find what you're looking for? Customize this repo to make it your own.
1. Create a fork of this repo.
2. Update the URL of the `Ansible official demo project` in the Controller.
3. Make changes as needed and run the **Setup** job
2. Update the URL of the `Ansible Project Demos` in the Controller.
3. Make changes as needed and run the **Product Demos | Single demo setup** job
See the [contribution guide](CONTRIBUTING.md) for more details on how to customize the project.
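Review bot: the new line `2. Update the URL of the \`Ansible Project Demos\` in the Controller.` should read `Ansible Product Demos`, which is the project name used in step 3 of the setup section in this same README and in `cloud/setup.yml` (`project: Ansible Product Demos`).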

@@ -1,16 +1,20 @@
[defaults]
collections_path=./collections
roles_path=./roles
collections_path=./collections:/usr/share/ansible/collections
roles_path=./roles:/usr/share/ansible/roles
[galaxy]
server_list = ah,galaxy
server_list = certified,validated,galaxy
[galaxy_server.ah]
[galaxy_server.certified]
# Grab a token at https://console.redhat.com/ansible/automation-hub/token
# Then define it using ANSIBLE_GALAXY_SERVER_AH_TOKEN=""
# Then define it in the ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN environment variable
url=https://console.redhat.com/api/automation-hub/content/published/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
[galaxy_server.validated]
# Define the token in the ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN environment variable
url=https://console.redhat.com/api/automation-hub/content/validated/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
[galaxy_server.galaxy]
url=https://galaxy.ansible.com/
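Review bot: with `[galaxy_server.ah]` replaced by `[galaxy_server.certified]` and the comment now pointing at `ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN`, the `ANSIBLE_GALAXY_SERVER_AH_TOKEN` still exported in the pre-commit workflow `env` above is no longer read by anything and can be removed from that workflow. The order `server_list = certified,validated,galaxy` is the right one: `ansible-galaxy` resolves each collection from the first server that serves it, so keeping the public `galaxy` last prevents a same-named public collection from shadowing certified or validated content.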

@@ -10,7 +10,7 @@
- [Configure Credentials](#configure-credentials)
- [Add Workshop Credential Password](#add-workshop-credential-password)
- [Remove Inventory Variables](#remove-inventory-variables)
- [Getting your Puiblic Key for Create Keypair Job](#getting-your-puiblic-key-for-create-keypair-job)
- [Getting your Public Key for Create Keypair Job](#getting-your-public-key-for-create-keypair-job)
- [Suggested Usage](#suggested-usage)
- [Known Issues](#known-issues)
@@ -19,12 +19,11 @@ This category of demos shows examples of multi-cloud provisioning and management
### Jobs
- [**Cloud / Create Infra**](create_infra.yml) - Creates a VPC with required routing and firewall rules for provisioning VMs
- [**Cloud / Create Keypair**](aws_key.yml) - Creates a keypair for connecting to EC2 instances
- [**Cloud / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
- [**Cloud / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
- [**Cloud / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
- [**Cloud / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider. By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
- [**Cloud / AWS / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
- [**Cloud / AWS / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
- [**Cloud / AWS / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
- [**Cloud / AWS / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider. By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
- [**Cloud / Resize EC2**](resize_ec2.yml) - Re-size an EC2 instance.
### Inventory
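Review bot: the renamed `Cloud / AWS / Restore EC2 from Snapshot` entry still links to `snapshot_ec2.yml`, although the job template in `cloud/setup.yml` whose playbook is `cloud/restore_ec2.yml` is the one that performs the restore; and its last sentence says the VM must be in dynamic inventory "to be patched" where "to be restored" is meant.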
@@ -49,21 +48,23 @@ After running the setup job template, there are a few steps required to make the
1) Remove Workshop Inventory variables on the Details page of the inventory. Required until [RFE](https://github.com/ansible/workshops/issues/1597]) is complete
### Getting your Puiblic Key for Create Keypair Job
### Getting your Public Key for Create Keypair Job
1) Connect to the command line of your Controller server. This is easiest to do by opening the VS Code Web Editor from the landing page where you found the Controller login details.
2) Open a Terminal Window in the VS Code Web Editor.
3) SSH to one of your linux nodes (eg. `ssh node1`). This should log you into the node as `ec2-user`
3) SSH to one of your linux nodes (eg. `ssh aws_rhel9`). This should log you into the node as `ec2-user`
4) `cat .ssh/authorized_keys` and copy the key listed including the `ssh-rsa` prefix
## Suggested Usage
**Cloud / Create Keypair** - The Create Keypair job creates an EC2 keypair which can be used when creating EC2 instances to enable SSH access.
**Deploy Cloud Stack in AWS** - This workflow builds out many helpful and convient resources in AWS. Given an AWS region, key, and some organizational paremetres for tagging it builds a default VPC, keypair, five VMs (three RHEL and two Windows), and even provides a report for cloud stats. It is the typical starting point for using Ansible Product-Demos in AWS.
**Cloud / Create VM** - The Create VM job builds a VM in the given provider based on the included `demo.cloud` collection. VM [blueprints](blueprints/) define variables for each provider that override the defaults in the collection. When creating VMs it is recommended to follow naming conventions that can be used as host patterns. (eg. VM names: `win1`, `win2`, `win3`. Host Pattern: `win*` )
**Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.
**Cloud / AWS / Resize EC2** - Given an EC2 instance, change its size. This takes an AWS region, target host pattern, and a target instance size as parameters. As a final step, this job refreshes the AWS inventory so the re-created instance is accessible from AAP.
## Known Issues
Azure does not work without a custom execution environment that includes the Azure dependencies.
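Review bot: the new **Deploy Cloud Stack in AWS** paragraph has two typos, `convient` (convenient) and `paremetres` (parameters). The **Cloud / AWS / Patch EC2 Workflow** paragraph tells the reader to use the `Cloud / Create VPC` and `Cloud / Create VM` templates, but the job list at the top of this README names them `Cloud / Create Infra` and `Cloud / AWS / Create VM`; use one set of names so the survey choices and the README agree.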

@@ -23,3 +23,8 @@
state: present
tags:
owner: "{{ aws_keypair_owner }}"
- name: Set VPC stats
ansible.builtin.set_stats:
data:
stat_aws_key_pair: '{{ aws_key_name }}'
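Review bot: the task added to `aws_key.yml` is named `Set VPC stats` but publishes `stat_aws_key_pair`; `Set key pair stats` describes it. Publishing only `aws_key_name` here (and not the `aws_public_key` survey value) is the right call, since `set_stats` data is surfaced as workflow artifacts.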

@@ -2,6 +2,7 @@
- name: Create Cloud Infra
hosts: localhost
gather_facts: false
vars:
aws_vpc_name: aws-test-vpc
aws_owner_tag: default
@@ -13,6 +14,27 @@
aws_subnet_name: aws-test-subnet
aws_rt_name: aws-test-rt
# map of availability zones to use per region, added since not all
# instance types are available in all AZs. must match the drop-down
# list for the create_vm_aws_region variable described in cloud/setup.yml
_azs:
us-east-1:
- us-east-1a
- us-east-1b
- us-east-1c
us-east-2:
- us-east-2a
- us-east-2b
- us-east-2c
us-west-1:
# us-west-1a not available when last checked 20250218
- us-west-1b
- us-west-1c
us-west-2:
- us-west-2a
- us-west-2b
- us-west-2c
tasks:
- name: Create VPC
amazon.aws.ec2_vpc_net:
@@ -95,12 +117,13 @@
owner: "{{ aws_owner_tag }}"
purpose: "{{ aws_purpose_tag }}"
- name: Create a subnet on the VPC
- name: Create a subnet in the VPC
amazon.aws.ec2_vpc_subnet:
state: present
vpc_id: "{{ aws_vpc.vpc.id }}"
cidr: "{{ aws_subnet_cidr }}"
region: "{{ create_vm_aws_region }}"
az: "{{ _azs[create_vm_aws_region] | shuffle | first }}"
map_public: true
tags:
Name: "{{ aws_subnet_name }}"
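Review bot: `az: "{{ _azs[create_vm_aws_region] | shuffle | first }}"` has two edge cases worth handling. A region outside the `_azs` map raises an undefined-variable error at this task; the comment says the map must match the survey drop-down, so an explicit `ansible.builtin.assert` that `create_vm_aws_region in _azs` (or a `default`) makes that contract visible. And `shuffle` is random on every run: a rerun of this otherwise idempotent play may pick a different AZ for the same `aws_subnet_cidr`, and a subnet's AZ cannot change after creation, so either confirm that `amazon.aws.ec2_vpc_subnet` converges on the existing subnet by CIDR regardless of `az`, or make the choice stable, for example `shuffle(seed=aws_vpc_name)`.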
@@ -122,3 +145,12 @@
Name: "{{ aws_rt_name }}"
owner: "{{ aws_owner_tag }}"
purpose: "{{ aws_purpose_tag }}"
- name: Set VPC stats
ansible.builtin.set_stats:
data:
stat_aws_region: '{{ create_vm_aws_region }}'
stat_aws_vpc_id: '{{ aws_vpc.vpc.id }}'
stat_aws_vpc_cidr: '{{ aws_vpc_cidr_block }}'
stat_aws_subnet_id: '{{ aws_subnet.subnet.id }}'
stat_aws_subnet_cidr: '{{ aws_subnet_cidr }}'

@@ -0,0 +1,18 @@
---
- name: Display EC2 stats
hosts: localhost
gather_facts: false
tasks:
- name: Display stats for EC2 VPC and key pair
ansible.builtin.debug:
var: '{{ item }}'
loop:
- stat_aws_region
- stat_aws_key_pair
- stat_aws_vpc_id
- stat_aws_vpc_cidr
- stat_aws_subnet_id
- stat_aws_subnet_cidr
...
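Review bot: the `stat_*` variables printed by `display-ec2-stats.yml` only exist when the template runs as a workflow node downstream of the `set_stats` tasks; launched on its own, each `debug` prints `VARIABLE IS NOT DEFINED!`. If that is not intended, `msg: "{{ item }}: {{ lookup('vars', item, default='(not set)') }}"` gives a readable result either way. Minor: the file name uses hyphens (`display-ec2-stats.yml`) where the sibling playbooks use underscores (`snapshot_ec2.yml`, `resize_ec2.yml`).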

cloud/resize_ec2.yml Normal file
@@ -0,0 +1,10 @@
---
- name: Resize ec2 instances
hosts: "{{ _hosts | default(omit) }}"
gather_facts: false
tasks:
- name: Include snapshot role
ansible.builtin.include_role:
name: "demo.cloud.aws"
tasks_from: resize_ec2
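Review bot: `hosts: "{{ _hosts | default(omit) }}"` does not do what it suggests; `omit` has no meaning for `hosts`, so with `_hosts` undefined the pattern becomes the omit placeholder string, matches nothing, and the play ends with "no hosts matched" instead of an error. Since the cloud README describes this job as taking a target host pattern, make the `_hosts` survey question required (or default to an explicit pattern) so a run without a target fails loudly rather than silently resizing nothing. The task name `Include snapshot role` should also say resize.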

@@ -3,82 +3,6 @@ _deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}"
user_message:
controller_execution_environments:
- name: Cloud Services Execution Environment
image: quay.io/scottharwell/cloud-ee:latest
controller_projects:
- name: Ansible Cloud Content Lab - AWS
organization: Default
scm_type: git
wait: true
scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
default_environment: Cloud Services Execution Environment
controller_credentials:
- name: AWS
credential_type: Amazon Web Services
organization: Default
update_secrets: false
state: exists
inputs:
username: REPLACEME
password: REPLACEME
# - name: Azure
# credential_type: Microsoft Azure Resource Manager
# organization: Default
# update_secrets: false
# inputs:
# subscription: REPLACEME
controller_inventory_sources:
- name: AWS Inventory
organization: Default
source: ec2
inventory: Demo Inventory
credential: AWS
overwrite: true
source_vars:
hostnames:
- tag:Name
compose:
ansible_host: public_ip_address
ansible_user: 'ec2-user'
groups:
cloud_aws: true
os_linux: tags.blueprint.startswith('rhel')
keyed_groups:
- key: platform
prefix: os
- key: tags.blueprint
prefix: blueprint
- key: tags.owner
prefix: owner
# - name: Azure Inventory
# organization: Default
# source: azure_rm
# inventory: Demo Inventory
# credential: Azure
# execution_environment: Ansible Engine 2.9 execution environment
# overwrite: true
# source_vars:
# hostnames:
# - tags.Name
# - default
# keyed_groups:
# - key: os_profile.system
# prefix: os
# conditional_groups:
# cloud_azure: true
controller_groups:
- name: cloud_aws
inventory: Demo Inventory
variables:
ansible_user: ec2-user
controller_templates:
- name: Cloud / AWS / Create Peer Infrastructure
job_type: run
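Review bot: the `AWS` credential block removed here carried `update_secrets: false` and `state: exists` alongside the `REPLACEME` inputs; wherever that definition now lives (the common prerequisites configuration, per the commit list), it needs to keep `update_secrets: false`, otherwise a re-run of setup would overwrite the real access keys with the placeholders. The same check applies to the `AWS Inventory` source and the `cloud_aws` group moved out of this file, since a workflow node further down still references `unified_job_template: AWS Inventory`.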
@@ -140,168 +64,21 @@ controller_templates:
extra_vars:
aws_region: us-east-1
- name: Cloud / AWS / Create VPC
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/create_vpc.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Owner
type: text
variable: aws_owner_tag
required: true
- name: Cloud / AWS / Create VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/create_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
allow_simultaneous: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Name
type: text
variable: create_vm_vm_name
required: true
- question_name: Owner
type: text
variable: create_vm_vm_owner
required: true
- question_name: Deployment
type: text
variable: create_vm_vm_deployment
required: true
- question_name: Environment
type: multiplechoice
variable: create_vm_vm_environment
required: true
choices:
- Dev
- QA
- Prod
- question_name: Blueprint
type: multiplechoice
variable: vm_blueprint
required: true
choices:
- windows_core
- windows_full
- rhel9
- rhel8
- rhel7
- al2023
- question_name: Subnet
type: text
variable: create_vm_aws_vpc_subnet_name
required: true
default: aws-test-subnet
- question_name: Security Group
type: text
variable: create_vm_aws_securitygroup_name
required: true
default: aws-test-sg
- question_name: SSH Keypair
type: text
variable: create_vm_aws_keypair_name
required: true
default: aws-test-key
- question_name: AWS Instance Type (defaults to blueprint value)
type: text
variable: create_vm_aws_instance_size
required: false
- question_name: AWS Image Filter (defaults to blueprint value)
type: text
variable: create_vm_aws_image_filter
required: false
- name: Cloud / AWS / Delete VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/delete_inventory_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name or Pattern
type: text
variable: _hosts
required: true
- name: Cloud / AWS / VPC Report
job_type: run
organization: Default
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/create_reports.yml
project: Ansible Cloud AWS Demos
playbook: playbooks/cloud_report.yml
inventory: Demo Inventory
execution_environment: Cloud Services Execution Environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
aws_report: vpc
reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
reports_aws_region: "us-east-1"
- name: Cloud / AWS / Tags Report
job_type: run
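Review bot: the `Cloud / AWS / VPC Report` template loses its region survey and now hard-codes `reports_aws_region: "us-east-1"`, while the `_azs` map in `create_infra.yml` and the remaining templates still offer `us-east-2`, `us-west-1` and `us-west-2`; VPCs created in those regions will not appear in the report. Passing the region through from the workflow's `set_stats` value `stat_aws_region` would keep the report in step with what was actually built.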
@@ -332,51 +109,12 @@ controller_templates:
- us-west-1
- us-west-2
- name: Cloud / AWS / Create Keypair
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/aws_key.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Keypair Name
type: text
variable: aws_key_name
required: true
default: aws-test-key
- question_name: Keypair Public Key
type: textarea
variable: aws_public_key
required: true
- question_name: Owner
type: text
variable: aws_keypair_owner
required: true
- name: Cloud / AWS / Snapshot EC2
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
project: Ansible Product Demos
playbook: cloud/snapshot_ec2.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
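Review bot: the `Cloud / AWS / Create Keypair` template definition is deleted from `cloud/setup.yml` here, but the workflow node further down (`identifier: Create Keypair`) still has `unified_job_template: Cloud / AWS / Create Keypair`, and the cloud README documents the job. If the template now lives in the common prerequisites configuration this is fine; otherwise the workflow node will fail to resolve when the configuration is applied.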
@@ -407,7 +145,7 @@ controller_templates:
organization: Default
credentials:
- AWS
project: Ansible official demo project
project: Ansible Product Demos
playbook: cloud/restore_ec2.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
@@ -433,10 +171,22 @@ controller_templates:
variable: _hosts
required: false
- name: Cloud / AWS / Display EC2 Stats
job_type: run
organization: Default
credentials:
- AWS
project: Ansible Product Demos
playbook: cloud/display-ec2-stats.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
- name: "LINUX / Patching"
job_type: check
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/patching.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
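Review bot: the new `Cloud / AWS / Display EC2 Stats` template attaches the `AWS` credential, but `cloud/display-ec2-stats.yml` runs only `ansible.builtin.debug` on `localhost` and never calls AWS; dropping `credentials: - AWS` keeps the job at least privilege and avoids injecting the access keys into a job that just prints workflow stats.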
@@ -503,19 +253,24 @@ controller_workflows:
- identifier: Create Keypair
unified_job_template: Cloud / AWS / Create Keypair
success_nodes:
- VPC Report
- EC2 Stats
failure_nodes:
- Ticket - Keypair Failed
- identifier: Create VPC
unified_job_template: Cloud / AWS / Create VPC
success_nodes:
- VPC Report
- EC2 Stats
failure_nodes:
- Ticket - VPC Failed
- identifier: Ticket - Keypair Failed
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:
feedback: Failed to create AWS keypair
- identifier: EC2 Stats
unified_job_template: Cloud / AWS / Display EC2 Stats
all_parents_must_converge: true
always_nodes:
- VPC Report
- identifier: VPC Report
unified_job_template: Cloud / AWS / VPC Report
all_parents_must_converge: true
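Review bot: "VPC Report" is wired three times, as a success node of "Create Keypair" and "Create VPC" and as an always node of "EC2 Stats", with `all_parents_must_converge: true` on both report nodes. Since "EC2 Stats" already converges on those same two parents, the two direct success edges are redundant; drop them so the graph reads as keypair + VPC, then stats, then report. Note also that with convergence required, a failure of either create job means neither "EC2 Stats" nor "VPC Report" runs at all; if that is intended, say so in the `description`.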
@@ -524,10 +279,11 @@ controller_workflows:
- Deploy RHEL8 Blueprint
- Deploy RHEL9 Blueprint
- Deploy Windows Core Blueprint
- Deploy Report Server
- identifier: Deploy Windows GUI Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
create_vm_vm_name: aws_dc
create_vm_vm_name: aws-dc
vm_blueprint: windows_full
success_nodes:
- Update Inventory
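Review bot: renaming `create_vm_vm_name` from `aws_dc` to `aws-dc` changes the name under which "Update Inventory" imports the host, so anything keyed on the old hostname (host_vars, group membership, job template limits) needs the same rename, and an already-deployed `aws_dc` instance will be left in place rather than replaced on the next workflow run. Worth a line in the commit message.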
@@ -560,10 +316,15 @@ controller_workflows:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Ticket - VPC Failed
unified_job_template: 'SUBMIT FEEDBACK'
- identifier: Deploy Report Server
unified_job_template: Cloud / AWS / Create VM
extra_data:
feedback: Failed to create AWS VPC
create_vm_vm_name: reports
vm_blueprint: rhel9
success_nodes:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Update Inventory
unified_job_template: AWS Inventory
success_nodes:
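Review bot: "Deploy Report Server" routes its failure to "Ticket - Instance Failed", whose feedback text ("Failed to create AWS instance", visible in the next hunk) does not say which of the now five Create VM nodes failed. Pass `create_vm_vm_name` and `vm_blueprint` into the feedback `extra_data`, or give the report server its own ticket node as the keypair and VPC failures have.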
@@ -574,6 +335,10 @@ controller_workflows:
feedback: Failed to create AWS instance
- identifier: Tag Report
unified_job_template: Cloud / AWS / Tags Report
- identifier: Ticket - VPC Failed
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:
feedback: Failed to create AWS VPC
- name: Cloud / AWS / Patch EC2 Workflow
description: A workflow to patch ec2 instances with snapshot and restore on failure.
@@ -603,7 +368,7 @@ controller_workflows:
default: os_linux
simplified_workflow_nodes:
- identifier: Project Sync
unified_job_template: Ansible official demo project
unified_job_template: Ansible Product Demos
success_nodes:
- Take Snapshot
- identifier: Inventory Sync

View File

@@ -0,0 +1,45 @@
---
# parameters
# instance_type: new instance type, e.g. t3.large
- name: AWS | RESIZE VM
delegate_to: localhost
vars:
controller_dependency_check: false # noqa: var-naming[no-role-prefix]
controller_inventory_sources:
- name: AWS Inventory
inventory: Demo Inventory
organization: Default
wait: true
block:
- name: AWS | RESIZE EC2 | assert required vars
ansible.builtin.assert:
that:
- instance_id is defined
- aws_region is defined
fail_msg: "instance_id, aws_region is required for resize operations"
- name: AWS | RESIZE EC2 | shutdown instance
amazon.aws.ec2_instance:
instance_ids: "{{ instance_id }}"
region: "{{ aws_region }}"
state: stopped
wait: true
- name: AWS | RESIZE EC2 | update instance type
amazon.aws.ec2_instance:
region: "{{ aws_region }}"
instance_ids: "{{ instance_id }}"
instance_type: "{{ instance_type }}"
wait: true
- name: AWS | RESIZE EC2 | start instance
amazon.aws.ec2_instance:
instance_ids: "{{ instance_id }}"
region: "{{ aws_region }}"
state: started
wait: true
- name: Synchronize inventory
run_once: true
ansible.builtin.include_role:
name: infra.controller_configuration.inventory_source_update
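Review bot: `instance_type` is documented as a parameter in the header comment but the `assert` only checks `instance_id` and `aws_region`; add `instance_type is defined` (and extend `fail_msg`) so an unset value fails before the instance has been stopped. The `block:` also has no `rescue:`, so if the `update instance type` step is rejected (type not offered in that zone, quota, instance-store root, etc.) the instance is left in `stopped` with nothing reporting why; a `rescue` that re-issues `state: started` with `instance_ids`/`region` and then fails with the instance ID would avoid a silent outage. Minor: the block is named "RESIZE VM" while its tasks say "RESIZE EC2".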

View File

@@ -137,14 +137,14 @@
- (cmd_result.stdout|join('\n')).find('ip dns server') != -1
- iosxeSTIG_stigrule_215823_Manage
# R-215823 CISC-ND-000470
- name : stigrule_215823_disable_identd
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_config:
defaults: yes
lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
when:
- iosxeSTIG_stigrule_215823_Manage
# - name : stigrule_215823_disable_identd
# ignore_errors: "{{ ignore_all_errors }}"
# notify: "save configuration"
# ios_config:
# defaults: yes
# lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
# when:
# - iosxeSTIG_stigrule_215823_Manage
# R-215823 CISC-ND-000470
- name : stigrule_215823_disable_finger
ignore_errors: "{{ ignore_all_errors }}"
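Review bot: the `stigrule_215823_disable_identd` task is commented out rather than removed, and nothing records why; add a one-line comment with the reason (for example, the command is not accepted on the target IOS XE release) or delete the block outright. R-215823 is still covered by the `disable_finger` task that follows, so the stig_xml callback will continue to record the rule.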
@@ -378,9 +378,9 @@
- name : stigrule_215837_host
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_logging:
dest: host
name: "{{ iosxeSTIG_stigrule_215837_host_Name }}"
ios_config:
lines:
- "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"
when: iosxeSTIG_stigrule_215837_Manage
# R-215837 CISC-ND-001000
# Please configure name IP address to a valid one.
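Review bot: `logging {{ iosxeSTIG_stigrule_215837_host_Name }}` is stored by IOS as `logging host <addr>` in the running configuration, so `ios_config` will not find the exact line on the next run and will report changed every time; the stig_xml callback in this same change maps `changed` to a `fail` result, so this rule would never pass on a re-run. Use `logging host {{ ... }}` as the line. Also, this hunk keeps the bare `ios_config` while the NTP hunk below switches to `cisco.ios.ios_config`; use the FQCN in both.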
@@ -397,16 +397,18 @@
- name : stigrule_215838_ntp_server_1
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_ntp:
server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
cisco.ios.ios_config:
lines:
- "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
when: iosxeSTIG_stigrule_215838_Manage
# R-215838 CISC-ND-001030
# Replace ntp servers' IP address before enabling.
- name : stigrule_215838_ntp_server_2
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_ntp:
server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
cisco.ios.ios_config:
lines:
- "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
when: iosxeSTIG_stigrule_215838_Manage
# R-215840 CISC-ND-001050
# service timestamps log datetime localtime is set in 215817.
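Review bot: both NTP tasks are gated by the same `iosxeSTIG_stigrule_215838_Manage` and push one line each; a single `cisco.ios.ios_config` task with both `ntp server` lines would give one change record for the rule and one `rule-result` in the XCCDF output instead of two tasks that can diverge. Given the "Replace ntp servers' IP address before enabling" comment, an `assert` that `_ntp_server_1_Server` and `_ntp_server_2_Server` are defined and differ from each other would catch the placeholder case before config is pushed.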

View File

@@ -1,5 +1,4 @@
from __future__ import absolute_import, division, print_function
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
@@ -12,82 +11,76 @@ import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath(".")
cwd = os.path.abspath('.')
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + "files" in dirpath and ".xml" in files[0]:
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display("Using XML_PATH: {}".format(self.XML_path))
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, "r") as f:
r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
m = re.search(r, f.read())
if m:
rev = m.group("rev")
rev = m.group('rev')
else:
rev = "0"
rev = '0'
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search("stigrule_(?P<id>\d+)", name)
m = re.search('stigrule_(?P<id>\d+)', name)
if m:
nid = m.group("id")
nid = m.group('id')
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, "Unknown") != False:
if self.rules.get(key, 'Unknown') != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc.text = str(passing)
with open(self.XML_path, "wb") as f:
with open(self.XML_path, 'wb') as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
f.write(pretty)
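Review bot: the patterns in `_get_rev` and `v2_runner_on_ok` (`'SV-{}r(?P<rev>\d+)_rule'`, `'stigrule_(?P<id>\d+)'`) are still plain strings containing `\d`; Python 3.12 emits a SyntaxWarning for the invalid escape, so make them raw strings (`r'...'`) while these lines are being rewritten anyway. Two pre-existing defects this touch could fix in passing: `_get_STIG_path` indexes `files[0]` before checking that `files` is non-empty, which raises IndexError on any empty directory under a `files` path; and `if self.rules.get(key, 'Unknown') != False:` compares against `False` with `!=` (use `is not False`). Note also that flipping double quotes to single is the opposite of what `black` produces; if the repo runs a formatter, this hunk will churn straight back.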

View File

@@ -3,7 +3,7 @@ rhel8STIG_stigrule_230225_Manage: True
rhel8STIG_stigrule_230225_banner_Line: banner /etc/issue
# R-230226 RHEL-08-010050
rhel8STIG_stigrule_230226_Manage: True
rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: '''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'''
rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: "''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.''"
# R-230227 RHEL-08-010060
rhel8STIG_stigrule_230227_Manage: True
rhel8STIG_stigrule_230227__etc_issue_Dest: /etc/issue
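Review bot: check the rendered banner value before merging. The original `'''You are ... details.'''` is a YAML single-quoted scalar: the `''` pairs are escaped apostrophes and `\n` stays literal, so it renders as `'You are ...\n... details.'`, which is the GVariant string form dconf expects for `banner-message-text`. The new `"''You are ...\n... details.''"` is double-quoted, so every `\n` becomes a real newline and the `''` at each end become two literal apostrophes, giving a multi-line value wrapped in `''` that dconf will not parse. If the goal was a single-line keyfile value, the original form was already correct.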
@@ -43,9 +43,6 @@ rhel8STIG_stigrule_230241_policycoreutils_State: installed
# R-230244 RHEL-08-010200
rhel8STIG_stigrule_230244_Manage: True
rhel8STIG_stigrule_230244_ClientAliveCountMax_Line: ClientAliveCountMax 1
# R-230252 RHEL-08-010291
rhel8STIG_stigrule_230252_Manage: True
rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
# R-230255 RHEL-08-010294
rhel8STIG_stigrule_230255_Manage: True
rhel8STIG_stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'MinProtocol = TLSv1.2'
@@ -138,19 +135,9 @@ rhel8STIG_stigrule_230346__etc_security_limits_conf_Line: '* hard maxlogins 10'
# R-230347 RHEL-08-020030
rhel8STIG_stigrule_230347_Manage: True
rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
# R-230348 RHEL-08-020040
rhel8STIG_stigrule_230348_Manage: True
rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
# R-230349 RHEL-08-020041
rhel8STIG_stigrule_230349_Manage: True
rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
# R-230352 RHEL-08-020060
rhel8STIG_stigrule_230352_Manage: True
rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
# R-230353 RHEL-08-020070
rhel8STIG_stigrule_230353_Manage: True
rhel8STIG_stigrule_230353__etc_tmux_conf_Line: 'set -g lock-after-time 900'
# R-230354 RHEL-08-020080
rhel8STIG_stigrule_230354_Manage: True
rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/lock-delay'
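Review bot: the tmux rules (230348, 230349, 230353 here and 244537 further down) are deleted outright with no comment on why. If they were dropped from the STIG release being tracked, record that release in a comment; if they are only being skipped for this demo, set `_Manage: False` instead of deleting, because the stig_xml callback only emits a `rule-result` for tasks that actually ran, so deleted rules silently disappear from the XCCDF score rather than being reported as unmanaged.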
@@ -232,9 +219,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
# R-230395 RHEL-08-030063
rhel8STIG_stigrule_230395_Manage: True
rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
# R-230396 RHEL-08-030070
rhel8STIG_stigrule_230396_Manage: True
rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
# R-230398 RHEL-08-030090
# A duplicate of 230396
# duplicate of 230396
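Review bot: 230396 (`log_group = root`) is removed, but the comment kept under 230398 still reads "duplicate of 230396", pointing at a rule that no longer exists in this file; either restore the 230396 vars or reword the comment to state the setting 230398 actually shares.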
@@ -341,8 +325,8 @@ rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32_Line: '
rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
# R-230439 RHEL-08-030361
rhel8STIG_stigrule_230439_Manage: True
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
# R-230444 RHEL-08-030370
rhel8STIG_stigrule_230444_Manage: True
rhel8STIG_stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
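Review bot: the 230439 lines now list five syscalls (`rename,unlink,rmdir,renameat,unlinkat`) and key `delete` instead of `rename` with `module_chng`. Every audit-rule task in the tasks file uses `lineinfile` with a full-line anchored `regexp`, and the 230439 tasks are not in this diff; confirm their `regexp` has been updated to the new text, otherwise already-hardened hosts keep the old `-S rename ... -k module_chng` line in audit.rules alongside the new one.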
@@ -438,7 +422,8 @@ rhel8STIG_stigrule_230527_Manage: True
rhel8STIG_stigrule_230527_RekeyLimit_Line: RekeyLimit 1G 1h
# R-230529 RHEL-08-040170
rhel8STIG_stigrule_230529_Manage: True
rhel8STIG_stigrule_230529_systemctl_mask_ctrl_alt_del_target_Command: systemctl mask ctrl-alt-del.target
rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled: false
rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked: true
# R-230531 RHEL-08-040172
rhel8STIG_stigrule_230531_Manage: True
rhel8STIG_stigrule_230531__etc_systemd_system_conf_Value: 'none'
@@ -520,6 +505,9 @@ rhel8STIG_stigrule_244523__usr_lib_systemd_system_emergency_service_Value: '-/us
# R-244525 RHEL-08-010201
rhel8STIG_stigrule_244525_Manage: True
rhel8STIG_stigrule_244525_ClientAliveInterval_Line: ClientAliveInterval 600
# R-244526 RHEL-08-010287
rhel8STIG_stigrule_244526_Manage: True
rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
# R-244527 RHEL-08-010472
rhel8STIG_stigrule_244527_Manage: True
rhel8STIG_stigrule_244527_rng_tools_State: installed
@@ -532,9 +520,6 @@ rhel8STIG_stigrule_244535__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
# R-244536 RHEL-08-020032
rhel8STIG_stigrule_244536_Manage: True
rhel8STIG_stigrule_244536__etc_dconf_db_local_d_02_login_screen_Value: 'true'
# R-244537 RHEL-08-020039
rhel8STIG_stigrule_244537_Manage: True
rhel8STIG_stigrule_244537_tmux_State: installed
# R-244538 RHEL-08-020081
rhel8STIG_stigrule_244538_Manage: True
rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'
@@ -569,3 +554,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
# R-244554 RHEL-08-040286
rhel8STIG_stigrule_244554_Manage: True
rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
# R-256974 RHEL-08-010358
rhel8STIG_stigrule_256974_Manage: True
rhel8STIG_stigrule_256974_mailx_State: installed

View File

@@ -6,6 +6,25 @@
service:
name: sshd
state: restarted
- name: rsyslog_restart
service:
name: rsyslog
state: restarted
- name: sysctl_load_settings
command: sysctl --system
- name: daemon_reload
systemd:
daemon_reload: true
- name: networkmanager_reload
service:
name: NetworkManager
state: reloaded
- name: logind_restart
service:
name: systemd-logind
state: restarted
- name: with_faillock_enable
command: authselect enable-feature with-faillock
- name: do_reboot
reboot:
pre_reboot_delay: 60
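Review bot: `with_faillock_enable` runs `authselect enable-feature with-faillock` as a bare `command`, which reports changed on every invocation and errors on a host with no authselect profile selected; add a `changed_when` on its output and guard it with an `authselect current` check. `sysctl_load_settings` (`sysctl --system`) needs `changed_when: false` for the same reason. `do_reboot` reboots any host that notifies it after a 60 s delay; the 230252 task that notified it is removed in this change, so list which tasks still notify it, and keep it last in this file, since handlers run in the order they are defined, not the order they are notified. Minor: `daemon_reload` uses `systemd` while the rest use `service`; aligning on `ansible.builtin.systemd` / `ansible.builtin.service` would also satisfy the FQCN lint rule.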

View File

@@ -4,7 +4,7 @@
- name: stigrule_230225_banner
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)banner\s+'
regexp: '(?i)^\s*banner\s+'
line: "{{ rhel8STIG_stigrule_230225_banner_Line }}"
notify: ssh_restart
when:
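Review bot: moving `(?i)` to the start of the pattern is a functional fix, not cosmetic: since Python 3.11 the `re` module rejects a global inline flag that is not at the start with `re.error: global flags not at the start of the expression`, so `'^\s*(?i)banner\s+'` would abort the task on a current execution environment. The same change recurs in the sshd_config hunks below and needs no further comment there.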
@@ -82,22 +82,12 @@
- name: stigrule_230244_ClientAliveCountMax
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)ClientAliveCountMax\s+'
regexp: '(?i)^\s*ClientAliveCountMax\s+'
line: "{{ rhel8STIG_stigrule_230244_ClientAliveCountMax_Line }}"
notify: ssh_restart
when:
- rhel8STIG_stigrule_230244_Manage
- "'openssh-server' in packages"
# R-230252 RHEL-08-010291
- name: stigrule_230252__etc_sysconfig_sshd
lineinfile:
path: /etc/sysconfig/sshd
regexp: '^# CRYPTO_POLICY='
line: "{{ rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line }}"
create: yes
notify: do_reboot
when:
- rhel8STIG_stigrule_230252_Manage
# R-230255 RHEL-08-010294
- name: stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config
lineinfile:
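Review bot: the 230252 task (`# CRYPTO_POLICY=` in /etc/sysconfig/sshd) is removed, and the vars file adds the same line under 244526 (RHEL-08-010287), but no `stigrule_244526__etc_sysconfig_sshd` task appears anywhere in this change; without it the new vars are dead and the control is unmanaged. The replacement task should keep the `notify: do_reboot` the old one had, since the STIG notes the sshd crypto-policy override only takes effect after a reboot.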
@@ -111,6 +101,7 @@
- name: stigrule_230256__etc_crypto_policies_back_ends_gnutls_config
lineinfile:
path: /etc/crypto-policies/back-ends/gnutls.config
regexp: '^\+VERS'
line: "{{ rhel8STIG_stigrule_230256__etc_crypto_policies_back_ends_gnutls_config_Line }}"
create: yes
when:
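Review bot: adding `regexp: '^\+VERS'` stops this task appending a duplicate line on every run, but anything under /etc/crypto-policies/back-ends/ is regenerated by `update-crypto-policies --set`, so the edit is lost the next time the system policy is changed. The durable form is a policy module under /etc/crypto-policies/policies/modules/ (a `.pmod` file with the `+VERS-ALL:-VERS-...` restriction) applied with `update-crypto-policies --set DEFAULT:<MODULE>`; at minimum, note the limitation in a comment next to the task.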
@@ -249,7 +240,7 @@
- name: stigrule_230288_StrictModes
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)StrictModes\s+'
regexp: '(?i)^\s*StrictModes\s+'
line: "{{ rhel8STIG_stigrule_230288_StrictModes_Line }}"
notify: ssh_restart
when:
@@ -259,7 +250,7 @@
- name: stigrule_230290_IgnoreUserKnownHosts
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)IgnoreUserKnownHosts\s+'
regexp: '(?i)^\s*IgnoreUserKnownHosts\s+'
line: "{{ rhel8STIG_stigrule_230290_IgnoreUserKnownHosts_Line }}"
notify: ssh_restart
when:
@@ -269,7 +260,7 @@
- name: stigrule_230291_KerberosAuthentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)KerberosAuthentication\s+'
regexp: '(?i)^\s*KerberosAuthentication\s+'
line: "{{ rhel8STIG_stigrule_230291_KerberosAuthentication_Line }}"
notify: ssh_restart
when:
@@ -279,7 +270,7 @@
- name: stigrule_230296_PermitRootLogin
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PermitRootLogin\s+'
regexp: '(?i)^\s*PermitRootLogin\s+'
line: "{{ rhel8STIG_stigrule_230296_PermitRootLogin_Line }}"
notify: ssh_restart
when:
@@ -395,7 +386,7 @@
- name: stigrule_230330_PermitUserEnvironment
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PermitUserEnvironment\s+'
regexp: '(?i)^\s*PermitUserEnvironment\s+'
line: "{{ rhel8STIG_stigrule_230330_PermitUserEnvironment_Line }}"
notify: ssh_restart
when:
@@ -422,28 +413,6 @@
when:
- rhel8STIG_stigrule_230347_Manage
- "'dconf' in packages"
# R-230348 RHEL-08-020040
- name: stigrule_230348_ensure_tmux_is_installed
yum:
name: tmux
state: "{{ rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State }}"
when: rhel8STIG_stigrule_230348_Manage
# R-230348 RHEL-08-020040
- name: stigrule_230348__etc_tmux_conf
lineinfile:
path: /etc/tmux.conf
line: "{{ rhel8STIG_stigrule_230348__etc_tmux_conf_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230348_Manage
# R-230349 RHEL-08-020041
- name: stigrule_230349__etc_bashrc
lineinfile:
path: /etc/bashrc
line: "{{ rhel8STIG_stigrule_230349__etc_bashrc_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230349_Manage
# R-230352 RHEL-08-020060
- name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
ini_file:
@@ -456,20 +425,13 @@
when:
- rhel8STIG_stigrule_230352_Manage
- "'dconf' in packages"
# R-230353 RHEL-08-020070
- name: stigrule_230353__etc_tmux_conf
lineinfile:
path: /etc/tmux.conf
line: "{{ rhel8STIG_stigrule_230353__etc_tmux_conf_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230353_Manage
# R-230354 RHEL-08-020080
- name: stigrule_230354__etc_dconf_db_local_d_locks_session
lineinfile:
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_230354_Manage
# R-230357 RHEL-08-020110
@@ -602,7 +564,7 @@
- name: stigrule_230382_PrintLastLog
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PrintLastLog\s+'
regexp: '(?i)^\s*PrintLastLog\s+'
line: "{{ rhel8STIG_stigrule_230382_PrintLastLog_Line }}"
notify: ssh_restart
when:
@@ -618,7 +580,7 @@
when:
- rhel8STIG_stigrule_230383_Manage
# R-230386 RHEL-08-030000
- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b32
- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv$'
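Review bot: the `- name :` to `- name:` cleanup is partial; the IOS XE STIG file in this same change still has `- name : stigrule_215823_disable_identd`, `- name : stigrule_215837_host` and the two `stigrule_215838_ntp_server_*` tasks with the old spacing, so yamllint's `colons` rule will keep flagging that file. Apply the same fix there in this commit.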
@@ -626,7 +588,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230386_Manage
# R-230386 RHEL-08-030000
- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b64
- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv$'
@@ -634,7 +596,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230386_Manage
# R-230386 RHEL-08-030000
- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b32
- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv$'
@@ -642,7 +604,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230386_Manage
# R-230386 RHEL-08-030000
- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b64
- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv$'
@@ -726,18 +688,8 @@
notify: auditd_restart
when:
- rhel8STIG_stigrule_230395_Manage
# R-230396 RHEL-08-030070
- name: stigrule_230396__etc_audit_auditd_conf
lineinfile:
path: /etc/audit/auditd.conf
regexp: '^log_group = '
line: "{{ rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line }}"
create: yes
notify: auditd_restart
when:
- rhel8STIG_stigrule_230396_Manage
# R-230402 RHEL-08-030121
- name : stigrule_230402__etc_audit_rules_d_audit_rules_e2
- name: stigrule_230402__etc_audit_rules_d_audit_rules_e2
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-e 2$'
@@ -745,7 +697,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230402_Manage
# R-230403 RHEL-08-030122
- name : stigrule_230403__etc_audit_rules_d_audit_rules_loginuid_immutable
- name: stigrule_230403__etc_audit_rules_d_audit_rules_loginuid_immutable
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^--loginuid-immutable$'
@@ -753,7 +705,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230403_Manage
# R-230404 RHEL-08-030130
- name : stigrule_230404__etc_audit_rules_d_audit_rules__etc_shadow
- name: stigrule_230404__etc_audit_rules_d_audit_rules__etc_shadow
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/shadow -p wa -k identity$'
@@ -761,7 +713,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230404_Manage
# R-230405 RHEL-08-030140
- name : stigrule_230405__etc_audit_rules_d_audit_rules__etc_security_opasswd
- name: stigrule_230405__etc_audit_rules_d_audit_rules__etc_security_opasswd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/security/opasswd -p wa -k identity$'
@@ -769,7 +721,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230405_Manage
# R-230406 RHEL-08-030150
- name : stigrule_230406__etc_audit_rules_d_audit_rules__etc_passwd
- name: stigrule_230406__etc_audit_rules_d_audit_rules__etc_passwd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/passwd -p wa -k identity$'
@@ -777,7 +729,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230406_Manage
# R-230407 RHEL-08-030160
- name : stigrule_230407__etc_audit_rules_d_audit_rules__etc_gshadow
- name: stigrule_230407__etc_audit_rules_d_audit_rules__etc_gshadow
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/gshadow -p wa -k identity$'
@@ -785,7 +737,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230407_Manage
# R-230408 RHEL-08-030170
- name : stigrule_230408__etc_audit_rules_d_audit_rules__etc_group
- name: stigrule_230408__etc_audit_rules_d_audit_rules__etc_group
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/group -p wa -k identity$'
@@ -793,7 +745,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230408_Manage
# R-230409 RHEL-08-030171
- name : stigrule_230409__etc_audit_rules_d_audit_rules__etc_sudoers
- name: stigrule_230409__etc_audit_rules_d_audit_rules__etc_sudoers
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/sudoers -p wa -k identity$'
@@ -801,7 +753,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230409_Manage
# R-230410 RHEL-08-030172
- name : stigrule_230410__etc_audit_rules_d_audit_rules__etc_sudoers_d_
- name: stigrule_230410__etc_audit_rules_d_audit_rules__etc_sudoers_d_
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/sudoers.d/ -p wa -k identity$'
@@ -815,7 +767,7 @@
state: "{{ rhel8STIG_stigrule_230411_audit_State }}"
when: rhel8STIG_stigrule_230411_Manage
# R-230412 RHEL-08-030190
- name : stigrule_230412__etc_audit_rules_d_audit_rules__usr_bin_su
- name: stigrule_230412__etc_audit_rules_d_audit_rules__usr_bin_su
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change$'
@@ -823,7 +775,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230412_Manage
# R-230413 RHEL-08-030200
- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset
- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -831,7 +783,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230413_Manage
# R-230413 RHEL-08-030200
- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset
- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -839,7 +791,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230413_Manage
# R-230413 RHEL-08-030200
- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32
- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod$'
@@ -847,7 +799,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230413_Manage
# R-230413 RHEL-08-030200
- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64
- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod$'
@@ -855,7 +807,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230413_Manage
# R-230418 RHEL-08-030250
- name : stigrule_230418__etc_audit_rules_d_audit_rules__usr_bin_chage
- name: stigrule_230418__etc_audit_rules_d_audit_rules__usr_bin_chage
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage$'
@@ -863,7 +815,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230418_Manage
# R-230419 RHEL-08-030260
- name : stigrule_230419__etc_audit_rules_d_audit_rules__usr_bin_chcon
- name: stigrule_230419__etc_audit_rules_d_audit_rules__usr_bin_chcon
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -871,7 +823,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230419_Manage
# R-230421 RHEL-08-030280
- name : stigrule_230421__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent
- name: stigrule_230421__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh$'
@@ -879,7 +831,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230421_Manage
# R-230422 RHEL-08-030290
- name : stigrule_230422__etc_audit_rules_d_audit_rules__usr_bin_passwd
- name: stigrule_230422__etc_audit_rules_d_audit_rules__usr_bin_passwd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd$'
@@ -887,7 +839,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230422_Manage
# R-230423 RHEL-08-030300
- name : stigrule_230423__etc_audit_rules_d_audit_rules__usr_bin_mount
- name: stigrule_230423__etc_audit_rules_d_audit_rules__usr_bin_mount
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -895,7 +847,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230423_Manage
# R-230424 RHEL-08-030301
- name : stigrule_230424__etc_audit_rules_d_audit_rules__usr_bin_umount
- name: stigrule_230424__etc_audit_rules_d_audit_rules__usr_bin_umount
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -903,7 +855,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230424_Manage
# R-230425 RHEL-08-030302
- name : stigrule_230425__etc_audit_rules_d_audit_rules_mount_b32
- name: stigrule_230425__etc_audit_rules_d_audit_rules_mount_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -911,7 +863,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230425_Manage
# R-230425 RHEL-08-030302
- name : stigrule_230425__etc_audit_rules_d_audit_rules_mount_b64
- name: stigrule_230425__etc_audit_rules_d_audit_rules_mount_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -919,7 +871,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230425_Manage
# R-230426 RHEL-08-030310
- name : stigrule_230426__etc_audit_rules_d_audit_rules__usr_sbin_unix_update
- name: stigrule_230426__etc_audit_rules_d_audit_rules__usr_sbin_unix_update
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -927,7 +879,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230426_Manage
# R-230427 RHEL-08-030311
- name : stigrule_230427__etc_audit_rules_d_audit_rules__usr_sbin_postdrop
- name: stigrule_230427__etc_audit_rules_d_audit_rules__usr_sbin_postdrop
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -935,7 +887,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230427_Manage
# R-230428 RHEL-08-030312
- name : stigrule_230428__etc_audit_rules_d_audit_rules__usr_sbin_postqueue
- name: stigrule_230428__etc_audit_rules_d_audit_rules__usr_sbin_postqueue
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -943,7 +895,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230428_Manage
# R-230429 RHEL-08-030313
- name : stigrule_230429__etc_audit_rules_d_audit_rules__usr_sbin_semanage
- name: stigrule_230429__etc_audit_rules_d_audit_rules__usr_sbin_semanage
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -951,7 +903,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230429_Manage
# R-230430 RHEL-08-030314
- name : stigrule_230430__etc_audit_rules_d_audit_rules__usr_sbin_setfiles
- name: stigrule_230430__etc_audit_rules_d_audit_rules__usr_sbin_setfiles
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -959,7 +911,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230430_Manage
# R-230431 RHEL-08-030315
- name : stigrule_230431__etc_audit_rules_d_audit_rules__usr_sbin_userhelper
- name: stigrule_230431__etc_audit_rules_d_audit_rules__usr_sbin_userhelper
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -967,7 +919,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230431_Manage
# R-230432 RHEL-08-030316
- name : stigrule_230432__etc_audit_rules_d_audit_rules__usr_sbin_setsebool
- name: stigrule_230432__etc_audit_rules_d_audit_rules__usr_sbin_setsebool
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -975,7 +927,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230432_Manage
# R-230433 RHEL-08-030317
- name : stigrule_230433__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd
- name: stigrule_230433__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -983,7 +935,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230433_Manage
# R-230434 RHEL-08-030320
- name : stigrule_230434__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign
- name: stigrule_230434__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh$'
@@ -991,7 +943,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230434_Manage
# R-230435 RHEL-08-030330
- name : stigrule_230435__etc_audit_rules_d_audit_rules__usr_bin_setfacl
- name: stigrule_230435__etc_audit_rules_d_audit_rules__usr_bin_setfacl
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -999,7 +951,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230435_Manage
# R-230436 RHEL-08-030340
- name : stigrule_230436__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check
- name: stigrule_230436__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check$'
@@ -1007,7 +959,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230436_Manage
# R-230437 RHEL-08-030350
- name : stigrule_230437__etc_audit_rules_d_audit_rules__usr_bin_newgrp
- name: stigrule_230437__etc_audit_rules_d_audit_rules__usr_bin_newgrp
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -1015,7 +967,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230437_Manage
# R-230438 RHEL-08-030360
- name : stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32
- name: stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1023,7 +975,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230438_Manage
# R-230438 RHEL-08-030360
- name : stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64
- name: stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1031,23 +983,23 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230438_Manage
# R-230439 RHEL-08-030361
- name : stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32
- name: stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
regexp: '^-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line }}"
notify: auditd_restart
when: rhel8STIG_stigrule_230439_Manage
# R-230439 RHEL-08-030361
- name : stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64
- name: stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
regexp: '^-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line }}"
notify: auditd_restart
when: rhel8STIG_stigrule_230439_Manage
# R-230444 RHEL-08-030370
- name : stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd
- name: stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd$'
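Review bot: with the R-230439 regexp now expecting `-S rename,unlink,rmdir,renameat,unlinkat ... -k delete`, the `rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line` and `_b64_Line` defaults that these tasks write must carry exactly that syscall list and key; `lineinfile` appends a new line whenever `regexp` finds no match, so any mismatch between the pattern and the written line adds a duplicate audit rule on every run (presumably the failure mode the old `-S rename ... -k module_chng` pattern had). Please confirm the defaults were updated in the same change.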
@@ -1055,7 +1007,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230444_Manage
# R-230446 RHEL-08-030390
- name : stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b32
- name: stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1063,7 +1015,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230446_Manage
# R-230446 RHEL-08-030390
- name : stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b64
- name: stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1071,7 +1023,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230446_Manage
# R-230447 RHEL-08-030400
- name : stigrule_230447__etc_audit_rules_d_audit_rules__usr_bin_crontab
- name: stigrule_230447__etc_audit_rules_d_audit_rules__usr_bin_crontab
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab$'
@@ -1079,7 +1031,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230447_Manage
# R-230448 RHEL-08-030410
- name : stigrule_230448__etc_audit_rules_d_audit_rules__usr_bin_chsh
- name: stigrule_230448__etc_audit_rules_d_audit_rules__usr_bin_chsh
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -1087,7 +1039,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230448_Manage
# R-230449 RHEL-08-030420
- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b32
- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1095,7 +1047,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230449_Manage
# R-230449 RHEL-08-030420
- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b64
- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1103,7 +1055,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230449_Manage
# R-230449 RHEL-08-030420
- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b32
- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1111,7 +1063,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230449_Manage
# R-230449 RHEL-08-030420
- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b64
- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1119,7 +1071,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230449_Manage
# R-230455 RHEL-08-030480
- name : stigrule_230455__etc_audit_rules_d_audit_rules_chown_b32
- name: stigrule_230455__etc_audit_rules_d_audit_rules_chown_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1127,7 +1079,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230455_Manage
# R-230455 RHEL-08-030480
- name : stigrule_230455__etc_audit_rules_d_audit_rules_chown_b64
- name: stigrule_230455__etc_audit_rules_d_audit_rules_chown_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1135,7 +1087,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230455_Manage
# R-230456 RHEL-08-030490
- name : stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b32
- name: stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1143,7 +1095,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230456_Manage
# R-230456 RHEL-08-030490
- name : stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b64
- name: stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1151,7 +1103,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230456_Manage
# R-230462 RHEL-08-030550
- name : stigrule_230462__etc_audit_rules_d_audit_rules__usr_bin_sudo
- name: stigrule_230462__etc_audit_rules_d_audit_rules__usr_bin_sudo
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -1159,7 +1111,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230462_Manage
# R-230463 RHEL-08-030560
- name : stigrule_230463__etc_audit_rules_d_audit_rules__usr_sbin_usermod
- name: stigrule_230463__etc_audit_rules_d_audit_rules__usr_sbin_usermod
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod$'
@@ -1167,7 +1119,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230463_Manage
# R-230464 RHEL-08-030570
- name : stigrule_230464__etc_audit_rules_d_audit_rules__usr_bin_chacl
- name: stigrule_230464__etc_audit_rules_d_audit_rules__usr_bin_chacl
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1175,7 +1127,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230464_Manage
# R-230465 RHEL-08-030580
- name : stigrule_230465__etc_audit_rules_d_audit_rules__usr_bin_kmod
- name: stigrule_230465__etc_audit_rules_d_audit_rules__usr_bin_kmod
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules$'
@@ -1183,7 +1135,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230465_Manage
# R-230466 RHEL-08-030590
- name : stigrule_230466__etc_audit_rules_d_audit_rules__var_log_faillock
- name: stigrule_230466__etc_audit_rules_d_audit_rules__var_log_faillock
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /var/log/faillock -p wa -k logins$'
@@ -1191,7 +1143,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230466_Manage
# R-230467 RHEL-08-030600
- name : stigrule_230467__etc_audit_rules_d_audit_rules__var_log_lastlog
- name: stigrule_230467__etc_audit_rules_d_audit_rules__var_log_lastlog
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /var/log/lastlog -p wa -k logins$'
@@ -1314,7 +1266,7 @@
when: rhel8STIG_stigrule_230505_Manage
# R-230506 RHEL-08-040110
- name: check if wireless network adapters are disabled
shell: "[[ $(nmcli radio wifi) == 'enabled' ]]"
shell: "[[ $(nmcli radio wifi) == 'enabled' ]]"
changed_when: False
check_mode: no
register: cmd_result
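Review bot: `[[ ... ]]` is a bash test, but `shell` runs its command through `/bin/sh` unless `executable` is set, so `shell: "[[ $(nmcli radio wifi) == 'enabled' ]]"` works on RHEL only because `/bin/sh` is bash there; either add `args: executable: /bin/bash` or drop the shell entirely with `command: nmcli radio wifi` and test `cmd_result.stdout == 'enabled'` in the `when` of the task that consumes it. The same applies to the `[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]` checks later in this file.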
@@ -1348,20 +1300,40 @@
- name: stigrule_230527_RekeyLimit
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)RekeyLimit\s+'
regexp: '(?i)^\s*RekeyLimit\s+'
line: "{{ rhel8STIG_stigrule_230527_RekeyLimit_Line }}"
notify: ssh_restart
when:
- rhel8STIG_stigrule_230527_Manage
- "'openssh-server' in packages"
# R-230529 RHEL-08-040170
- name: stigrule_230529_systemctl_mask_ctrl_alt_del_target
systemd:
- name: check if ctrl-alt-del.target is installed
shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
changed_when: False
check_mode: no
register: result
failed_when: result.rc > 1
- name: stigrule_230529_ctrl_alt_del_target_disable
systemd_service:
name: ctrl-alt-del.target
enabled: no
masked: yes
enabled: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled }}"
when:
- rhel8STIG_stigrule_230529_Manage
- result.rc == 0
# R-230529 RHEL-08-040170
- name: check if ctrl-alt-del.target is installed
shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
changed_when: False
check_mode: no
register: result
failed_when: result.rc > 1
- name: stigrule_230529_ctrl_alt_del_target_mask
systemd_service:
name: ctrl-alt-del.target
masked: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked }}"
when:
- rhel8STIG_stigrule_230529_Manage
- result.rc == 0
# R-230531 RHEL-08-040172
- name: stigrule_230531__etc_systemd_system_conf
ini_file:
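Review bot: in both `check if ctrl-alt-del.target is installed` tasks, the unquoted leading `!` in `shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"` is consumed by the YAML parser as a non-specific tag rather than passed to the shell, so the negation is silently dropped and the command runs as `systemctl list-unit-files | grep ...`. That happens to give the semantics the `when: result.rc == 0` guard on the `systemd_service` tasks needs (rc 0 means the unit exists), but only by accident; quote the command as `shell: 'systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"'` without the `!` so the intent is explicit, run that check once instead of twice (both copies register `result`), and gate it on `rhel8STIG_stigrule_230529_Manage` like the tasks that consume it. Moving `(?i)` to the front of the RekeyLimit regexp is the right fix: Python 3.11 rejects global inline flags that do not sit at the start of the pattern.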
@@ -1382,7 +1354,7 @@
when: rhel8STIG_stigrule_230533_Manage
# R-230535 RHEL-08-040210
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
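Review bot: this `check if ipv6 is enabled` task is repeated verbatim ahead of R-230535, 230538, 230539, 230540, 230541, 230542 and 230544, each copy registering `cmd_result`; run it once (or `set_fact` a boolean from `/sys/module/ipv6/parameters/disable`) and reuse that fact in each rule's `when`, which removes six shell executions per run and the chance that one copy drifts from the others.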
@@ -1410,7 +1382,7 @@
- rhel8STIG_stigrule_230537_Manage
# R-230538 RHEL-08-040240
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1424,7 +1396,7 @@
- cmd_result.rc == 0
# R-230539 RHEL-08-040250
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1445,7 +1417,7 @@
- rhel8STIG_stigrule_230540_Manage
# R-230540 RHEL-08-040260
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1459,7 +1431,7 @@
- cmd_result.rc == 0
# R-230541 RHEL-08-040261
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1473,7 +1445,7 @@
- cmd_result.rc == 0
# R-230542 RHEL-08-040262
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1494,7 +1466,7 @@
- rhel8STIG_stigrule_230543_Manage
# R-230544 RHEL-08-040280
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1569,7 +1541,7 @@
- name: stigrule_230555_X11Forwarding
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)X11Forwarding\s+'
regexp: '(?i)^\s*X11Forwarding\s+'
line: "{{ rhel8STIG_stigrule_230555_X11Forwarding_Line }}"
notify: ssh_restart
when:
@@ -1579,7 +1551,7 @@
- name: stigrule_230556_X11UseLocalhost
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)X11UseLocalhost\s+'
regexp: '(?i)^\s*X11UseLocalhost\s+'
line: "{{ rhel8STIG_stigrule_230556_X11UseLocalhost_Line }}"
notify: ssh_restart
when:
@@ -1635,12 +1607,22 @@
- name: stigrule_244525_ClientAliveInterval
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)ClientAliveInterval\s+'
regexp: '(?i)^\s*ClientAliveInterval\s+'
line: "{{ rhel8STIG_stigrule_244525_ClientAliveInterval_Line }}"
notify: ssh_restart
when:
- rhel8STIG_stigrule_244525_Manage
- "'openssh-server' in packages"
# R-244526 RHEL-08-010287
- name: stigrule_244526__etc_sysconfig_sshd
lineinfile:
path: /etc/sysconfig/sshd
regexp: '^# CRYPTO_POLICY='
line: "{{ rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line }}"
create: yes
notify: do_reboot
when:
- rhel8STIG_stigrule_244526_Manage
# R-244527 RHEL-08-010472
- name: stigrule_244527_rng_tools
yum:
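Review bot: the new R-244526 task's `regexp: '^# CRYPTO_POLICY='` only matches a line that is already commented out, so a host that actually violates the rule (an uncommented `CRYPTO_POLICY=...` override in `/etc/sysconfig/sshd`) keeps that line while the managed line is appended beside it; use something like `regexp: '^#?\s*CRYPTO_POLICY='` so both forms are replaced. It also lacks the `"'openssh-server' in packages"` condition that the other sshd tasks in this file carry, and with `create: yes` it will create `/etc/sysconfig/sshd` on hosts that have no sshd at all.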
@@ -1651,7 +1633,7 @@
- name: stigrule_244528_GSSAPIAuthentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)GSSAPIAuthentication\s+'
regexp: '(?i)^\s*GSSAPIAuthentication\s+'
line: "{{ rhel8STIG_stigrule_244528_GSSAPIAuthentication_Line }}"
notify: ssh_restart
when:
@@ -1681,18 +1663,13 @@
when:
- rhel8STIG_stigrule_244536_Manage
- "'dconf' in packages"
# R-244537 RHEL-08-020039
- name: stigrule_244537_tmux
yum:
name: tmux
state: "{{ rhel8STIG_stigrule_244537_tmux_State }}"
when: rhel8STIG_stigrule_244537_Manage
# R-244538 RHEL-08-020081
- name: stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay
lineinfile:
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_244538_Manage
# R-244539 RHEL-08-020082
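Review bot: if the R-244537 tmux `yum` task is being dropped here (the hunk shrinks from 18 to 13 lines and that block is the only multi-line removal), RHEL-08-020039 is no longer enforced by this role; if that is intentional, remove the `rhel8STIG_stigrule_244537_Manage` and `rhel8STIG_stigrule_244537_tmux_State` defaults it referenced in the same change and say why in the commit message, otherwise readers will assume the rule is still covered. The `notify: dconf_update` added to the 244538 lock-file task is needed, since a file under `/etc/dconf/db/local.d/locks/` has no effect until `dconf update` rebuilds the database.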
@@ -1701,6 +1678,7 @@
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_244539__etc_dconf_db_local_d_locks_session_lock_enabled_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_244539_Manage
# R-244542 RHEL-08-030181
@@ -1798,3 +1776,9 @@
create: yes
when:
- rhel8STIG_stigrule_244554_Manage
# R-256974 RHEL-08-010358
- name: stigrule_256974_mailx
yum:
name: mailx
state: "{{ rhel8STIG_stigrule_256974_mailx_State }}"
when: rhel8STIG_stigrule_256974_Manage


@@ -0,0 +1,86 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
from time import gmtime, strftime
import platform
import tempfile
import re
import sys
import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
else:
rev = '0'
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
if m:
nid = m.group('id')
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
f.write(pretty)
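Review bot: the guard `if self.rules.get(key, 'Unknown') != False:` in `v2_runner_on_ok` makes a pass sticky instead of a fail: for rules implemented by several tasks (the b32/b64 audit pairs in the role), once one task reports unchanged the key holds False and later changed results are ignored, while a True can still be overwritten by a later False, so a partially non-compliant rule is scored `pass`. Use `self.rules[key] = self.rules.get(key, False) or result.is_changed()` so any changed task marks the rule as failed. Further points: only `v2_runner_on_ok` is implemented, so a rule whose task errors out is simply absent from the TestResult rather than reported as `error`; `_get_STIG_path` indexes `files[0]` for every directory `os.walk` visits and raises `IndexError` on the first empty one, `'.xml' in files[0]` is a substring test, and when nothing is found it returns None, after which `os.path.basename(self.stig_path)` in `__init__` raises (iterate `files`, use `endswith('.xml')`, and fail with a clear message); the `\d` escapes in `_get_rev` and `v2_runner_on_ok` belong in raw strings (`r'SV-{}r(?P<rev>\d+)_rule'`) to avoid the invalid-escape warning; `end-time` is stamped in `__init__`, i.e. at the start of the run, and should be set in `v2_playbook_on_stats`; and the bare `print("Writing: ...")` should go through `self._display` like the lines before it.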


@@ -0,0 +1,984 @@
# R-257779 RHEL-09-211020
rhel9STIG_stigrule_257779_Manage: True
rhel9STIG_stigrule_257779__etc_issue_Dest: /etc/issue
rhel9STIG_stigrule_257779__etc_issue_Content: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
'
# R-257783 RHEL-09-211040
rhel9STIG_stigrule_257783_Manage: True
rhel9STIG_stigrule_257783_systemd_journald_enable_Enabled: yes
rhel9STIG_stigrule_257783_systemd_journald_start_State: started
# R-257784 RHEL-09-211045
rhel9STIG_stigrule_257784_Manage: True
rhel9STIG_stigrule_257784__etc_systemd_system_conf_Value: 'none'
# R-257785 RHEL-09-211050
rhel9STIG_stigrule_257785_Manage: True
rhel9STIG_stigrule_257785_ctrl_alt_del_target_disable_Enabled: false
rhel9STIG_stigrule_257785_ctrl_alt_del_target_mask_Masked: true
# R-257786 RHEL-09-211055
rhel9STIG_stigrule_257786_Manage: True
rhel9STIG_stigrule_257786_debug_shell_service_disable_Enabled: false
rhel9STIG_stigrule_257786_debug_shell_service_mask_Masked: true
# R-257790 RHEL-09-212025
rhel9STIG_stigrule_257790_Manage: True
rhel9STIG_stigrule_257790__boot_grub2_grub_cfg_group_owner_Dest: /boot/grub2/grub.cfg
rhel9STIG_stigrule_257790__boot_grub2_grub_cfg_group_owner_Group: root
# R-257791 RHEL-09-212030
rhel9STIG_stigrule_257791_Manage: True
rhel9STIG_stigrule_257791__boot_grub2_grub_cfg_owner_Dest: /boot/grub2/grub.cfg
rhel9STIG_stigrule_257791__boot_grub2_grub_cfg_owner_Owner: root
# R-257797 RHEL-09-213010
rhel9STIG_stigrule_257797_Manage: True
rhel9STIG_stigrule_257797_kernel_dmesg_restrict_Value: 1
rhel9STIG_stigrule_257797_kernel_dmesg_restrict_File: /etc/sysctl.d/99-sysctl.conf
# R-257798 RHEL-09-213015
rhel9STIG_stigrule_257798_Manage: True
rhel9STIG_stigrule_257798_kernel_perf_event_paranoid_Value: 2
rhel9STIG_stigrule_257798_kernel_perf_event_paranoid_File: /etc/sysctl.d/99-sysctl.conf
# R-257799 RHEL-09-213020
rhel9STIG_stigrule_257799_Manage: True
rhel9STIG_stigrule_257799_kernel_kexec_load_disabled_Value: 1
rhel9STIG_stigrule_257799_kernel_kexec_load_disabled_File: /etc/sysctl.d/99-sysctl.conf
# R-257800 RHEL-09-213025
rhel9STIG_stigrule_257800_Manage: True
rhel9STIG_stigrule_257800_kernel_kptr_restrict_Value: 1
rhel9STIG_stigrule_257800_kernel_kptr_restrict_File: /etc/sysctl.d/99-sysctl.conf
# R-257801 RHEL-09-213030
rhel9STIG_stigrule_257801_Manage: True
rhel9STIG_stigrule_257801_fs_protected_hardlinks_Value: 1
rhel9STIG_stigrule_257801_fs_protected_hardlinks_File: /etc/sysctl.d/99-sysctl.conf
# R-257802 RHEL-09-213035
rhel9STIG_stigrule_257802_Manage: True
rhel9STIG_stigrule_257802_fs_protected_symlinks_Value: 1
rhel9STIG_stigrule_257802_fs_protected_symlinks_File: /etc/sysctl.d/99-sysctl.conf
# R-257803 RHEL-09-213040
rhel9STIG_stigrule_257803_Manage: True
rhel9STIG_stigrule_257803_kernel_core_pattern_Value: '|/bin/false'
rhel9STIG_stigrule_257803_kernel_core_pattern_File: /etc/sysctl.d/99-sysctl.conf
# R-257804 RHEL-09-213045
rhel9STIG_stigrule_257804_Manage: True
rhel9STIG_stigrule_257804__etc_modprobe_d_atm_conf_install_atm__bin_false_Line: 'install atm /bin/false'
rhel9STIG_stigrule_257804__etc_modprobe_d_atm_conf_blacklist_atm_Line: 'blacklist atm'
# R-257805 RHEL-09-213050
rhel9STIG_stigrule_257805_Manage: True
rhel9STIG_stigrule_257805__etc_modprobe_d_can_conf_install_can__bin_false_Line: 'install can /bin/false'
rhel9STIG_stigrule_257805__etc_modprobe_d_can_conf_blacklist_can_Line: 'blacklist can'
# R-257806 RHEL-09-213055
rhel9STIG_stigrule_257806_Manage: True
rhel9STIG_stigrule_257806__etc_modprobe_d_firewire_core_conf_install_firewire_core__bin_false_Line: 'install firewire-core /bin/false'
rhel9STIG_stigrule_257806__etc_modprobe_d_firewire_core_conf_blacklist_firewire_core_Line: 'blacklist firewire-core'
# R-257807 RHEL-09-213060
rhel9STIG_stigrule_257807_Manage: True
rhel9STIG_stigrule_257807__etc_modprobe_d_sctp_conf_install_sctp__bin_false_Line: 'install sctp /bin/false'
rhel9STIG_stigrule_257807__etc_modprobe_d_sctp_conf_blacklist_sctp_Line: 'blacklist sctp'
# R-257808 RHEL-09-213065
rhel9STIG_stigrule_257808_Manage: True
rhel9STIG_stigrule_257808__etc_modprobe_d_tipc_conf_install_tipc__bin_false_Line: 'install tipc /bin/false'
rhel9STIG_stigrule_257808__etc_modprobe_d_tipc_conf_blacklist_tipc_Line: 'blacklist tipc'
# R-257809 RHEL-09-213070
rhel9STIG_stigrule_257809_Manage: True
rhel9STIG_stigrule_257809_kernel_randomize_va_space_Value: 2
rhel9STIG_stigrule_257809_kernel_randomize_va_space_File: /etc/sysctl.d/99-sysctl.conf
# R-257810 RHEL-09-213075
rhel9STIG_stigrule_257810_Manage: True
rhel9STIG_stigrule_257810_kernel_unprivileged_bpf_disabled_Value: 1
rhel9STIG_stigrule_257810_kernel_unprivileged_bpf_disabled_File: /etc/sysctl.d/99-sysctl.conf
# R-257811 RHEL-09-213080
rhel9STIG_stigrule_257811_Manage: True
rhel9STIG_stigrule_257811_kernel_yama_ptrace_scope_Value: 1
rhel9STIG_stigrule_257811_kernel_yama_ptrace_scope_File: /etc/sysctl.d/99-sysctl.conf
# R-257812 RHEL-09-213085
rhel9STIG_stigrule_257812_Manage: True
rhel9STIG_stigrule_257812__etc_systemd_coredump_conf_Line: 'ProcessSizeMax=0'
# R-257813 RHEL-09-213090
rhel9STIG_stigrule_257813_Manage: True
rhel9STIG_stigrule_257813__etc_systemd_coredump_conf_Line: 'Storage=none'
# R-257814 RHEL-09-213095
rhel9STIG_stigrule_257814_Manage: True
rhel9STIG_stigrule_257814__etc_security_limits_conf_Line: '* hard core 0'
# R-257815 RHEL-09-213100
rhel9STIG_stigrule_257815_Manage: True
rhel9STIG_stigrule_257815_systemd_coredump_socket_disable_Enabled: false
rhel9STIG_stigrule_257815_systemd_coredump_socket_mask_Daemon_Reload: true
rhel9STIG_stigrule_257815_systemd_coredump_socket_mask_Masked: true
# R-257816 RHEL-09-213105
rhel9STIG_stigrule_257816_Manage: True
rhel9STIG_stigrule_257816_user_max_user_namespaces_Value: 0
rhel9STIG_stigrule_257816_user_max_user_namespaces_File: /etc/sysctl.d/99-sysctl.conf
# R-257818 RHEL-09-213115
rhel9STIG_stigrule_257818_Manage: True
rhel9STIG_stigrule_257818_kdump_disable_Enabled: false
rhel9STIG_stigrule_257818_kdump_mask_Masked: true
# R-257820 RHEL-09-214015
rhel9STIG_stigrule_257820_Manage: True
rhel9STIG_stigrule_257820__etc_dnf_dnf_conf_Value: '1'
# R-257821 RHEL-09-214020
rhel9STIG_stigrule_257821_Manage: True
rhel9STIG_stigrule_257821__etc_dnf_dnf_conf_Value: '1'
# R-257824 RHEL-09-214035
rhel9STIG_stigrule_257824_Manage: True
rhel9STIG_stigrule_257824__etc_dnf_dnf_conf_Value: '1'
# R-257825 RHEL-09-215010
rhel9STIG_stigrule_257825_Manage: True
rhel9STIG_stigrule_257825_subscription_manager_State: installed
# R-257827 RHEL-09-215020
rhel9STIG_stigrule_257827_Manage: True
rhel9STIG_stigrule_257827_sendmail_State: removed
# R-257828 RHEL-09-215025
rhel9STIG_stigrule_257828_Manage: True
rhel9STIG_stigrule_257828_nfs_utils_State: removed
# R-257829 RHEL-09-215030
rhel9STIG_stigrule_257829_Manage: True
rhel9STIG_stigrule_257829_ypserv_State: removed
# R-257830 RHEL-09-215035
rhel9STIG_stigrule_257830_Manage: True
rhel9STIG_stigrule_257830_rsh_server_State: removed
# R-257831 RHEL-09-215040
rhel9STIG_stigrule_257831_Manage: True
rhel9STIG_stigrule_257831_telnet_server_State: removed
# R-257832 RHEL-09-215045
rhel9STIG_stigrule_257832_Manage: True
rhel9STIG_stigrule_257832_gssproxy_State: removed
# R-257833 RHEL-09-215050
rhel9STIG_stigrule_257833_Manage: True
rhel9STIG_stigrule_257833_iprutils_State: removed
# R-257834 RHEL-09-215055
rhel9STIG_stigrule_257834_Manage: True
rhel9STIG_stigrule_257834_tuned_State: removed
# R-257835 RHEL-09-215060
rhel9STIG_stigrule_257835_Manage: True
rhel9STIG_stigrule_257835_tftp_server_State: removed
# R-257836 RHEL-09-215065
rhel9STIG_stigrule_257836_Manage: True
rhel9STIG_stigrule_257836_quagga_State: removed
# R-257838 RHEL-09-215075
rhel9STIG_stigrule_257838_Manage: True
rhel9STIG_stigrule_257838_openssl_pkcs11_State: installed
# R-257839 RHEL-09-215080
rhel9STIG_stigrule_257839_Manage: True
rhel9STIG_stigrule_257839_gnutls_utils_State: installed
# R-257840 RHEL-09-215085
rhel9STIG_stigrule_257840_Manage: True
rhel9STIG_stigrule_257840_nss_tools_State: installed
# R-257841 RHEL-09-215090
rhel9STIG_stigrule_257841_Manage: True
rhel9STIG_stigrule_257841_rng_tools_State: installed
# R-257842 RHEL-09-215095
rhel9STIG_stigrule_257842_Manage: True
rhel9STIG_stigrule_257842_s_nail_State: installed
# R-257849 RHEL-09-231040
rhel9STIG_stigrule_257849_Manage: True
rhel9STIG_stigrule_257849_autofs_service_disable_Enabled: false
rhel9STIG_stigrule_257849_autofs_service_mask_Masked: true
# R-257880 RHEL-09-231195
rhel9STIG_stigrule_257880_Manage: True
rhel9STIG_stigrule_257880__etc_modprobe_d_cramfs_conf_install_cramfs__bin_false_Line: 'install cramfs /bin/false'
rhel9STIG_stigrule_257880__etc_modprobe_d_cramfs_conf_blacklist_cramfs_Line: 'blacklist cramfs'
# R-257885 RHEL-09-232025
rhel9STIG_stigrule_257885_Manage: True
rhel9STIG_stigrule_257885__var_log_mode_Dest: /var/log
rhel9STIG_stigrule_257885__var_log_mode_Mode: '0755'
# R-257886 RHEL-09-232030
rhel9STIG_stigrule_257886_Manage: True
rhel9STIG_stigrule_257886__var_log_messages_mode_Dest: /var/log/messages
rhel9STIG_stigrule_257886__var_log_messages_mode_Mode: '0640'
# R-257891 RHEL-09-232055
rhel9STIG_stigrule_257891_Manage: True
rhel9STIG_stigrule_257891__etc_group_mode_Dest: /etc/group
rhel9STIG_stigrule_257891__etc_group_mode_Mode: '0644'
# R-257892 RHEL-09-232060
rhel9STIG_stigrule_257892_Manage: True
rhel9STIG_stigrule_257892__etc_group__mode_Dest: /etc/group-
rhel9STIG_stigrule_257892__etc_group__mode_Mode: '0644'
# R-257893 RHEL-09-232065
rhel9STIG_stigrule_257893_Manage: True
rhel9STIG_stigrule_257893__etc_gshadow_mode_Dest: /etc/gshadow
rhel9STIG_stigrule_257893__etc_gshadow_mode_Mode: '0000'
# R-257894 RHEL-09-232070
rhel9STIG_stigrule_257894_Manage: True
rhel9STIG_stigrule_257894__etc_gshadow__mode_Dest: /etc/gshadow-
rhel9STIG_stigrule_257894__etc_gshadow__mode_Mode: '0000'
# R-257895 RHEL-09-232075
rhel9STIG_stigrule_257895_Manage: True
rhel9STIG_stigrule_257895__etc_passwd_mode_Dest: /etc/passwd
rhel9STIG_stigrule_257895__etc_passwd_mode_Mode: '0644'
# R-257896 RHEL-09-232080
rhel9STIG_stigrule_257896_Manage: True
rhel9STIG_stigrule_257896__etc_passwd__mode_Dest: /etc/passwd-
rhel9STIG_stigrule_257896__etc_passwd__mode_Mode: '0644'
# R-257897 RHEL-09-232085
rhel9STIG_stigrule_257897_Manage: True
rhel9STIG_stigrule_257897__etc_shadow__mode_Dest: /etc/shadow-
rhel9STIG_stigrule_257897__etc_shadow__mode_Mode: '0000'
# R-257898 RHEL-09-232090
rhel9STIG_stigrule_257898_Manage: True
rhel9STIG_stigrule_257898__etc_group_owner_Dest: /etc/group
rhel9STIG_stigrule_257898__etc_group_owner_Owner: root
# R-257899 RHEL-09-232095
rhel9STIG_stigrule_257899_Manage: True
rhel9STIG_stigrule_257899__etc_group_group_owner_Dest: /etc/group
rhel9STIG_stigrule_257899__etc_group_group_owner_Group: root
# R-257900 RHEL-09-232100
rhel9STIG_stigrule_257900_Manage: True
rhel9STIG_stigrule_257900__etc_group__owner_Dest: /etc/group-
rhel9STIG_stigrule_257900__etc_group__owner_Owner: root
# R-257901 RHEL-09-232105
rhel9STIG_stigrule_257901_Manage: True
rhel9STIG_stigrule_257901__etc_group__group_owner_Dest: /etc/group-
rhel9STIG_stigrule_257901__etc_group__group_owner_Group: root
# R-257902 RHEL-09-232110
rhel9STIG_stigrule_257902_Manage: True
rhel9STIG_stigrule_257902__etc_gshadow_owner_Dest: /etc/gshadow
rhel9STIG_stigrule_257902__etc_gshadow_owner_Owner: root
# R-257903 RHEL-09-232115
rhel9STIG_stigrule_257903_Manage: True
rhel9STIG_stigrule_257903__etc_gshadow_group_owner_Dest: /etc/gshadow
rhel9STIG_stigrule_257903__etc_gshadow_group_owner_Group: root
# R-257904 RHEL-09-232120
rhel9STIG_stigrule_257904_Manage: True
rhel9STIG_stigrule_257904__etc_gshadow__owner_Dest: /etc/gshadow-
rhel9STIG_stigrule_257904__etc_gshadow__owner_Owner: root
# R-257905 RHEL-09-232125
rhel9STIG_stigrule_257905_Manage: True
rhel9STIG_stigrule_257905__etc_gshadow__group_owner_Dest: /etc/gshadow-
rhel9STIG_stigrule_257905__etc_gshadow__group_owner_Group: root
# R-257906 RHEL-09-232130
rhel9STIG_stigrule_257906_Manage: True
rhel9STIG_stigrule_257906__etc_passwd_owner_Dest: /etc/passwd
rhel9STIG_stigrule_257906__etc_passwd_owner_Owner: root
# R-257907 RHEL-09-232135
rhel9STIG_stigrule_257907_Manage: True
rhel9STIG_stigrule_257907__etc_passwd_group_owner_Dest: /etc/passwd
rhel9STIG_stigrule_257907__etc_passwd_group_owner_Group: root
# R-257908 RHEL-09-232140
rhel9STIG_stigrule_257908_Manage: True
rhel9STIG_stigrule_257908__etc_passwd__owner_Dest: /etc/passwd-
rhel9STIG_stigrule_257908__etc_passwd__owner_Owner: root
# R-257909 RHEL-09-232145
rhel9STIG_stigrule_257909_Manage: True
rhel9STIG_stigrule_257909__etc_passwd__group_owner_Dest: /etc/passwd-
rhel9STIG_stigrule_257909__etc_passwd__group_owner_Group: root
# R-257910 RHEL-09-232150
rhel9STIG_stigrule_257910_Manage: True
rhel9STIG_stigrule_257910__etc_shadow_owner_Dest: /etc/shadow
rhel9STIG_stigrule_257910__etc_shadow_owner_Owner: root
# R-257911 RHEL-09-232155
rhel9STIG_stigrule_257911_Manage: True
rhel9STIG_stigrule_257911__etc_shadow_group_owner_Dest: /etc/shadow
rhel9STIG_stigrule_257911__etc_shadow_group_owner_Group: root
# R-257912 RHEL-09-232160
rhel9STIG_stigrule_257912_Manage: True
rhel9STIG_stigrule_257912__etc_shadow__owner_Dest: /etc/shadow-
rhel9STIG_stigrule_257912__etc_shadow__owner_Owner: root
# R-257913 RHEL-09-232165
rhel9STIG_stigrule_257913_Manage: True
rhel9STIG_stigrule_257913__etc_shadow__group_owner_Dest: /etc/shadow-
rhel9STIG_stigrule_257913__etc_shadow__group_owner_Group: root
# R-257914 RHEL-09-232170
rhel9STIG_stigrule_257914_Manage: True
rhel9STIG_stigrule_257914__var_log_owner_Dest: /var/log
rhel9STIG_stigrule_257914__var_log_owner_Owner: root
# R-257915 RHEL-09-232175
rhel9STIG_stigrule_257915_Manage: True
rhel9STIG_stigrule_257915__var_log_group_owner_Dest: /var/log
rhel9STIG_stigrule_257915__var_log_group_owner_Group: root
# R-257916 RHEL-09-232180
rhel9STIG_stigrule_257916_Manage: True
rhel9STIG_stigrule_257916__var_log_messages_owner_Dest: /var/log/messages
rhel9STIG_stigrule_257916__var_log_messages_owner_Owner: root
# R-257917 RHEL-09-232185
rhel9STIG_stigrule_257917_Manage: True
rhel9STIG_stigrule_257917__var_log_messages_group_owner_Dest: /var/log/messages
rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group: root
# R-257934 RHEL-09-232270
rhel9STIG_stigrule_257934_Manage: True
rhel9STIG_stigrule_257934__etc_shadow_mode_Dest: /etc/shadow
rhel9STIG_stigrule_257934__etc_shadow_mode_Mode: '0000'
# R-257935 RHEL-09-251010
rhel9STIG_stigrule_257935_Manage: True
rhel9STIG_stigrule_257935_firewalld_State: installed
# R-257936 RHEL-09-251015
rhel9STIG_stigrule_257936_Manage: True
rhel9STIG_stigrule_257936_firewalld_enable_Enabled: yes
rhel9STIG_stigrule_257936_firewalld_start_State: started
# R-257939 RHEL-09-251030
rhel9STIG_stigrule_257939_Manage: True
rhel9STIG_stigrule_257939__etc_firewalld_firewalld_conf_Line: 'FirewallBackend=nftables'
# R-257942 RHEL-09-251045
rhel9STIG_stigrule_257942_Manage: True
rhel9STIG_stigrule_257942_net_core_bpf_jit_harden_Value: 2
rhel9STIG_stigrule_257942_net_core_bpf_jit_harden_File: /etc/sysctl.d/99-sysctl.conf
# R-257943 RHEL-09-252010
rhel9STIG_stigrule_257943_Manage: True
rhel9STIG_stigrule_257943_chrony_State: installed
# R-257944 RHEL-09-252015
rhel9STIG_stigrule_257944_Manage: True
rhel9STIG_stigrule_257944_chronyd_enable_Enabled: yes
rhel9STIG_stigrule_257944_chronyd_start_State: started
# R-257946 RHEL-09-252025
rhel9STIG_stigrule_257946_Manage: True
rhel9STIG_stigrule_257946__etc_chrony_conf_Line: 'port 0'
# R-257947 RHEL-09-252030
rhel9STIG_stigrule_257947_Manage: True
rhel9STIG_stigrule_257947__etc_chrony_conf_Line: 'cmdport 0'
# R-257949 RHEL-09-252040
rhel9STIG_stigrule_257949_Manage: True
rhel9STIG_stigrule_257949__etc_NetworkManager_NetworkManager_conf_Value: 'none'
# R-257954 RHEL-09-252065
rhel9STIG_stigrule_257954_Manage: True
rhel9STIG_stigrule_257954_libreswan_State: installed
# R-257957 RHEL-09-253010
rhel9STIG_stigrule_257957_Manage: True
rhel9STIG_stigrule_257957_net_ipv4_tcp_syncookies_Value: 1
rhel9STIG_stigrule_257957_net_ipv4_tcp_syncookies_File: /etc/sysctl.d/99-sysctl.conf
# R-257958 RHEL-09-253015
rhel9STIG_stigrule_257958_Manage: True
rhel9STIG_stigrule_257958_net_ipv4_conf_all_accept_redirects_Value: 0
rhel9STIG_stigrule_257958_net_ipv4_conf_all_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257959 RHEL-09-253020
rhel9STIG_stigrule_257959_Manage: True
rhel9STIG_stigrule_257959_net_ipv4_conf_all_accept_source_route_Value: 0
rhel9STIG_stigrule_257959_net_ipv4_conf_all_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
# R-257960 RHEL-09-253025
rhel9STIG_stigrule_257960_Manage: True
rhel9STIG_stigrule_257960_net_ipv4_conf_all_log_martians_Value: 1
rhel9STIG_stigrule_257960_net_ipv4_conf_all_log_martians_File: /etc/sysctl.d/99-sysctl.conf
# R-257961 RHEL-09-253030
rhel9STIG_stigrule_257961_Manage: True
rhel9STIG_stigrule_257961_net_ipv4_conf_default_log_martians_Value: 1
rhel9STIG_stigrule_257961_net_ipv4_conf_default_log_martians_File: /etc/sysctl.d/99-sysctl.conf
# R-257962 RHEL-09-253035
rhel9STIG_stigrule_257962_Manage: True
rhel9STIG_stigrule_257962_net_ipv4_conf_all_rp_filter_Value: 1
rhel9STIG_stigrule_257962_net_ipv4_conf_all_rp_filter_File: /etc/sysctl.d/99-sysctl.conf
# R-257963 RHEL-09-253040
rhel9STIG_stigrule_257963_Manage: True
rhel9STIG_stigrule_257963_net_ipv4_conf_default_accept_redirects_Value: 0
rhel9STIG_stigrule_257963_net_ipv4_conf_default_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257964 RHEL-09-253045
rhel9STIG_stigrule_257964_Manage: True
rhel9STIG_stigrule_257964_net_ipv4_conf_default_accept_source_route_Value: 0
rhel9STIG_stigrule_257964_net_ipv4_conf_default_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
# R-257965 RHEL-09-253050
rhel9STIG_stigrule_257965_Manage: True
rhel9STIG_stigrule_257965_net_ipv4_conf_default_rp_filter_Value: 1
rhel9STIG_stigrule_257965_net_ipv4_conf_default_rp_filter_File: /etc/sysctl.d/99-sysctl.conf
# R-257966 RHEL-09-253055
rhel9STIG_stigrule_257966_Manage: True
rhel9STIG_stigrule_257966_net_ipv4_icmp_echo_ignore_broadcasts_Value: 1
rhel9STIG_stigrule_257966_net_ipv4_icmp_echo_ignore_broadcasts_File: /etc/sysctl.d/99-sysctl.conf
# R-257967 RHEL-09-253060
rhel9STIG_stigrule_257967_Manage: True
rhel9STIG_stigrule_257967_net_ipv4_icmp_ignore_bogus_error_responses_Value: 1
rhel9STIG_stigrule_257967_net_ipv4_icmp_ignore_bogus_error_responses_File: /etc/sysctl.d/99-sysctl.conf
# R-257968 RHEL-09-253065
rhel9STIG_stigrule_257968_Manage: True
rhel9STIG_stigrule_257968_net_ipv4_conf_all_send_redirects_Value: 0
rhel9STIG_stigrule_257968_net_ipv4_conf_all_send_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257969 RHEL-09-253070
rhel9STIG_stigrule_257969_Manage: True
rhel9STIG_stigrule_257969_net_ipv4_conf_default_send_redirects_Value: 0
rhel9STIG_stigrule_257969_net_ipv4_conf_default_send_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257970 RHEL-09-253075
rhel9STIG_stigrule_257970_Manage: True
rhel9STIG_stigrule_257970_net_ipv4_conf_all_forwarding_Value: 0
rhel9STIG_stigrule_257970_net_ipv4_conf_all_forwarding_File: /etc/sysctl.d/99-sysctl.conf
# R-257971 RHEL-09-254010
rhel9STIG_stigrule_257971_Manage: True
rhel9STIG_stigrule_257971_net_ipv6_conf_all_accept_ra_Value: 0
rhel9STIG_stigrule_257971_net_ipv6_conf_all_accept_ra_File: /etc/sysctl.d/99-sysctl.conf
# R-257972 RHEL-09-254015
rhel9STIG_stigrule_257972_Manage: True
rhel9STIG_stigrule_257972_net_ipv6_conf_all_accept_redirects_Value: 0
rhel9STIG_stigrule_257972_net_ipv6_conf_all_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257973 RHEL-09-254020
rhel9STIG_stigrule_257973_Manage: True
rhel9STIG_stigrule_257973_net_ipv6_conf_all_accept_source_route_Value: 0
rhel9STIG_stigrule_257973_net_ipv6_conf_all_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
# R-257974 RHEL-09-254025
rhel9STIG_stigrule_257974_Manage: True
rhel9STIG_stigrule_257974_net_ipv6_conf_all_forwarding_Value: 0
rhel9STIG_stigrule_257974_net_ipv6_conf_all_forwarding_File: /etc/sysctl.d/99-sysctl.conf
# R-257975 RHEL-09-254030
rhel9STIG_stigrule_257975_Manage: True
rhel9STIG_stigrule_257975_net_ipv6_conf_default_accept_ra_Value: 0
rhel9STIG_stigrule_257975_net_ipv6_conf_default_accept_ra_File: /etc/sysctl.d/99-sysctl.conf
# R-257976 RHEL-09-254035
rhel9STIG_stigrule_257976_Manage: True
rhel9STIG_stigrule_257976_net_ipv6_conf_default_accept_redirects_Value: 0
rhel9STIG_stigrule_257976_net_ipv6_conf_default_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257977 RHEL-09-254040
rhel9STIG_stigrule_257977_Manage: True
rhel9STIG_stigrule_257977_net_ipv6_conf_default_accept_source_route_Value: 0
rhel9STIG_stigrule_257977_net_ipv6_conf_default_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
# R-257978 RHEL-09-255010
rhel9STIG_stigrule_257978_Manage: True
rhel9STIG_stigrule_257978_openssh_server_State: installed
# R-257979 RHEL-09-255015
rhel9STIG_stigrule_257979_Manage: True
rhel9STIG_stigrule_257979_sshd_enable_Enabled: yes
rhel9STIG_stigrule_257979_sshd_start_State: started
# R-257980 RHEL-09-255020
rhel9STIG_stigrule_257980_Manage: True
rhel9STIG_stigrule_257980_openssh_clients_State: installed
# R-257981 RHEL-09-255025
rhel9STIG_stigrule_257981_Manage: True
rhel9STIG_stigrule_257981_Banner_Line: Banner /etc/issue
# R-257982 RHEL-09-255030
rhel9STIG_stigrule_257982_Manage: True
rhel9STIG_stigrule_257982_LogLevel_Line: LogLevel VERBOSE
# R-257983 RHEL-09-255035
rhel9STIG_stigrule_257983_Manage: True
rhel9STIG_stigrule_257983_PubkeyAuthentication_Line: PubkeyAuthentication yes
# R-257984 RHEL-09-255040
rhel9STIG_stigrule_257984_Manage: True
rhel9STIG_stigrule_257984_PermitEmptyPasswords_Line: PermitEmptyPasswords no
# R-257985 RHEL-09-255045
rhel9STIG_stigrule_257985_Manage: True
rhel9STIG_stigrule_257985_PermitRootLogin_Line: PermitRootLogin no
# R-257986 RHEL-09-255050
rhel9STIG_stigrule_257986_Manage: True
rhel9STIG_stigrule_257986_UsePAM_Line: UsePAM yes
# R-257992 RHEL-09-255080
rhel9STIG_stigrule_257992_Manage: True
rhel9STIG_stigrule_257992_HostbasedAuthentication_Line: HostbasedAuthentication no
# R-257993 RHEL-09-255085
rhel9STIG_stigrule_257993_Manage: True
rhel9STIG_stigrule_257993_PermitUserEnvironment_Line: PermitUserEnvironment no
# R-257994 RHEL-09-255090
rhel9STIG_stigrule_257994_Manage: True
rhel9STIG_stigrule_257994_RekeyLimit_Line: RekeyLimit 1G 1h
# R-257995 RHEL-09-255095
rhel9STIG_stigrule_257995_Manage: True
rhel9STIG_stigrule_257995_ClientAliveCountMax_Line: ClientAliveCountMax 1
# R-257996 RHEL-09-255100
rhel9STIG_stigrule_257996_Manage: True
rhel9STIG_stigrule_257996_ClientAliveInterval_Line: ClientAliveInterval 600
# R-257997 RHEL-09-255105
rhel9STIG_stigrule_257997_Manage: True
rhel9STIG_stigrule_257997__etc_ssh_sshd_config_group_owner_Dest: /etc/ssh/sshd_config
rhel9STIG_stigrule_257997__etc_ssh_sshd_config_group_owner_Group: root
# R-257998 RHEL-09-255110
rhel9STIG_stigrule_257998_Manage: True
rhel9STIG_stigrule_257998__etc_ssh_sshd_config_owner_Dest: /etc/ssh/sshd_config
rhel9STIG_stigrule_257998__etc_ssh_sshd_config_owner_Owner: root
# R-257999 RHEL-09-255115
rhel9STIG_stigrule_257999_Manage: True
rhel9STIG_stigrule_257999__etc_ssh_sshd_config_mode_Dest: /etc/ssh/sshd_config
rhel9STIG_stigrule_257999__etc_ssh_sshd_config_mode_Mode: '0600'
# R-258002 RHEL-09-255130
rhel9STIG_stigrule_258002_Manage: True
rhel9STIG_stigrule_258002_Compression_Line: Compression no
# R-258003 RHEL-09-255135
rhel9STIG_stigrule_258003_Manage: True
rhel9STIG_stigrule_258003_GSSAPIAuthentication_Line: GSSAPIAuthentication no
# R-258004 RHEL-09-255140
rhel9STIG_stigrule_258004_Manage: True
rhel9STIG_stigrule_258004_KerberosAuthentication_Line: KerberosAuthentication no
# R-258005 RHEL-09-255145
rhel9STIG_stigrule_258005_Manage: True
rhel9STIG_stigrule_258005_IgnoreRhosts_Line: IgnoreRhosts yes
# R-258006 RHEL-09-255150
rhel9STIG_stigrule_258006_Manage: True
rhel9STIG_stigrule_258006_IgnoreUserKnownHosts_Line: IgnoreUserKnownHosts yes
# R-258007 RHEL-09-255155
rhel9STIG_stigrule_258007_Manage: True
rhel9STIG_stigrule_258007_X11Forwarding_Line: X11Forwarding no
# R-258008 RHEL-09-255160
rhel9STIG_stigrule_258008_Manage: True
rhel9STIG_stigrule_258008_StrictModes_Line: StrictModes yes
# R-258009 RHEL-09-255165
rhel9STIG_stigrule_258009_Manage: True
rhel9STIG_stigrule_258009_PrintLastLog_Line: PrintLastLog yes
# R-258011 RHEL-09-255175
rhel9STIG_stigrule_258011_Manage: True
rhel9STIG_stigrule_258011_X11UseLocalhost_Line: X11UseLocalhost yes
# R-258012 RHEL-09-271010
rhel9STIG_stigrule_258012_Manage: True
rhel9STIG_stigrule_258012__etc_dconf_db_local_d_01_banner_message_Value: 'true'
# R-258013 RHEL-09-271015
rhel9STIG_stigrule_258013_Manage: True
rhel9STIG_stigrule_258013__etc_dconf_db_local_d_locks_session_banner_message_enable_Line: '/org/gnome/login-screen/banner-message-enable'
# R-258014 RHEL-09-271020
rhel9STIG_stigrule_258014_Manage: True
rhel9STIG_stigrule_258014__etc_dconf_db_local_d_00_security_settings_Value: 'false'
# R-258015 RHEL-09-271025
rhel9STIG_stigrule_258015_Manage: True
rhel9STIG_stigrule_258015__etc_dconf_db_local_d_locks_00_security_settings_lock_automount_open_Line: '/org/gnome/desktop/media-handling/automount-open'
# R-258016 RHEL-09-271030
rhel9STIG_stigrule_258016_Manage: True
rhel9STIG_stigrule_258016__etc_dconf_db_local_d_00_security_settings_Value: 'true'
# R-258017 RHEL-09-271035
rhel9STIG_stigrule_258017_Manage: True
rhel9STIG_stigrule_258017__etc_dconf_db_local_d_locks_00_security_settings_lock_autorun_never_Line: '/org/gnome/desktop/media-handling/autorun-never'
# R-258019 RHEL-09-271045
rhel9STIG_stigrule_258019_Manage: True
rhel9STIG_stigrule_258019__etc_dconf_db_local_d_00_security_settings_Value: "'lock-screen'"
# R-258020 RHEL-09-271050
rhel9STIG_stigrule_258020_Manage: True
rhel9STIG_stigrule_258020__etc_dconf_db_local_d_locks_00_security_settings_lock_removal_action_Line: '/org/gnome/settings-daemon/peripherals/smartcard/removal-action'
# R-258021 RHEL-09-271055
rhel9STIG_stigrule_258021_Manage: True
rhel9STIG_stigrule_258021__etc_dconf_db_local_d_00_screensaver_Value: 'true'
# R-258022 RHEL-09-271060
rhel9STIG_stigrule_258022_Manage: True
rhel9STIG_stigrule_258022__etc_dconf_db_local_d_locks_session_lock_enabled_Line: '/org/gnome/desktop/screensaver/lock-enabled'
# R-258023 RHEL-09-271065
rhel9STIG_stigrule_258023_Manage: True
rhel9STIG_stigrule_258023__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
# R-258024 RHEL-09-271070
rhel9STIG_stigrule_258024_Manage: True
rhel9STIG_stigrule_258024__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'
# R-258025 RHEL-09-271075
rhel9STIG_stigrule_258025_Manage: True
rhel9STIG_stigrule_258025__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
# R-258026 RHEL-09-271080
rhel9STIG_stigrule_258026_Manage: True
rhel9STIG_stigrule_258026__etc_dconf_db_local_d_locks_session_lock_delay_Line: '/org/gnome/desktop/screensaver/lock-delay'
# R-258027 RHEL-09-271085
rhel9STIG_stigrule_258027_Manage: True
rhel9STIG_stigrule_258027__etc_dconf_db_local_d_00_security_settings_Value: "''"
rhel9STIG_stigrule_258027__etc_dconf_db_local_d_locks_00_security_settings_lock_picture_uri_Line: '/org/gnome/desktop/screensaver/picture-uri'
# R-258030 RHEL-09-271100
rhel9STIG_stigrule_258030_Manage: True
rhel9STIG_stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons_Line: '/org/gnome/login-screen/disable-restart-buttons'
# R-258031 RHEL-09-271105
rhel9STIG_stigrule_258031_Manage: True
rhel9STIG_stigrule_258031__etc_dconf_db_local_d_00_security_settings_Value: "['']"
# R-258032 RHEL-09-271110
rhel9STIG_stigrule_258032_Manage: True
rhel9STIG_stigrule_258032__etc_dconf_db_local_d_locks_session_logout_Line: '/org/gnome/settings-daemon/plugins/media-keys/logout'
# R-258033 RHEL-09-271115
rhel9STIG_stigrule_258033_Manage: True
rhel9STIG_stigrule_258033__etc_dconf_db_local_d_02_login_screen_Value: 'true'
# R-258034 RHEL-09-291010
rhel9STIG_stigrule_258034_Manage: True
rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_install_usb_storage__bin_false_Line: 'install usb-storage /bin/false'
rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_blacklist_usb_storage_Line: 'blacklist usb-storage'
# R-258035 RHEL-09-291015
rhel9STIG_stigrule_258035_Manage: True
rhel9STIG_stigrule_258035_usbguard_State: installed
rhel9STIG_stigrule_258035_usbguard_enable_Enabled: yes
rhel9STIG_stigrule_258035_usbguard_start_State: started
# R-258036 RHEL-09-291020
rhel9STIG_stigrule_258036_Manage: True
rhel9STIG_stigrule_258036_usbguard_enable_Enabled: yes
rhel9STIG_stigrule_258036_usbguard_start_State: started
# R-258037 RHEL-09-291025
rhel9STIG_stigrule_258037_Manage: True
rhel9STIG_stigrule_258037__etc_usbguard_usbguard_daemon_conf_Line: 'AuditBackend=LinuxAudit'
# R-258039 RHEL-09-291035
rhel9STIG_stigrule_258039_Manage: True
rhel9STIG_stigrule_258039__etc_modprobe_d_bluetooth_conf_install_bluetooth__bin_false_Line: 'install bluetooth /bin/false'
rhel9STIG_stigrule_258039__etc_modprobe_d_bluetooth_conf_blacklist_bluetooth_Line: 'blacklist bluetooth'
# R-258040 RHEL-09-291040
rhel9STIG_stigrule_258040_Manage: True
rhel9STIG_stigrule_258040_nmcli_radio_wifi_off_Command: nmcli radio wifi off
# R-258041 RHEL-09-411010
rhel9STIG_stigrule_258041_Manage: True
rhel9STIG_stigrule_258041__etc_login_defs_Line: 'PASS_MAX_DAYS 60'
# R-258043 RHEL-09-411020
rhel9STIG_stigrule_258043_Manage: True
rhel9STIG_stigrule_258043__etc_login_defs_Line: 'CREATE_HOME yes'
# R-258049 RHEL-09-411050
rhel9STIG_stigrule_258049_Manage: True
rhel9STIG_stigrule_258049_sudo_useradd__D__f_35_Command: sudo useradd -D -f 35
# R-258054 RHEL-09-411075
rhel9STIG_stigrule_258054_Manage: True
rhel9STIG_stigrule_258054__etc_security_faillock_conf_Line: 'deny = 3'
# R-258055 RHEL-09-411080
rhel9STIG_stigrule_258055_Manage: True
rhel9STIG_stigrule_258055__etc_security_faillock_conf_Line: 'even_deny_root'
# R-258056 RHEL-09-411085
rhel9STIG_stigrule_258056_Manage: True
rhel9STIG_stigrule_258056__etc_security_faillock_conf_Line: 'fail_interval = 900'
# R-258057 RHEL-09-411090
rhel9STIG_stigrule_258057_Manage: True
rhel9STIG_stigrule_258057__etc_security_faillock_conf_Line: 'unlock_time = 0'
# R-258060 RHEL-09-411105
rhel9STIG_stigrule_258060_Manage: True
rhel9STIG_stigrule_258060__etc_security_faillock_conf_Line: 'dir = /var/log/faillock'
# R-258069 RHEL-09-412040
rhel9STIG_stigrule_258069_Manage: True
rhel9STIG_stigrule_258069__etc_security_limits_conf_Line: '* hard maxlogins 10'
# R-258070 RHEL-09-412045
rhel9STIG_stigrule_258070_Manage: True
rhel9STIG_stigrule_258070__etc_security_faillock_conf_Line: 'audit'
# R-258071 RHEL-09-412050
rhel9STIG_stigrule_258071_Manage: True
rhel9STIG_stigrule_258071__etc_login_defs_Line: 'FAIL_DELAY 4'
# R-258072 RHEL-09-412055
rhel9STIG_stigrule_258072_Manage: True
rhel9STIG_stigrule_258072__etc_bashrc_Line: 'umask 077'
# R-258073 RHEL-09-412060
rhel9STIG_stigrule_258073_Manage: True
rhel9STIG_stigrule_258073__etc_csh_cshrc_Line: 'umask 077'
# R-258074 RHEL-09-412065
rhel9STIG_stigrule_258074_Manage: True
rhel9STIG_stigrule_258074__etc_login_defs_Line: 'UMASK 077'
# R-258075 RHEL-09-412070
rhel9STIG_stigrule_258075_Manage: True
rhel9STIG_stigrule_258075__etc_profile_Line: 'umask 077'
# R-258078 RHEL-09-431010
rhel9STIG_stigrule_258078_Manage: True
rhel9STIG_stigrule_258078__etc_selinux_config_Line: 'SELINUX=enforcing'
# R-258079 RHEL-09-431015
rhel9STIG_stigrule_258079_Manage: True
rhel9STIG_stigrule_258079__etc_selinux_config_Line: 'SELINUXTYPE=targeted'
# R-258081 RHEL-09-431025
rhel9STIG_stigrule_258081_Manage: True
rhel9STIG_stigrule_258081_policycoreutils_State: installed
# R-258082 RHEL-09-431030
rhel9STIG_stigrule_258082_Manage: True
rhel9STIG_stigrule_258082_policycoreutils_python_utils_State: installed
# R-258083 RHEL-09-432010
rhel9STIG_stigrule_258083_Manage: True
rhel9STIG_stigrule_258083_sudo_State: installed
# R-258084 RHEL-09-432015
rhel9STIG_stigrule_258084_Manage: True
rhel9STIG_stigrule_258084__etc_sudoers_Line: 'Defaults timestamp_timeout=0'
# R-258089 RHEL-09-433010
rhel9STIG_stigrule_258089_Manage: True
rhel9STIG_stigrule_258089_fapolicyd_State: installed
# R-258090 RHEL-09-433015
rhel9STIG_stigrule_258090_Manage: True
rhel9STIG_stigrule_258090_fapolicyd_enable_Enabled: yes
rhel9STIG_stigrule_258090_fapolicyd_start_State: started
# R-258101 RHEL-09-611060
rhel9STIG_stigrule_258101_Manage: True
rhel9STIG_stigrule_258101__etc_security_pwquality_conf_Line: 'enforce_for_root'
# R-258102 RHEL-09-611065
rhel9STIG_stigrule_258102_Manage: True
rhel9STIG_stigrule_258102__etc_security_pwquality_conf_Line: 'lcredit = -1'
# R-258103 RHEL-09-611070
rhel9STIG_stigrule_258103_Manage: True
rhel9STIG_stigrule_258103__etc_security_pwquality_conf_Line: 'dcredit = -1'
# R-258104 RHEL-09-611075
rhel9STIG_stigrule_258104_Manage: True
rhel9STIG_stigrule_258104__etc_login_defs_Line: 'PASS_MIN_DAYS 1'
# R-258107 RHEL-09-611090
rhel9STIG_stigrule_258107_Manage: True
rhel9STIG_stigrule_258107__etc_security_pwquality_conf_Line: 'minlen = 15'
# R-258109 RHEL-09-611100
rhel9STIG_stigrule_258109_Manage: True
rhel9STIG_stigrule_258109__etc_security_pwquality_conf_Line: 'ocredit = -1'
# R-258110 RHEL-09-611105
rhel9STIG_stigrule_258110_Manage: True
rhel9STIG_stigrule_258110__etc_security_pwquality_conf_Line: 'dictcheck = 1'
# R-258111 RHEL-09-611110
rhel9STIG_stigrule_258111_Manage: True
rhel9STIG_stigrule_258111__etc_security_pwquality_conf_Line: 'ucredit = -1'
# R-258112 RHEL-09-611115
rhel9STIG_stigrule_258112_Manage: True
rhel9STIG_stigrule_258112__etc_security_pwquality_conf_Line: 'difok = 8'
# R-258113 RHEL-09-611120
rhel9STIG_stigrule_258113_Manage: True
rhel9STIG_stigrule_258113__etc_security_pwquality_conf_Line: 'maxclassrepeat = 4'
# R-258114 RHEL-09-611125
rhel9STIG_stigrule_258114_Manage: True
rhel9STIG_stigrule_258114__etc_security_pwquality_conf_Line: 'maxrepeat = 3'
# R-258115 RHEL-09-611130
rhel9STIG_stigrule_258115_Manage: True
rhel9STIG_stigrule_258115__etc_security_pwquality_conf_Line: 'minclass = 4'
# R-258116 RHEL-09-611135
rhel9STIG_stigrule_258116_Manage: True
rhel9STIG_stigrule_258116__etc_libuser_conf_Value: 'sha512'
# R-258117 RHEL-09-611140
rhel9STIG_stigrule_258117_Manage: True
rhel9STIG_stigrule_258117__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512'
# R-258121 RHEL-09-611160
rhel9STIG_stigrule_258121_Manage: True
rhel9STIG_stigrule_258121__etc_opensc_conf_Line: 'card_drivers = cac;'
# R-258122 RHEL-09-611165
rhel9STIG_stigrule_258122_Manage: True
rhel9STIG_stigrule_258122__etc_sssd_sssd_conf_Value: 'True'
# R-258124 RHEL-09-611175
rhel9STIG_stigrule_258124_Manage: True
rhel9STIG_stigrule_258124_pcsc_lite_State: installed
# R-258125 RHEL-09-611180
rhel9STIG_stigrule_258125_Manage: True
rhel9STIG_stigrule_258125_pcscd_enable_Enabled: yes
rhel9STIG_stigrule_258125_pcscd_start_State: started
# R-258126 RHEL-09-611185
rhel9STIG_stigrule_258126_Manage: True
rhel9STIG_stigrule_258126_opensc_State: installed
# R-258128 RHEL-09-611195
rhel9STIG_stigrule_258128_Manage: True
rhel9STIG_stigrule_258128__usr_lib_systemd_system_emergency_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell emergency'
# R-258129 RHEL-09-611200
rhel9STIG_stigrule_258129_Manage: True
rhel9STIG_stigrule_258129__usr_lib_systemd_system_rescue_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell rescue'
# R-258133 RHEL-09-631020
rhel9STIG_stigrule_258133_Manage: True
rhel9STIG_stigrule_258133__etc_sssd_sssd_conf_Value: '1'
# R-258140 RHEL-09-652010
rhel9STIG_stigrule_258140_Manage: True
rhel9STIG_stigrule_258140_rsyslog_State: installed
# R-258141 RHEL-09-652015
rhel9STIG_stigrule_258141_Manage: True
rhel9STIG_stigrule_258141_rsyslog_gnutls_State: installed
# R-258142 RHEL-09-652020
rhel9STIG_stigrule_258142_Manage: True
rhel9STIG_stigrule_258142_rsyslog_enable_Enabled: yes
rhel9STIG_stigrule_258142_rsyslog_start_State: started
# R-258144 RHEL-09-652030
rhel9STIG_stigrule_258144_Manage: True
rhel9STIG_stigrule_258144__etc_rsyslog_conf_Line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
# R-258146 RHEL-09-652040
rhel9STIG_stigrule_258146_Manage: True
rhel9STIG_stigrule_258146__etc_rsyslog_conf_Line: '$ActionSendStreamDriverAuthMode x509/name'
# R-258147 RHEL-09-652045
rhel9STIG_stigrule_258147_Manage: True
rhel9STIG_stigrule_258147__etc_rsyslog_conf_Line: '$ActionSendStreamDriverMode 1'
# R-258148 RHEL-09-652050
rhel9STIG_stigrule_258148_Manage: True
rhel9STIG_stigrule_258148__etc_rsyslog_conf_Line: '$DefaultNetstreamDriver gtls'
# R-258150 RHEL-09-652060
rhel9STIG_stigrule_258150_Manage: True
rhel9STIG_stigrule_258150__etc_rsyslog_conf_Line: 'cron.* /var/log/cron'
# R-258151 RHEL-09-653010
rhel9STIG_stigrule_258151_Manage: True
rhel9STIG_stigrule_258151_audit_State: installed
# R-258152 RHEL-09-653015
rhel9STIG_stigrule_258152_Manage: True
rhel9STIG_stigrule_258152_auditd_enable_Enabled: yes
rhel9STIG_stigrule_258152_auditd_start_State: started
# R-258153 RHEL-09-653020
rhel9STIG_stigrule_258153_Manage: True
rhel9STIG_stigrule_258153__etc_audit_auditd_conf_Line: 'disk_error_action = HALT'
# R-258154 RHEL-09-653025
rhel9STIG_stigrule_258154_Manage: True
rhel9STIG_stigrule_258154__etc_audit_auditd_conf_Line: 'disk_full_action = HALT'
# R-258156 RHEL-09-653035
rhel9STIG_stigrule_258156_Manage: True
rhel9STIG_stigrule_258156__etc_audit_auditd_conf_Line: 'space_left = 25%'
# R-258157 RHEL-09-653040
rhel9STIG_stigrule_258157_Manage: True
rhel9STIG_stigrule_258157__etc_audit_auditd_conf_Line: 'space_left_action = email'
# R-258158 RHEL-09-653045
rhel9STIG_stigrule_258158_Manage: True
rhel9STIG_stigrule_258158__etc_audit_auditd_conf_Line: 'admin_space_left = 5%'
# R-258159 RHEL-09-653050
rhel9STIG_stigrule_258159_Manage: True
rhel9STIG_stigrule_258159__etc_audit_auditd_conf_Line: 'admin_space_left_action = single'
# R-258160 RHEL-09-653055
rhel9STIG_stigrule_258160_Manage: True
rhel9STIG_stigrule_258160__etc_audit_auditd_conf_Line: 'max_log_file_action = ROTATE'
# R-258161 RHEL-09-653060
rhel9STIG_stigrule_258161_Manage: True
rhel9STIG_stigrule_258161__etc_audit_auditd_conf_Line: 'name_format = hostname'
# R-258162 RHEL-09-653065
rhel9STIG_stigrule_258162_Manage: True
rhel9STIG_stigrule_258162__etc_audit_auditd_conf_Line: 'overflow_action = syslog'
# R-258163 RHEL-09-653070
rhel9STIG_stigrule_258163_Manage: True
rhel9STIG_stigrule_258163__etc_audit_auditd_conf_Line: 'action_mail_acct = root'
# R-258164 RHEL-09-653075
rhel9STIG_stigrule_258164_Manage: True
rhel9STIG_stigrule_258164__etc_audit_auditd_conf_Line: 'local_events = yes'
# R-258168 RHEL-09-653095
rhel9STIG_stigrule_258168_Manage: True
rhel9STIG_stigrule_258168__etc_audit_auditd_conf_Line: 'freq = 100'
# R-258169 RHEL-09-653100
rhel9STIG_stigrule_258169_Manage: True
rhel9STIG_stigrule_258169__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
# R-258170 RHEL-09-653105
rhel9STIG_stigrule_258170_Manage: True
rhel9STIG_stigrule_258170__etc_audit_auditd_conf_Line: 'write_logs = yes'
# R-258172 RHEL-09-653115
rhel9STIG_stigrule_258172_Manage: True
rhel9STIG_stigrule_258172__etc_audit_auditd_conf_mode_Dest: /etc/audit/auditd.conf
rhel9STIG_stigrule_258172__etc_audit_auditd_conf_mode_Mode: '0640'
# R-258175 RHEL-09-653130
rhel9STIG_stigrule_258175_Manage: True
rhel9STIG_stigrule_258175_audispd_plugins_State: installed
# R-258176 RHEL-09-654010
rhel9STIG_stigrule_258176_Manage: True
rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b32_Line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv'
rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b64_Line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv'
rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b32_Line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv'
rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b64_Line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv'
# R-258177 RHEL-09-654015
rhel9STIG_stigrule_258177_Manage: True
rhel9STIG_stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b32_Line: '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
rhel9STIG_stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b64_Line: '-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258178 RHEL-09-654020
rhel9STIG_stigrule_258178_Manage: True
rhel9STIG_stigrule_258178__etc_audit_rules_d_audit_rules_chown_b32_Line: '-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
rhel9STIG_stigrule_258178__etc_audit_rules_d_audit_rules_chown_b64_Line: '-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258179 RHEL-09-654025
rhel9STIG_stigrule_258179_Manage: True
rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod'
rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod'
# R-258180 RHEL-09-654030
rhel9STIG_stigrule_258180_Manage: True
rhel9STIG_stigrule_258180__etc_audit_rules_d_audit_rules__usr_bin_umount_Line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
# R-258181 RHEL-09-654035
rhel9STIG_stigrule_258181_Manage: True
rhel9STIG_stigrule_258181__etc_audit_rules_d_audit_rules__usr_bin_chacl_Line: '-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258182 RHEL-09-654040
rhel9STIG_stigrule_258182_Manage: True
rhel9STIG_stigrule_258182__etc_audit_rules_d_audit_rules__usr_bin_setfacl_Line: '-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258183 RHEL-09-654045
rhel9STIG_stigrule_258183_Manage: True
rhel9STIG_stigrule_258183__etc_audit_rules_d_audit_rules__usr_bin_chcon_Line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258184 RHEL-09-654050
rhel9STIG_stigrule_258184_Manage: True
rhel9STIG_stigrule_258184__etc_audit_rules_d_audit_rules__usr_sbin_semanage_Line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258185 RHEL-09-654055
rhel9STIG_stigrule_258185_Manage: True
rhel9STIG_stigrule_258185__etc_audit_rules_d_audit_rules__usr_sbin_setfiles_Line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258186 RHEL-09-654060
rhel9STIG_stigrule_258186_Manage: True
rhel9STIG_stigrule_258186__etc_audit_rules_d_audit_rules__usr_sbin_setsebool_Line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
# R-258187 RHEL-09-654065
rhel9STIG_stigrule_258187_Manage: True
rhel9STIG_stigrule_258187__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
rhel9STIG_stigrule_258187__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
# R-258188 RHEL-09-654070
rhel9STIG_stigrule_258188_Manage: True
rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
# R-258189 RHEL-09-654075
rhel9STIG_stigrule_258189_Manage: True
rhel9STIG_stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b32_Line: '-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
rhel9STIG_stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b64_Line: '-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
# R-258190 RHEL-09-654080
rhel9STIG_stigrule_258190_Manage: True
rhel9STIG_stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b32_Line: '-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
rhel9STIG_stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
# R-258191 RHEL-09-654085
rhel9STIG_stigrule_258191_Manage: True
rhel9STIG_stigrule_258191__etc_audit_rules_d_audit_rules__usr_bin_chage_Line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage'
# R-258192 RHEL-09-654090
rhel9STIG_stigrule_258192_Manage: True
rhel9STIG_stigrule_258192__etc_audit_rules_d_audit_rules__usr_bin_chsh_Line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
# R-258193 RHEL-09-654095
rhel9STIG_stigrule_258193_Manage: True
rhel9STIG_stigrule_258193__etc_audit_rules_d_audit_rules__usr_bin_crontab_Line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab'
# R-258194 RHEL-09-654100
rhel9STIG_stigrule_258194_Manage: True
rhel9STIG_stigrule_258194__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
# R-258195 RHEL-09-654105
rhel9STIG_stigrule_258195_Manage: True
rhel9STIG_stigrule_258195__etc_audit_rules_d_audit_rules__usr_bin_kmod_Line: '-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules'
# R-258196 RHEL-09-654110
rhel9STIG_stigrule_258196_Manage: True
rhel9STIG_stigrule_258196__etc_audit_rules_d_audit_rules__usr_bin_newgrp_Line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
# R-258197 RHEL-09-654115
rhel9STIG_stigrule_258197_Manage: True
rhel9STIG_stigrule_258197__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check_Line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check'
# R-258198 RHEL-09-654120
rhel9STIG_stigrule_258198_Manage: True
rhel9STIG_stigrule_258198__etc_audit_rules_d_audit_rules__usr_bin_passwd_Line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd'
# R-258199 RHEL-09-654125
rhel9STIG_stigrule_258199_Manage: True
rhel9STIG_stigrule_258199__etc_audit_rules_d_audit_rules__usr_sbin_postdrop_Line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258200 RHEL-09-654130
rhel9STIG_stigrule_258200_Manage: True
rhel9STIG_stigrule_258200__etc_audit_rules_d_audit_rules__usr_sbin_postqueue_Line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258201 RHEL-09-654135
rhel9STIG_stigrule_258201_Manage: True
rhel9STIG_stigrule_258201__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent_Line: '-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
# R-258202 RHEL-09-654140
rhel9STIG_stigrule_258202_Manage: True
rhel9STIG_stigrule_258202__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign_Line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
# R-258203 RHEL-09-654145
rhel9STIG_stigrule_258203_Manage: True
rhel9STIG_stigrule_258203__etc_audit_rules_d_audit_rules__usr_bin_su_Line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change'
# R-258204 RHEL-09-654150
rhel9STIG_stigrule_258204_Manage: True
rhel9STIG_stigrule_258204__etc_audit_rules_d_audit_rules__usr_bin_sudo_Line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
# R-258205 RHEL-09-654155
rhel9STIG_stigrule_258205_Manage: True
rhel9STIG_stigrule_258205__etc_audit_rules_d_audit_rules__usr_bin_sudoedit_Line: '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
# R-258206 RHEL-09-654160
rhel9STIG_stigrule_258206_Manage: True
rhel9STIG_stigrule_258206__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd_Line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258207 RHEL-09-654165
rhel9STIG_stigrule_258207_Manage: True
rhel9STIG_stigrule_258207__etc_audit_rules_d_audit_rules__usr_sbin_unix_update_Line: '-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258208 RHEL-09-654170
rhel9STIG_stigrule_258208_Manage: True
rhel9STIG_stigrule_258208__etc_audit_rules_d_audit_rules__usr_sbin_userhelper_Line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258209 RHEL-09-654175
rhel9STIG_stigrule_258209_Manage: True
rhel9STIG_stigrule_258209__etc_audit_rules_d_audit_rules__usr_sbin_usermod_Line: '-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod'
# R-258210 RHEL-09-654180
rhel9STIG_stigrule_258210_Manage: True
rhel9STIG_stigrule_258210__etc_audit_rules_d_audit_rules__usr_bin_mount_Line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
# R-258211 RHEL-09-654185
rhel9STIG_stigrule_258211_Manage: True
rhel9STIG_stigrule_258211__etc_audit_rules_d_audit_rules__usr_sbin_init_Line: '-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init'
# R-258212 RHEL-09-654190
rhel9STIG_stigrule_258212_Manage: True
rhel9STIG_stigrule_258212__etc_audit_rules_d_audit_rules__usr_sbin_poweroff_Line: '-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff'
# R-258213 RHEL-09-654195
rhel9STIG_stigrule_258213_Manage: True
rhel9STIG_stigrule_258213__etc_audit_rules_d_audit_rules__usr_sbin_reboot_Line: '-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot'
# R-258214 RHEL-09-654200
rhel9STIG_stigrule_258214_Manage: True
rhel9STIG_stigrule_258214__etc_audit_rules_d_audit_rules__usr_sbin_shutdown_Line: '-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown'
# R-258217 RHEL-09-654215
rhel9STIG_stigrule_258217_Manage: True
rhel9STIG_stigrule_258217__etc_audit_rules_d_audit_rules__etc_sudoers_Line: '-w /etc/sudoers -p wa -k identity'
# R-258218 RHEL-09-654220
rhel9STIG_stigrule_258218_Manage: True
rhel9STIG_stigrule_258218__etc_audit_rules_d_audit_rules__etc_sudoers_d__Line: '-w /etc/sudoers.d/ -p wa -k identity'
# R-258219 RHEL-09-654225
rhel9STIG_stigrule_258219_Manage: True
rhel9STIG_stigrule_258219__etc_audit_rules_d_audit_rules__etc_group_Line: '-w /etc/group -p wa -k identity'
# R-258220 RHEL-09-654230
rhel9STIG_stigrule_258220_Manage: True
rhel9STIG_stigrule_258220__etc_audit_rules_d_audit_rules__etc_gshadow_Line: '-w /etc/gshadow -p wa -k identity'
# R-258221 RHEL-09-654235
rhel9STIG_stigrule_258221_Manage: True
rhel9STIG_stigrule_258221__etc_audit_rules_d_audit_rules__etc_security_opasswd_Line: '-w /etc/security/opasswd -p wa -k identity'
# R-258222 RHEL-09-654240
rhel9STIG_stigrule_258222_Manage: True
rhel9STIG_stigrule_258222__etc_audit_rules_d_audit_rules__etc_passwd_Line: '-w /etc/passwd -p wa -k identity'
# R-258223 RHEL-09-654245
rhel9STIG_stigrule_258223_Manage: True
rhel9STIG_stigrule_258223__etc_audit_rules_d_audit_rules__etc_shadow_Line: '-w /etc/shadow -p wa -k identity'
# R-258224 RHEL-09-654250
rhel9STIG_stigrule_258224_Manage: True
rhel9STIG_stigrule_258224__etc_audit_rules_d_audit_rules__var_log_faillock_Line: '-w /var/log/faillock -p wa -k logins'
# R-258225 RHEL-09-654255
rhel9STIG_stigrule_258225_Manage: True
rhel9STIG_stigrule_258225__etc_audit_rules_d_audit_rules__var_log_lastlog_Line: '-w /var/log/lastlog -p wa -k logins'
# R-258226 RHEL-09-654260
rhel9STIG_stigrule_258226_Manage: True
rhel9STIG_stigrule_258226__etc_audit_rules_d_audit_rules__var_log_tallylog_Line: '-w /var/log/tallylog -p wa -k logins'
# R-258227 RHEL-09-654265
rhel9STIG_stigrule_258227_Manage: True
rhel9STIG_stigrule_258227__etc_audit_rules_d_audit_rules_f2_Line: '-f 2'
# R-258228 RHEL-09-654270
rhel9STIG_stigrule_258228_Manage: True
rhel9STIG_stigrule_258228__etc_audit_rules_d_audit_rules_loginuid_immutable_Line: '--loginuid-immutable'
# R-258229 RHEL-09-654275
rhel9STIG_stigrule_258229_Manage: True
rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line: '-e 2'
# R-258234 RHEL-09-215100
rhel9STIG_stigrule_258234_Manage: True
rhel9STIG_stigrule_258234_crypto_policies_State: installed
# R-272488 RHEL-09-215101
rhel9STIG_stigrule_272488_Manage: True
rhel9STIG_stigrule_272488_postfix_State: installed
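Review bot: the `-e 2` rule (R-258229) and `--loginuid-immutable` (R-258228) only do what the STIG intends if they are the last lines augenrules loads, and the variable names suggest every rule in this file lands in the same `audit.rules` under `/etc/audit/rules.d/`; verify the role emits `-e 2` after every `-a`/`-w` line, because once the kernel is immutable no later rule in the file, and no `auditctl` call, can be applied until reboot. Two settings deserve an explicit acknowledgement rather than silent defaults: `disk_error_action = HALT` / `disk_full_action = HALT` (R-258153/258154) and `admin_space_left_action = single` (R-258159) turn an audit-disk problem into an outage by design, and `space_left_action = email` with `action_mail_acct = root` (R-258157/258163) delivers nothing unless the postfix package from R-272488 is actually running and root's mail is read somewhere. The setsebool rule (R-258186) uses `-F key=privileged` while every other rule here uses `-k`; the two are equivalent to auditctl, but a scanner that matches the STIG fix text literally may reject it, so use `-k privileged` for consistency. The rsyslog TLS lines (R-258146 to R-258148) set the driver, mode and `x509/name` authentication but no `$ActionSendStreamDriverPermittedPeer`, CA file or `@@host` forwarding action; without those rsyslog has no peer name to verify and the directives are inert, so either document that the collector settings come from elsewhere or add them alongside these.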

File diff suppressed because one or more lines are too long


@@ -0,0 +1,30 @@
- name: dconf_update
command: dconf update
- name: auditd_restart
command: /usr/sbin/service auditd restart
- name: ssh_restart
service:
name: sshd
state: restarted
- name: rsyslog_restart
service:
name: rsyslog
state: restarted
- name: sysctl_load_settings
command: sysctl --system
- name: daemon_reload
systemd:
daemon_reload: true
- name: networkmanager_reload
service:
name: NetworkManager
state: reloaded
- name: logind_restart
service:
name: systemd-logind
state: restarted
- name: with_faillock_enable
command: authselect enable-feature with-faillock
- name: do_reboot
reboot:
pre_reboot_delay: 60
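Review bot: `auditd_restart` cannot apply new rules once the `-e 2` immutable flag from the STIG vars has been loaded, so a later run that changes rules will restart the daemon and still run the old rule set; have the audit-rule tasks notify `do_reboot` in that case, or fail with a clear message when `auditctl -s` reports `enabled 2`. Using `/usr/sbin/service auditd restart` instead of the service module is correct here because the unit refuses a manual stop, but the remaining handlers should use FQCNs (`ansible.builtin.service`, `ansible.builtin.command`, `ansible.builtin.systemd`) like the tasks elsewhere in this commit, and `with_faillock_enable` should check `authselect current` or set `changed_when` so an already-enabled feature is not reported as a change on every run.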

File diff suppressed because it is too large


@@ -0,0 +1,13 @@
---
extends: default
rules:
comments:
require-starting-space: false
min-spaces-from-content: 1
comments-indentation: disable
indentation:
indent-sequences: consistent
line-length:
max: 120
allow-non-breakable-inline-mappings: true
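Review bot: `line-length: max: 120` with `allow-non-breakable-inline-mappings: true` still flags long values that contain spaces, so the audit rule strings in the STIG vars file added in this commit (several are over 200 characters) will fail `yamllint` unless that path is listed under an `ignore:` key or those files carry a `# yamllint disable rule:line-length` comment; add one or the other so CI agrees with the committed content.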


@@ -0,0 +1,16 @@
---
# --------------------------------------------------------
# Ansible Automation Platform Controller URL
# --------------------------------------------------------
# eda_controller_aap_controller_url: [Required]
# --------------------------------------------------------
# Workload: eda_controller
# --------------------------------------------------------
eda_controller_project: "aap"
eda_controller_project_app_name: "eda-controller"
# eda_controller_admin_password: "{{ common_password }}"
eda_controller_cluster_rolebinding_name: eda_default
eda_controller_cluster_rolebinding_role: cluster-admin
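Review bot: `eda_controller_admin_password` is commented out here while `tasks/main.yml` and the secret template read the password from the `CONTROLLER_PASSWORD` environment variable, so a user who sets the variable gets no effect; either honour it (for example `lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') | default(eda_controller_admin_password, true)`) or delete the commented line and document the two inputs the role really needs, `CONTROLLER_PASSWORD` and `CONTROLLER_HOST`, in this header. The header currently lists only `eda_controller_aap_controller_url` as required, and that variable does not appear in the role's tasks or templates in this commit.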


@@ -0,0 +1,14 @@
---
galaxy_info:
role_name: eda_controller
author: Mitesh Sharma (mitsharm@redhat.com)
description: |
Installs EDA on OpenShift
license: GPLv3
min_ansible_version: "2.9"
platforms: []
galaxy_tags:
- eda
- openshift
- aap
dependencies: []
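Review bot: `min_ansible_version: "2.9"` is too low for this role: the tasks use `kubernetes.core.k8s`, `ansible.builtin.set_fact` and the `ansible.builtin.env` lookup, and the collection-namespaced builtins do not resolve on 2.9, so bump it to at least "2.10" (or whatever ansible-core the execution environment ships). `license: GPLv3` is declared here while this same commit deletes the repository's GPLv3 `LICENSE` file, so confirm the license text still ships somewhere, and `dependencies: []` disagrees with the README, which lists `automation_controller_platform` as a dependency.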


@@ -0,0 +1,6 @@
== eda_controller
This role installs EDA on OpenShift, mostly copied from https://github.com/redhat-cop/agnosticd/.
== Dependencies
Role: automation_controller_platform
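Review bot: the README does not mention the two inputs the role actually requires, the `CONTROLLER_PASSWORD` and `CONTROLLER_HOST` environment variables read via `lookup('ansible.builtin.env', ...)`, nor that the role binds the namespace's default service account to `cluster-admin`; list both so an operator knows what the role needs and what it grants before running it.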


@@ -0,0 +1,54 @@
---
- name: Setup environment vars
block:
- name: Create secret and Install EDA
kubernetes.core.k8s:
state: present
definition: "{{ lookup('template', __definition) }}"
loop:
- eda_admin_secret.j2
- eda_controller.j2
loop_control:
loop_var: __definition
- name: Retrieve created route
kubernetes.core.k8s_info:
api_version: "route.openshift.io/v1"
kind: Route
name: "{{ eda_controller_project_app_name }}"
namespace: "{{ eda_controller_project }}"
register: r_eda_route
until: r_eda_route.resources[0].spec.host is defined
retries: 30
delay: 45
- name: Get eda-controller route hostname
ansible.builtin.set_fact:
eda_controller_hostname: "{{ r_eda_route.resources[0].spec.host }}"
- name: Wait for eda_controller to be running
ansible.builtin.uri:
url: https://{{ eda_controller_hostname }}/api/eda/v1/users/me/awx-tokens/
user: "admin"
password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') }}"
method: GET
force_basic_auth: true
validate_certs: false
body_format: json
status_code: 200
register: r_result
until: not r_result.failed
retries: 60
delay: 45
- name: Create Rolebinding for Rulebook Activations
kubernetes.core.k8s:
state: present
definition: "{{ lookup('template', 'cluster_rolebinding.j2') }}"
- name: Display EDA Controller URL
ansible.builtin.debug:
msg:
- "EDA Controller URL: https://{{ eda_controller_hostname }}"
- "EDA Controller Admin Login: admin"
- "EDA Controller Admin Password: <same as the Controller Admin password>"


@@ -0,0 +1,13 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ eda_controller_cluster_rolebinding_name }}
subjects:
- kind: ServiceAccount
name: default
namespace: {{ eda_controller_project }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ eda_controller_cluster_rolebinding_role }}
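Review bot: this binds the `default` ServiceAccount of the EDA namespace to `cluster-admin` cluster-wide, and the default SA token is mounted into every pod in that namespace, including the rulebook activation pods that run user-supplied rulebooks, so anyone who can create an activation (or exec into any pod there) becomes cluster-admin. Create a dedicated ServiceAccount for activations, bind it with a namespaced RoleBinding carrying only the verbs the rulebooks need, and change the default in `defaults/main.yml` away from `cluster-admin`; if the demo genuinely needs cluster scope, say so in the README rather than leaving it implicit in a template.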


@@ -0,0 +1,15 @@
---
kind: Secret
apiVersion: v1
metadata:
name: {{ eda_controller_project_app_name }}-admin-password
namespace: {{ eda_controller_project }}
labels:
app.kubernetes.io/component: eda
app.kubernetes.io/managed-by: eda-operator
app.kubernetes.io/name: {{ eda_controller_project_app_name }}
app.kubernetes.io/operator-version: '2.4'
app.kubernetes.io/part-of: {{ eda_controller_project_app_name }}
data:
password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') | b64encode }}"
type: Opaque
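Review bot: `lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD')` returns an empty string when the variable is unset, so this template silently creates a secret whose `password` is the base64 of nothing and the EDA admin account comes up with an empty password; add an `ansible.builtin.assert` in `tasks/main.yml` that the lookup is non-empty before the secret is created. The `app.kubernetes.io/managed-by: eda-operator` and `app.kubernetes.io/operator-version: '2.4'` labels claim the operator created this object, which it did not; drop them or label it as managed by this role so the operator's reconcile logic and anyone auditing the namespace are not misled.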


@@ -0,0 +1,26 @@
---
apiVersion: eda.ansible.com/v1alpha1
kind: EDA
metadata:
name: {{ eda_controller_project_app_name }}
namespace: {{ eda_controller_project }}
spec:
route_tls_termination_mechanism: Edge
ingress_type: Route
loadbalancer_port: 80
no_log: true
image_pull_policy: IfNotPresent
ui:
replicas: 1
set_self_labels: true
api:
gunicorn_workers: 2
replicas: 1
redis:
replicas: 1
admin_user: admin
loadbalancer_protocol: http
worker:
replicas: 3
automation_server_url: '{{ lookup('ansible.builtin.env', 'CONTROLLER_HOST') }}'
admin_password_secret: {{ eda_controller_project_app_name }}-admin-password
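Review bot: `automation_server_url` has the same unset-variable problem as the secret template (a missing `CONTROLLER_HOST` yields an empty URL and the EDA pods cannot reach the controller), so assert on it in `tasks/main.yml` as well. `loadbalancer_port: 80` and `loadbalancer_protocol: http` are only consulted for a LoadBalancer-type service and are inert with `ingress_type: Route`; drop them so a reader does not conclude the API is exposed over plaintext port 80, and note that `route_tls_termination_mechanism: Edge` means traffic between the router and the EDA pods is not TLS, which is fine for a demo but worth a comment.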


@@ -0,0 +1,49 @@
---
- name: Get state of VirtualMachine
redhat.openshift_virtualization.kubevirt_vm_info:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
register: state
- name: Stop VirtualMachine
redhat.openshift_virtualization.kubevirt_vm:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
running: false
wait: true
when: state.resources.0.spec.running
- name: Create a VirtualMachineSnapshot
kubernetes.core.k8s:
definition:
apiVersion: snapshot.kubevirt.io/v1alpha1
kind: VirtualMachineSnapshot
metadata:
generateName: "{{ item }}-{{ ansible_date_time.epoch }}"
namespace: "{{ vm_namespace }}"
spec:
source:
apiGroup: kubevirt.io
kind: VirtualMachine
name: "{{ item }}"
wait: true
wait_condition:
type: Ready
register: snapshot
- name: Start VirtualMachine
redhat.openshift_virtualization.kubevirt_vm:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
running: true
wait: true
when: state.resources.0.spec.running
- name: Export snapshot name
ansible.builtin.set_stats:
data:
restore_snapshot_name: "{{ snapshot.result.metadata.name }}"
- name: Output snapshot name
ansible.builtin.debug:
msg: "Successfully created snapshot {{ snapshot.result.metadata.name }}"


@@ -0,0 +1,12 @@
---
# parameters
# snapshot_opeation: <ceate/restore>
- name: Show hostnames we care about
ansible.builtin.debug:
msg: "About to {{ snapshot_operation }} snapshot(s) for the following hosts:
{{ lookup('ansible.builtin.inventory_hostnames', snapshot_hosts) | split(',') | difference(['localhost']) }}"
- name: Manage snapshots based on operation
ansible.builtin.include_tasks:
file: "{{ snapshot_operation }}.yml"
loop: "{{ lookup('ansible.builtin.inventory_hostnames', snapshot_hosts) | regex_replace(vm_namespace + '-', '') | split(',') | difference(['localhost']) }}"


@@ -0,0 +1,51 @@
---
- name: Get state of VirtualMachine
redhat.openshift_virtualization.kubevirt_vm_info:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
register: state
- name: List snapshots
kubernetes.core.k8s_info:
api_version: snapshot.kubevirt.io/v1alpha1
kind: VirtualMachineSnapshot
namespace: "{{ vm_namespace }}"
register: snapshot
- name: Set snapshot name for {{ item }}
ansible.builtin.set_fact:
latest_snapshot: "{{ snapshot.resources | selectattr('spec.source.name', 'equalto', item) | sort(attribute='metadata.creationTimestamp') | first }}"
- name: Stop VirtualMachine
redhat.openshift_virtualization.kubevirt_vm:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
running: false
wait: true
when: state.resources.0.spec.running
- name: Restore a VirtualMachineSnapshot
kubernetes.core.k8s:
definition:
apiVersion: snapshot.kubevirt.io/v1alpha1
kind: VirtualMachineRestore
metadata:
generateName: "{{ latest_snapshot.metadata.generateName }}"
namespace: "{{ vm_namespace }}"
spec:
target:
apiGroup: kubevirt.io
kind: VirtualMachine
name: "{{ item }}"
virtualMachineSnapshotName: "{{ latest_snapshot.metadata.name }}"
wait: true
wait_condition:
type: Ready
- name: Start VirtualMachine
redhat.openshift_virtualization.kubevirt_vm:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
running: true
wait: true
when: state.resources.0.spec.running
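Review bot: `sort(attribute='metadata.creationTimestamp') | first` selects the oldest snapshot, not the latest, so every restore rolls the VM back to its first snapshot; use `| last` (or `sort(..., reverse=true) | first`), otherwise the name `latest_snapshot` is misleading. The same expression errors with an empty-sequence message when no snapshot exists for `{{ item }}`, so assert that `snapshot.resources | selectattr('spec.source.name', 'equalto', item) | list | length > 0` first. `generateName: "{{ latest_snapshot.metadata.generateName }}"` on the VirtualMachineRestore reuses the snapshot's prefix, which makes restore and snapshot objects indistinguishable by name; a distinct `-restore-` prefix keeps the audit trail readable.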


@@ -6,32 +6,34 @@
mode: "0755"
- name: Create HTML report
check_mode: false
ansible.builtin.template:
src: report.j2
dest: "{{ file_path }}/network.html"
mode: "0644"
check_mode: false
- name: Copy CSS over
check_mode: false
ansible.builtin.copy:
src: "css"
dest: "{{ file_path }}"
directory_mode: true
mode: "0775"
check_mode: false
- name: Copy logos over
ansible.builtin.copy:
src: "{{ item }}"
dest: "{{ file_path }}"
directory_mode: true
mode: "0644"
loop:
- "webpage_logo.png"
- "redhat-ansible-logo.svg"
- "router.png"
loop_control:
loop_var: logo
check_mode: false
ansible.builtin.copy:
src: "{{ logo }}"
dest: "{{ file_path }}"
directory_mode: true
mode: "0644"
# - name: Display link to Linux patch report
# ansible.builtin.debug:
# msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/network.html"
- name: Display link to Linux patch report
ansible.builtin.debug:
msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/network.html"


@@ -31,3 +31,7 @@
- name: Display link to inventory report
ansible.builtin.debug:
msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"
- name: Display link with a new path
ansible.builtin.debug:
msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"


@@ -2,14 +2,6 @@
- name: Include system variables
ansible.builtin.include_vars: "{{ ansible_system }}.yml"
- name: Permit traffic in default zone for http service
ansible.posix.firewalld:
service: http
permanent: true
state: enabled
immediate: true
check_mode: false
- name: Install httpd package
ansible.builtin.yum:
name: httpd
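Review bot: dropping the `Permit traffic in default zone for http service` task leaves nothing in this role that opens port 80, so the report server is reachable only if firewalld is absent or the instance relies entirely on a cloud security group; if the removal is because firewalld is not installed on the image, guard the task with a `when` on the `firewalld` service fact instead of deleting it, and say in the commit message which case applies.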
@@ -30,8 +22,10 @@
mode: "0644"
check_mode: false
- name: Install httpd service
- name: Start httpd service
ansible.builtin.service:
name: httpd
state: started
check_mode: false
...
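Review bot: renaming the task to `Start httpd service` matches what it does, but the service is only `started`, not `enabled`; add `enabled: true` so the report server survives a reboot, and note that `check_mode: false` here means the service really is started during a `--check` run, which deserves a comment if intended.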


@@ -1,107 +0,0 @@
# ansible dist for migration if local
ansible*
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# pyenv
.python-version
# celery beat schedule file
celerybeat-schedule
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
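Review bot: deleting `.gitignore` removes the `.env`, `venv/`, `*.log`, `.python-version` and `__pycache__/` exclusions, so local credential files (`.env`), virtualenvs and logs can be committed by accident from now on; if the file is moving to another location in the repository, this commit should show the new copy, otherwise keep it.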


@@ -1,674 +0,0 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<https://www.gnu.org/licenses/why-not-lgpl.html>.


@@ -1,334 +0,0 @@
# CSV based ansible inventory
## Quick start
1) Clone the repository
2) Link the repo into the default collection path
```
mkdir -p ~/.ansible/collections/ansible_collections/nmake
ln -s ~/projects/inventory ~/.ansible/collections/ansible_collections/nmake
```
3) Define a `nmake_inventory_csv.yaml` file:
```yaml
plugin: nmake.inventory.csv
source: "/full/path/to/inventory.csv"
# add an attribute to each host based on a conditional
compose:
ansible_become: ansible_network_os == "eos"
ansible_python_interpreter: python
# build dynamic groups based on csv columns
keyed_groups:
- key: site
prefix: site
- key: ansible_network_os
prefix: ""
separator: ""
# allow the csv to contain `vars:xxx` values which reference these
vars:
ansible_user: "{{ lookup('env', 'ansible_user') }}"
ansible_password: "{{ lookup('env', 'ansible_password') }}"
ansible_become_pass: "{{ lookup('env', 'ansible_become_pass') }}"
# add an attribute to each host if it's not in the csv
defaults:
ansible_become_method: enable
ansible_connection: network_cli
ansible_python_interpreter: python
# in case the CSV columns don't match what we need
column_replace:
os: ansible_network_os
```
4) Define the CSV file:
Note:
- A value in the format of `vars:xxx` will be replaced with values from the yaml file above
- A column called groups should contain a space delimited list of groups the host should belong to
- All other columns will be added as attributes of the host in the inventory
- See the constructued inventory plugin for details about `compose`, `keyed_groups` and `groups`
```
host,os,ansible_user,ansible_password,ansible_become_pass,site,groups
nxos101,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,red blue
nxos102,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,blue yellow
nxos103,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,red blue
nxos104,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,blue yellow
eos10[1:4],eos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,orange red
vyos10[1:4],vyos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,orange red
```
5) Update the ansible.cfg file to allow the CSV inventory plugin:
```ini
[inventory]
enable_plugins = nmake.inventory.csv
```
6) Check the inventory
```bash
ansible-inventory -i nmake_inventory_csv.yaml --list
```
```json
{
"_meta": {
"hostvars": {
"eos101": {
"ansible_become": true,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "eos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"eos102": {
"ansible_become": true,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "eos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"eos103": {
"ansible_become": true,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "eos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"eos104": {
"ansible_become": true,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "eos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"nxos101": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "nxos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"nxos102": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "nxos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"nxos103": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "nxos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"nxos104": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "nxos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"vyos101": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "vyos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"vyos102": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "vyos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"vyos103": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "vyos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"vyos104": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "vyos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
}
}
},
"all": {
"children": [
"blue",
"eos",
"nxos",
"orange",
"red",
"site_my_lab",
"ungrouped",
"vyos",
"yellow"
]
},
"blue": {
"hosts": [
"nxos101",
"nxos102",
"nxos103",
"nxos104"
]
},
"eos": {
"hosts": [
"eos101",
"eos102",
"eos103",
"eos104"
]
},
"nxos": {
"hosts": [
"nxos101",
"nxos102",
"nxos103",
"nxos104"
]
},
"orange": {
"hosts": [
"eos101",
"eos102",
"eos103",
"eos104",
"vyos101",
"vyos102",
"vyos103",
"vyos104"
]
},
"red": {
"hosts": [
"eos101",
"eos102",
"eos103",
"eos104",
"nxos101",
"nxos103",
"vyos101",
"vyos102",
"vyos103",
"vyos104"
]
},
"site_my_lab": {
"hosts": [
"eos101",
"eos102",
"eos103",
"eos104",
"nxos101",
"nxos102",
"nxos103",
"nxos104",
"vyos101",
"vyos102",
"vyos103",
"vyos104"
]
},
"vyos": {
"hosts": [
"vyos101",
"vyos102",
"vyos103",
"vyos104"
]
},
"yellow": {
"hosts": [
"nxos102",
"nxos104"
]
}
}
```
7) Run ansible:
```yaml
# site.yaml
- hosts: all
gather_facts: False
tasks:
- name: Use the platform facts module for each
action: "{{ ansible_network_os }}_facts"
args:
gather_network_resources:
- interfaces
- debug:
msg: "{{ hostvars[inventory_hostname] }}"
```
```shell
ansible-playbook -i nmake_inventory_csv.yaml site.yaml
```

@@ -1,376 +0,0 @@
# Ansible inventory using a google sheet
## Requirements
```
pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib
```
## Set-up
1) Clone the repository
2) Link the repo into the default collection path
```
mkdir -p ~/.ansible/collections/ansible_collections/nmake
ln -s ~/projects/inventory ~/.ansible/collections/ansible_collections/nmake
```
3) Enable the Google sheets API and download the `credentials.json` file.
https://developers.google.com/sheets/api/quickstart/python
4) Create the token file by running the inventory script directly from the command line
Note:
- Provide the full path the credentials file downloaded above
- Provide a path to where the token file should be created
- This step is optional, if not completed the token file will be created during the first use of the inventory plugin
```shell
python /path_to_repo/inventory/plugins/inventory/gsheet.py \
--token /home/username/token.pickle \
--credentials /home/username/credentials.json
```
5) Build the google sheet
Note-
- Take note of the spreadsheet ID in the URL for your google sheet
- The inventory will be build from the first sheet only
Sample URL and sheet ID
```
https://docs.google.com/spreadsheets/d/1iTRfuFTPidnJoplKVH4e5znlk3my/edit#gid=1310233339
The ID falls between the /d and /edit
1iTRfuFTPidnJoplKVH4e5znlk3my
```
Sample Google sheet:
```
host,os,ansible_user,ansible_password,ansible_become_pass,site,groups
nxos101,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,red blue
nxos102,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,blue yellow
nxos103,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,red blue
nxos104,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,blue yellow
eos10[1:4],eos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,orange red
vyos10[1:4],vyos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,orange red
```
6) Define a `nmake_inventory_gsheet.yaml` file:
Note:
- The credentials key should point to the credentials file downloaded above
- The token should point ot the token file created above
```yaml
plugin: nmake.inventory.gsheet
credentials: /home/username/credentials.json
token: /home/username/token.pickle
sheet_id: 1iTRfuFTPidnJoplKVH4e5znlk3my
# add an attribute to each host based on a conditional
compose:
ansible_become: ansible_network_os == "eos"
ansible_python_interpreter: python
# build dynamic groups based on csv columns
keyed_groups:
- key: site
prefix: site
- key: ansible_network_os
prefix: ""
separator: ""
# allow the csv to contain `vars:xxx` values which reference these
vars:
ansible_user: "{{ lookup('env', 'ansible_user') }}"
ansible_password: "{{ lookup('env', 'ansible_password') }}"
ansible_become_pass: "{{ lookup('env', 'ansible_become_pass') }}"
# add an attribute to each host if it's not in the csv
defaults:
ansible_become_method: enable
ansible_connection: network_cli
ansible_python_interpreter: python
# in case the CSV columns don't match what we need
column_replace:
os: ansible_network_os
```
7) Update the ansible.cfg file to allow the CSV inventory plugin:
```ini
[inventory]
enable_plugins = nmake.inventory.gsheet
```
8) Check the inventory
```bash
ansible-inventory -i nmake_inventory_gsheet.yaml --list
```
```json
{
"_meta": {
"hostvars": {
"eos101": {
"ansible_become": true,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "eos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"eos102": {
"ansible_become": true,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "eos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"eos103": {
"ansible_become": true,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "eos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"eos104": {
"ansible_become": true,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "eos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"nxos101": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "nxos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"nxos102": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "nxos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"nxos103": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "nxos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"nxos104": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "nxos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"vyos101": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "vyos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"vyos102": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "vyos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"vyos103": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "vyos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
},
"vyos104": {
"ansible_become": false,
"ansible_become_method": "enable",
"ansible_become_pass": "{{ lookup('env', 'ansible_become_pass') }}",
"ansible_connection": "network_cli",
"ansible_network_os": "vyos",
"ansible_password": "{{ lookup('env', 'ansible_password') }}",
"ansible_python_interpreter": "python",
"ansible_user": "{{ lookup('env', 'ansible_user') }}",
"site": "my_lab"
}
}
},
"all": {
"children": [
"blue",
"eos",
"nxos",
"orange",
"red",
"site_my_lab",
"ungrouped",
"vyos",
"yellow"
]
},
"blue": {
"hosts": [
"nxos101",
"nxos102",
"nxos103",
"nxos104"
]
},
"eos": {
"hosts": [
"eos101",
"eos102",
"eos103",
"eos104"
]
},
"nxos": {
"hosts": [
"nxos101",
"nxos102",
"nxos103",
"nxos104"
]
},
"orange": {
"hosts": [
"eos101",
"eos102",
"eos103",
"eos104",
"vyos101",
"vyos102",
"vyos103",
"vyos104"
]
},
"red": {
"hosts": [
"eos101",
"eos102",
"eos103",
"eos104",
"nxos101",
"nxos103",
"vyos101",
"vyos102",
"vyos103",
"vyos104"
]
},
"site_my_lab": {
"hosts": [
"eos101",
"eos102",
"eos103",
"eos104",
"nxos101",
"nxos102",
"nxos103",
"nxos104",
"vyos101",
"vyos102",
"vyos103",
"vyos104"
]
},
"vyos": {
"hosts": [
"vyos101",
"vyos102",
"vyos103",
"vyos104"
]
},
"yellow": {
"hosts": [
"nxos102",
"nxos104"
]
}
}
```
9) Run ansible:
```yaml
# site.yaml
- hosts: all
gather_facts: False
tasks:
- name: Use the platform facts module for each
action: "{{ ansible_network_os }}_facts"
args:
gather_network_resources:
- interfaces
- debug:
msg: "{{ hostvars[inventory_hostname] }}"
```
```shell
ansible-playbook -i nmake_inventory_gsheet.yaml site.yaml
```

@@ -1,145 +0,0 @@
from ansible.plugins.inventory import (
BaseInventoryPlugin,
Constructable,
expand_hostname_range,
detect_range,
)
import csv
DOCUMENTATION = """
name: nmake.inventory.csv
plugin_type: inventory
short_description: Use a CSV file as an inventory source
description:
- Use a CSV file as an inventory source
extends_documentation_fragment:
- constructed
options:
column_replace:
description: Replace a column name in the csv with an alternate name
type: dict
defaults:
description: Assign attributes to hosts when not in the CSV file
type: dict
plugin:
description: token that ensures this is a source file for the 'csv' plugin
required: True
choices: ['nmake.inventory.csv']
vars:
description: Use variables to provide CSV values
type: dict
"""
EXAMPLES = """
# sample CSV file
# host,os,ansible_user,ansible_password,ansible_become_pass,site,groups
# nxos101,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,red blue
# nxos102,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,blue yellow
# nxos103,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,red blue
# nxos104,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,blue yellow
# eos10[1:4],eos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,orange red
# vyos10[1:4],vyos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,orange red
# nmake_inventory_csv.yaml
plugin: nmake.inventory.csv
source: "/home/user/github/test_csv_inventory/inventory.csv"
# add an attribute to each host based on a conditional
compose:
ansible_become: ansible_network_os == "eos"
# build dynamic groups based on csv columns
keyed_groups:
- key: site
prefix: site
- key: ansible_network_os
prefix: ""
separator: ""
# allow the csv to contain `vars:xxx` values which reference these
vars:
ansible_user: "{{ lookup('env', 'ansible_user') }}"
ansible_password: "{{ lookup('env', 'ansible_password') }}"
ansible_become_pass: "{{ lookup('env', 'ansible_become_pass') }}"
# add an attribute to each host if it's not in the csv
defaults:
ansible_connection: network_cli
# in case the CSV columns don't match what we need
column_replace:
os: ansible_network_os
"""
class InventoryModule(BaseInventoryPlugin, Constructable):
NAME = "nmake.inventory.csv"
def verify_file(self, path):
""" return true/false if this is possibly a valid file for this plugin to consume """
valid = False
if super(InventoryModule, self).verify_file(path):
if path.endswith(
("nmake_inventory_csv.yaml", "nmake_inventory_csv.yml")
):
valid = True
return valid
def parse(self, inventory, loader, path, cache=True):
super(InventoryModule, self).parse(inventory, loader, path, cache)
config = self._read_config_data(path)
strict = self.get_option("strict")
input_file = csv.DictReader(open(config["source"]))
for entry in input_file:
hostvars = {}
groups = []
if detect_range(entry["host"]):
hosts = expand_hostname_range(entry["host"])
else:
hosts = [entry["host"]]
for host in hosts:
self.inventory.add_host(host)
for k, v in entry.items():
if k not in ["host", "tags"]:
if v.startswith("vars:"):
varval = v.split("vars:")[1]
v = config["vars"].get(varval)
if k in config.get("column_replace", {}):
add_key = config["column_replace"][k]
else:
add_key = k
hostvars[add_key] = v
if k == "groups":
groups = v.split(" ")
for k, v in config.get("defaults", {}).items():
if k not in hostvars:
hostvars[k] = v
for k, v in hostvars.items():
self.inventory.set_variable(host, k, v)
self._set_composite_vars(
self.get_option("compose"), hostvars, host, strict=strict
)
self._add_host_to_composed_groups(
self.get_option("groups"), hostvars, host, strict=strict
)
self._add_host_to_keyed_groups(
self.get_option("keyed_groups"),
hostvars,
host,
strict=strict,
)
for group in groups:
self.inventory.add_group(group=group)
self.inventory.add_host(group=group, host=host)
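Review bot: no objection to dropping this plugin, and several defects in `parse` argue against bringing it back as-is: `csv.DictReader(open(config["source"]))` never closes the file; `config["vars"].get(varval)` raises KeyError when a row uses a `vars:` value but the YAML has no `vars` section; and the skip list `["host", "tags"]` does not match the `groups` column that is read a few lines later, so the raw `groups` string is also stored as a hostvar on every host. If a CSV inventory is reintroduced, read `vars` through `self.get_option("vars")` with a default and open the file in a `with` block.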

@@ -1,235 +0,0 @@
from ansible.plugins.inventory import (
BaseInventoryPlugin,
Constructable,
expand_hostname_range,
detect_range,
)
import pickle
import os.path
from ansible.errors import AnsibleError
try:
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
except ImportError:
raise AnsibleError(
"This inventory requires several python libraries that appear to be missing `pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib`"
)
SCOPES = ["https://www.googleapis.com/auth/spreadsheets.readonly"]
DOCUMENTATION = """
name: name.inventory.gsheet
plugin_type: inventory
short_description: Use a Google sheet as an inventory source
description:
- Use a Google sheet as an inventory source
extends_documentation_fragment:
- constructed
options:
column_replace:
description: Replace a column name in the csv with an alternate name
type: dict
credentials:
description: The full path to the credentials.json file
type: str
required: True
defaults:
description: Assign attributes to hosts when not in the CSV file
type: dict
plugin:
description: token that ensures this is a source file for the 'csv' plugin
required: True
choices: ['nmake.inventory.gsheet']
sheet_id:
description: The ID for the google sheet from the sheet's URL
required: True
token:
description: The full path to the token file
required: True
type: str
vars:
description: Use variables to provide CSV values
type: dict
"""
EXAMPLES = """
# sample gsheet file
# host,os,ansible_user,ansible_password,ansible_become_pass,site,groups
# nxos101,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,red blue
# nxos102,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,blue yellow
# nxos103,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,red blue
# nxos104,nxos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,blue yellow
# eos10[1:4],eos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,orange red
# vyos10[1:4],vyos,vars:ansible_user,vars:ansible_password,vars:ansible_become_pass,my_lab,orange red
# nmake_inventory_gsheet.yaml
plugin: nmake.inventory.gsheet
credentials: /home/username/credentials.json
token: /home/username/token.pickle
sheet_id: 1iTRfuFTPidnJoplKVH4e5znlk3my
# add an attribute to each host based on a conditional
compose:
ansible_become: ansible_network_os == "eos"
# build dynamic groups based on csv columns
keyed_groups:
- key: site
prefix: site
- key: ansible_network_os
prefix: ""
separator: ""
# allow the csv to contain `vars:xxx` values which reference these
vars:
ansible_user: "{{ lookup('env', 'ansible_user') }}"
ansible_password: "{{ lookup('env', 'ansible_password') }}"
ansible_become_pass: "{{ lookup('env', 'ansible_become_pass') }}"
# add an attribute to each host if it's not in the csv
defaults:
ansible_connection: network_cli
# in case the CSV columns don't match what we need
column_replace:
os: ansible_network_os
"""
def get_creds(token_path, cred_path):
creds = None
if os.path.exists(token_path):
with open(token_path, "rb") as token:
creds = pickle.load(token)
# If there are no (valid) credentials available, let the user log in.
if not creds or not creds.valid:
if creds and creds.expired and creds.refresh_token:
creds.refresh(Request())
else:
flow = InstalledAppFlow.from_client_secrets_file(cred_path, SCOPES)
creds = flow.run_local_server(port=0)
# Save the credentials for the next run
with open(token_path, "wb") as token:
pickle.dump(creds, token)
return creds
def main():
import argparse
parser = argparse.ArgumentParser(
description="Ansible Google sheet inventory"
)
parser.add_argument("--token", type=str, help="Full path for token file")
parser.add_argument(
"--credentials", type=str, help="Full path to credentials.json"
)
args = parser.parse_args()
creds = get_creds(args.token, args.credentials)
if creds:
print("{} created successfully".format(args.token))
class InventoryModule(BaseInventoryPlugin, Constructable):
NAME = "nmake.inventory.gsheet"
def verify_file(self, path):
""" return true/false if this is possibly a valid file for this plugin to consume """
valid = False
if super(InventoryModule, self).verify_file(path):
if path.endswith(
("nmake_inventory_gsheet.yaml", "nmake_inventory_gsheet.yml")
):
valid = True
return valid
def parse(self, inventory, loader, path, cache=True):
super(InventoryModule, self).parse(inventory, loader, path, cache)
config = self._read_config_data(path)
cred_path = self.get_option("credentials")
sheet_id = self.get_option("sheet_id")
token = self.get_option("token")
creds = get_creds(token, cred_path)
service = build("sheets", "v4", credentials=creds)
sheet = service.spreadsheets()
sheet_metadata = (
service.spreadsheets().get(spreadsheetId=sheet_id).execute()
)
properties = sheet_metadata.get("sheets")
rows = properties[0]["properties"]["gridProperties"]["rowCount"]
columns = properties[0]["properties"]["gridProperties"]["columnCount"]
range_name = "R1C1:R{}C{}".format(rows, columns)
result = (
sheet.values()
.get(spreadsheetId=sheet_id, range=range_name)
.execute()
)
values = result.get("values", [])
dicts = [dict(zip(values[0], row)) for row in values[1:]]
self.add_to_inventory(dicts, config)
def add_to_inventory(self, list_of_dicts, config):
strict = self.get_option("strict")
for entry in list_of_dicts:
hostvars = {}
groups = []
if detect_range(entry["host"]):
hosts = expand_hostname_range(entry["host"])
else:
hosts = [entry["host"]]
for host in hosts:
self.inventory.add_host(host)
for k, v in entry.items():
if k not in ["host", "tags"]:
if v.startswith("vars:"):
varval = v.split("vars:")[1]
v = config["vars"].get(varval)
if k in config.get("column_replace", {}):
add_key = config["column_replace"][k]
else:
add_key = k
hostvars[add_key] = v
if k == "groups":
groups = v.split(" ")
for k, v in config.get("defaults", {}).items():
if k not in hostvars:
hostvars[k] = v
for k, v in hostvars.items():
self.inventory.set_variable(host, k, v)
self._set_composite_vars(
self.get_option("compose"), hostvars, host, strict=strict
)
self._add_host_to_composed_groups(
self.get_option("groups"), hostvars, host, strict=strict
)
self._add_host_to_keyed_groups(
self.get_option("keyed_groups"),
hostvars,
host,
strict=strict,
)
for group in groups:
self.inventory.add_group(group=group)
self.inventory.add_host(group=group, host=host)
if __name__ == "__main__":
main()
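Review bot: the token handling in `get_creds` is the strongest reason to delete this file rather than move it: the OAuth credentials are round-tripped through `pickle.load` / `pickle.dump` on a user-supplied path, so any process that can write `token.pickle` gets code execution in the controller's Python the next time the inventory is parsed, and the file is created with the process umask rather than owner-only permissions. Two smaller points in the same hunk: `DOCUMENTATION` names the plugin `name.inventory.gsheet` while `NAME` is `nmake.inventory.gsheet`, and the `plugin` option description still says it is the 'csv' plugin. If a Sheets inventory comes back, persist the grant with google-auth's `Credentials.to_json()` / `Credentials.from_authorized_user_file()` in a mode 0600 file instead of pickle.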

@@ -1,53 +1,6 @@
---
# This file is mainly used by product-demos CI,
# See cloin/ee-builds/product-demos-ee/requirements.yml
# for configuring collections and collection versions.
collections:
- name: ansible.controller
version: ">=4.5.5"
- name: infra.ah_configuration
version: ">=2.0.6"
- name: infra.controller_configuration
version: ">=2.7.1"
- name: redhat_cop.controller_configuration
version: ">=2.3.1"
# linux
- name: ansible.posix
version: ">=1.5.4"
- name: community.general
version: ">=8.0.0"
- name: containers.podman
version: ">=1.12.1"
- name: redhat.insights
version: ">=1.2.2"
- name: redhat.rhel_system_roles
version: ">=1.23.0"
# windows
- name: ansible.windows
version: ">=2.3.0"
- name: chocolatey.chocolatey
version: ">=1.5.1"
- name: community.windows
version: ">=2.2.0"
# cloud
- name: amazon.aws
version: ">=7.5.0"
# satellite
- name: redhat.satellite
version: ">=4.0.0"
# network
- name: ansible.netcommon
version: ">=6.0.0"
- name: cisco.ios
version: ">=7.0.0"
- name: cisco.iosxr
version: ">=8.0.0"
- name: cisco.nxos
version: ">=7.0.0"
# openshift
- name: kubernetes.core
version: ">=4.0.0"
- name: redhat.openshift
version: ">=3.0.1"
- name: redhat.openshift_virtualization
version: ">=1.4.0"
# required collections are installed in the Product Demos EE.
# additional collections needed during testing can be added here.
collections: []
...
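Review bot: the removed header comment pointed at `cloin/ee-builds/product-demos-ee/requirements.yml` as the place where collection versions are configured, and the replacement only says the collections are installed in the Product Demos EE; keep the pointer, because the version floors that were visible here (for example `ansible.controller >=4.5.5` and `community.general >=8.0.0`) are now enforced only by whatever the EE image was built from, and a reader of this repo should be able to find that source. Also note that with `collections: []` a local `ansible-galaxy collection install -r requirements.yml` installs nothing, so running the demos outside the EE no longer gets any collections from this file.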

common/README.md Normal file
@@ -0,0 +1,3 @@
# Common Prerequisites
Demos from some categories (cloud, linux, windows, etc.) have become dependent on controller resources defined in other demo categories. The setup.yml file in this directory is used to configure these common prerequisites so that they are available before setup for a demo category is called.
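Review bot: the README says what `setup.yml` provides but not how it is invoked or what it expects the user to supply first; add a line naming the entry point that runs it, stating that it must complete before any category's own setup, and listing any values a user has to fill in beforehand, so someone running a single category by hand knows both the dependency and the order.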

common/setup.yml Normal file
@@ -0,0 +1,329 @@
---
controller_execution_environments:
- name: Cloud Services Execution Environment
image: quay.io/scottharwell/cloud-ee:latest
controller_organizations:
- name: Default
default_environment: Product Demos EE
controller_projects:
- name: Ansible Cloud Content Lab - AWS
organization: Default
scm_type: git
wait: true
scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
default_environment: Cloud Services Execution Environment
- name: Ansible Cloud AWS Demos
organization: Default
scm_type: git
wait: true
scm_url: https://github.com/ansible-cloud/aws_demos.git
default_environment: Cloud Services Execution Environment
controller_credentials:
- name: AWS
credential_type: Amazon Web Services
organization: Default
update_secrets: false
state: exists
inputs:
username: REPLACEME
password: REPLACEME
controller_inventory_sources:
- name: AWS Inventory
organization: Default
source: ec2
inventory: Demo Inventory
credential: AWS
overwrite: true
source_vars:
hostnames:
- tag:Name
compose:
ansible_host: public_ip_address
ansible_user: 'ec2-user'
groups:
cloud_aws: true
os_linux: tags.blueprint.startswith('rhel')
os_windows: tags.blueprint.startswith('win')
keyed_groups:
- key: platform
prefix: os
- key: tags.blueprint
prefix: blueprint
- key: tags.owner
prefix: owner
- key: tags.purpose
prefix: purpose
- key: tags.deployment
prefix: deployment
- key: tags.Compliance
separator: ''
controller_groups:
- name: cloud_aws
inventory: Demo Inventory
variables:
ansible_user: ec2-user
- name: os_windows
inventory: Demo Inventory
variables:
ansible_connection: winrm
ansible_winrm_transport: credssp
ansible_winrm_server_cert_validation: ignore
ansible_port: 5986
controller_templates:
- name: SUBMIT FEEDBACK
job_type: run
inventory: Demo Inventory
project: Ansible Product Demos
playbook: feedback.yml
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name/Email/Contact
type: text
variable: email
required: true
- question_name: Issue or Feedback
type: textarea
variable: feedback
required: true
- name: Cloud / AWS / Create VPC
job_type: run
organization: Default
credentials:
- AWS
project: Ansible Product Demos
playbook: cloud/create_vpc.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Owner
type: text
variable: aws_owner_tag
required: true
- name: Cloud / AWS / Create Keypair
job_type: run
organization: Default
credentials:
- AWS
project: Ansible Product Demos
playbook: cloud/aws_key.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Keypair Name
type: text
variable: aws_key_name
required: true
default: aws-test-key
- question_name: Keypair Public Key
type: textarea
variable: aws_public_key
required: true
- question_name: Owner
type: text
variable: aws_keypair_owner
required: true
- name: Cloud / AWS / Create VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/create_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
allow_simultaneous: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Name
type: text
variable: create_vm_vm_name
required: true
- question_name: Owner
type: text
variable: create_vm_vm_owner
required: true
- question_name: Deployment
type: text
variable: create_vm_vm_deployment
required: true
- question_name: Purpose
type: text
variable: create_vm_vm_purpose
required: true
default: demo
- question_name: Environment
type: multiplechoice
variable: create_vm_vm_environment
required: true
choices:
- Dev
- QA
- Prod
- question_name: Blueprint
type: multiplechoice
variable: vm_blueprint
required: true
choices:
- windows_core
- windows_full
- rhel9
- rhel8
- rhel7
- al2023
- question_name: Subnet
type: text
variable: create_vm_aws_vpc_subnet_name
required: true
default: aws-test-subnet
- question_name: Security Group
type: text
variable: create_vm_aws_securitygroup_name
required: true
default: aws-test-sg
- question_name: SSH Keypair
type: text
variable: create_vm_aws_keypair_name
required: true
default: aws-test-key
- question_name: AWS Instance Type (defaults to blueprint value)
type: text
variable: create_vm_aws_instance_size
required: false
- question_name: AWS Image Filter (defaults to blueprint value)
type: text
variable: create_vm_aws_image_filter
required: false
- name: Cloud / AWS / Delete VM
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbooks/delete_inventory_vm.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name or Pattern
type: text
variable: _hosts
required: true
- name: Cloud / AWS / Resize EC2
job_type: run
organization: Default
credentials:
- AWS
- Controller Credential
project: Ansible Product Demos
playbook: cloud/resize_ec2.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: aws_region
required: true
default: us-east-1
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Specify target hosts
type: text
variable: _hosts
required: true
- question_name: Specify target instance type
type: text
variable: instance_type
default: t3a.medium
required: true
controller_notifications:
- name: Telemetry
organization: Default
notification_type: webhook
notification_configuration:
url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec
http_method: POST
headers: {}
controller_settings:
- name: SESSION_COOKIE_AGE
value: 180000
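Review bot: `SESSION_COOKIE_AGE: 180000` keeps a controller web session valid for 50 hours (the controller default is 1800 seconds) on a demo instance that is normally internet-reachable; either document why the long session is needed or tighten it. In the same file every template sends started/success/error notifications to the `Telemetry` webhook, an unauthenticated Google Apps Script URL with empty headers, and the default webhook body carries the job's extra_vars and limit, so survey answers such as `aws_owner_tag` and host patterns leave the environment on every run; the README should say what is sent and how to detach the notification. `Cloud / AWS / Delete VM` also takes `_hosts` as free text with no default, so a `*` deletes every VM in Demo Inventory; a narrower default is cheap insurance.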


@@ -1,7 +0,0 @@
host,os,site,groups
nxos101,nxos,my_lab,red blue
nxos102,nxos,my_lab,blue yellow
nxos103,nxos,my_lab,red blue
nxos104,nxos,my_lab,blue yellow
eos10[1:4],eos,my_lab,orange red
vyos10[1:4],vyos,my_lab,orange red
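Review bot: removing this CSV drops the nxos101-104, eos and vyos hosts together with the `red`/`blue`/`yellow`/`orange` groups; check that no playbook, survey choice or template limit still targets those groups, because the replacement `network/hosts` added in this change only defines `ios`, `iosxr`, `nxos`, `routers` and `webservers`.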

execution_environments/.gitattributes vendored Normal file

@@ -0,0 +1 @@
openshift-clients-4.16.0-202408021139.p0.ge8fb3c0.assembly.stream.el9.x86_64.rpm filter=lfs diff=lfs merge=lfs -text
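Review bot: the LFS rule pins the build to one exact OpenShift client build, and the same filename is repeated verbatim in both EE definitions, so a version bump needs three coordinated edits; keep the filename in one place (a build arg, or a glob in the `additional_build_files` entry) and record the upstream SHA-256 next to the download instructions so the LFS object can be checked against Red Hat's published checksum when it is refreshed.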


@@ -0,0 +1,17 @@
# Execution Environment Images for Ansible Product Demos
When the Ansible Product Demos setup job template is run, it creates a number of execution environment definitions on the automation controller. The content of this directory is used to create and update the default execution environment images defined during the setup process.
Currently these execution environment images are created manually using the `build.sh` script, with a future goal of building in a CI pipeline when any EE definitions or requirements are updated.
## Building the execution environment images
1. `podman login registry.redhat.io` in order to pull the base EE images
2. `export ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN="<token>"` obtained from [Automation Hub](https://console.redhat.com/ansible/automation-hub/token)
3. `export ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN="<token>"` (same as above)
4. `./build.sh` to build the EE images and add them to your local podman image cache
The `build.sh` script creates multiple EE images, each based on the ee-minimal image that comes with a different minor version of AAP. These images are created in the "quay.io/ansible-product-demos" namespace. Currently the script builds the following images:
* quay.io/ansible-product-demos/apd-ee-24
* quay.io/ansible-product-demos/apd-ee-25
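Review bot: steps 2 and 3 should say that the exported tokens are forwarded to podman as build args by `build.sh`; any RUN layer that references those ARGs keeps the value in its history, so use a short-lived offline token, unset the variables after the build and treat the local image cache as sensitive. The README should also state that the OpenShift client RPM referenced by the EE definitions is a Git LFS object, so `git lfs pull` has to happen before step 4, otherwise the build copies a three-line pointer file where it expects a package.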


@@ -0,0 +1,15 @@
[defaults]
[galaxy]
server_list = certified, validated, community_galaxy
[galaxy_server.certified]
url=https://cloud.redhat.com/api/automation-hub/content/published/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
[galaxy_server.validated]
url=https://cloud.redhat.com/api/automation-hub/content/validated/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
[galaxy_server.community_galaxy]
url=https://galaxy.ansible.com/
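Review bot: with `server_list = certified, validated, community_galaxy`, a collection that is not found on the two Automation Hub endpoints silently resolves from galaxy.ansible.com, so a mistyped namespace in `requirements*.yml` would pull an unrelated community package into an EE that is meant to contain certified content; leave `community_galaxy` out of the default list and set `source:` on the individual collections that genuinely need it. The empty `[defaults]` section is dead and can go, and `cloud.redhat.com` is the legacy hostname for Automation Hub (`console.redhat.com` now), which is worth fixing while the file is new.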


@@ -0,0 +1,32 @@
---
version: 3
images:
base_image:
name: registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel9:latest
dependencies:
galaxy: requirements.yml
additional_build_files:
# https://access.redhat.com/solutions/7024259
# download from access.redhat.com -> Downloads -> OpenShift Container Platform -> Packages
- src: openshift-clients-4.16.0-202408021139.p0.ge8fb3c0.assembly.stream.el9.x86_64.rpm
dest: rpms
- src: ansible.cfg
dest: configs
options:
package_manager_path: /usr/bin/microdnf
additional_build_steps:
prepend_base:
- RUN $PYCMD -m pip install --upgrade pip setuptools
- COPY _build/rpms/openshift-clients*.rpm /tmp/openshift-clients.rpm
- RUN $PKGMGR -y update && $PKGMGR -y install bash-completion && $PKGMGR clean all
- RUN rpm -ivh /tmp/openshift-clients.rpm && rm /tmp/openshift-clients.rpm
prepend_galaxy:
- ADD _build/configs/ansible.cfg /etc/ansible/ansible.cfg
- ARG ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN
- ARG ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN
...
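Review bot: `rpm -ivh /tmp/openshift-clients.rpm` in `prepend_base` installs the vendored package without requiring a valid signature; import the Red Hat release key into the image and run `rpm -K /tmp/openshift-clients.rpm` before the install so a tampered LFS object fails the build instead of becoming part of the EE. The base image is pulled as `:latest` and `$PKGMGR -y update` refreshes every package at build time, so two builds from the same commit can differ; pin the base by digest if the published `apd-ee-24` tags are meant to be reproducible.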


@@ -0,0 +1,40 @@
---
version: 3
images:
base_image:
name: registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel9:latest
dependencies:
galaxy: requirements-25.yml
system:
- python3.11-devel [platform:rpm]
python:
- pywinrm>=0.4.3
python_interpreter:
python_path: /usr/bin/python3.11
additional_build_files:
# https://access.redhat.com/solutions/7024259
# download from access.redhat.com -> Downloads -> OpenShift Container Platform -> Packages
- src: openshift-clients-4.16.0-202408021139.p0.ge8fb3c0.assembly.stream.el9.x86_64.rpm
dest: rpms
- src: ansible.cfg
dest: configs
options:
package_manager_path: /usr/bin/microdnf
additional_build_steps:
prepend_base:
# AgnosticD can use this to deterine it is running from an EE
# see https://github.com/redhat-cop/agnosticd/blob/development/ansible/install_galaxy_roles.yml
- ENV LAUNCHED_BY_RUNNER=1
- RUN $PYCMD -m pip install --upgrade pip setuptools
- COPY _build/rpms/openshift-clients*.rpm /tmp/openshift-clients.rpm
- RUN $PKGMGR -y update && $PKGMGR -y install bash-completion && $PKGMGR clean all
- RUN rpm -ivh /tmp/openshift-clients.rpm && rm /tmp/openshift-clients.rpm
prepend_galaxy:
- ADD _build/configs/ansible.cfg /etc/ansible/ansible.cfg
- ARG ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN
- ARG ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN
...
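Review bot: apart from the base image, the requirements file and the Python 3.11 additions this file repeats the 24 definition line for line, so the RPM, `ansible.cfg` and the prepend steps now have to be kept in sync in two places; consider generating both files from one template. Fix the comment typo `deterine` on the `LAUNCHED_BY_RUNNER` line, and note in that comment that `ENV LAUNCHED_BY_RUNNER=1` is baked into the image, so the AgnosticD check it links to will see it whether or not ansible-runner actually launched the process.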

execution_environments/build.sh Executable file

@@ -0,0 +1,29 @@
#!/bin/bash
# array of images to build
ee_images=(
"apd-ee-24"
"apd-ee-25"
)
for ee in "${ee_images[@]}"
do
echo "Building EE image ${ee}"
# build EE image
ansible-builder build \
--file ${ee}.yml \
--context ./ee_contexts/${ee} \
--build-arg ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN \
--build-arg ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN \
-v 3 \
-t quay.io/ansible-product-demos/${ee}:$(date +%Y%m%d)
if [[ $? == 0 ]]
then
# tag EE image as latest
podman tag \
quay.io/ansible-product-demos/${ee}:$(date +%Y%m%d) \
quay.io/ansible-product-demos/${ee}:latest
fi
done
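Review bot: `$(date +%Y%m%d)` is evaluated twice, once for the build tag and once for the `podman tag` source, so a build that runs across midnight tags an image that does not exist; compute it once into a variable. Add `set -euo pipefail`, quote `${ee}` and the tag arguments, and make the loop exit non-zero when any build fails: at the moment a failed `ansible-builder build` only skips the `podman tag` and the script still returns 0, which the CI pipeline the README plans for would read as success.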


@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f637eb0440f14f1458800c7a9012adcb9b58eb2131c02f64dfa4ca515e182093
size 54960859
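Review bot: the pointer records the object's SHA-256 (`f637eb04...`) and size, but nothing compares it with the checksum Red Hat publishes for this RPM; add the expected upstream checksum to the README download step so a refreshed object can be verified, and mention that a clone without `git lfs` leaves exactly this three-line pointer where the EE definition expects a 55 MB package.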


@@ -0,0 +1,77 @@
---
collections:
# AAP config as code
- name: ansible.controller
version: ">=4.6.0"
# TODO this fails trying to install a different version of
# the python-systemd package
# - name: ansible.eda # fails trying to install systemd-python package
# version: ">=2.1.0"
- name: ansible.hub
version: ">=1.0.0"
- name: ansible.platform
version: ">=2.5.0"
- name: infra.ah_configuration
version: ">=2.0.6"
- name: infra.controller_configuration
version: ">=2.11.0"
# linux demos
- name: ansible.posix
version: ">=1.5.4"
- name: community.general
version: ">=8.0.0"
- name: containers.podman
version: ">=1.12.1"
- name: redhat.insights
version: ">=1.2.2"
- name: redhat.rhel_system_roles
version: ">=1.23.0"
# windows demos
- name: microsoft.ad
version: "1.9"
- name: ansible.windows
version: ">=2.3.0"
- name: chocolatey.chocolatey
version: ">=1.5.1"
- name: community.windows
version: ">=2.2.0"
# cloud demos
- name: amazon.aws
version: ">=7.5.0"
# satellite demos
- name: redhat.satellite
version: ">=4.0.0"
# network demos
- name: ansible.netcommon
version: ">=6.0.0"
- name: cisco.ios
version: ">=7.0.0"
- name: cisco.iosxr
version: ">=8.0.0"
- name: cisco.nxos
version: ">=7.0.0"
- name: network.backup
version: ">=3.0.0"
# TODO on 2.5 ee-minimal-rhel9 this tries to build and install
# a different version of python netifaces, which fails
# - name: infoblox.nios_modules
# version: ">=1.6.1"
# openshift demos
- name: kubernetes.core
version: ">=4.0.0"
- name: redhat.openshift
version: ">=3.0.1"
- name: redhat.openshift_virtualization
version: ">=1.4.0"
# for RHDP
- name: ansible.utils
version: ">=5.1.0"
- name: kubevirt.core
version: ">=2.1.0"
- name: community.okd
version: ">=4.0.0"
- name: https://github.com/rhpds/assisted_installer.git
type: git
version: "v0.0.1"
...
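Review bot: `https://github.com/rhpds/assisted_installer.git` is pinned to the tag `v0.0.1`, which can be moved or re-pushed; pin git-sourced collections to a commit SHA. Every other entry except `microsoft.ad: "1.9"` is an open `>=` floor, so each rebuild pulls whatever is newest on the hub at that moment and the image is not reproducible from the commit; keep the floors for development but generate an `==`-pinned file for the published `apd-ee-25` tags. The two commented-out collections carry TODOs with no issue reference; open one or drop them.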


@@ -0,0 +1,54 @@
---
collections:
- name: ansible.controller
version: "<4.6.0"
- name: infra.ah_configuration
version: ">=2.0.6"
- name: infra.controller_configuration
version: ">=2.9.0"
- name: redhat_cop.controller_configuration
version: ">=2.3.1"
# linux
- name: ansible.posix
version: ">=1.5.4"
- name: community.general
version: ">=8.0.0"
- name: containers.podman
version: ">=1.12.1"
- name: redhat.insights
version: ">=1.2.2"
- name: redhat.rhel_system_roles
version: ">=1.23.0"
# windows
- name: microsoft.ad
version: "1.9"
- name: ansible.windows
version: ">=2.3.0"
- name: chocolatey.chocolatey
version: ">=1.5.1"
- name: community.windows
version: ">=2.2.0"
# cloud
- name: amazon.aws
version: ">=7.5.0"
# satellite
- name: redhat.satellite
version: ">=4.0.0"
# network
- name: ansible.netcommon
version: ">=6.0.0"
- name: cisco.ios
version: ">=7.0.0"
- name: cisco.iosxr
version: ">=8.0.0"
- name: cisco.nxos
version: ">=7.0.0"
- name: infoblox.nios_modules
version: ">=1.6.1"
# openshift
- name: kubernetes.core
version: ">=4.0.0"
- name: redhat.openshift
version: ">=3.0.1"
- name: redhat.openshift_virtualization
version: ">=1.4.0"
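=1.4.0"">
Review bot: `redhat_cop.controller_configuration` is the old namespace of `infra.controller_configuration`, and both are installed here; keep one, since the same roles under two FQCNs invites the wrong one being referenced. `ansible.controller: "<4.6.0"` has a ceiling but no floor, so it accepts any old release the hub still serves; give it a minimum the way the 2.5 file does with `>=4.6.0`.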


@@ -60,7 +60,7 @@ Edit the `Linux / System Roles` job to include the list of roles that you wish t
**Linux / Temporary Sudo** - Use this job to show how to grant sudo access with automated cleanup to a server. The user must exist on the system. Using the student user is a good example (ie. student1)
**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `node1`. This may be overridden with `extra_vars` on the Job Template.
**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `reports`. This may be overridden with `extra_vars` on the Job Template.
**Linux / Run Shell Script** - Use this job to demonstrate running shell commands or an existing shell script across a group of systems as root. This can be preferred over using Ad-Hoc commands due to the ability to control usage with RBAC. This is helpful in showing the scalable of execution of an existing shell script. It is always recommended to convert shell scripts to playbooks over time. Example usage would be getting the public key used in the environment with the command `cat .ssh/authorized_keys`.
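Review bot: since the Patching line is rewritten anyway, fix `The report is places on the system` to `placed` and the run-on `uploaded to a wiki, email, other system` (`a wiki, sent by email or pushed to another system`); the Run Shell Script paragraph below has `the scalable of execution of an existing shell script`, which should read `the scalability of executing an existing shell script`.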


@@ -12,5 +12,4 @@
- name: Run Compliance Profile
ansible.builtin.include_role:
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"
...
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"


@@ -9,9 +9,17 @@
- openscap-utils
- scap-security-guide
compliance_profile: ospp
# install httpd and use it to host compliance report
use_httpd: true
tasks:
- name: Assert memory meets minimum requirements
ansible.builtin.assert:
that:
- ansible_memfree_mb >= 1000
- ansible_memtotal_mb >= 2000
fail_msg: "OpenSCAP is a memory intensive operation, the specified enepoint does not meet minimum requirements. See https://access.redhat.com/articles/6999111 for details."
- name: Get our facts straight
ansible.builtin.set_fact:
_profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
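Review bot: fix `enepoint` in the `fail_msg`. The assert on `ansible_memfree_mb >= 1000` is a point-in-time free-memory figure, so a 2 GB host with page cache in use fails the check even though it can run oscap; `ansible_memtotal_mb` alone (or `ansible_memory_mb.nocache.free`) is the stabler test, and the message should print the observed values so the user sees by how much the host falls short.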
@@ -80,11 +88,28 @@
group: root
mode: 0644
- name: Debug output for report
ansible.builtin.debug:
msg: "http://{{ ansible_host }}/oscap-reports/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html"
when: use_httpd | bool
- name: Tag instance as {{ compliance_profile | upper }}_OUT_OF_COMPLIANCE # noqa name[template]
delegate_to: localhost
amazon.aws.ec2_tag:
region: "{{ placement.region }}"
resource: "{{ instance_id }}"
state: present
tags:
Compliance: "{{ compliance_profile | upper }}_OUT_OF_COMPLIANCE"
when:
- _oscap.rc == 2
- instance_id is defined
become: false
handlers:
- name: Restart httpd
ansible.builtin.service:
name: httpd
state: restarted
enabled: true
...
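Review bot: the `Compliance` tag is only ever set (`state: present` when `_oscap.rc == 2`) and never cleared, so a host that later passes stays in the `*_OUT_OF_COMPLIANCE` group until someone removes the tag by hand and the enforce job keeps targeting it; add a matching task with `state: absent` when `_oscap.rc == 0`. `placement.region` is used without a guard while the `when` only checks `instance_id is defined`; add `placement.region is defined` (or take the region from the AWS credential) so non-EC2 hosts skip cleanly. The debug URL is plain `http://` to an unauthenticated report directory, which is fine for a demo but worth stating in the README, since the report lists every failed hardening rule on the host.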


@@ -3,7 +3,7 @@
hosts: "{{ _hosts | default(omit) }}"
become: true
vars:
report_server: node1
report_server: reports
tasks:
# Install yum-utils if it's not there
@@ -11,6 +11,7 @@
ansible.builtin.yum:
name: yum-utils
state: installed
check_mode: false
- name: Include patching role
ansible.builtin.include_role:
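Review bot: `check_mode: false` means `LINUX / Patching`, which is defined with `job_type: check`, really installs yum-utils during what the README calls an audit run; that is probably intended because the role needs it to list updates, but say so in the comment above the task, otherwise a reader of the job output sees a changed task in a check-mode job and assumes a bug.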
@@ -45,6 +46,16 @@
name: firewalld
state: started
- name: Enable firewall http service
ansible.posix.firewalld:
service: '{{ item }}'
state: enabled
immediate: true
permanent: true
loop:
- http
- https
- name: Build report server
ansible.builtin.include_role:
name: "{{ item }}"


@@ -0,0 +1,13 @@
---
- name: Apply compliance profile as part of workflow.
hosts: "{{ compliance_profile | default('stig') | upper }}_OUT_OF_COMPLIANCE"
become: true
tasks:
- name: Check os type
ansible.builtin.assert:
that: "ansible_os_family == 'RedHat'"
- name: Run Compliance Profile
ansible.builtin.include_role:
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
...
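Review bot: `hosts:` falls back to `stig` through `default('stig')`, but the role name on the last line uses `compliance_profile` with no default, so a launch without the variable targets `STIG_OUT_OF_COMPLIANCE` and then fails on an undefined variable; define the default once under `vars:` and use it in both places. The `ansible_os_family == 'RedHat'` assert is good, but the role name also needs the `pci_dss` to `pci-dss` rewrite that the report playbook performs, otherwise that profile resolves to a role that does not exist.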


@@ -36,7 +36,7 @@ controller_inventory_sources:
- name: Insights Inventory
inventory: Demo Inventory
source: scm
source_project: Ansible official demo project
source_project: Ansible Product Demos
source_path: linux/inventory.insights.yml
credential: Insights Inventory
@@ -44,7 +44,7 @@ controller_templates:
- name: "LINUX / Register with Insights"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/ec2_register.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -83,7 +83,7 @@ controller_templates:
- name: "LINUX / Troubleshoot"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/tshoot.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -104,7 +104,7 @@ controller_templates:
- name: "LINUX / Temporary Sudo"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/temp_sudo.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -133,7 +133,7 @@ controller_templates:
- name: "LINUX / Patching"
job_type: check
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/patching.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
@@ -156,7 +156,7 @@ controller_templates:
- name: "LINUX / Start Service"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/service_start.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -181,7 +181,7 @@ controller_templates:
- name: "LINUX / Stop Service"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/service_stop.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -206,7 +206,7 @@ controller_templates:
- name: "LINUX / Run Shell Script"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/run_script.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -228,7 +228,7 @@ controller_templates:
required: true
- name: "LINUX / Fact Scan"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: linux/fact_scan.yml
inventory: Demo Inventory
execution_environment: Default execution environment
@@ -251,7 +251,7 @@ controller_templates:
- name: "LINUX / Podman Webserver"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/podman.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -276,7 +276,7 @@ controller_templates:
- name: "LINUX / System Roles"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/system_roles.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -303,7 +303,7 @@ controller_templates:
- name: "LINUX / Install Web Console (cockpit)"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/system_roles.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -334,11 +334,33 @@ controller_templates:
- full
required: true
- name: "LINUX / Compliance Enforce"
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "linux/remediate_out_of_compliance.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
extra_vars:
sudo_remove_nopasswd: false
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- name: "LINUX / DISA STIG"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "linux/compliance.yml"
project: "Ansible Product Demos"
playbook: "linux/disa_stig.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
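Review bot: `LINUX / Compliance Enforce` asks for `Server Name or Pattern` in `_hosts`, but `linux/remediate_out_of_compliance.yml` selects hosts from the `<PROFILE>_OUT_OF_COMPLIANCE` group and never reads `_hosts`, so the survey answer is silently ignored; either drop the question or intersect the pattern with the group in the playbook (`"{{ group }}:&{{ _hosts }}"`). There is also no survey question for `compliance_profile`, so when the template is launched on its own rather than from the workflow it always remediates the STIG group; add the profile choices the workflow survey has.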
@@ -359,13 +381,14 @@ controller_templates:
- name: "LINUX / Multi-profile Compliance"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "linux/compliance-enforce.yml"
project: "Ansible Product Demos"
playbook: "linux/multi_profile_compliance.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
- "AWS"
extra_vars:
# used by CIS profile role
sudo_require_authentication: false
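Review bot: the `AWS` credential is added to `LINUX / Multi-profile Compliance`, but the only AWS call in this change is the `amazon.aws.ec2_tag` task in the report playbook; unless `linux/multi_profile_compliance.yml` also talks to AWS, attach the credential to the report template only, so the enforce job does not hold cloud credentials it never uses.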
@@ -377,6 +400,9 @@ controller_templates:
# used by the CJIS profile role
service_firewalld_enabled: false
firewalld_sshd_port_enabled: false
# used by the PCI-DSS profile role
firewalld_loopback_traffic_restricted: false
firewalld_loopback_traffic_trusted: false
survey_enabled: true
survey:
name: ''
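Review bot: the two `firewalld_loopback_traffic_*` variables set to `false` switch off PCI-DSS controls so the demo host stays reachable, in the same way as the CIS and CJIS overrides above them; say in the comment that these deliberately weaken the profile for the demo, so the template is not copied into a real enforcement job unchanged.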
@@ -396,19 +422,20 @@ controller_templates:
- cui
- hipaa
- ospp
- pci_dss
- pci-dss
- stig
- name: "LINUX / Multi-profile Compliance Report"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "linux/compliance-report.yml"
project: "Ansible Product Demos"
playbook: "linux/multi_profile_compliance_report.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
- "AWS"
survey_enabled: true
survey:
name: ''
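Review bot: the survey choice changes from `pci_dss` to `pci-dss` here, but the new `Linux / Compliance Workflow` survey further down still offers `pci_dss`, and the report playbook rewrites that back to `pci-dss` while the enforce playbook does not; choose one spelling for `compliance_profile` across all surveys and keep the single `replace` in one place.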
@@ -442,7 +469,7 @@ controller_templates:
- name: "LINUX / Insights Compliance Scan"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/insights_compliance_scan.yml"
credentials:
- "Demo Credential"
@@ -467,7 +494,7 @@ controller_templates:
- name: "LINUX / Deploy Application"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "linux/deploy_application.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -489,4 +516,52 @@ controller_templates:
variable: application
required: true
controller_workflows:
- name: "Linux / Compliance Workflow"
description: A workflow to generate a SCAP report and run enforce on findings
organization: Default
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
default: aws_rhel*
variable: _hosts
required: true
- question_name: Compliance Profile
type: multiplechoice
variable: compliance_profile
required: true
choices:
- cis
- cjis
- cui
- hipaa
- ospp
- pci_dss
- stig
- question_name: Use httpd on the target host(s) to access reports locally?
type: multiplechoice
variable: use_httpd
required: true
choices:
- "true"
- "false"
default: "true"
simplified_workflow_nodes:
- identifier: Compliance Report
unified_job_template: "LINUX / Multi-profile Compliance Report"
success_nodes:
- Update Inventory
- identifier: Update Inventory
unified_job_template: AWS Inventory
success_nodes:
- Compliance Enforce
- identifier: Compliance Enforce
unified_job_template: "LINUX / Compliance Enforce"
...
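Review bot: `_hosts`, `compliance_profile` and `use_httpd` are collected on the workflow survey, but a job template only receives workflow extra_vars for variables that appear in its own survey or when it prompts for variables on launch; `LINUX / Compliance Enforce` has a survey for `_hosts` only, so confirm that `compliance_profile` actually reaches it, otherwise the hosts pattern falls back to `stig` and the role name is undefined. The `Update Inventory` node exists to turn the `Compliance` tag into a group before enforcement runs; a one-line `description` on that node would save the next reader from working that out. Offering `use_httpd` as the strings `"true"`/`"false"` is safe because the playbook filters it with `| bool`.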


@@ -4,15 +4,16 @@
gather_facts: false
vars:
launch_jobs:
name: "SETUP"
name: "Product Demos | Single demo setup"
wait: true
tasks:
- name: Build controller launch jobs
ansible.builtin.set_fact:
controller_launch_jobs: "{{ (controller_launch_jobs | d([]))
+ [launch_jobs | combine( {'extra_vars': { 'demo': item }})] }}"
controller_launch_jobs: "{{ (controller_launch_jobs | d([])) + [launch_jobs | combine({'extra_vars': {'demo': item}})] }}"
loop: "{{ demos }}"
- name: Default Components
ansible.builtin.include_role:
name: "infra.controller_configuration.job_launch"
vars:
controller_dependency_check: false # noqa: var-naming[no-role-prefix]


@@ -12,18 +12,23 @@
This category of demos shows examples of network operations and management with Ansible Automation Platform. The list of demos can be found below. See the [Suggested Usage](#suggested-usage) section of this document for recommendations on how to best use these demos.
- [**NETWORK / Configuration**](https://github.com/nleiva/ansible-net-modules/blob/main/main.yml) - Deploy golden configurations for different resources to Cisco IOS, IOSXR, and NXOS.
To run the demos, deploy them using Infrastructure as Code, run either the "Product Demos | Multi-demo setup" or the "Product Demos | Single demo setup" and select 'Network' in the "Product Demos" deployment, or utilize the steps in the repo level README.
### Project
These demos leverage playbooks from a [git repo](https://github.com/nleiva/ansible-net-modules) that is added as the **`Network Golden Configs`** Project in your Ansible Controller. Review this repo for the playbooks to configure different resources and network config templates that will be configured.
### Inventory
These demos leverage "always-on" instances for Cisco IOS, IOSXR, and NXOS from [Cisco DevNet Sandboxes](https://developer.cisco.com/docs/sandbox/#!getting-started/always-on-sandboxes). These instances are shared and do not provide admin access but they are instantly avaible all the time meaning not setup time is required.
These demos leverage "always-on" instances for Cisco IOS, IOSXR, and NXOS from [Cisco DevNet Sandboxes](https://developer.cisco.com/docs/sandbox/#!getting-started/always-on-sandboxes). These instances are shared and do not provide admin access but they are instantly avaible all the time meaning no setup time is required.
A **`Network Inventory`** is created when setting up these demos and a dynamic source is added to populate the Always-On instances. Review the inventory file [here](https://github.com/nleiva/ansible-net-modules/blob/main/hosts).
A **`Demo Inventory`** is created when setting up these demos and a dynamic source is added to populate the Always-On instances. Review the inventory file [here](https://github.com/nleiva/ansible-net-modules/blob/main/hosts). Demo Inventory is the default inventory for **`Product Demos`**.
## Suggested Usage
**NETWORK / Report** - Use this job to gather facts from Cisco Network devices and create a report with information about the device such as code version, along with configuration information about layers 1, 2, and 3. This shows how Ansible can be used to gather facts and build reports. Generating html pages is just one potential output. This information can be used in a number of ways, such as integration with different network management tools.
- to run this you will first need to run the **`Deploy Cloud Stack in AWS`** job template to deploy the report server. If using a demo.redhat.com Product Demos instance you should use the public key provided in the demo page in the Bastion Host Credentials section. If you are using a different environment, you may need to update the "Demo Credential".
**NETWORK / Configuration** - Use this job to execute different [Ansible Network Resource Modules](https://docs.ansible.com/ansible/latest/network/user_guide/network_resource_modules.html) to deploy golden configs. Below is a list of the different resources the can be configured with a link to their golden config.
- [acls](https://github.com/nleiva/ansible-net-modules/blob/main/acls.cfg)
- [banner](https://github.com/nleiva/ansible-net-modules/blob/main/banner.cfg)
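Review bot: the rewritten inventory line still carries `avaible` (`available`); fix it while the line is being touched. The added sentence `Demo Inventory is the default inventory for Product Demos` belongs at the top of the Inventory section rather than after the link to the hosts file, and in the Configuration paragraph `the different resources the can be configured` should read `that can be configured`.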
@@ -36,3 +41,49 @@ A **`Network Inventory`** is created when setting up these demos and a dynamic s
- [prefix_lists](https://github.com/nleiva/ansible-net-modules/blob/main/prefix_lists.cfg)
- [snmp](https://github.com/nleiva/ansible-net-modules/blob/main/snmp.cfg)
- [user](https://github.com/nleiva/ansible-net-modules/blob/main/user.cfg)
**NETWORK / DISA STIG** - Use this job to run the DISA STIG role (in check mode) and show how Ansible can be used for configuration compliance of network devices. Click into tasks to see what is changed for each compliance rule, i.e.:
{
"changed": true,
"warnings": [
"To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device"
],
"commands": [
"ip http max-connections 2"
],
"updates": [
"ip http max-connections 2"
],
"banners": {},
"invocation": {
"module_args": {
"defaults": true,
"lines": [
"ip http max-connections 2"
],
"match": "line",
"replace": "line",
"multiline_delimiter": "@",
"backup": false,
"save_when": "never",
"src": null,
"parents": null,
"before": null,
"after": null,
"running_config": null,
"intended_config": null,
"backup_options": null,
"diff_against": null,
"diff_ignore_lines": null
}
},
"_ansible_no_log": false
}
**NETWORK / BACKUP** - Use this job to show how Ansible can be used to backup network devices using Red Hat validated content. Job Template will create a backup file on the reports server where they can be viewed as a webpage. This is just an example - backups can also be sent to other repositories such as a Git repo (Github, Gitlab, etc).
To run this demo, you will need to complete a couple of prerequisites:
- to run this you will first need to run the **`Deploy Cloud Stack in AWS`** job template to deploy the report server.
- If using a demo.redhat.com Product Demos instance you should use the public key provided in the demo page in the 'Bastion Host Credentials' section. If you are using a different environment, you may need to update the "Demo Credential".
- This works with Product Demos for AAP v2.5; which includes the "Product Demos EE" includes the \
network.backup collection.
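Review bot: the BACKUP section should state that the backups are published on an unauthenticated http page on the report server, because a running-config carries SNMP communities, user password hashes and pre-shared keys; for the DevNet sandboxes that is harmless, but the README is where to warn readers not to point this job at real devices. The last bullet is broken: `This works with Product Demos for AAP v2.5; which includes the "Product Demos EE" includes the \` ends in a stray backslash and a line break mid-sentence; reword to one line such as `Requires the AAP 2.5 Product Demos EE, which includes the network.backup collection`. The DISA STIG section says the role runs in check mode, so the `"changed": true` example is a predicted change, not an applied one, which deserves one clause of explanation.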

network/backup.yml Normal file

@@ -0,0 +1,63 @@
---
- name: Create network reports server
hosts: reports
become: true
tasks:
- name: Build report server
ansible.builtin.include_role:
name: "{{ item }}"
loop:
- demo.patching.report_server
- name: Create a backup directory if it does not exist
run_once: true
ansible.builtin.file:
path: "/var/www/html/backups"
state: directory
owner: ec2-user
group: ec2-user
mode: '0755'
- name: Play to Backup Cisco Always-On Network Devices
hosts: routers
gather_facts: false
vars:
report_server: reports
backup_dir: "/tmp/network_backups"
tasks:
- name: Network Backup and Resource Manager
ansible.builtin.include_role:
name: network.backup.run
vars: # noqa var-naming[no-role-prefix]
operation: backup
type: full
data_store:
local: "{{ backup_dir }}"
# This task removes the Current configuration... from the top of IOS routers show run
- name: Remove non config lines - regexp
delegate_to: localhost
ansible.builtin.lineinfile:
path: "{{ backup_dir }}/{{ inventory_hostname }}.txt"
line: "Building configuration..."
state: absent
- name: Copy backup file
delegate_to: "{{ report_server }}"
ansible.builtin.copy:
src: "{{ backup_dir }}/{{ inventory_hostname }}.txt"
dest: "/var/www/html/backups/{{ inventory_hostname }}.cfg"
backup: true
owner: ec2-user
group: ec2-user
mode: '0644'
- name: Review backup on report server
delegate_to: "{{ report_server }}"
run_once: true
ansible.builtin.debug:
msg: "To review backed up configurations, go to http://{{ ansible_host }}/backups/"
...
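Review bot: backups are written to `/tmp/network_backups` on the execution node and left there after the copy, and `copy` with `backup: true` keeps every previous version under `/var/www/html/backups` with `0644` permissions behind an unauthenticated web server; add a cleanup task (`ansible.builtin.file` with `state: absent`) for the temp dir and either drop `backup: true` or keep the archive outside the web root. The `lineinfile` task is delegated to `localhost` only because `network.backup.run` wrote the file there while the next task is delegated to `{{ report_server }}`; a comment on the first task would stop the two delegation targets being confused. `owner: ec2-user` hardcodes the AMI login user in both plays; take it from a variable alongside `report_server`.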

network/hosts Normal file

@@ -0,0 +1,42 @@
[ios]
sandbox-iosxe-latest-1.cisco.com
[ios:vars]
ansible_network_os=cisco.ios.ios
ansible_password=C1sco12345
ansible_ssh_password=C1sco12345
ansible_port=22
ansible_user=admin
[iosxr]
sandbox-iosxr-1.cisco.com
[iosxr:vars]
ansible_network_os=cisco.iosxr.iosxr
ansible_password=C1sco12345
ansible_ssh_pass=C1sco12345
ansible_port=22
ansible_user=admin
[nxos]
sbx-nxos-mgmt.cisco.com
sandbox-nxos-1.cisco.com
[nxos:vars]
ansible_network_os=cisco.nxos.nxos
ansible_password=Admin_1234!
ansible_ssh_pass=Admin_1234!
ansible_port=22
ansible_user=admin
[routers]
sbx-nxos-mgmt.cisco.com
sandbox-nxos-1.cisco.com
sandbox-iosxr-1.cisco.com
sandbox-iosxe-latest-1.cisco.com
[routers:vars]
ansible_connection=ansible.netcommon.network_cli
[webservers]
reports ansible_host=ec2-18-118-189-162.us-east-2.compute.amazonaws.com ansible_user=ec2-user
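Review bot: the group vars commit device passwords in clear text to the repository (C1sco12345, Admin_1234!); these are Cisco's published always-on sandbox credentials, but inventory host vars take precedence over the machine credential attached to a job template, so the `Demo Credential` on the NETWORK templates is bypassed for these hosts and any private device added to this file later would follow the same pattern. Keep the credentials in the controller and leave only `ansible_network_os` and `ansible_port` here. Also: `[ios:vars]` uses `ansible_ssh_password` while the other groups use `ansible_ssh_pass`, and `ansible_password` is already set in each group, so the duplicate keys can go. `[routers]` repeats every host by hand; `[routers:children]` with `ios`, `iosxr` and `nxos` keeps one list. The `reports` entry pins an ephemeral EC2 public DNS name that will not survive a re-provision.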

View File

@@ -20,22 +20,19 @@
gather_network_resources: all
when: ansible_network_os == 'cisco.nxos.nxos'
# TODO figure out why this keeps failing
- name: Gather all network resource and minimal legacy facts [Cisco IOS XR]
ignore_errors: true # noqa: ignore-errors
cisco.iosxr.iosxr_facts:
gather_subset: min
gather_network_resources: all
when: ansible_network_os == 'cisco.iosxr.iosxr'
# # The dig lookup requires the python 'dnspython' library
# - name: Resolve IP address
# ansible.builtin.set_fact:
# ansible_host: "{{ lookup('community.general.dig', inventory_hostname)}}"
- name: Create network reports
hosts: "{{ report_server }}"
become: true
vars:
report_server: node1
report_server: reports
web_path: /var/www/html/reports/
tasks:
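Review bot: `ignore_errors: true` on the IOS XR facts task hides the failure the TODO is about, and every later task that reads `ansible_net_*` or `ansible_network_resources` for that host then sees undefined or stale fact-cached data and fails further from the cause. Prefer a `failed_when` that tolerates only the known error, or a `block`/`rescue` that records the host as unreported, so the report is visibly incomplete rather than silently wrong. The commented-out dig lookup can be deleted instead of carried along.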

View File

@@ -11,35 +11,32 @@ controller_projects:
scm_type: git
scm_url: https://github.com/nleiva/ansible-net-modules
update_project: true
wait: true
wait: false
controller_request_timeout: 20
controller_configuration_async_retries: 40
default_environment: Networking Execution Environment
controller_inventories:
- name: Network Inventory
- name: Demo Inventory
organization: Default
controller_inventory_sources:
- name: DevNet always-on sandboxes
source: scm
inventory: Network Inventory
inventory: Demo Inventory
overwrite: true
source_project: Network Golden Configs
source_path: hosts
controller_hosts:
- name: node1
inventory: Network Inventory
variables:
ansible_user: rhel
ansible_host: node1
source_project: Ansible Product Demos
source_path: network/hosts
controller_templates:
- name: NETWORK / Configuration
organization: Default
inventory: Network Inventory
inventory: Demo Inventory
survey_enabled: true
project: Network Golden Configs
playbook: main.yml
credentials:
- "Demo Credential"
execution_environment: Networking Execution Environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
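Review bot: `Network Golden Configs` tracks the default branch of the third-party repository https://github.com/nleiva/ansible-net-modules with `update_project: true` and no `scm_branch` or `scm_refspec`, so whatever is pushed there next runs as the `NETWORK / Configuration` job with the `Demo Credential`; pin a tag or commit (or fork it under the project's own organization). Moving the DevNet inventory source to `network/hosts` in this project is fine, but note it makes the plaintext passwords in that file the inventory of record for these templates.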
@@ -70,8 +67,8 @@ controller_templates:
- name: "NETWORK / Report"
job_type: check
organization: Default
inventory: Network Inventory
project: "Ansible official demo project"
inventory: Demo Inventory
project: "Ansible Product Demos"
playbook: "network/report.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -99,12 +96,26 @@ controller_templates:
- name: "NETWORK / DISA STIG"
job_type: check
organization: Default
inventory: Network Inventory
project: "Ansible official demo project"
inventory: Demo Inventory
project: "Ansible Product Demos"
playbook: "network/compliance.yml"
credentials:
- "Demo Credential"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
use_fact_cache: true
ask_job_type_on_launch: true
survey_enabled: true
- name: "NETWORK / Backup"
job_type: run
organization: Default
inventory: Demo Inventory
project: "Ansible Product Demos"
playbook: "network/backup.yml"
credentials:
- "Demo Credential"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry

View File

@@ -1,12 +0,0 @@
---
plugin: nmake.inventory.csv
source: devices.csv
keyed_groups:
- key: site
prefix: site
- key: ansible_network_os
prefix: group
column_replace:
os: ansible_network_os

View File

@@ -5,16 +5,45 @@
- [Table of Contents](#table-of-contents)
- [About These Demos](#about-these-demos)
- [Jobs](#jobs)
- [Pre Setup](#pre-setup)
- [Suggested Usage](#suggested-usage)
## About These Demos
This category of demos shows examples of openshift operations and management with Ansible Automation Platform. The list of demos can be found below. See the [Suggested Usage](#suggested-usage) section of this document for recommendations on how to best use these demos.
This category of demos shows examples of OpenShift operations and management with Ansible Automation Platform. The list of demos can be found below. See the [Suggested Usage](#suggested-usage) section of this document for recommendations on how to best use these demos.
### Jobs
- [**OpenShift / Dev Spaces**](devspaces.yml) - Install and deploy dev spaces on OCP cluster. After this job has run successfully, login to your OCP cluster, click the application icon (to the left of the bell icon in the top right) to access Dev Spaces
- [**OpenShift / GitLab**](gitlab.yml) - Install and deploy GitLab on OCP.
- [**OpenShift / EDA / Install Controller**](eda/install.yml) - Install and deploy EDA Controller instance using the AAP OpenShift operator.
- [**OpenShift / CNV / Install Operator**](cnv/install.yml) - Install the Container Native Virtualization (CNV) operator and all its required dependencies.
- **OpenShift / CNV / Infra Stack** - Workflow Job Template to build out infrastructure necessary to run jobs against VMs in OpenShift Virtualization.
- [**OpenShift / CNV / Create RHEL VM**](cnv/install.yml) - Install the Container Native Virtualization (CNV) operator and all its required dependencies.
- **OpenShift / CNV / Patch CNV Workflow** - Workflow Job Template to snapshot and patch VMs deployed in OpenShift Virtualization.
- [**OpenShift / CNV / Create VM Snapshots**](cnv/snapshot.yml) - Create snapshot of VMs running in CNV.
- [**OpenShift / CNV / Patch**](cnv/patch.yml) - Patch VMs in OpenShift CNV, when run in `run` mode build out container native patching report and display link to the user.
- [**OpenShift / CNV / Restore Latest VM Snapshots**](cnv/snapshot.yml) - Restore VM in CNV to last snapshot.
- [**OpenShift / CNV / Delete VM**](cnv/install.yml) - Deletes VMs in OpenShift CNV.
## Pre Setup
This demo requires an OpenShift cluster to deploy to. If you do not have a cluster to use, one can be requested from [demo.redhat.com](https://demo.redhat.com).
- Search for the [Red Hat OpenShift Container Platform 4.12 Workshop](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.ocp412-wksp.prod&utm_source=webapp&utm_medium=share-link) item in the catalog and request with the number of users you would like for Dev Spaces.
- Login using the admin credentials provided. Click the `admin` username at the top right and select `Copy login command`.
- Authenticate and click `Display Token`. This information will be used to populate the OpenShift Credential after you run the setup.
These demos require an OpenShift cluster to deploy to. Luckily the default Ansible Product Demos item from [demo.redhat.com](https://demo.redhat.com) includes an OpenShift cluster. Most of the jobs require an `OpenShift or Kubernetes API Bearer Token` credential in order to interact with OpenShift. When ordered from RHDP this credential is configured for the user.
## Suggested Usage
**OpenShift / EDA / Install Controller** - This job uses the `admin` Controller user's password to configure the EDA controller login of the same name. This job displays the created route after finished and takes roughly 2.5 minutes to run.
**OpenShift / CNV / Deploy Automation Hub and sync EEs and Collections** - A custom credential type is created for the use in this WJT, `Usable Hub Credential` and it must be filled out in order to pull content from console.redhat.com. This workflow takes roughly 30 minutes to run. This workflow includes the following Job Templates:
- **OpenShift / Hub / Install Automation Hub** - This job does not require a hub credential
- **OpenShift / Hub / Sync EE Registries** - The registries can be configured via `extra_vars` and conforms roughly to those described in [infra.ah_configuration.ah_ee_registry](https://console.redhat.com/ansible/automation-hub/repo/validated/infra/ah_configuration/content/module/ah_ee_registry/).
- **OpenShift / Hub / Sync Collection Repositories** - The collections can be configured via `extra_vars` and conforms roughly to those described in [infra.ah_configuration.collection_repository_sync](https://console.redhat.com/ansible/automation-hub/repo/validated/infra/ah_configuration/content/role/collection_repository_sync/).
**OpenShift / CNV / Install Operator** - This job takes no parameters, to ensure the CNV operator is fully operational it provisions a VM in CNV which is cleaned up upon success.
**OpenShift / CNV / Infra Stack** - This workflow takes three parameters, SSH public key, RHEL activation key, and org ID. The SSH public key is placed as an SSH authorized key, thus in order to then authenticate to these VMs the `Machine Credential` `Demo Credential` must be configured with the private key pair associated with the SSH public key. The RHEL activation key and ID are to receive updates from the DNF repositories for the final patching job. This workflow includes the following Job Templates:
- **OpenShift / CNV / Create RHEL VM** - creates a VM using OpenShift Virtualization
**OpenShift / CNV / Patch CNV Workflow** - This workflow takes an ansible host string as a parameter, by default the hosts generated by APD in CNV are of the format `<namespace>-<vm name>`, for example `openshift-cnv-rhel9`. This workflow includes the following Job Templates:
- **OpenShift / CNV / Create VM Snapshots** - Creates snapshots of VMs relevant to the workflow
- **OpenShift / CNV / Patch** - Patches relevant VMs and generate patching report
- **OpenShift / CNV / Restore Latest VM Snapshots** - restores VMs to their latest snapshot, for the workflow this is invoked upon failure of the patching job. The same host string is used by this job template as the others in the workflow.
**OpenShift / CNV / Delete VM** - Delete VMs based on host string pattern, similar to the other CNV jobs.
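Review bot: two links in the Jobs list point at the wrong playbook: **OpenShift / CNV / Create RHEL VM** links `cnv/install.yml` and repeats the Install Operator description, while the template runs `openshift/cnv/provision_rhel.yml`; **OpenShift / CNV / Delete VM** also links `cnv/install.yml` although the template runs `openshift/cnv/delete.yml`. In Suggested Usage, 'The RHEL activation key and ID' should read 'org ID', and the Patch CNV Workflow entry omits the Project Sync and Inventory Sync nodes that the workflow definition places between the snapshot and the patch.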

View File

@@ -1,7 +1,12 @@
---
- name: De-Provision OCP-CNV VM
- name: De-Provision OCP-CNV VMs
hosts: localhost
tasks:
- name: Show VM(s) we are about to make {{ instance_state }}
ansible.builtin.debug:
msg: "Setting the following hosts to {{ instance_state }}
{{ lookup('ansible.builtin.inventory_hostnames', vm_host_string) | split(',') | difference(['localhost']) }}"
- name: Define resources
kubernetes.core.k8s:
wait: true
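Review bot: the debug task prints the raw inventory names (still carrying the `<namespace>-` prefix that the loop strips later) and nothing guards against an empty or over-broad pattern; with `instance_state: absent`, a `vm_host_string` of `all` or `*` resolves to every host in the inventory. Add an `ansible.builtin.assert` that the resolved list is non-empty and that every name starts with `vm_namespace ~ '-'` before the delete runs.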
@@ -10,23 +15,23 @@
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
name: "{{ vm_name }}"
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
labels:
app: "{{ vm_name }}"
app: "{{ item }}"
os.template.kubevirt.io/fedora36: 'true'
vm.kubevirt.io/name: "{{ vm_name }}"
vm.kubevirt.io/name: "{{ item }}"
spec:
dataVolumeTemplates:
- apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
creationTimestamp: null
name: "{{ vm_name }}"
name: "{{ item }}"
spec:
sourceRef:
kind: DataSource
name: "{{ os_version |default('rhel9') }}"
name: "{{ os_version | default('rhel9') }}"
namespace: openshift-virtualization-os-images
storage:
resources:
@@ -41,7 +46,7 @@
vm.kubevirt.io/workload: server
creationTimestamp: null
labels:
kubevirt.io/domain: "{{ vm_name }}"
kubevirt.io/domain: "{{ item }}"
kubevirt.io/size: small
spec:
domain:
@@ -72,5 +77,6 @@
terminationGracePeriodSeconds: 180
volumes:
- dataVolume:
name: "{{ vm_name }}"
name: "{{ item }}"
name: rootdisk
loop: "{{ lookup('ansible.builtin.inventory_hostnames', vm_host_string) | regex_replace(vm_namespace + '-', '') | split(',') | difference(['localhost']) }}"
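Review bot: the loop applies `regex_replace(vm_namespace + '-', '')` to the comma-joined string before splitting, with `vm_namespace` neither anchored nor escaped, so the substring is also removed from the middle of any name that happens to contain it. Split first, then map an anchored, escaped pattern: `split(',') | difference(['localhost']) | map('regex_replace', '^' ~ (vm_namespace | regex_escape) ~ '-', '') | list`. Separately, the `os.template.kubevirt.io/fedora36: 'true'` label is stamped on every VM here even when `os_version` is `rhel9`.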

View File

@@ -94,3 +94,4 @@
name: "{{ vm_name }}"
namespace: "{{ vm_namespace }}"
wait: true
wait_timeout: 240

View File

@@ -0,0 +1,9 @@
---
- name: Manage CNV snapshots
hosts: localhost
tasks:
- name: Include snapshot role
ansible.builtin.include_role:
name: "demo.openshift.snapshot"
vars:
snapshot_hosts: "{{ _hosts }}"

View File

@@ -6,7 +6,7 @@
- name: Wait for
ansible.builtin.wait_for:
port: 22
host: '{{ (ansible_ssh_host|default(ansible_host))|default(inventory_hostname) }}'
host: '{{ (ansible_ssh_host | default(ansible_host)) | default(inventory_hostname) }}'
search_regex: OpenSSH
delay: 10
retries: 10

View File

@@ -0,0 +1,8 @@
---
- name: Deploy EDA Controller attached to the same AAP
hosts: localhost
gather_facts: false
tasks:
- name: Include role
ansible.builtin.include_role:
name: demo.openshift.eda_controller

View File

@@ -101,6 +101,21 @@
retries: 10
delay: 30
- name: Get available charts from gitlab operator repo
register: gitlab_chart_versions
ansible.builtin.uri:
url: https://gitlab.com/gitlab-org/cloud-native/gitlab-operator/-/raw/master/CHART_VERSIONS?ref_type=heads
method: GET
return_content: true
- name: Debug gitlab_chart_versions
ansible.builtin.debug:
var: gitlab_chart_versions.content | from_yaml
- name: Get latest chart from available_chart_versions
ansible.builtin.set_fact:
gitlab_chart_version: "{{ (gitlab_chart_versions.content | split())[0] }}"
- name: Grab url for Gitlab spec
ansible.builtin.set_fact:
cluster_domain: "apps{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST') | regex_search('\\.[^:]*') }}"
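Review bot: this replaces the pinned `gitlab_chart_version` (8.5.1 in the vars file) with whatever is first in CHART_VERSIONS on the operator's master branch at run time, with no `status_code` check or timeout on the `uri` call and an assumption that the file lists the newest release first, so every deployment becomes unpinned and unreproducible. Keep the pinned default, fetch the list only behind an opt-in (for example `when: gitlab_use_latest_chart | default(false)`), and assert that the chosen version is a member of the fetched list before using it. The debug `var: gitlab_chart_versions.content | from_yaml` parses a line-per-version text file as YAML, which folds it into a single string; `msg: "{{ gitlab_chart_versions.content | split() }}"` shows the actual list.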
@@ -133,3 +148,20 @@
route.openshift.io/termination: "edge"
certmanager-issuer:
email: "{{ cert_email | default('nobody@nowhere.nosite') }}"
- name: Print out warning and initial details about deployment
vars:
msg: |
If not immediately successful be aware that the Gitlab instance can take
a couple minutes to come up, so be patient.
URL for Gitlab instance:
https://gitlab.{{ cluster_domain }}
The initial login user is 'root', and the password can be found by logging
into the OpenShift cluster portal, and on the left hand side of the administrator
portal, under workloads, select Secrets and look for 'gitlab-gitlab-initial-root-password'
ansible.builtin.debug:
msg: "{{ msg.split('\n') }}"
...

View File

@@ -1,2 +1,2 @@
---
gitlab_chart_version: "8.0.1"
gitlab_chart_version: "8.5.1"

View File

@@ -5,19 +5,19 @@ connections:
- namespaces:
- openshift-cnv
compose:
ansible_user: "'cloud-user' if 'rhel' in annotations['vm.kubevirt.io/os']"
annotations: "annotations | ansible.utils.replace_keys(target=[
ansible_user: "'cloud-user' if 'rhel' in vmi_annotations['vm.kubevirt.io/os']"
vmi_annotations: "vmi_annotations | ansible.utils.replace_keys(target=[
{'before':'vm.kubevirt.io/os', 'after':'os'},
{'before':'vm.kubevirt.io/flavor', 'after':'flavor'},
{'before':'vm.kubevirt.io/workload', 'after':'workload'},
{'before':'kubevirt.io/vm-generation', 'after':'vm-generation'},
{'before':'kubevirt.io/latest-observed-api-version', 'after':'latest-observed-api-version'},
{'before':'kubevirt.io/storage-observed-api-version', 'after':'storage-observed-api-version' }] )"
labels: "labels | ansible.utils.replace_keys(target=[
labels: "vmi_labels | ansible.utils.replace_keys(target=[
{'before':'kubevirt.io/nodeName', 'after':'nodeName'},
{'before':'kubevirt.io/size', 'after':'size'},
{'before':'kubevirt.io/domain', 'after':'domain' }] )"
keyed_groups:
- key: annotations.os
- key: vmi_annotations.os
prefix: "cnv"
separator: "_"
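Review bot: the `ansible_user` compose is an inline `if` with no `else`, so for any VM whose `vm.kubevirt.io/os` annotation does not contain `rhel` the expression yields an undefined result that the default non-strict compose silently drops (or renders empty), leaving those hosts without a usable `ansible_user`. Add an explicit `else` branch, or set the user in group_vars keyed on the `cnv_<os>` groups that `keyed_groups` already produces.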

View File

@@ -7,29 +7,6 @@ controller_components:
- job_templates
- workflow_job_templates
controller_credential_types:
# Ideally, we would not need to use this and could just re-use the OCP credential for the inventory plugin
- name: OCPV inventory credential
kind: cloud
inputs:
fields:
- id: host
type: string
label: OpenShift or Kubernetes API Endpoint
secret: false
- id: bearer_token
type: string
label: API authentication bearer token
secret: true
- id: verify_ssl
type: boolean
label: Verify SSL
injectors:
env:
K8S_AUTH_HOST: "{% raw %}{ { host }}{% endraw %}"
K8S_AUTH_API_KEY: "{% raw %}{ { bearer_token }}{% endraw %}"
K8S_AUTH_VERIFY_SSL: "{% raw %}{ { verify_ssl }}{% endraw %}"
controller_credentials:
- name: OpenShift Credential
organization: Default
@@ -40,29 +17,34 @@ controller_credentials:
bearer_token: CHANGEME
verify_ssl: false
- name: OCP-V Inventory Credential
organization: Default
credential_type: OCPV inventory credential
state: exists
inputs:
host: CHANGEME
bearer_token: CHANGEME
verify_ssl: false
controller_inventory_sources:
- name: OpenShift CNV Inventory
inventory: Demo Inventory
source: scm
source_project: Ansible official demo project
source_project: Ansible Product Demos
source_path: openshift/inventory.kubevirt.yml
credential: OCP-V Inventory Credential
update_on_launch: true
credential: OpenShift Credential
update_on_launch: false
overwrite: true
controller_templates:
- name: OpenShift / CNV / Install
- name: OpenShift / EDA / Install Controller
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "openshift/eda/install.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
credentials:
- "OpenShift Credential"
- "Controller Credential"
- name: OpenShift / CNV / Install Operator
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "openshift/cnv/install.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
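Review bot: `verify_ssl: false` on `OpenShift Credential` disables TLS verification for every job template and the CNV inventory source that now share it, so the bearer token is presented to whatever answers at `host`; set it to `true` wherever the API certificate is trusted, and note that `state: exists` will not correct the value on an existing credential. Switching the inventory source to `update_on_launch: false` is fine for the Patch workflow, which has its own Inventory Sync node, but `Create VM Snapshots`, `Restore Latest VM Snapshots` and `Delete VM` now resolve their host patterns against the last synced inventory when launched on their own.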
@@ -74,7 +56,7 @@ controller_templates:
- name: OpenShift / CNV / Create RHEL VM
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "openshift/cnv/provision_rhel.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -115,24 +97,25 @@ controller_templates:
credentials:
- "OpenShift Credential"
- name: OpenShift / CNV / Delete VM
- name: OpenShift / CNV / Create VM Snapshots
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "openshift/cnv/provision.yml"
project: "Ansible Product Demos"
playbook: "openshift/cnv/snapshot.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
extra_vars:
state: absent
snapshot_operation: create
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: VM name
- question_name: Server Name or Pattern
type: text
variable: vm_name
variable: _hosts
default: "openshift-cnv-rhel*"
required: true
- question_name: VM NameSpace
type: text
@@ -142,10 +125,66 @@ controller_templates:
credentials:
- "OpenShift Credential"
- name: OpenShift / CNV / Patching
- name: OpenShift / CNV / Restore Latest VM Snapshots
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "openshift/cnv/snapshot.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
snapshot_operation: restore
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
default: "openshift-cnv-rhel*"
required: true
- question_name: VM NameSpace
type: text
variable: vm_namespace
default: openshift-cnv
required: true
credentials:
- "OpenShift Credential"
- name: OpenShift / CNV / Delete VM
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "openshift/cnv/delete.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
extra_vars:
instance_state: absent
survey:
name: ''
description: ''
spec:
- question_name: VM host string
type: text
variable: vm_host_string
required: true
- question_name: VM NameSpace
type: text
variable: vm_namespace
default: openshift-cnv
required: true
credentials:
- "OpenShift Credential"
- name: OpenShift / CNV / Patch
job_type: check
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "openshift/cnv/patch.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
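Review bot: `OpenShift / CNV / Restore Latest VM Snapshots` ships with the wildcard default `openshift-cnv-rhel*` for `_hosts`, so launching it without editing the survey rolls every matching VM back to its last snapshot; a destructive template should require the pattern (as `Delete VM` does with `vm_host_string`) or default to a single host. `OpenShift / CNV / Patch` defaulting to `job_type: check` and being promoted to `run` only by the workflow node is a good pattern and worth a line in the README.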
@@ -167,7 +206,7 @@ controller_templates:
- name: OpenShift / CNV / Wait Hosts
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "openshift/cnv/wait.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -186,7 +225,7 @@ controller_templates:
- name: OpenShift / Dev Spaces
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "openshift/devspaces.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -197,7 +236,7 @@ controller_templates:
- name: OpenShift / GitLab
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "openshift/gitlab.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -229,6 +268,10 @@ controller_workflows:
type: text
variable: rh_subscription_org
required: true
- question_name: Email
type: text
variable: email
required: true
simplified_workflow_nodes:
- identifier: Deploy RHEL8 VM
unified_job_template: OpenShift / CNV / Create RHEL VM
@@ -254,3 +297,48 @@ controller_workflows:
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:
feedback: Failed to create CNV instance
- name: OpenShift / CNV / Patch CNV Workflow
description: A workflow to patch CNV instances with snapshot and restore on failure.
organization: Default
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Specify target hosts
type: text
variable: _hosts
required: true
default: "openshift-cnv-rhel*"
simplified_workflow_nodes:
- identifier: Project Sync
unified_job_template: Ansible Product Demos
success_nodes:
- Patch Instance
# We need to do an invnetory sync *after* creating snapshots, as turning VMs on/off changes their IP
- identifier: Inventory Sync
unified_job_template: OpenShift CNV Inventory
success_nodes:
- Patch Instance
- identifier: Take Snapshot
unified_job_template: OpenShift / CNV / Create VM Snapshots
success_nodes:
- Project Sync
- Inventory Sync
- identifier: Patch Instance
unified_job_template: OpenShift / CNV / Patch
job_type: run
failure_nodes:
- Restore from Snapshot
- identifier: Restore from Snapshot
unified_job_template: OpenShift / CNV / Restore Latest VM Snapshots
failure_nodes:
- Ticket - Restore Failed
- identifier: Ticket - Restore Failed
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:
feedback: OpenShift / CNV / Patch CNV Workflow | Failed to restore CNV VM from snapshot
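Review bot: `Patch Instance` has two parents (Project Sync and Inventory Sync) and no `all_parents_must_converge: true`, so with the default 'any' convergence it starts as soon as the first parent finishes, possibly before the inventory sync the comment says it depends on has completed; set `all_parents_must_converge: true` on that node. `Restore from Snapshot` has only a failure path, so a patch failure that is rolled back successfully ends the workflow as successful with no ticket or notification; add a success node (a `SUBMIT FEEDBACK` with the failure details) so the failed patch is still surfaced. Typo in the comment: 'invnetory'.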

View File

@@ -1,46 +1,46 @@
---
roles:
# RHEL 7 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel7_cis
version: 0.1.69
- name: redhatofficial.rhel7_cjis
version: 0.1.69
- name: redhatofficial.rhel7_cui
version: 0.1.67
- name: redhatofficial.rhel7_hipaa
version: 0.1.69
- name: redhatofficial.rhel7_ospp
version: 0.1.69
- name: redhatofficial.rhel7_pci_dss
version: 0.1.69
- name: redhatofficial.rhel7_stig
version: 0.1.69
- name: redhatofficial.rhel7-cis
version: 0.1.72
- name: redhatofficial.rhel7-cjis
version: 0.1.72
- name: redhatofficial.rhel7-cui
version: 0.1.72
- name: redhatofficial.rhel7-hipaa
version: 0.1.72
- name: redhatofficial.rhel7-ospp
version: 0.1.72
- name: redhatofficial.rhel7-pci-dss
version: 0.1.72
- name: redhatofficial.rhel7-stig
version: 0.1.72
# RHEL 8 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel8_cis
version: 0.1.69
- name: redhatofficial.rhel8_cjis
version: 0.1.69
- name: redhatofficial.rhel8_cui
version: 0.1.69
- name: redhatofficial.rhel8_hipaa
version: 0.1.69
- name: redhatofficial.rhel8_ospp
version: 0.1.69
- name: redhatofficial.rhel8_pci_dss
version: 0.1.69
- name: redhatofficial.rhel8_stig
version: 0.1.69
- name: redhatofficial.rhel8-cis
version: 0.1.72
- name: redhatofficial.rhel8-cjis
version: 0.1.72
- name: redhatofficial.rhel8-cui
version: 0.1.72
- name: redhatofficial.rhel8-hipaa
version: 0.1.72
- name: redhatofficial.rhel8-ospp
version: 0.1.72
- name: redhatofficial.rhel8-pci-dss
version: 0.1.72
- name: redhatofficial.rhel8-stig
version: 0.1.72
# RHEL 9 compliance roles from ComplianceAsCode
- name: redhatofficial.rhel9_cis
version: 0.1.68
- name: redhatofficial.rhel9_cui
version: 0.1.64
- name: redhatofficial.rhel9_hipaa
version: 0.1.68
- name: redhatofficial.rhel9_ospp
version: 0.1.68
- name: redhatofficial.rhel9_pci_dss
version: 0.1.68
- name: redhatofficial.rhel9_stig
version: 0.1.64
- name: redhatofficial.rhel9-cis
version: 0.1.72
- name: redhatofficial.rhel9-cui
version: 0.1.72
- name: redhatofficial.rhel9-hipaa
version: 0.1.72
- name: redhatofficial.rhel9-ospp
version: 0.1.72
- name: redhatofficial.rhel9-pci-dss
version: 0.1.72
- name: redhatofficial.rhel9-stig
version: 0.1.72
...
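Review bot: renaming the roles from `redhatofficial.rhel9_stig` style to `redhatofficial.rhel9-stig` changes the directory each role installs under, so any `include_role`/`roles:` reference that still uses the underscore names will fail at run time with a missing role even though installation succeeds; the change should update those references together with this file and say so in the commit. Pinning all roles to one version (0.1.72) across RHEL 7/8/9 is good; a comment naming the ComplianceAsCode release it corresponds to will help the next bump.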

View File

@@ -74,7 +74,7 @@ controller_inventory_sources:
controller_templates:
- name: LINUX / Register with Satellite
project: Ansible official demo project
project: Ansible Product Demos
playbook: satellite/server_register.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
@@ -104,7 +104,7 @@ controller_templates:
required: true
- name: LINUX / Compliance Scan with Satellite
project: Ansible official demo project
project: Ansible Product Demos
playbook: satellite/server_openscap.yml
inventory: Demo Inventory
# execution_environment: Ansible Engine 2.9 execution environment
@@ -127,7 +127,7 @@ controller_templates:
required: false
- name: SATELLITE / Publish Content View Version
project: Ansible official demo project
project: Ansible Product Demos
playbook: satellite/satellite_publish.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
@@ -149,7 +149,7 @@ controller_templates:
required: true
- name: SATELLITE / Promote Content View Version
project: Ansible official demo project
project: Ansible Product Demos
playbook: satellite/satellite_promote.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
@@ -179,7 +179,7 @@ controller_templates:
required: true
- name: SETUP / Satellite
project: Ansible official demo project
project: Ansible Product Demos
playbook: satellite/setup_satellite.yml
inventory: Demo Inventory
notification_templates_started: Telemetry

View File

@@ -1,63 +1,37 @@
---
- name: Setup demo
- name: Setup common prerequisites
hosts: localhost
gather_facts: false
tasks:
- name: Default Components
ansible.builtin.include_role:
name: infra.controller_configuration.dispatch
vars: # noqa var-naming[no-role-prefix]
controller_execution_environments:
- name: product-demos
image: quay.io/acme_corp/product-demos-ee:latest
controller_organizations:
- name: Default
default_environment: product-demos
controller_notifications:
- name: Telemetry
organization: Default
notification_type: webhook
notification_configuration:
url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec
http_method: POST
headers: {}
controller_templates:
- name: "SUBMIT FEEDBACK"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
playbook: "feedback.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Name/Email/Contact
type: text
variable: email
required: true
- question_name: Issue or Feedback
type: textarea
variable: feedback
required: true
controller_settings:
- name: "SESSION_COOKIE_AGE"
value: 180000
# vars_files should be scoped to a play so variables defined in the
# files should not be available in subsequent plays, so certain
# resources won't be retried
vars_files:
- common/setup.yml
tasks:
- name: Create reusable deployment ID
ansible.builtin.set_fact:
_deployment_id: '{{ lookup("ansible.builtin.password", "{{ playbook_dir }}/.deployment_id", chars=["ascii_lowercase", "digits"], length=5) }}'
- name: "Include configuration for {{ demo }}"
- name: Create common demo resources
ansible.builtin.include_role:
name: infra.controller_configuration.dispatch
vars:
controller_dependency_check: false # noqa: var-naming[no-role-prefix]
- name: Setup demo
hosts: localhost
gather_facts: false
tasks:
- name: Include configuration for {{ demo }}
ansible.builtin.include_vars: "{{ demo }}/setup.yml"
- name: Demo Components
ansible.builtin.include_role:
name: "infra.controller_configuration.dispatch"
name: infra.controller_configuration.dispatch
vars:
controller_dependency_check: false # noqa: var-naming[no-role-prefix]
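Review bot: the deployment-ID task nests `{{ playbook_dir }}` inside the outer `{{ lookup(...) }}`, which only works because lookup terms are templated a second time; write `playbook_dir ~ '/.deployment_id'`. More importantly it writes `.deployment_id` into the project checkout, and controller jobs run in a private copy of the project directory that is discarded when the job ends, so the ID is not reusable between runs as the task name says; persist it outside the checkout or derive it deterministically. `controller_dependency_check: false` is set on both dispatch calls without a reason recorded; the `vars_files` comment explains the play split, so add one line for this too.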
- name: Log Demo
ansible.builtin.uri:
@@ -70,3 +44,5 @@
ansible.builtin.debug:
msg: "{{ user_message }}"
when: user_message is defined
...

tests/requirements.yml (new symbolic link)

@@ -0,0 +1 @@
../execution_environments/requirements-25.yml

View File

@@ -4,12 +4,17 @@
- [Windows Demos](#windows-demos)
- [Table of Contents](#table-of-contents)
- [About These Demos](#about-these-demos)
- [Known Issues](#known-issues)
- [Jobs](#jobs)
- [Workflows](#workflows)
- [Suggested Usage](#suggested-usage)
## About These Demos
This category of demos shows examples of Windows Server operations and management with Ansible Automation Platform. The list of demos can be found below. See the [Suggested Usage](#suggested-usage) section of this document for recommendations on how to best use these demos.
### Known Issues
We are currently investigating an intermittent connectivity issue related to the credentials for Windows hosts. If encountered, re-provision your demo environment. You can track the issue and related work [here](https://github.com/ansible/product-demos/issues/176).
### Jobs
- [**WINDOWS / Install IIS**](install_iis.yml) - Install IIS feature with a configurable index.html
@@ -23,8 +28,13 @@ This category of demos shows examples of Windows Server operations and managemen
- [**WINDOWS / Helpdesk new user portal**](helpdesk_new_user_portal.yml) - Create user in AD Domain
- [**WINDOWS / Join Active Directory Domain**](join_ad_domain.yml) - Join computer to AD Domain
### Workflows
- [**Setup Active Directory Domain**](setup_domain_workflow.md) - A workflow to create a domain controller with two domain-joined Windows hosts
## Suggested Usage
**Setup Active Directory Domain** - One-click domain setup, infrastructure included.
**WINDOWS / Create Active Directory Domain** - This job can take some to complete. It is recommended to run ahead of time if you would like to demo creating a helpdesk user.
**WINDOWS / Helpdesk new user portal** - This job is dependant on the Create Active Directory Domain completing before users can be created.
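Review bot: 'This job can take some to complete' is missing 'time', and 'dependant' should be 'dependent'; both lines are unchanged context but this hunk already edits the surrounding section. The new Workflows entry links `setup_domain_workflow.md`; confirm that file is part of this change.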

View File

@@ -1,7 +0,0 @@
---
- name: Rollback playbook
hosts: windows
tasks:
- name: "Rollback this step"
ansible.builtin.debug:
msg: "Rolling back this step"

windows/connect.yml (new file, 15 lines)

@@ -0,0 +1,15 @@
---
- name: Connectivity test
hosts: "{{ _hosts | default('os_windows') }}"
gather_facts: false
tasks:
- name: Wait 600 seconds for target connection to become reachable/usable
ansible.builtin.wait_for_connection:
connect_timeout: "{{ wait_for_timeout_sec | default(5) }}"
delay: "{{ wait_for_delay_sec | default(0) }}"
sleep: "{{ wait_for_sleep_sec | default(1) }}"
timeout: "{{ wait_for_timeout_sec | default(300) }}"
- name: Ping the windows host
ansible.windows.win_ping:
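Review bot: the task name promises 600 seconds but `timeout` defaults to 300, and `connect_timeout` is driven by the same `wait_for_timeout_sec` variable as the overall `timeout`, so an operator who raises the total wait to 600 also makes every single connection attempt block for 600 seconds. Give the per-attempt value its own variable (e.g. `wait_for_connect_timeout_sec | default(5)`) and align the task name with the default.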

View File

@@ -9,21 +9,31 @@
name: Administrator
password: "{{ ansible_password }}"
- name: Update the hostname
ansible.windows.win_hostname:
name: "{{ inventory_hostname.split('.')[0] }}"
register: r_rename_hostname
- name: Reboot to apply new hostname
# noqa no-handler
when: r_rename_hostname is changed
ansible.windows.win_reboot:
reboot_timeout: 3600
- name: Create new domain in a new forest on the target host
ansible.windows.win_domain:
register: r_create_domain
microsoft.ad.domain:
dns_domain_name: ansible.local
safe_mode_password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"
notify:
- Reboot host
- Wait for AD services
- Reboot again
- Wait for AD services again
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Verify domain services running
# noqa no-handler
when: r_create_domain is changed
ansible.builtin.include_tasks:
file: tasks/domain_services_check.yml
- name: Create some groups
community.windows.win_domain_group:
microsoft.ad.group:
name: "{{ item.name }}"
scope: global
loop:
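
Review bot: the `safe_mode_password` handed to `microsoft.ad.domain` is a `community.general.random_string` lookup result that is never registered or recorded, so the DSRM password needed for Directory Services Restore Mode recovery is gone as soon as the task finishes; if that is acceptable for a demo, say so in a comment, otherwise register it with `no_log: true` or source it from a credential. `tasks/domain_services_check.yml` is not part of this view; since it replaces the reboot handlers removed below, confirm it reboots the host, or set `reboot: true` on `microsoft.ad.domain`, so promotion completes before the group and user tasks run.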
@@ -34,7 +44,7 @@
delay: 10
- name: Create some users
community.windows.win_domain_user:
microsoft.ad.user:
name: "{{ item.name }}"
groups: "{{ item.groups }}"
password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"
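
Review bot: `microsoft.ad.user` defaults `update_password` to `always`, and the `random_string` lookup yields a fresh value on every run, so this task resets every demo user's password and reports changed each time the playbook runs; add `update_password: on_create` so the password is set only when the user is created. As with the safe-mode password above, the generated value is not registered anywhere, so nobody can log in as these users afterwards.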
@@ -48,28 +58,3 @@
groups: "GroupC"
retries: 5
delay: 10
handlers:
- name: Reboot host
ansible.windows.win_reboot:
reboot_timeout: 3600
- name: Wait for AD services
community.windows.win_wait_for_process:
process_name_exact: Microsoft.ActiveDirectory.WebServices
pre_wait_delay: 60
state: present
timeout: 600
sleep: 10
- name: Reboot again
ansible.windows.win_reboot:
reboot_timeout: 3600
- name: Wait for AD services again
community.windows.win_wait_for_process:
process_name_exact: Microsoft.ActiveDirectory.WebServices
pre_wait_delay: 60
state: present
timeout: 600
sleep: 10

View File

@@ -1,5 +0,0 @@
---
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore
ansible_port: 5986
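
Review bot: the replacement for these WinRM connection variables is not part of this view; wherever `ansible_winrm_transport: ntlm` and `ansible_port: 5986` now live, avoid carrying over `ansible_winrm_server_cert_validation: ignore`. Disabling certificate validation removes the only check that the host answering on 5986 is the intended one, so prefer validating against a CA the controller trusts and keep the `ignore` setting, if it is needed for the demo, documented as such.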

View File

@@ -4,22 +4,31 @@
gather_facts: false
tasks:
- name: Extract domain controller private ip
ansible.builtin.set_fact:
domain_controller_private_ip: "{{ hostvars[groups['purpose_domain_controller'][0]]['private_ip_address'] }}"
- name: Set a single address on the adapter named Ethernet
ansible.windows.win_dns_client:
adapter_names: 'Ethernet*'
dns_servers: "{{ hostvars[domain_controller]['private_ip_address'] }}"
dns_servers: "{{ domain_controller_private_ip }}"
- name: Ensure Demo OU exists
run_once: true
delegate_to: "{{ domain_controller }}"
community.windows.win_domain_ou:
name: Demo
state: present
- name: Update the hostname
ansible.windows.win_hostname:
name: "{{ inventory_hostname.split('.')[0] }}"
- name: Join ansible.local domain
register: r_domain_membership
ansible.windows.win_domain_membership:
dns_domain_name: ansible.local
hostname: "{{ inventory_hostname }}"
hostname: "{{ inventory_hostname.split('.')[0] }}"
domain_admin_user: "{{ ansible_user }}@ansible.local"
domain_admin_password: "{{ ansible_password }}"
domain_ou_path: "OU=Demo,DC=ansible,DC=local"
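
Review bot: `delegate_to: "{{ domain_controller }}"` still relies on the `domain_controller` variable (the workflow later in this diff passes `dc01`), while the DNS lookup just above was switched to `groups['purpose_domain_controller'][0]`; if inventory hostnames are FQDNs, as the `inventory_hostname.split('.')[0]` expressions in this file imply, `dc01` is not an inventory host and the delegation fails. Use the same group lookup for both. The new OU task also uses `community.windows.win_domain_ou` while the rest of this change migrates to `microsoft.ad.*`; `microsoft.ad.ou` is the replacement.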

View File

@@ -2,9 +2,15 @@
- name: Windows updates
hosts: "{{ _hosts | default('os_windows') }}"
vars:
report_server: win1
report_server: aws_win1
tasks:
- name: Assert that host is in webservers group
ansible.builtin.assert:
that: "'{{ report_server }}' in groups.os_windows"
msg: "Please run the 'Deploy Cloud Stack in AWS' Workflow Job Template first"
- name: Patch windows server
ansible.builtin.include_role:
name: demo.patching.patch_windows
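
Review bot: `that: "'{{ report_server }}' in groups.os_windows"` embeds Jinja delimiters inside a conditional, which Ansible warns about and which only works because the templated string happens to parse as an expression; write it as `that: report_server in groups.os_windows`. The task name also says "webservers group" while the check is against `os_windows`.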

9
windows/rollback.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: Rollback playbook
hosts: "{{ _hosts | default('os_windows') }}"
gather_facts: false
tasks:
- name: Rollback this step
ansible.builtin.debug:
msg: "{{ rollback_msg | default('rolling back this step') }}"

View File

@@ -12,7 +12,7 @@ controller_templates:
- name: "WINDOWS / Install IIS"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/install_iis.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -38,9 +38,8 @@ controller_templates:
job_type: check
ask_job_type_on_launch: true
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/patching.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
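
Review bot: dropping `execution_environment: Default execution environment` makes this template inherit its EE from the project or organization; the other WINDOWS templates in this file set none either, so this is consistent, but confirm the inherited EE ships `pywinrm`, which every job in this file needs for its WinRM connection.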
@@ -81,10 +80,54 @@ controller_templates:
- 'Yes'
- 'No'
- name: "WINDOWS / Rollback"
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "windows/rollback.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: false
- question_name: Rollback Message
type: text
variable: rollback_msg
required: false
- name: "WINDOWS / Test Connectivity"
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "windows/connect.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: false
- name: "WINDOWS / Chocolatey install multiple"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/windows_choco_multiple.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
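
Review bot: both new templates take `_hosts` as free text from the survey and the playbooks feed it straight into `hosts:`, so any pattern the operator types (including `all`) is accepted and runs with "Demo Credential" against whatever it resolves to. If the intent is to scope these jobs to the Windows hosts, make the survey a `multiplechoice` over the expected groups, or leave `hosts:` fixed and expose the answer through `ask_limit_on_launch` so the controller applies it as a limit.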
@@ -104,7 +147,7 @@ controller_templates:
- name: "WINDOWS / Chocolatey install specific"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/windows_choco_specific.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -128,7 +171,7 @@ controller_templates:
- name: "WINDOWS / Run PowerShell"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/powershell.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -153,7 +196,7 @@ controller_templates:
- name: "WINDOWS / Query Services"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/powershell_script.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -181,7 +224,7 @@ controller_templates:
- name: "WINDOWS / Configuring Password Requirements"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/powershell_dsc.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -201,7 +244,7 @@ controller_templates:
- name: "WINDOWS / AD / Create Domain"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/create_ad_domain.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -221,7 +264,7 @@ controller_templates:
- name: "WINDOWS / AD / Join Domain"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/join_ad_domain.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -246,7 +289,7 @@ controller_templates:
- name: "WINDOWS / AD / New User"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/helpdesk_new_user_portal.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -290,7 +333,7 @@ controller_templates:
- name: "WINDOWS / DISA STIG"
job_type: run
inventory: "Demo Inventory"
project: "Ansible official demo project"
project: "Ansible Product Demos"
playbook: "windows/compliance.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -306,3 +349,142 @@ controller_templates:
type: text
variable: HOSTS
required: false
controller_workflows:
- name: Setup Active Directory Domain
description: A workflow to create a domain controller with two domain-joined Windows hosts.
organization: Default
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
create_vm_aws_image_owners:
- amazon
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: create_vm_aws_region
required: true
default: us-east-2
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Keypair Public Key
type: textarea
variable: aws_public_key
required: true
# Create VM variables
- question_name: Owner
type: text
variable: create_vm_vm_owner
required: true
- question_name: Environment
type: multiplechoice
variable: create_vm_vm_environment
required: true
choices:
- Dev
- QA
- Prod
- question_name: Subnet
type: text
variable: create_vm_aws_vpc_subnet_name
required: true
default: aws-test-subnet
- question_name: Security Group
type: text
variable: create_vm_aws_securitygroup_name
required: true
default: aws-test-sg
simplified_workflow_nodes:
- identifier: Create Keypair
unified_job_template: Cloud / AWS / Create Keypair
success_nodes:
- Create VPC
- identifier: Create VPC
unified_job_template: Cloud / AWS / Create VPC
success_nodes:
- Create Domain Controller
- Create Computer (1)
- Create Computer (2)
- identifier: Create Domain Controller
unified_job_template: Cloud / AWS / Create VM
job_type: run
extra_data:
create_vm_vm_name: dc01
create_vm_vm_purpose: domain_controller
create_vm_vm_deployment: domain_ansible_local
vm_blueprint: windows_full
success_nodes:
- Inventory Sync
- identifier: Create Computer (1)
unified_job_template: Cloud / AWS / Create VM
job_type: run
extra_data:
create_vm_vm_name: winston
create_vm_vm_purpose: domain_computer
create_vm_vm_deployment: domain_ansible_local
vm_blueprint: windows_core
success_nodes:
- Inventory Sync
- identifier: Create Computer (2)
unified_job_template: Cloud / AWS / Create VM
job_type: run
extra_data:
create_vm_vm_name: winthrop
create_vm_vm_purpose: domain_computer
create_vm_vm_deployment: domain_ansible_local
vm_blueprint: windows_core
success_nodes:
- Inventory Sync
- identifier: Inventory Sync
unified_job_template: AWS Inventory
all_parents_must_converge: true
success_nodes:
- Test Connectivity
- identifier: Test Connectivity
unified_job_template: WINDOWS / Test Connectivity
job_type: run
extra_data:
_hosts: deployment_domain_ansible_local
failure_nodes:
- Cleanup Resources
success_nodes:
- Create Domain
- identifier: Create Domain
unified_job_template: WINDOWS / AD / Create Domain
job_type: run
extra_data:
_hosts: purpose_domain_controller
failure_nodes:
- Cleanup Resources
success_nodes:
- Join Domain
- identifier: Join Domain
unified_job_template: WINDOWS / AD / Join Domain
job_type: run
extra_data:
_hosts: purpose_domain_computer
domain_controller: dc01
failure_nodes:
- Cleanup Resources
success_nodes:
- PowerShell Validation
- identifier: Cleanup Resources
unified_job_template: WINDOWS / Rollback
job_type: run
extra_data:
_hosts: localhost
rollback_msg: "Domain setup failed. Cleaning up resources..."
- identifier: PowerShell Validation
unified_job_template: WINDOWS / Run PowerShell
job_type: run
extra_data:
_hosts: purpose_domain_controller
ps_script: "Get-ADComputer -Filter * | Select-Object -Property 'Name'"
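
Review bot: the `Cleanup Resources` node runs `WINDOWS / Rollback` on `localhost`, and that playbook (added earlier in this diff) only prints `rollback_msg`, so a failure in Test Connectivity, Create Domain or Join Domain leaves the keypair, VPC and three EC2 instances in place while the job output says "Cleaning up resources..."; either wire the node to a job that actually removes them or rename the node and message so operators do not assume teardown happened. Also `Join Domain` passes `domain_controller: dc01` while `Create Domain` and `PowerShell Validation` target the `purpose_domain_controller` group; using that group inside join_ad_domain.yml would remove the dependence on this extra variable.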
