attempt galaxy workaround

Wheee!

.ansible-lint

@@ -1,10 +1,16 @@
 ---
 profile: production
-offline: false
+offline: true
 
 skip_list:
   - "galaxy[no-changelog]"
 
+warn_list:
+  # seems to be a bug, see https://github.com/ansible/ansible-lint/issues/4172
+  - "fqcn[canonical]"
+  # @matferna: really not sure why lint thinks it can't find jmespath, it is installed and functional
+  - "jinja[invalid]"
+
 exclude_paths:
   # would be better to move the roles here to the top-level roles directory
   - collections/ansible_collections/demo/compliance/roles/

.github/workflows/README.md

@@ -0,0 +1,25 @@
+# GitHub Actions
+## Background
+We want to make attempts to run our integration tests in the same manner wether using GitHub actions or on a developers's machine locally. For this reason, the tests are curated to run using conatiner images. As of this writing, two images exist which we would like to test against:
+  - quay.io/ansible-product-demos/apd-ee-24:latest
+  - quay.io/ansible-product-demos/apd-ee-25:latest
+
+These images are built given the structure defined in their respective EE [definitions][../execution_environments]. Because they differ (mainly due to their python versions), each gets some special handling.
+
+## Troubleshooting GitHub Actions
+
+### Interactive
+It is likely the most straight-forward approach to interactively debug issues. The following podman command can be run from the project root directory to replicate the GitHub action:
+```
+podman run \
+           --user root  \
+           -v $(pwd):/runner:Z \
+           -it \
+           <image> \
+           /bin/bash
+```
+`<image>` is one of `quay.io/ansible-product-demos/apd-ee-25:latest`, `quay.io/ansible-product-demos/apd-ee-24:latest`
+It is not exact because GitHub seems to run closer to a sidecar container paradigm, and uses docker instead of podman, but hopefully it's close enough.
+
+For the 24 EE, the python interpreriter verions is set for our pre-commit script like so: `USE_PYTHON=python3.9 ./.github/workflows/run-pc.sh`
+The 25 EE is similary run but without the need for this variable: `./.github/workflows/run-pc.sh`

.github/workflows/pre-commit.yml

@@ -4,17 +4,23 @@ on:
  - push
  - pull_request_target
 
-env:
-  ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN }}
-  ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN }}
-
 jobs:
-  pre-commit:
-    name: pre-commit
+  pre-commit-25:
+    container:
+      image: quay.io/ansible-product-demos/apd-ee-25
+      options: --user root
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-    - uses: pre-commit/action@v3.0.1
+    - run: ./.github/workflows/run-pc.sh
+      shell: bash
+  pre-commit-24:
+    container:
+      image: quay.io/ansible-product-demos/apd-ee-24
+      options: --user root
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - run: USE_PYTHON=python3.9 ./.github/workflows/run-pc.sh
+      shell: bash
 
-...

.github/workflows/run-pc.sh

@@ -0,0 +1,24 @@
+#!/bin/bash -x
+
+dnf install git-lfs -y
+
+PYTHON_VARIANT="${USE_PYTHON:-python3.11}"
+PATH="$PATH:$HOME/.local/bin"
+
+# intsall pip
+eval "${PYTHON_VARIANT} -m pip install --user --upgrade pip"
+
+# try to fix 2.4 incompatibility 
+eval "${PYTHON_VARIANT} -m pip install --user --upgrade setuptools wheel twine check-wheel-contents"
+
+# intsall pre-commit
+eval "${PYTHON_VARIANT} -m pip install --user pre-commit"
+
+# view pip packages
+eval "${PYTHON_VARIANT} -m pip freeze --local"
+
+# fix permissions on directory
+git config --global --add safe.directory $(pwd)
+
+# run pre-commit
+pre-commit run --config $(pwd)/.pre-commit-gh.yml --show-diff-on-failure --color=always 

.gitignore

@@ -12,3 +12,4 @@ roles/*
 .deployment_id
 .cache/
 .ansible/
+**/tmp/

.pre-commit-config.yaml

@@ -14,13 +14,12 @@ repos:
       - id: check-json
       - id: check-symlinks
 
-  - repo: https://github.com/ansible/ansible-lint.git
-    # get latest release tag from https://github.com/ansible/ansible-lint/releases/
-    rev: v6.20.3
+  - repo: local
     hooks:
       - id: ansible-lint
-        additional_dependencies:
-          - jmespath
+        name: ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25:latest --mode stdout
+        language: python
+        entry: bash -c "ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25 -v --force-color --mode stdout"
 
   - repo: https://github.com/psf/black-pre-commit-mirror
     rev: 23.11.0

.pre-commit-gh.yml

@@ -0,0 +1,30 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: rhel[89]STIG/.*$
+
+      - id: check-yaml
+        exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
+        args: [--unsafe]   # see https://github.com/pre-commit/pre-commit-hooks/issues/273
+
+      - id: check-toml
+      - id: check-json
+      - id: check-symlinks
+
+  - repo: https://github.com/ansible/ansible-lint.git
+    # get latest release tag from https://github.com/ansible/ansible-lint/releases/
+    rev: v6.20.3
+    hooks:
+      - id: ansible-lint
+        additional_dependencies:
+          - jmespath
+
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 23.11.0
+    hooks:
+      - id: black
+        exclude: rhel[89]STIG/.*$
+...

ansible.cfg

@@ -1,5 +1,5 @@
 [defaults]
-collections_path=./collections
+collections_path=./collections:/usr/share/ansible/collections
 roles_path=./roles
 
 [galaxy]

cloud/README.md

@@ -19,12 +19,11 @@ This category of demos shows examples of multi-cloud provisioning and management
 
 ### Jobs
 
-- [**Cloud / Create Infra**](create_infra.yml) - Creates a VPC with required routing and firewall rules for provisioning VMs
-- [**Cloud / Create Keypair**](aws_key.yml) - Creates a keypair for connecting to EC2 instances
-- [**Cloud / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
-- [**Cloud / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
-- [**Cloud / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
-- [**Cloud / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider.  By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
+- [**Cloud / AWS / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
+- [**Cloud / AWS / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
+- [**Cloud / AWS / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
+- [**Cloud / AWS / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider.  By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
+- [**Cloud / Resize EC2**](resize_ec2.yml) - Re-size an EC2 instance.
 
 ### Inventory
 
@@ -59,11 +58,13 @@ After running the setup job template, there are a few steps required to make the
 
 ## Suggested Usage
 
-**Cloud / Create Keypair** - The Create Keypair job creates an EC2 keypair which can be used when creating EC2 instances to enable SSH access.
+**Deploy Cloud Stack in AWS** - This workflow builds out many helpful and convient resources in AWS. Given an AWS region, key, and some organizational paremetres for tagging it builds a default VPC, keypair, five VMs (three RHEL and two Windows), and even provides a report for cloud stats. It is the typical starting point for using Ansible Product-Demos in AWS.
 
 **Cloud / Create VM** - The Create VM job builds a VM in the given provider based on the included `demo.cloud` collection. VM [blueprints](blueprints/) define variables for each provider that override the defaults in the collection. When creating VMs it is recommended to follow naming conventions that can be used as host patterns. (eg. VM names: `win1`, `win2`, `win3`.  Host Pattern: `win*` )
 
 **Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.
 
+**Cloud / AWS / Resize EC2** - Given an EC2 instance, change its size. This takes an AWS region, target host pattern, and a target instance size as parameters. As a final step, this job refreshes the AWS inventory so the re-created instance is accessible from AAP.
+
 ## Known Issues
 Azure does not work without a custom execution environment that includes the Azure dependencies.

cloud/resize_ec2.yml

@@ -0,0 +1,10 @@
+---
+- name: Resize ec2 instances
+  hosts: "{{ _hosts | default(omit) }}"
+  gather_facts: false
+
+  tasks:
+    - name: Include snapshot role
+      ansible.builtin.include_role:
+        name: "demo.cloud.aws"
+        tasks_from: resize_ec2

collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml

@@ -0,0 +1,45 @@
+---
+# parameters
+# instance_type: new instance type, e.g. t3.large
+- name: AWS | RESIZE VM
+  delegate_to: localhost
+  vars:
+    controller_dependency_check: false  # noqa: var-naming[no-role-prefix]
+    controller_inventory_sources:
+      - name: AWS Inventory
+        inventory: Demo Inventory
+        organization: Default
+        wait: true
+  block:
+    - name: AWS | RESIZE EC2 | assert required vars
+      ansible.builtin.assert:
+        that:
+          - instance_id is defined
+          - aws_region is defined
+        fail_msg: "instance_id, aws_region is required for resize operations"
+
+    - name: AWS | RESIZE EC2 | shutdown instance
+      amazon.aws.ec2_instance:
+        instance_ids: "{{ instance_id }}"
+        region: "{{ aws_region }}"
+        state: stopped
+        wait: true
+
+    - name: AWS | RESIZE EC2 | update instance type
+      amazon.aws.ec2_instance:
+        region: "{{ aws_region }}"
+        instance_ids: "{{ instance_id }}"
+        instance_type: "{{ instance_type }}"
+        wait: true
+
+    - name: AWS | RESIZE EC2 | start instance
+      amazon.aws.ec2_instance:
+        instance_ids: "{{ instance_id }}"
+        region: "{{ aws_region }}"
+        state: started
+        wait: true
+
+    - name: Synchronize inventory
+      run_once: true
+      ansible.builtin.include_role:
+        name: infra.controller_configuration.inventory_source_update

collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml

@@ -3,7 +3,7 @@ rhel8STIG_stigrule_230225_Manage: True
 rhel8STIG_stigrule_230225_banner_Line: banner /etc/issue
 # R-230226 RHEL-08-010050
 rhel8STIG_stigrule_230226_Manage: True
-rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: '''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'''
+rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: "''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.''"
 # R-230227 RHEL-08-010060
 rhel8STIG_stigrule_230227_Manage: True
 rhel8STIG_stigrule_230227__etc_issue_Dest: /etc/issue
@@ -43,9 +43,6 @@ rhel8STIG_stigrule_230241_policycoreutils_State: installed
 # R-230244 RHEL-08-010200
 rhel8STIG_stigrule_230244_Manage: True
 rhel8STIG_stigrule_230244_ClientAliveCountMax_Line: ClientAliveCountMax 1
-# R-230252 RHEL-08-010291
-rhel8STIG_stigrule_230252_Manage: True
-rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
 # R-230255 RHEL-08-010294
 rhel8STIG_stigrule_230255_Manage: True
 rhel8STIG_stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'MinProtocol = TLSv1.2'
@@ -138,16 +135,9 @@ rhel8STIG_stigrule_230346__etc_security_limits_conf_Line: '* hard maxlogins 10'
 # R-230347 RHEL-08-020030
 rhel8STIG_stigrule_230347_Manage: True
 rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
-# R-230348 RHEL-08-020040
-rhel8STIG_stigrule_230348_Manage: True
-rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
-rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
 # R-230352 RHEL-08-020060
 rhel8STIG_stigrule_230352_Manage: True
 rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
-# R-230353 RHEL-08-020070
-rhel8STIG_stigrule_230353_Manage: True
-rhel8STIG_stigrule_230353__etc_tmux_conf_Line: 'set -g lock-after-time 900'
 # R-230354 RHEL-08-020080
 rhel8STIG_stigrule_230354_Manage: True
 rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/lock-delay'
@@ -335,8 +325,8 @@ rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32_Line: '
 rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
 # R-230439 RHEL-08-030361
 rhel8STIG_stigrule_230439_Manage: True
-rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
-rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
+rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
+rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
 # R-230444 RHEL-08-030370
 rhel8STIG_stigrule_230444_Manage: True
 rhel8STIG_stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
@@ -432,7 +422,8 @@ rhel8STIG_stigrule_230527_Manage: True
 rhel8STIG_stigrule_230527_RekeyLimit_Line: RekeyLimit 1G 1h
 # R-230529 RHEL-08-040170
 rhel8STIG_stigrule_230529_Manage: True
-rhel8STIG_stigrule_230529_systemctl_mask_ctrl_alt_del_target_Command: systemctl mask ctrl-alt-del.target
+rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled: false
+rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked: true
 # R-230531 RHEL-08-040172
 rhel8STIG_stigrule_230531_Manage: True
 rhel8STIG_stigrule_230531__etc_systemd_system_conf_Value: 'none'
@@ -514,6 +505,9 @@ rhel8STIG_stigrule_244523__usr_lib_systemd_system_emergency_service_Value: '-/us
 # R-244525 RHEL-08-010201
 rhel8STIG_stigrule_244525_Manage: True
 rhel8STIG_stigrule_244525_ClientAliveInterval_Line: ClientAliveInterval 600
+# R-244526 RHEL-08-010287
+rhel8STIG_stigrule_244526_Manage: True
+rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
 # R-244527 RHEL-08-010472
 rhel8STIG_stigrule_244527_Manage: True
 rhel8STIG_stigrule_244527_rng_tools_State: installed
@@ -526,9 +520,6 @@ rhel8STIG_stigrule_244535__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
 # R-244536 RHEL-08-020032
 rhel8STIG_stigrule_244536_Manage: True
 rhel8STIG_stigrule_244536__etc_dconf_db_local_d_02_login_screen_Value: 'true'
-# R-244537 RHEL-08-020039
-rhel8STIG_stigrule_244537_Manage: True
-rhel8STIG_stigrule_244537_tmux_State: installed
 # R-244538 RHEL-08-020081
 rhel8STIG_stigrule_244538_Manage: True
 rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'

collections/ansible_collections/demo/compliance/roles/rhel8STIG/handlers/main.yml

@@ -6,6 +6,25 @@
   service:
     name: sshd
     state: restarted
+- name: rsyslog_restart
+  service:
+    name: rsyslog
+    state: restarted
+- name: sysctl_load_settings
+  command: sysctl --system
+- name: daemon_reload
+  systemd:
+    daemon_reload: true
+- name: networkmanager_reload
+  service:
+    name: NetworkManager
+    state: reloaded
+- name: logind_restart
+  service:
+    name: systemd-logind
+    state: restarted
+- name: with_faillock_enable
+  command: authselect enable-feature with-faillock
 - name: do_reboot
   reboot:
     pre_reboot_delay: 60

collections/ansible_collections/demo/compliance/roles/rhel8STIG/tasks/main.yml

@@ -88,16 +88,6 @@
   when:
     - rhel8STIG_stigrule_230244_Manage
     - "'openssh-server' in packages"
-# R-230252 RHEL-08-010291
-- name: stigrule_230252__etc_sysconfig_sshd
-  lineinfile:
-    path: /etc/sysconfig/sshd
-    regexp: '^# CRYPTO_POLICY='
-    line: "{{ rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line }}"
-    create: yes
-  notify: do_reboot
-  when:
-    - rhel8STIG_stigrule_230252_Manage
 # R-230255 RHEL-08-010294
 - name: stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config
   lineinfile:
@@ -111,6 +101,7 @@
 - name: stigrule_230256__etc_crypto_policies_back_ends_gnutls_config
   lineinfile:
     path: /etc/crypto-policies/back-ends/gnutls.config
+    regexp: '^\+VERS'
     line: "{{ rhel8STIG_stigrule_230256__etc_crypto_policies_back_ends_gnutls_config_Line }}"
     create: yes
   when:
@@ -422,20 +413,6 @@
   when:
     - rhel8STIG_stigrule_230347_Manage
     - "'dconf' in packages"
-# R-230348 RHEL-08-020040
-- name: stigrule_230348_ensure_tmux_is_installed
-  yum:
-    name: tmux
-    state: "{{ rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State }}"
-  when: rhel8STIG_stigrule_230348_Manage
-# R-230348 RHEL-08-020040
-- name: stigrule_230348__etc_tmux_conf
-  lineinfile:
-    path: /etc/tmux.conf
-    line: "{{ rhel8STIG_stigrule_230348__etc_tmux_conf_Line }}"
-    create: yes
-  when:
-    - rhel8STIG_stigrule_230348_Manage
 # R-230352 RHEL-08-020060
 - name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
   ini_file:
@@ -448,20 +425,13 @@
   when:
     - rhel8STIG_stigrule_230352_Manage
     - "'dconf' in packages"
-# R-230353 RHEL-08-020070
-- name: stigrule_230353__etc_tmux_conf
-  lineinfile:
-    path: /etc/tmux.conf
-    line: "{{ rhel8STIG_stigrule_230353__etc_tmux_conf_Line }}"
-    create: yes
-  when:
-    - rhel8STIG_stigrule_230353_Manage
 # R-230354 RHEL-08-020080
 - name: stigrule_230354__etc_dconf_db_local_d_locks_session
   lineinfile:
     path: /etc/dconf/db/local.d/locks/session
     line: "{{ rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line }}"
     create: yes
+  notify: dconf_update
   when:
     - rhel8STIG_stigrule_230354_Manage
 # R-230357 RHEL-08-020110
@@ -1016,7 +986,7 @@
 - name: stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
-    regexp: '^-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
+    regexp: '^-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
     line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line }}"
   notify: auditd_restart
   when: rhel8STIG_stigrule_230439_Manage
@@ -1024,7 +994,7 @@
 - name: stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64
   lineinfile:
     path: /etc/audit/rules.d/audit.rules
-    regexp: '^-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
+    regexp: '^-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
     line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line }}"
   notify: auditd_restart
   when: rhel8STIG_stigrule_230439_Manage
@@ -1337,13 +1307,33 @@
     - rhel8STIG_stigrule_230527_Manage
     - "'openssh-server' in packages"
 # R-230529 RHEL-08-040170
-- name: stigrule_230529_systemctl_mask_ctrl_alt_del_target
-  systemd:
+- name: check if ctrl-alt-del.target is installed
+  shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
+  changed_when: False
+  check_mode: no
+  register: result
+  failed_when: result.rc > 1
+- name: stigrule_230529_ctrl_alt_del_target_disable
+  systemd_service:
     name: ctrl-alt-del.target
-    enabled: no
-    masked: yes
+    enabled: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled }}"
   when:
     - rhel8STIG_stigrule_230529_Manage
+    - result.rc == 0
+# R-230529 RHEL-08-040170
+- name: check if ctrl-alt-del.target is installed
+  shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
+  changed_when: False
+  check_mode: no
+  register: result
+  failed_when: result.rc > 1
+- name: stigrule_230529_ctrl_alt_del_target_mask
+  systemd_service:
+    name: ctrl-alt-del.target
+    masked: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked }}"
+  when:
+    - rhel8STIG_stigrule_230529_Manage
+    - result.rc == 0
 # R-230531 RHEL-08-040172
 - name: stigrule_230531__etc_systemd_system_conf
   ini_file:
@@ -1623,6 +1613,16 @@
   when:
     - rhel8STIG_stigrule_244525_Manage
     - "'openssh-server' in packages"
+# R-244526 RHEL-08-010287
+- name: stigrule_244526__etc_sysconfig_sshd
+  lineinfile:
+    path: /etc/sysconfig/sshd
+    regexp: '^# CRYPTO_POLICY='
+    line: "{{ rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line }}"
+    create: yes
+  notify: do_reboot
+  when:
+    - rhel8STIG_stigrule_244526_Manage
 # R-244527 RHEL-08-010472
 - name: stigrule_244527_rng_tools
   yum:
@@ -1663,18 +1663,13 @@
   when:
     - rhel8STIG_stigrule_244536_Manage
     - "'dconf' in packages"
-# R-244537 RHEL-08-020039
-- name: stigrule_244537_tmux
-  yum:
-    name: tmux
-    state: "{{ rhel8STIG_stigrule_244537_tmux_State }}"
-  when: rhel8STIG_stigrule_244537_Manage
 # R-244538 RHEL-08-020081
 - name: stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay
   lineinfile:
     path: /etc/dconf/db/local.d/locks/session
     line: "{{ rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line }}"
     create: yes
+  notify: dconf_update
   when:
     - rhel8STIG_stigrule_244538_Manage
 # R-244539 RHEL-08-020082
@@ -1683,6 +1678,7 @@
     path: /etc/dconf/db/local.d/locks/session
     line: "{{ rhel8STIG_stigrule_244539__etc_dconf_db_local_d_locks_session_lock_enabled_Line }}"
     create: yes
+  notify: dconf_update
   when:
     - rhel8STIG_stigrule_244539_Manage
 # R-244542 RHEL-08-030181

collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml

@@ -159,7 +159,7 @@ rhel9STIG_stigrule_257834_Manage: True
 rhel9STIG_stigrule_257834_tuned_State: removed
 # R-257835 RHEL-09-215060
 rhel9STIG_stigrule_257835_Manage: True
-rhel9STIG_stigrule_257835_tftp_State: removed
+rhel9STIG_stigrule_257835_tftp_server_State: removed
 # R-257836 RHEL-09-215065
 rhel9STIG_stigrule_257836_Manage: True
 rhel9STIG_stigrule_257836_quagga_State: removed
@@ -302,10 +302,6 @@ rhel9STIG_stigrule_257916__var_log_messages_owner_Owner: root
 rhel9STIG_stigrule_257917_Manage: True
 rhel9STIG_stigrule_257917__var_log_messages_group_owner_Dest: /var/log/messages
 rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group: root
-# R-257933 RHEL-09-232265
-rhel9STIG_stigrule_257933_Manage: True
-rhel9STIG_stigrule_257933__etc_crontab_mode_Dest: /etc/crontab
-rhel9STIG_stigrule_257933__etc_crontab_mode_Mode: '0600'
 # R-257934 RHEL-09-232270
 rhel9STIG_stigrule_257934_Manage: True
 rhel9STIG_stigrule_257934__etc_shadow_mode_Dest: /etc/shadow
@@ -455,9 +451,6 @@ rhel9STIG_stigrule_257985_PermitRootLogin_Line: PermitRootLogin no
 # R-257986 RHEL-09-255050
 rhel9STIG_stigrule_257986_Manage: True
 rhel9STIG_stigrule_257986_UsePAM_Line: UsePAM yes
-# R-257989 RHEL-09-255065
-rhel9STIG_stigrule_257989_Manage: True
-rhel9STIG_stigrule_257989__etc_crypto_policies_back_ends_openssh_config_Line: 'Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr'
 # R-257992 RHEL-09-255080
 rhel9STIG_stigrule_257992_Manage: True
 rhel9STIG_stigrule_257992_HostbasedAuthentication_Line: HostbasedAuthentication no
@@ -509,9 +502,6 @@ rhel9STIG_stigrule_258008_StrictModes_Line: StrictModes yes
 # R-258009 RHEL-09-255165
 rhel9STIG_stigrule_258009_Manage: True
 rhel9STIG_stigrule_258009_PrintLastLog_Line: PrintLastLog yes
-# R-258010 RHEL-09-255170
-rhel9STIG_stigrule_258010_Manage: True
-rhel9STIG_stigrule_258010_UsePrivilegeSeparation_Line: UsePrivilegeSeparation sandbox
 # R-258011 RHEL-09-255175
 rhel9STIG_stigrule_258011_Manage: True
 rhel9STIG_stigrule_258011_X11UseLocalhost_Line: X11UseLocalhost yes
@@ -560,10 +550,9 @@ rhel9STIG_stigrule_258026__etc_dconf_db_local_d_locks_session_lock_delay_Line: '
 # R-258027 RHEL-09-271085
 rhel9STIG_stigrule_258027_Manage: True
 rhel9STIG_stigrule_258027__etc_dconf_db_local_d_00_security_settings_Value: "''"
+# R-258027 RHEL-09-271085
+rhel9STIG_stigrule_258027_Manage: True
 rhel9STIG_stigrule_258027__etc_dconf_db_local_d_locks_00_security_settings_lock_picture_uri_Line: '/org/gnome/desktop/screensaver/picture-uri'
-# R-258029 RHEL-09-271095
-rhel9STIG_stigrule_258029_Manage: True
-rhel9STIG_stigrule_258029__etc_dconf_db_local_d_00_security_settings_Value: "'true'"
 # R-258030 RHEL-09-271100
 rhel9STIG_stigrule_258030_Manage: True
 rhel9STIG_stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons_Line: '/org/gnome/login-screen/disable-restart-buttons'
@@ -583,6 +572,8 @@ rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_blacklist_usb_storage
 # R-258035 RHEL-09-291015
 rhel9STIG_stigrule_258035_Manage: True
 rhel9STIG_stigrule_258035_usbguard_State: installed
+rhel9STIG_stigrule_258035_usbguard_enable_Enabled: yes
+rhel9STIG_stigrule_258035_usbguard_start_State: started
 # R-258036 RHEL-09-291020
 rhel9STIG_stigrule_258036_Manage: True
 rhel9STIG_stigrule_258036_usbguard_enable_Enabled: yes
@@ -621,12 +612,6 @@ rhel9STIG_stigrule_258057__etc_security_faillock_conf_Line: 'unlock_time = 0'
 # R-258060 RHEL-09-411105
 rhel9STIG_stigrule_258060_Manage: True
 rhel9STIG_stigrule_258060__etc_security_faillock_conf_Line: 'dir = /var/log/faillock'
-# R-258063 RHEL-09-412010
-rhel9STIG_stigrule_258063_Manage: True
-rhel9STIG_stigrule_258063_tmux_State: installed
-# R-258066 RHEL-09-412025
-rhel9STIG_stigrule_258066_Manage: True
-rhel9STIG_stigrule_258066__etc_tmux_conf_Line: 'set -g lock-after-time 900'
 # R-258069 RHEL-09-412040
 rhel9STIG_stigrule_258069_Manage: True
 rhel9STIG_stigrule_258069__etc_security_limits_conf_Line: '* hard maxlogins 10'
@@ -688,9 +673,6 @@ rhel9STIG_stigrule_258104__etc_login_defs_Line: 'PASS_MIN_DAYS 1'
 # R-258107 RHEL-09-611090
 rhel9STIG_stigrule_258107_Manage: True
 rhel9STIG_stigrule_258107__etc_security_pwquality_conf_Line: 'minlen = 15'
-# R-258108 RHEL-09-611095
-rhel9STIG_stigrule_258108_Manage: True
-rhel9STIG_stigrule_258108__etc_login_defs_Line: 'PASS_MIN_LEN 15'
 # R-258109 RHEL-09-611100
 rhel9STIG_stigrule_258109_Manage: True
 rhel9STIG_stigrule_258109__etc_security_pwquality_conf_Line: 'ocredit = -1'
@@ -718,9 +700,6 @@ rhel9STIG_stigrule_258116__etc_libuser_conf_Value: 'sha512'
 # R-258117 RHEL-09-611140
 rhel9STIG_stigrule_258117_Manage: True
 rhel9STIG_stigrule_258117__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512'
-# R-258119 RHEL-09-611150
-rhel9STIG_stigrule_258119_Manage: True
-rhel9STIG_stigrule_258119__etc_login_defs_Line: 'SHA_CRYPT_MIN_ROUNDS 5000'
 # R-258121 RHEL-09-611160
 rhel9STIG_stigrule_258121_Manage: True
 rhel9STIG_stigrule_258121__etc_opensc_conf_Line: 'card_drivers = cac;'
@@ -759,9 +738,6 @@ rhel9STIG_stigrule_258142_rsyslog_start_State: started
 # R-258144 RHEL-09-652030
 rhel9STIG_stigrule_258144_Manage: True
 rhel9STIG_stigrule_258144__etc_rsyslog_conf_Line: 'auth.*;authpriv.*;daemon.*                              /var/log/secure'
-# R-258145 RHEL-09-652035
-rhel9STIG_stigrule_258145_Manage: True
-rhel9STIG_stigrule_258145__etc_audit_plugins_d_syslog_conf_Line: 'active = yes'
 # R-258146 RHEL-09-652040
 rhel9STIG_stigrule_258146_Manage: True
 rhel9STIG_stigrule_258146__etc_rsyslog_conf_Line: '$ActionSendStreamDriverAuthMode x509/name'
@@ -1000,12 +976,9 @@ rhel9STIG_stigrule_258228__etc_audit_rules_d_audit_rules_loginuid_immutable_Line
 # R-258229 RHEL-09-654275
 rhel9STIG_stigrule_258229_Manage: True
 rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line: '-e 2'
-# R-258234 RHEL-09-672010
+# R-258234 RHEL-09-215100
 rhel9STIG_stigrule_258234_Manage: True
 rhel9STIG_stigrule_258234_crypto_policies_State: installed
-# R-258239 RHEL-09-672035
-rhel9STIG_stigrule_258239_Manage: True
-rhel9STIG_stigrule_258239__etc_pki_tls_openssl_cnf_Line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config'
-# R-258240 RHEL-09-672040
-rhel9STIG_stigrule_258240_Manage: True
-rhel9STIG_stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'TLS.MinProtocol = TLSv1.2'
+# R-272488 RHEL-09-215101
+rhel9STIG_stigrule_272488_Manage: True
+rhel9STIG_stigrule_272488_postfix_State: installed

collections/ansible_collections/demo/compliance/roles/rhel9STIG/tasks/main.yml

@@ -474,10 +474,10 @@
     state: "{{ rhel9STIG_stigrule_257834_tuned_State }}"
   when: rhel9STIG_stigrule_257834_Manage
 # R-257835 RHEL-09-215060
-- name: stigrule_257835_tftp
+- name: stigrule_257835_tftp_server
   yum:
-    name: tftp
-    state: "{{ rhel9STIG_stigrule_257835_tftp_State }}"
+    name: tftp-server
+    state: "{{ rhel9STIG_stigrule_257835_tftp_server_State }}"
   when: rhel9STIG_stigrule_257835_Manage
 # R-257836 RHEL-09-215065
 - name: stigrule_257836_quagga
@@ -764,13 +764,6 @@
     group: "{{ rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group }}"
   when:
     - rhel9STIG_stigrule_257917_Manage
-# R-257933 RHEL-09-232265
-- name: stigrule_257933__etc_crontab_mode
-  file:
-    dest: "{{ rhel9STIG_stigrule_257933__etc_crontab_mode_Dest }}"
-    mode: "{{ rhel9STIG_stigrule_257933__etc_crontab_mode_Mode }}"
-  when:
-    - rhel9STIG_stigrule_257933_Manage
 # R-257934 RHEL-09-232270
 - name: stigrule_257934__etc_shadow_mode
   file:
@@ -1237,16 +1230,6 @@
   when:
     - rhel9STIG_stigrule_257986_Manage
     - "'openssh-server' in packages"
-# R-257989 RHEL-09-255065
-- name: stigrule_257989__etc_crypto_policies_back_ends_openssh_config
-  lineinfile:
-    path: /etc/crypto-policies/back-ends/openssh.config
-    regexp: '^\s*Ciphers\s+\S+\s*$'
-    line: "{{ rhel9STIG_stigrule_257989__etc_crypto_policies_back_ends_openssh_config_Line }}"
-    create: yes
-  notify: do_reboot
-  when:
-    - rhel9STIG_stigrule_257989_Manage
 # R-257992 RHEL-09-255080
 - name: stigrule_257992_HostbasedAuthentication
   lineinfile:
@@ -1398,16 +1381,6 @@
   when:
     - rhel9STIG_stigrule_258009_Manage
     - "'openssh-server' in packages"
-# R-258010 RHEL-09-255170
-- name: stigrule_258010_UsePrivilegeSeparation
-  lineinfile:
-    path: /etc/ssh/sshd_config
-    regexp: '(?i)^\s*UsePrivilegeSeparation\s+'
-    line: "{{ rhel9STIG_stigrule_258010_UsePrivilegeSeparation_Line }}"
-  notify: ssh_restart
-  when:
-    - rhel9STIG_stigrule_258010_Manage
-    - "'openssh-server' in packages"
 # R-258011 RHEL-09-255175
 - name: stigrule_258011_X11UseLocalhost
   lineinfile:
@@ -1594,18 +1567,6 @@
   when:
     - rhel9STIG_stigrule_258027_Manage
     - "'dconf' in packages"
-# R-258029 RHEL-09-271095
-- name: stigrule_258029__etc_dconf_db_local_d_00_security_settings
-  ini_file:
-    path: /etc/dconf/db/local.d/00-security-settings
-    section: org/gnome/login-screen
-    option: disable-restart-buttons
-    value: "{{ rhel9STIG_stigrule_258029__etc_dconf_db_local_d_00_security_settings_Value }}"
-    no_extra_spaces: yes
-  notify: dconf_update
-  when:
-    - rhel9STIG_stigrule_258029_Manage
-    - "'dconf' in packages"
 # R-258030 RHEL-09-271100
 - name: stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons
   lineinfile:
@@ -1674,6 +1635,34 @@
     name: usbguard
     state: "{{ rhel9STIG_stigrule_258035_usbguard_State }}"
   when: rhel9STIG_stigrule_258035_Manage
+# R-258035 RHEL-09-291015
+- name: check if usbguard.service is installed
+  shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
+  changed_when: False
+  check_mode: no
+  register: result
+  failed_when: result.rc > 1
+- name: stigrule_258035_usbguard_enable
+  service:
+    name: usbguard.service
+    enabled: "{{ rhel9STIG_stigrule_258035_usbguard_enable_Enabled }}"
+  when:
+    - rhel9STIG_stigrule_258035_Manage
+    - result.rc == 0
+# R-258035 RHEL-09-291015
+- name: check if usbguard.service is installed
+  shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
+  changed_when: False
+  check_mode: no
+  register: result
+  failed_when: result.rc > 1
+- name: stigrule_258035_usbguard_start
+  service:
+    name: usbguard.service
+    state: "{{ rhel9STIG_stigrule_258035_usbguard_start_State }}"
+  when:
+    - rhel9STIG_stigrule_258035_Manage
+    - result.rc == 0
 # R-258036 RHEL-09-291020
 - name: check if usbguard.service is installed
   shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
@@ -1821,20 +1810,6 @@
   notify: with_faillock_enable
   when:
     - rhel9STIG_stigrule_258060_Manage
-# R-258063 RHEL-09-412010
-- name: stigrule_258063_tmux
-  yum:
-    name: tmux
-    state: "{{ rhel9STIG_stigrule_258063_tmux_State }}"
-  when: rhel9STIG_stigrule_258063_Manage
-# R-258066 RHEL-09-412025
-- name: stigrule_258066__etc_tmux_conf
-  lineinfile:
-    path: /etc/tmux.conf
-    line: "{{ rhel9STIG_stigrule_258066__etc_tmux_conf_Line }}"
-    create: yes
-  when:
-    - rhel9STIG_stigrule_258066_Manage
 # R-258069 RHEL-09-412040
 - name: stigrule_258069__etc_security_limits_conf
   lineinfile:
@@ -2025,15 +2000,6 @@
     create: yes
   when:
     - rhel9STIG_stigrule_258107_Manage
-# R-258108 RHEL-09-611095
-- name: stigrule_258108__etc_login_defs
-  lineinfile:
-    path: /etc/login.defs
-    regexp: '^PASS_MIN_LEN'
-    line: "{{ rhel9STIG_stigrule_258108__etc_login_defs_Line }}"
-    create: yes
-  when:
-    - rhel9STIG_stigrule_258108_Manage
 # R-258109 RHEL-09-611100
 - name: stigrule_258109__etc_security_pwquality_conf
   lineinfile:
@@ -2116,15 +2082,6 @@
     create: yes
   when:
     - rhel9STIG_stigrule_258117_Manage
-# R-258119 RHEL-09-611150
-- name: stigrule_258119__etc_login_defs
-  lineinfile:
-    path: /etc/login.defs
-    regexp: '^SHA_CRYPT_MIN_ROUNDS'
-    line: "{{ rhel9STIG_stigrule_258119__etc_login_defs_Line }}"
-    create: yes
-  when:
-    - rhel9STIG_stigrule_258119_Manage
 # R-258121 RHEL-09-611160
 - name: stigrule_258121__etc_opensc_conf
   lineinfile:
@@ -2264,16 +2221,6 @@
   notify: rsyslog_restart
   when:
     - rhel9STIG_stigrule_258144_Manage
-# R-258145 RHEL-09-652035
-- name: stigrule_258145__etc_audit_plugins_d_syslog_conf
-  lineinfile:
-    path: /etc/audit/plugins.d/syslog.conf
-    regexp: '^\s*active\s*='
-    line: "{{ rhel9STIG_stigrule_258145__etc_audit_plugins_d_syslog_conf_Line }}"
-    create: yes
-  notify: auditd_restart
-  when:
-    - rhel9STIG_stigrule_258145_Manage
 # R-258146 RHEL-09-652040
 - name: stigrule_258146__etc_rsyslog_conf
   lineinfile:
@@ -3029,27 +2976,15 @@
     line: "{{ rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line }}"
   notify: auditd_restart
   when: rhel9STIG_stigrule_258229_Manage
-# R-258234 RHEL-09-672010
+# R-258234 RHEL-09-215100
 - name: stigrule_258234_crypto_policies
   yum:
     name: crypto-policies
     state: "{{ rhel9STIG_stigrule_258234_crypto_policies_State }}"
   when: rhel9STIG_stigrule_258234_Manage
-# R-258239 RHEL-09-672035
-- name: stigrule_258239__etc_pki_tls_openssl_cnf
-  lineinfile:
-    path: /etc/pki/tls/openssl.cnf
-    line: "{{ rhel9STIG_stigrule_258239__etc_pki_tls_openssl_cnf_Line }}"
-    create: yes
-  when:
-    - rhel9STIG_stigrule_258239_Manage
-# R-258240 RHEL-09-672040
-- name: stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config
-  lineinfile:
-    path: /etc/crypto-policies/back-ends/opensslcnf.config
-    regexp: '^\s*TLS.MinProtocol\s*='
-    line: "{{ rhel9STIG_stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config_Line }}"
-    create: yes
-  notify: do_reboot
-  when:
-    - rhel9STIG_stigrule_258240_Manage
+# R-272488 RHEL-09-215101
+- name: stigrule_272488_postfix
+  yum:
+    name: postfix
+    state: "{{ rhel9STIG_stigrule_272488_postfix_State }}"
+  when: rhel9STIG_stigrule_272488_Manage

collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml

@@ -31,3 +31,7 @@
 - name: Display link to inventory report
   ansible.builtin.debug:
     msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"
+
+- name: Display link with a new path
+  ansible.builtin.debug:
+    msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"

common/setup.yml

@@ -60,7 +60,8 @@ controller_inventory_sources:
           prefix: purpose
         - key: tags.deployment
           prefix: deployment
-
+        - key: tags.Compliance
+          separator: ''
 controller_groups:
   - name: cloud_aws
     inventory: Demo Inventory
@@ -276,6 +277,44 @@ controller_templates:
           variable: _hosts
           required: true
 
+  - name: Cloud / AWS / Resize EC2
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+      - Controller Credential
+    project: Ansible Product Demos
+    playbook: cloud/resize_ec2.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: aws_region
+          required: true
+          default: us-east-1
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Specify target hosts
+          type: text
+          variable: _hosts
+          required: true
+
+        - question_name: Specify target instance type
+          type: text
+          variable: instance_type
+          default: t3a.medium
+          required: true
+
 controller_notifications:
   - name: Telemetry
     organization: Default

linux/multi_profile_compliance.yml

@@ -13,4 +13,3 @@
     - name: Run Compliance Profile
       ansible.builtin.include_role:
         name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
-...

linux/multi_profile_compliance_report.yml

@@ -9,9 +9,17 @@
       - openscap-utils
       - scap-security-guide
     compliance_profile: ospp
+    # install httpd and use it to host compliance report
     use_httpd: true
 
   tasks:
+    - name: Assert memory meets minimum requirements
+      ansible.builtin.assert:
+        that:
+          - ansible_memfree_mb >= 1000
+          - ansible_memtotal_mb >= 2000
+        fail_msg: "OpenSCAP is a memory intensive operation, the specified enepoint does not meet minimum requirements. See https://access.redhat.com/articles/6999111 for details."
+
     - name: Get our facts straight
       ansible.builtin.set_fact:
         _profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
@@ -80,11 +88,28 @@
         group: root
         mode: 0644
 
+    - name: Debug output for report
+      ansible.builtin.debug:
+        msg: "http://{{ ansible_host }}/oscap-reports/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html"
+      when: use_httpd | bool
+
+    - name: Tag instance as {{ compliance_profile | upper }}_OUT_OF_COMPLIANCE  # noqa name[template]
+      delegate_to: localhost
+      amazon.aws.ec2_tag:
+        region: "{{ placement.region }}"
+        resource: "{{ instance_id }}"
+        state: present
+        tags:
+          Compliance: "{{ compliance_profile | upper }}_OUT_OF_COMPLIANCE"
+      when:
+        - _oscap.rc == 2
+        - instance_id is defined
+      become: false
+
   handlers:
     - name: Restart httpd
       ansible.builtin.service:
         name: httpd
         state: restarted
         enabled: true
-
 ...

linux/remediate_out_of_compliance.yml

@@ -0,0 +1,13 @@
+---
+- name: Apply compliance profile as part of workflow.
+  hosts: "{{ compliance_profile | default('stig') | upper }}_OUT_OF_COMPLIANCE"
+  become: true
+  tasks:
+    - name: Check os type
+      ansible.builtin.assert:
+        that: "ansible_os_family == 'RedHat'"
+
+    - name: Run Compliance Profile
+      ansible.builtin.include_role:
+        name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
+...

linux/setup.yml

@@ -334,11 +334,33 @@ controller_templates:
             - full
           required: true
 
+  - name: "LINUX / Compliance Enforce"
+    job_type: run
+    inventory: "Demo Inventory"
+    project: "Ansible Product Demos"
+    playbook: "linux/remediate_out_of_compliance.yml"
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    credentials:
+      - "Demo Credential"
+    extra_vars:
+      sudo_remove_nopasswd: false
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: _hosts
+          required: true
+
   - name: "LINUX / DISA STIG"
     job_type: run
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
-    playbook: "linux/compliance.yml"
+    playbook: "linux/disa_stig.yml"
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
@@ -360,12 +382,13 @@ controller_templates:
     job_type: run
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
-    playbook: "linux/compliance-enforce.yml"
+    playbook: "linux/multi_profile_compliance.yml"
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
     credentials:
       - "Demo Credential"
+      - "AWS"
     extra_vars:
       # used by CIS profile role
       sudo_require_authentication: false
@@ -406,12 +429,13 @@ controller_templates:
     job_type: run
     inventory: "Demo Inventory"
     project: "Ansible Product Demos"
-    playbook: "linux/compliance-report.yml"
+    playbook: "linux/multi_profile_compliance_report.yml"
     notification_templates_started: Telemetry
     notification_templates_success: Telemetry
     notification_templates_error: Telemetry
     credentials:
       - "Demo Credential"
+      - "AWS"
     survey_enabled: true
     survey:
       name: ''
@@ -492,4 +516,52 @@ controller_templates:
           variable: application
           required: true
 
+controller_workflows:
+  - name: "Linux / Compliance Workflow"
+    description: A workflow to generate a SCAP report and run enforce on findings
+    organization: Default
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          default: aws_rhel*
+          variable: _hosts
+          required: true
+        - question_name: Compliance Profile
+          type: multiplechoice
+          variable: compliance_profile
+          required: true
+          choices:
+            - cis
+            - cjis
+            - cui
+            - hipaa
+            - ospp
+            - pci_dss
+            - stig
+        - question_name: Use httpd on the target host(s) to access reports locally?
+          type: multiplechoice
+          variable: use_httpd
+          required: true
+          choices:
+            - "true"
+            - "false"
+          default: "true"
+    simplified_workflow_nodes:
+      - identifier: Compliance Report
+        unified_job_template: "LINUX / Multi-profile Compliance Report"
+        success_nodes:
+          - Update Inventory
+      - identifier: Update Inventory
+        unified_job_template: AWS Inventory
+        success_nodes:
+          - Compliance Enforce
+      - identifier: Compliance Enforce
+        unified_job_template: "LINUX / Compliance Enforce"
 ...

roles/requirements.yml

@@ -2,45 +2,65 @@
 roles:
   # RHEL 7 compliance roles from ComplianceAsCode
   - name: redhatofficial.rhel7-cis
+    src: https://github.com/RedHatOfficial/ansible-role-rhel7-cis
     version: 0.1.72
   - name: redhatofficial.rhel7-cjis
+    src: https://github.com/RedHatOfficial/ansible-role-rhel7-cjis
     version: 0.1.72
   - name: redhatofficial.rhel7-cui
+    src: https://github.com/RedHatOfficial/ansible-role-rhel7-cui
     version: 0.1.72
   - name: redhatofficial.rhel7-hipaa
+    src: https://github.com/RedHatOfficial/ansible-role-rhel7-hipaa
     version: 0.1.72
   - name: redhatofficial.rhel7-ospp
+    src: https://github.com/RedHatOfficial/ansible-role-rhel7-ospp
     version: 0.1.72
   - name: redhatofficial.rhel7-pci-dss
+    src: https://github.com/RedHatOfficial/ansible-role-rhel7-pci-dss
     version: 0.1.72
   - name: redhatofficial.rhel7-stig
+    src: https://github.com/RedHatOfficial/ansible-role-rhel7-stig
     version: 0.1.72
   # RHEL 8 compliance roles from ComplianceAsCode
   - name: redhatofficial.rhel8-cis
+    src: https://github.com/RedHatOfficial/ansible-role-rhel8-cis
     version: 0.1.72
   - name: redhatofficial.rhel8-cjis
+    src: https://github.com/RedHatOfficial/ansible-role-rhel8-cjis
     version: 0.1.72
   - name: redhatofficial.rhel8-cui
+    src: https://github.com/RedHatOfficial/ansible-role-rhel8-cui
     version: 0.1.72
   - name: redhatofficial.rhel8-hipaa
+    src: https://github.com/RedHatOfficial/ansible-role-rhel8-hipaa
     version: 0.1.72
   - name: redhatofficial.rhel8-ospp
+    src: https://github.com/RedHatOfficial/ansible-role-rhel8-ospp
     version: 0.1.72
   - name: redhatofficial.rhel8-pci-dss
+    src: https://github.com/RedHatOfficial/ansible-role-rhel8-pci-dss
     version: 0.1.72
   - name: redhatofficial.rhel8-stig
+    src: https://github.com/RedHatOfficial/ansible-role-rhel8-stig
     version: 0.1.72
   # RHEL 9 compliance roles from ComplianceAsCode
   - name: redhatofficial.rhel9-cis
+    src: https://github.com/RedHatOfficial/ansible-role-rhel9-cis
     version: 0.1.72
   - name: redhatofficial.rhel9-cui
+    src: https://github.com/RedHatOfficial/ansible-role-rhel9-cui
     version: 0.1.72
   - name: redhatofficial.rhel9-hipaa
+    src: https://github.com/RedHatOfficial/ansible-role-rhel9-hipaa
     version: 0.1.72
   - name: redhatofficial.rhel9-ospp
+    src: https://github.com/RedHatOfficial/ansible-role-rhel9-ospp
     version: 0.1.72
   - name: redhatofficial.rhel9-pci-dss
+    src: https://github.com/RedHatOfficial/ansible-role-rhel9-pci-dss
     version: 0.1.72
   - name: redhatofficial.rhel9-stig
+    src: https://github.com/RedHatOfficial/ansible-role-rhel9-stig
     version: 0.1.72
 ...

tests/requirements.yml

@@ -1 +1 @@
-../execution_environments/requirements.yml
+../execution_environments/requirements-25.yml

windows/helpdesk_new_user_portal.yml

@@ -10,7 +10,7 @@
         # Example result: ['&Qw2|E[-']
 
     - name: Create new user
-      community.windows.win_domain_user:
+      microsoft.ad.user:
         name: "{{ firstname }} {{ surname }}"
         firstname: "{{ firstname }}"
         surname: "{{ surname }}"

windows/join_ad_domain.yml

@@ -16,7 +16,7 @@
     - name: Ensure Demo OU exists
       run_once: true
       delegate_to: "{{ domain_controller }}"
-      community.windows.win_domain_ou:
+      microsoft.ad.ou:
         name: Demo
         state: present
 
@@ -26,7 +26,7 @@
 
     - name: Join ansible.local domain
       register: r_domain_membership
-      ansible.windows.win_domain_membership:
+      microsoft.ad.membership:
         dns_domain_name: ansible.local
         hostname: "{{ inventory_hostname.split('.')[0] }}"
         domain_admin_user: "{{ ansible_user }}@ansible.local"