From a5aa9564f5b2c383788ed7c6c8fb376ad92cf4b7 Mon Sep 17 00:00:00 2001
From: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
Date: Mon, 25 Sep 2023 15:13:15 -0400
Subject: [PATCH 1/2] Multi-profile compliance (#87)

Co-authored-by: willtome
---
 .gitignore | 2 +
 linux/README.md | 12 +++--
 linux/compliance-enforce.yml | 17 +++++++
 linux/compliance-report.yml | 90 ++++++++++++++++++++++++++++++++++++
 linux/compliance_profiles.md | 15 ++++++
 linux/setup.yml | 80 ++++++++++++++++++++++++++++++++
 roles/requirements.yml | 42 +++++++++++++++++
 7 files changed, 255 insertions(+), 3 deletions(-)
 create mode 100644 linux/compliance-enforce.yml
 create mode 100644 linux/compliance-report.yml
 create mode 100644 linux/compliance_profiles.md
 create mode 100644 roles/requirements.yml

diff --git a/.gitignore b/.gitignore
index 73bcc109d..bb9433c6d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,5 @@
 choose_demo_example_aws.yml
 .ansible.cfg
 *.gz
+**/roles/*
+!**/roles/requirements.yml
diff --git a/linux/README.md b/linux/README.md
index 9984885c8..620ee235a 100644
--- a/linux/README.md
+++ b/linux/README.md
@@ -26,8 +26,10 @@ This category of demos shows examples of linux operations and management with An
 - [**Linux / Fact Scan**](https://github.com/ansible/awx-facts-playbooks/blob/master/scan_facts.yml) - Run a fact, package, and service scan against a system and store in fact cache
 - [**Linux / Podman Webserver**](podman.yml) - Install and run a Podman webserver with given text on the home page
 - [**Linux / System Roles**](system_roles.yml) - Apply Linux system roles to servers. Must provide variables and role names.
-- [**Linux / Compliance Enforce**](compliance.yml) - Apply remediation to meet the requirements of a compliance baseline
-- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights][https://console.redhat.com]
+- [**Linux / DISA STIG**](compliance.yml) - Apply the RHEL STIG supplemental content from DISA
+- [**Linux / Multi-profile compliance**](compliance-enforce.yml) - Apply remediation from [Compliance as Code](https://github.com/ComplianceAsCode/content) to enforce the requirements of a specified compliance profile
+- [**Linux / Report Compliance**](compliance-report.yml) - Run an OpenSCAP report against a specified compliance profile
+- [**Linux / Insights Compliance Scan**](insights_compliance_scan.yml) - Run a Compliance scan based on the configuration in [Red Hat Insights](https://console.redhat.com)
 
 ### Inventory
 
@@ -86,6 +88,10 @@ timesync_ntp_servers:
 pool: yes
 iburst: yes
 ```
-**Linux / Compliance** - Apply compliance profile hardening configuration from [here](https://galaxy.ansible.com/RedHatOfficial). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
+**Linux / DISA STIG** - Apply the RHEL STIG security hardening configuration using the [DISA Supplemental Automation Content](https://public.cyber.mil/stigs/supplemental-automation-content/). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Running STIG compliance without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
+
+**Linux / Multi-profile Compliance** - Apply security hardening configuration from a [supported compliance profile role](compliance_profiles.md). BE AWARE: this could have unintended results based on the current state of your machine. Always test on a single machine before distributing at scale. For example, AWS instances have NOPASSWD allowed for sudo. Applying certain compliance profiles without adding `sudo_remove_nopasswd: false` to extra_vars on the job template will lock you out of the machine. This variable is configured on the job template by default for this reason.
+
+**Linux / Report Compliance** - Run this template before running the "**Linux / Multi-profile Compliance**" template and again afterwards to highlight the changes made by the enforcement template. By default, the reports are available by pointing a web browser to the system(s) where the report runs. By setting the `use_httpd` variable to "false" in the template survey the reports will instead be stored on the target node in the /tmp/oscap-reports directory.
 
 **Linux / Insights Compliance Scan** - Scan the system according to the compliance profile configured via [Red Hat Insights](https://console.redhat.com). NOTE: This job will fail if the systems haven't been registered with Insights and associated with a relevant compliance profile. A survey when running the job will ask if you have configured all systems with a compliance profile, and effectively skip all tasks in the job template if the answer is "No".
diff --git a/linux/compliance-enforce.yml b/linux/compliance-enforce.yml
new file mode 100644
index 000000000..b8122e406
--- /dev/null
+++ b/linux/compliance-enforce.yml
@@ -0,0 +1,17 @@
+---
+- name: Apply compliance profile
+ hosts: "{{ _hosts | default(omit) }}"
+ become: true
+ vars:
+ compliance_profile: undef
+
+ tasks:
+ - name: Check os type
+ ansible.builtin.assert:
+ that: "ansible_os_family == 'RedHat'"
+
+ - name: Run Compliance Profile
+ ansible.builtin.include_role:
+ name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}"
+
+...
diff --git a/linux/compliance-report.yml b/linux/compliance-report.yml
new file mode 100644
index 000000000..a1f2274ba
--- /dev/null
+++ b/linux/compliance-report.yml
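Review bot: The assert in `Check os type` validates only `ansible_os_family`, while the role name on the `include_role` line is built from `compliance_profile` (default `undef`) and `ansible_distribution_major_version`, neither of which is checked, so a run outside the job template, or on a RedHat-family host whose major version has no pinned role, fails late with an opaque role-not-found error. The survey in setup.yml limits the profile to the six values that roles/requirements.yml pins for RHEL 7, 8 and 9, so the playbook can assert the same set before anything is applied; a replacement for the assert task is below. The README's lock-out warning about `sudo_remove_nopasswd` applies to this playbook as well and is only honoured through the template's extra_vars, which is worth a comment above `vars:` for anyone running the playbook directly.
```yaml
    - name: Check os type, version and requested profile
      ansible.builtin.assert:
        that:
          - ansible_os_family == 'RedHat'
          - ansible_distribution_major_version in ['7', '8', '9']
          - compliance_profile in ['cis', 'cui', 'hipaa', 'ospp', 'pci_dss', 'stig']
        fail_msg: "Unsupported platform or compliance_profile '{{ compliance_profile }}'"
    # … unchanged: Run Compliance Profile include_role task …
```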
@@ -0,0 +1,90 @@
+---
+- name: Generate OpenSCAP compliance report
+ hosts: '{{ _hosts | default(omit) }}'
+ become: true
+
+ vars:
+ openscap_packages:
+ - openscap-scanner
+ - openscap-utils
+ - scap-security-guide
+ compliance_profile: ospp
+ use_httpd: true
+
+ tasks:
+ - name: Get our facts straight
+ ansible.builtin.set_fact:
+ _profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
+ _report_dir: /tmp/oscap-reports
+
+ - name: Ensure OpenSCAP tools are installed
+ ansible.builtin.dnf:
+ name: '{{ openscap_packages }}'
+ state: present
+
+ - name: Configure httpd
+ when: use_httpd | bool
+ block:
+ - name: Install httpd
+ ansible.builtin.dnf:
+ name: httpd
+ state: present
+ notify: Restart httpd
+
+ - name: Override report directory
+ ansible.builtin.set_fact:
+ _report_dir: /var/www/html/oscap-reports
+
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Enable firewall http service
+ ansible.posix.firewalld:
+ service: http
+ state: enabled
+ immediate: true
+ permanent: true
+ when: "'firewalld.service' in ansible_facts.services"
+
+ - name: Disable httpd welcome page
+ ansible.builtin.file:
+ path: /etc/httpd/conf.d/welcome.conf
+ state: absent
+ notify: Restart httpd
+
+ - name: Ensure report directory exists
+ ansible.builtin.file:
+ path: '{{ _report_dir }}/{{ _profile }}'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+ - name: Set report name
+ ansible.builtin.set_fact:
+ _report: '{{ _report_dir }}/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html'
+
+ - name: Generate compliance report
+ ansible.builtin.command: >-
+ oscap xccdf eval --profile {{ _profile }} --report {{ _report }}
+ /usr/share/xml/scap/ssg/content/ssg-rhel{{ ansible_distribution_major_version }}-ds.xml
+ args:
+ creates: '{{ _report }}'
+ register: _oscap
+ failed_when: _oscap.rc not in [0, 2]
+
+ - name: Set report permissions
+ ansible.builtin.file:
+ path: '{{ _report }}'
+ owner: root
+ group: root
+ mode: 0644
+
+ handlers:
+ - name: Restart httpd
+ ansible.builtin.service:
+ name: httpd
+ state: restarted
+ enabled: true
+
+...
diff --git a/linux/compliance_profiles.md b/linux/compliance_profiles.md
new file mode 100644
index 000000000..7ef595c0f
--- /dev/null
+++ b/linux/compliance_profiles.md
@@ -0,0 +1,15 @@
+# Supported Compliance Profiles
+
+The following compliance profiles are supported by the [**Linux / Enforce Compliance**](README.md#jobs) job template:
+
+| **Profile** | **Role Repository** |
+|-------------|---------------------|
+| CIS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cis |
+| CUI | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cui |
+| HIPAA | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-hipaa |
+| OSPP | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-ospp |
+| PCI-DSS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-pci-dss |
+| DISA STIG | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-stig |
+
+These roles are derived from the [Compliance as Code](https://github.com/ComplianceAsCode/content) project, which provides SCAP content used by the [OpenSCAP](https://www.open-scap.org/) `oscap` tool.
+
diff --git a/linux/setup.yml b/linux/setup.yml
index dcb031da6..b4ccd526e 100644
--- a/linux/setup.yml
+++ b/linux/setup.yml
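Review bot: With the default `use_httpd: true` the play installs httpd, leaves it enabled through the `Restart httpd` handler (`enabled: true`), opens the firewall `http` service and publishes each report world-readable under `/var/www/html/oscap-reports`, so any unauthenticated HTTP client that can reach the host can read its list of failed hardening checks; a compliance demo that leaves a new plaintext listener on every target by default is the wrong default, and the `LINUX / Multi-profile Compliance Report` survey in setup.yml defaults the same question to `"true"`. Suggest `use_httpd: false` in both places and copying the report back to the controller instead, as sketched below; if the httpd path is kept, its exposure should at least be stated in a comment above the `Configure httpd` block. Minor: `mode: 0755` and `mode: 0644` should be quoted (`mode: "0755"`, `mode: "0644"`) so the YAML loader does not read them as integers, which ansible-lint's risky-octal rule also reports.
```yaml
    use_httpd: false

    # … unchanged: tasks through "Set report permissions" …

    - name: Fetch report to the controller
      ansible.builtin.fetch:
        src: '{{ _report }}'
        dest: 'oscap-reports/{{ inventory_hostname }}/'
        flat: true
```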
@@ -359,6 +359,84 @@ controller_templates: variable: _hosts required: true + - name: "LINUX / Multi-profile Compliance" + job_type: run + inventory: "Demo Inventory" + project: "Ansible official demo project" + playbook: "linux/compliance-enforce.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + credentials: + - "Demo Credential" + extra_vars: + # used by CIS profile role + sudo_require_authentication: false + # used by STIG profile role + sudo_remove_nopasswd: false + sudo_remove_no_authenticate: false + # used by CIS and STIG profile role + accounts_password_set_max_life_existing: false + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + variable: _hosts + required: true + - question_name: Compliance Profile + type: multiplechoice + variable: compliance_profile + required: true + choices: + - cis + - cui + - hipaa + - ospp + - pci_dss + - stig + + - name: "LINUX / Multi-profile Compliance Report" + job_type: run + inventory: "Demo Inventory" + project: "Ansible official demo project" + playbook: "linux/compliance-report.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + credentials: + - "Demo Credential" + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + variable: _hosts + required: true + - question_name: Compliance Profile + type: multiplechoice + variable: compliance_profile + required: true + choices: + - cis + - cui + - hipaa + - ospp + - pci_dss + - stig + - question_name: Use httpd on the target host(s) to access reports locally? + type: multiplechoice + variable: use_httpd + required: true + choices: + - "true" + - "false" + default: "true" + - name: "LINUX / Insights Compliance Scan" job_type: run inventory: "Demo Inventory" 
@@ -408,3 +486,5 @@ controller_templates:
 type: text
 variable: application
 required: true
+
+...
diff --git a/roles/requirements.yml b/roles/requirements.yml
new file mode 100644
index 000000000..75eaa0ce2
--- /dev/null
+++ b/roles/requirements.yml
@@ -0,0 +1,42 @@
+---
+roles:
+ # RHEL 7 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel7_cis
+ version: 0.1.69
+ - name: redhatofficial.rhel7_cui
+ version: 0.1.67
+ - name: redhatofficial.rhel7_hipaa
+ version: 0.1.69
+ - name: redhatofficial.rhel7_ospp
+ version: 0.1.69
+ - name: redhatofficial.rhel7_pci_dss
+ version: 0.1.69
+ - name: redhatofficial.rhel7_stig
+ version: 0.1.69
+ # RHEL 8 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel8_cis
+ version: 0.1.69
+ - name: redhatofficial.rhel8_cui
+ version: 0.1.69
+ - name: redhatofficial.rhel8_hipaa
+ version: 0.1.69
+ - name: redhatofficial.rhel8_ospp
+ version: 0.1.69
+ - name: redhatofficial.rhel8_pci_dss
+ version: 0.1.69
+ - name: redhatofficial.rhel8_stig
+ version: 0.1.69
+ # RHEL 9 compliance roles from ComplianceAsCode
+ - name: redhatofficial.rhel9_cis
+ version: 0.1.68
+ - name: redhatofficial.rhel9_cui
+ version: 0.1.64
+ - name: redhatofficial.rhel9_hipaa
+ version: 0.1.68
+ - name: redhatofficial.rhel9_ospp
+ version: 0.1.68
+ - name: redhatofficial.rhel9_pci_dss
+ version: 0.1.68
+ - name: redhatofficial.rhel9_stig
+ version: 0.1.64
+...
From d7e9ad637b7f41ef829c7d11018ab9c4b47f1b58 Mon Sep 17 00:00:00 2001
From: willtome
Date: Mon, 25 Sep 2023 15:40:43 -0400
Subject: [PATCH 2/2] Update ansible-lint.yml

---
 .github/workflows/ansible-lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index a085b8286..2f52e0adb 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -2,7 +2,7 @@
 name: Ansible Lint
 on:
 - push
- - pull_request
+ - pull_request_target
 
 env:
 ANSIBLE_GALAXY_SERVER_LIST: ah,galaxy
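Review bot: `pull_request_target` on the new side runs the lint job in the base repository's context, with the repository's secrets and a `GITHUB_TOKEN` whose permissions are not restricted anywhere in this hunk, for pull requests from forks, which is exactly what the old `pull_request` trigger withheld; whether that is safe depends on the steps outside this hunk, because if the job checks out the PR head and then processes PR-controlled files such as `roles/requirements.yml` against the `ah` server named in `ANSIBLE_GALAXY_SERVER_LIST`, fork content is handled with access to those credentials. If the intent is only to lint fork PRs, `pull_request` already does that without secrets; if a secret is genuinely needed, add `permissions:` with `contents: read` at the top of the workflow, check out the base ref rather than the PR head, and keep the lint step from installing untrusted content, with a comment on the `on:` block recording why the privileged trigger was chosen. The workflow's remaining steps are outside this hunk, so the above is inferred from the trigger change alone.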