RH415 - ch09s07

The data streams in the SCAP Security Guide include remediation scripts to fix the noncompliant checks. These scripts might take the form of shell scripts, Ansible snippets, Puppet snippets, or even Kickstart commands. Some rules provide multiple remediation scripts in different formats. For example, the rule that verifies whether AIDE is installed provides a remediation shell script, but also an Ansible snippet, a Puppet snippet, and a Kickstart command. Some rules only provide one remediation method, and others do not provide any remediation scripts at all.

Note

Remediation coverage is generally better for shell scripts and Ansible snippets.

By using the oscap command, you can generate an Ansible Playbook from a SCAP Security Guide profile, or from a scan result XML file.

Creating an Ansible Playbook from a Profile

From a SCAP Security Guide profile, the oscap xccdf generate fix command generates an Ansible Playbook that includes all the tasks for remediation for which Ansible snippets are available.

[root@host ~]# oscap xccdf generate fix \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --fix-type ansible \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > pci-dss.yml

You can include this Ansible Playbook in a more global Ansible infrastructure; for example, as a postinstallation step. Because Ansible Playbooks are idempotent, you can regularly run the playbook on your systems to keep them compliant; there is no impact on the items that are already compliant.

Some SCAP rules do not have Ansible remediation snippets. For those rules, you might have to develop your own playbook tasks for remediation.

Remember that many profiles are meant as catalogs, not checklists, and not every remediation item makes sense in your environment. If you generate a playbook from a profile, then consider using one that has been tailored for your environment.

Creating an Ansible Playbook from an XML Result File

After scanning a system for compliance, the oscap xccdf generate fix command creates an Ansible Playbook from the XML result file to fix the noncompliant checks.

In the following example, the first oscap command scans the local system, and the second oscap command generates the Ansible Playbook for remediation.

[root@host ~]# oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --results /root/results.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
...output omitted...

[root@host ~]# oscap xccdf generate fix \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --fix-type ansible \
    --result-id "" \
    /root/results.xml > remediation-playbook.yml

The generated Ansible Playbook is only relevant for the scanned system because it includes only the tasks that remediate the failed checks.

Adjusting Variables in the Remediation Ansible Playbook

You can edit the Ansible Playbook that the oscap xccdf generate fix command creates. In particular, the playbook uses variables for some parameters that are associated with rules in the SCAP Security Guide profiles.

The following example shows some variables that are defined in a remediation Ansible Playbook:

...output omitted...
- hosts: all
  vars:
     var_accounts_maximum_age_login_defs: 90
     var_account_disable_post_pw_expiration: 90
     var_password_pam_dcredit: -1
     var_password_pam_minlen: 7
     var_password_pam_ucredit: -1
     var_password_pam_lcredit: -1
     var_auditd_space_left_action: email
     var_auditd_admin_space_left_action: single
     sshd_idle_timeout_value: 900
...output omitted...

Running a Remediation Ansible Playbook

The oscap xccdf generate fix command creates Ansible Playbooks with the hosts parameter set to all. You can adapt this parameter to specify the targeted group of systems to remediate, or you can create a custom inventory file that lists all these systems.

To specify a custom inventory file, use the -i inventory_file option with the ansible-playbook command.

[root@host ~]# ansible-playbook -i ./myinventory pci-dss.yml

Warning

The quality of the remediation snippets can vary depending on the content. Review and test the playbook carefully before using it on production systems or at scale.

Filtering Tasks

The remediation Ansible Playbooks can be quite large. Some tasks inside these playbooks might be disruptive, such as performing system updates. Other tasks might remediate low severity issues. Depending on your environment, you might want to skip some playbook tasks.

The tasks in a remediation Ansible Playbook have tags. Tags are an Ansible feature that enable you to run only the tasks that have a specific tag.

The SCAP Security Guide XCCDF files specify particular tags for the Ansible snippets. Rather than running the whole playbook, you can specify one or more tags to filter the tasks to play.

The following playbook extract shows two tasks and their associated tags:

- name: "Security patches are up to date"
  package:
    name: "*"
    state: "latest"
  tags:
    - security_patches_up_to_date
    - high_severity
    - patch_strategy
    - low_complexity
    - high_disruption
    - CCE-26895-3
    - NIST-800-53-SI-2
    - NIST-800-53-SI-2(c)
    - NIST-800-53-MA-1(b)
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020260


- name: disable prelinking
  lineinfile:
    path: /etc/sysconfig/prelink
    regexp: '^PRELINKING='
    line: 'PRELINKING=no'
  tags:
    - disable_prelink
    - low_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27078-5
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SC-28
    - NIST-800-53-SI-7
    - NIST-800-171-3.13.11
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3

The following command runs only the tasks with the high_severity tag in the pci-dss.yml Ansible Playbook:

[root@host ~]# ansible-playbook --tags=high_severity pci-dss.yml

You can also specify multiple tags by using a comma-separated list. See the Ansible documentation for more information.

Applying Profiles During Installation

You can call the OpenSCAP installer add-on from a Kickstart file to evaluate system compliance and to automatically remediate deviations during installation. Because the add-on also performs the remediation, your new systems are compliant immediately after installation.

For example, by adding the following lines in your Kickstart file, new systems become compliant with the SCAP Security Guide PCI-DSS profile during installation.

%addon org_fedora_oscap
content-type = scap-security-guide
profile = pci-dss
%end

References

Ansible Tags

For more information, refer to the Scanning the System for Configuration Compliance and Vulnerabilities chapter in the Security Hardening guide at https://access.redhat.com/documentation/es-es/red_hat_enterprise_linux/9/html-single/security_hardening/index#scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening

For more information, refer to the Performing an Automated Installation Using Kickstart chapter in the Performing an Advanced RHEL 9 Installation guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#performing_an_automated_installation_using_kickstart

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-9.2-a821299