Red Hat Security: Linux in Physical, Virtual, and Cloud
Use an Ansible Playbook that is provided with the system's SCAP content to remediate a failed compliance check.
Outcomes
Use the output from the customized scan from the previous exercise and an Ansible Playbook provided by the SCAP content to resolve a compliance issue.
Rescan the system to confirm that the issue is reported as resolved.
As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.
[student@workstation ~]$ lab start openscap-remediation
Instructions
On the
workstationmachine, generate a remediation Ansible Playbook. The playbook resolves the compliance issues that you detected in a previous exercise, in a scan that you performed with a customized policy.To create the remediation Ansible Playbook, the
oscapcommand requires:The
RH415-tailoring.xmltailoring fileThe
RH415-results.xmlresults file
Use the
oscap infocommand on theRH415-tailoring.xmltailoring file to retrieve the associated profile identifier.[student@workstation ~]$
oscap info RH415-tailoring.xmlDocument type: XCCDF Tailoring Imported: 2023-10-24T16:58:41 Benchmark Hint: /tmp/scap-workbench-IlIHwP/ssg-rhel9-ds.xml Profiles: Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 9 [CUSTOMIZED] Id: xccdf_com.example_profile_RH415-rhel9Use the
oscap xccdf generate fixcommand to generate the Ansible Playbook. Save the playbook to the/home/student/playbook.ymlfile.[student@workstation ~]$
oscap xccdf generate fix \ --profile xccdf_com.example_profile_RH415-rhel9 \ --tailoring-file RH415-tailoring.xml \ --fix-type ansible \ --result-id "" \ RH415-results.xml > /home/student/playbook.yml[student@workstation ~]$The command uses an empty string for the
--result-idoption. This way, you do not need to specify the full result identifier.Notice that you do not need to run this command on the scanned system, provided that the tailoring file, the result file, the SCAP Security Guide, and the
oscapcommand are available on your local system.Review the
/home/student/playbook.ymlAnsible Playbook.[student@workstation ~]$
cat playbook.yml...output omitted...The tasks fix the issue that is reported in the scan from the previous exercise.
On the
workstationmachine, run the Ansible Playbook to resolve the compliance issues on theservercmachine.Create an inventory file that contains the
servercmachine.[student@workstation ~]$
echo serverc > inventoryEdit the
/home/student/playbook.ymlfile and add thebecome: trueline....output omitted... - hosts: all
become: truevars: ...output omitted...Use the
ansible-playbookcommand to run the playbook. Include the-Kflag to configure the command to prompt for the become password. Usestudentas the become password.[student@workstation ~]$
ansible-playbook -K -i inventory playbook.ymlBECOME password:studentPLAY [all] ********************************************************************* TASK [Gathering Facts] ********************************************************* ok: [serverc] TASK [Gather the package facts] ************************************************ ok: [serverc] TASK [Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable minlen is set accordingly] ******************************************* changed: [serverc] PLAY RECAP ********************************************************************* serverc : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Scan the
servercmachine again to confirm that the system is now compliant.Log in to the
servercmachine as thestudentuser. No password is required.[student@workstation ~]$
ssh student@serverc[student@serverc ~]$Change to the
rootuser. Usestudentas the password.[student@serverc ~]$
sudo -i[sudo] password for student:student[root@serverc ~]#Use the
oscap infocommand on the/root/RH415-tailoring.xmltailoring file to retrieve the associated profile.[root@serverc ~]#
oscap info RH415-tailoring.xmlDocument type: XCCDF Tailoring Imported: 2023-10-24T17:56:55 Benchmark Hint: /tmp/scap-workbench-IlIHwP/ssg-rhel9-ds.xml Profiles: Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 9 [CUSTOMIZED] Id: xccdf_com.example_profile_RH415-rhel9Use the
oscap xccdf evalcommand to scan the system for compliance.[root@serverc ~]#
oscap xccdf eval \ --profile xccdf_com.example_profile_RH415-rhel9 \ --tailoring-file RH415-tailoring.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml...output omitted... --- Starting Evaluation --- Title Ensure dnf Removes Previous Package Versions Rule xccdf_org.ssgproject.content_rule_clean_components_post_updating Ident CCE-83458-0 Result pass Title Ensure gpgcheck Enabled In Main dnf Configuration Rule xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated Ident CCE-83457-2 Result pass Title Ensure gpgcheck Enabled for All dnf Package Repositories Rule xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled Ident CCE-83464-8 Result pass Title Ensure PAM Enforces Password Requirements - Minimum Length Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen Ident CCE-83579-3 Result passAll the tests pass. The system now complies with your custom policy.
Return to the
workstationmachine when done.[root@serverc ~]#
logout[student@serverc ~]$logout[student@workstation ~]$
