Exercise 3.0 - Using Ansible to Implement Security


In this exercise, we are going to use Ansible Tower to run DISA STIG and NIST 800-53 evaluations of our environment. Note that the NIST 800-53 role also runs the DISA STIG evaluation against the targeted hosts.

Adding the DISA STIG and NIST 800-53 role to your Tower node

Step 1:

In your wetty window (if you closed it, see the SETUP step, in your workbook), type the following:

sudo ansible-galaxy install rhtps.800-53 -p /etc/ansible/roles

You will then see the following, showing that the role has been downloaded to your system-wide Ansible roles directory, /etc/ansible/roles:

- downloading role '800-53', owned by rhtps
- downloading role from https://github.com/rhtps/ansible-role-800-53/archive/v1.1.1.tar.gz
- extracting rhtps.800-53 to /etc/ansible/roles/rhtps.800-53
- rhtps.800-53 (v1.1.1) was installed successfully

Step 2:

First, in Ansible Tower, click on PROJECTS

Step 3:

Next, select + Add.

Step 4:

Complete the form using the following entries:

NAME: Ansible 800-53 Project
DESCRIPTION: 800-53 Role Playbook
ORGANIZATION: Default
SCM TYPE: Git
SCM URL: https://github.com/ajacocks/rhtps-800-53
SCM BRANCH:
SCM UPDATE OPTIONS:
  • Clean
  • Delete on Update
  • Update Revision on Launch

Figure 1: Defining a Project

Step 5:

Select SAVE.

Step 6:

In your Tower window, click on TEMPLATES

Step 7:

Click on + Add, and select Job Template

Step 8:

Complete the form using the following values. Note that the PLAYBOOK field should offer 800-53.yml as an option when clicked.

NAME: NIST 800-53 and DISA STIG Job Template
DESCRIPTION: Template for security playbooks
JOB TYPE: Run
INVENTORY: Ansible Workshop Inventory
PROJECT: Ansible 800-53 Project
PLAYBOOK: main.yml
MACHINE CREDENTIAL: Ansible Workshop Credential
LIMIT: web
OPTIONS:
  • Enable Privilege Escalation

Figure 2: Defining a Job

Step 9:

Click SAVE to store your new template; it is now ready to run.

Click the rocket ship icon next to the NIST 800-53 and DISA STIG Job Template entry to launch the job.

The panel below shows what the job looks like while it is executing, and what the SCAP results look like once they have been uploaded to your second node.

End Result

You can watch the scan run against your managed node. Note that each compliance check is named and detailed.

Once the check is complete, you can open a new tab in your web browser, and navigate to the following URL, where workshopname is the workshop prefix, and # is the number that your instructor gave you:

http://example.node.0.redhatgov.io/scap

Click on the link called scan-xccdf-report-…​ to review the SCAP report that was generated. Note the failures in the report; if you want, look at the machines via your Wetty ssh session to see what the problems might be.
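When triaging the failures in that report, it helps to sort them by severity before logging in to the host. The following script is an added example (not part of the workshop or the rhtps.800-53 role); it assumes the uploaded scan results are a standard XCCDF 1.2 result document, and the embedded sample with its rule ids is constructed for illustration only.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by OpenSCAP result files (assumption: the uploaded
# scan-xccdf report is a standard XCCDF 1.2 result document)
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample of a trimmed result document; rule ids are illustrative, not real STIG ids
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_benchmark">
  <TestResult id="xccdf_sample_testresult">
    <rule-result idref="xccdf_sample_rule_sshd_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_sample_rule_password_max_days" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_sample_rule_audit_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_sample_rule_gui_banner" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def parse_rule_results(xccdf_xml):
    # One dict per rule-result: rule id, severity attribute, and outcome text
    tag = lambda name: "{%s}%s" % (XCCDF_NS, name)
    rows = []
    for rr in ET.fromstring(xccdf_xml).iter(tag("rule-result")):
        res = rr.find(tag("result"))
        outcome = (res.text or "").strip() if res is not None else ""
        rows.append({"rule": rr.get("idref"),
                     "severity": rr.get("severity", "unknown"),
                     "result": outcome or "unknown"})
    return rows

def summarize(rows):
    # Count outcomes (pass, fail, notapplicable, ...) across all checked rules
    return dict(Counter(r["result"] for r in rows))

def failures_by_severity(rows, order=("high", "medium", "low", "unknown")):
    # Failed or errored rules, highest severity first, to guide triage on the host
    rank = {sev: i for i, sev in enumerate(order)}
    failed = [r for r in rows if r["result"] in ("fail", "error")]
    return sorted(failed, key=lambda r: (rank.get(r["severity"], len(order)), r["rule"]))
```

Point parse_rule_results at the results XML downloaded from the /scap directory to get the same summary for a real scan.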
