Exercise 3.0 - Using Ansible to Implement Security


Exercise Description

In this exercise, we are going to use Red Hat Ansible Tower to run DISA STIG and NIST 800-53 evaluations of our environment. Note that the NIST 800-53 role also includes the execution of DISA STIG evaluation against targeted hosts.

Step 1: Download role to Ansible roles directory

In your Wetty window (if you closed it, see the SETUP step in your workbook), type the following:

sudo ansible-galaxy install rhtps.800-53 -p /etc/ansible/roles

The output below shows that the role has been downloaded to your system-wide Ansible roles directory, /etc/ansible/roles:

- downloading role '800-53', owned by rhtps
- downloading role from https://github.com/rhtps/ansible-role-800-53/archive/v1.1.1.tar.gz
- extracting rhtps.800-53 to /etc/ansible/roles/rhtps.800-53
- rhtps.800-53 (v1.1.1) was installed successfully

Step 2: Select Projects

Click the PROJECTS tab in the Ansible Tower UI.

Step 3: Click Add

Next, select ADD.

Step 4: Complete the Project form

Complete the project form, using the following entries:

NAME

Ansible 800-53 Project

DESCRIPTION

800-53 Role Playbook

ORGANIZATION

Default

SCM TYPE

Git

SCM URL

https://github.com/ajacocks/rhtps-800-53

SCM BRANCH

SCM UPDATE OPTIONS

  • Clean

  • Delete on Update

  • Update on Launch

Figure 1: Defining a Project

Step 5: Save

Select SAVE.

Step 6: Select Template tab

In your Tower window, click TEMPLATES

Step 7: Add the job template

Click ADD, and select JOB TEMPLATE.

Step 8: Complete the job Template form

Complete the form using the following values. Note that the PLAYBOOK field should offer 800-53.yml as an option, when clicked.

NAME

NIST 800-53 and DISA STIG Job Template

DESCRIPTION

Template for security playbooks

JOB TYPE

Run

INVENTORY

Ansible Workshop Inventory

PROJECT

Ansible 800-53 Project

PLAYBOOK

main.yml

MACHINE CREDENTIAL

Ansible Workshop Credential

LIMIT

web

OPTIONS

  • Enable Privilege Escalation

Figure 2: Defining a Job

Step 9: Save the template and run it

Click SAVE to store your new template; it is now ready to run.

Click the rocketship icon next to the NIST 800-53 and DISA STIG Job Template entry to launch the job.

The panel below shows what the job looks like as it executes, and what the SCAP results look like once they are uploaded to your second node.
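The same project and job template can be created without clicking through the forms. The script below is an added example, not part of the workshop or the rhtps role: it drives the Tower REST API (v2) with the exact values from Steps 4 and 8, attaches the machine credential, and launches the job. It assumes a Tower 3.3 or later instance at the placeholder TOWER_URL, an account allowed to create objects, and that the organization, inventory and credential named in the exercise already exist.

```python
import base64
import json
import urllib.parse
import urllib.request

TOWER_URL = "https://tower.example.com"          # placeholder: your Tower URL
TOWER_USER, TOWER_PASS = "admin", "CHANGE_ME"    # placeholder: an account allowed to create objects


def _api(method, path, body=None):
    """Minimal stdlib JSON client for /api/v2 using HTTP basic auth."""
    token = base64.b64encode(f"{TOWER_USER}:{TOWER_PASS}".encode()).decode()
    req = urllib.request.Request(
        f"{TOWER_URL}/api/v2{path}", method=method, data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def lookup_id(resource, name):
    """Resolve the id of an existing object (organization, inventory, credential) by exact name."""
    results = _api("GET", f"/{resource}/?name={urllib.parse.quote(name)}")["results"]
    if len(results) != 1:
        raise LookupError(f"expected one {resource} named {name!r}, found {len(results)}")
    return results[0]["id"]


def project_payload(org_id):
    """Step 4 form as an API body; the three SCM UPDATE OPTIONS are the scm_* booleans."""
    return {"name": "Ansible 800-53 Project", "description": "800-53 Role Playbook",
            "organization": org_id, "scm_type": "git",
            "scm_url": "https://github.com/ajacocks/rhtps-800-53",
            "scm_clean": True, "scm_delete_on_update": True, "scm_update_on_launch": True}


def job_template_payload(inventory_id, project_id):
    """Step 8 form as an API body. LIMIT=web scopes the scan to the web group; become_enabled is
    'Enable Privilege Escalation', which the role needs to read the root-owned config it audits."""
    return {"name": "NIST 800-53 and DISA STIG Job Template",
            "description": "Template for security playbooks", "job_type": "run",
            "inventory": inventory_id, "project": project_id, "playbook": "main.yml",
            "limit": "web", "become_enabled": True}


def create_and_launch():
    """Create the project and template, attach the machine credential, launch; return the job id."""
    project_id = _api("POST", "/projects/", project_payload(lookup_id("organizations", "Default")))["id"]
    inv_id = lookup_id("inventories", "Ansible Workshop Inventory")
    jt_id = _api("POST", "/job_templates/", job_template_payload(inv_id, project_id))["id"]
    _api("POST", f"/job_templates/{jt_id}/credentials/",
         {"id": lookup_id("credentials", "Ansible Workshop Credential")})
    return _api("POST", f"/job_templates/{jt_id}/launch/", {})["id"]


if __name__ == "__main__":
    print("launched job", create_and_launch())  # watch it under JOBS in the Tower UI
```

Tower installs with a self-signed certificate by default, which urllib will reject; trust that certificate (or your own CA) on the client rather than disabling verification.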

Step 10: Observe the scanning process and view reports

You can watch the scan run against your managed node. Note that each compliance check is named and detailed.

Once the check is complete, open a new tab in your web browser and navigate to the following URL, where workshopname is the workshop prefix and # is the number that your instructor gave you:

http://example.node.0.redhatgov.io/scap

Click the link named scan-xccdf-report-… to review the SCAP report that was generated. Note the failures in the report; if you want, look at the machines via your Wetty ssh session to analyze what the problems might be.

