In this exercise, we are going to use Ansible Tower to run DISA STIG and NIST 800-53 evaluations of our environment. Note that the NIST 800-53 role also includes the execution of DISA STIG evaluation against targeted hosts.
DISA STIG controls https://galaxy.ansible.com/MindPointGroup/RHEL7-STIG/
NIST 800-53 controls https://galaxy.ansible.com/rhtps/800-53/
In your wetty window (if you closed it, see the SETUP step, in your workbook), type the following:
sudo ansible-galaxy install rhtps.800-53 -p /etc/ansible/roles
You will then see the following, showing that the role has been downloaded to your system-wide Ansible roles directory, /etc/ansible/roles:
- downloading role '800-53', owned by rhtps
- downloading role from https://github.com/rhtps/ansible-role-800-53/archive/v1.1.1.tar.gz
- extracting rhtps.800-53 to /etc/ansible/roles/rhtps.800-53
- rhtps.800-53 (v1.1.1) was installed successfully
First, in Ansible Tower, click on
Next, select ADD.
Complete the form using the following entries:
NAME | Ansible 800-53 Project
DESCRIPTION | 800-53 Role Playbook
ORGANIZATION | Default
SCM TYPE | Git
SCM URL |
SCM BRANCH |
SCM UPDATE OPTIONS |
Select SAVE
In your Tower window, click TEMPLATES.
Click ADD, and select JOB TEMPLATE.
Complete the form using the following values. Note that the PLAYBOOK field should offer 800-53.yml as an option, when clicked.
NAME | NIST 800-53 and DISA STIG Job Template
DESCRIPTION | Template for security playbooks
JOB TYPE | Run
INVENTORY | Ansible Workshop Inventory
PROJECT | Ansible 800-53 Project
PLAYBOOK | main.yml
MACHINE CREDENTIAL | Ansible Workshop Credential
LIMIT | web
OPTIONS |
Click SAVE to store your new template; we are now ready to run it.
Click on the rocket ship icon next to the NIST 800-53 and DISA STIG Job Template entry to launch the job.
You can see what the job looks like, as it is executing, and what the SCAP results look like, when uploaded to your second node, in the panel, below.
You can watch the scan run against your managed node. Note that each compliance check is named and detailed.
Once the check is complete, you can open a new tab in your web browser, and navigate to the following URL, where workshopname is the workshop prefix, and # is the number that your instructor gave you:
http://example-node0.example.redhatgov.io/scap
Click on the link called scan-xccdf-report-… to review the SCAP report that was generated. Note the failures in the report; look at the machines, if you want, via your Wetty ssh session, to see what the problems might be.
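When triaging a scan, it helps to pull the failed rules out of the XCCDF results XML that sits beside the HTML report, grouped by severity. The following script is an added example and is not part of the workshop or of the rhtps.800-53 role; it assumes the results file uses the XCCDF 1.2 namespace (as oscap produces), and the embedded sample document, its rule ids and severities are constructed for illustration.

```python
"""List failed XCCDF rules with their severity, from an XCCDF 1.2 results file."""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by oscap results files (assumed for this example).
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample shaped like an oscap results file; rule ids and
# severities are illustrative only, not taken from a real scan.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_benchmark">
  <Rule id="xccdf_sample_rule_sshd_root_login" severity="high"/>
  <Rule id="xccdf_sample_rule_password_max_days" severity="medium"/>
  <Rule id="xccdf_sample_rule_aide_installed" severity="low"/>
  <TestResult id="xccdf_sample_testresult" start-time="2024-01-01T00:00:00">
    <rule-result idref="xccdf_sample_rule_sshd_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_sample_rule_password_max_days"><result>pass</result></rule-result>
    <rule-result idref="xccdf_sample_rule_aide_installed"><result>fail</result></rule-result>
    <rule-result idref="xccdf_sample_rule_other"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def failed_rules(xml_text):
    """Return [(rule_id, severity), ...] for every rule-result whose result is 'fail'."""
    root = ET.fromstring(xml_text)
    # Severity lives on the Rule definition, not on the rule-result, so index it first.
    severity = {rule.get("id"): rule.get("severity", "unknown")
                for rule in root.iter("{%s}Rule" % XCCDF_NS["x"])}
    failures = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        if res is not None and res.text == "fail":
            rule_id = rr.get("idref")
            failures.append((rule_id, severity.get(rule_id, "unknown")))
    return failures


def severity_counts(xml_text):
    """Count failed rules per severity, e.g. {'high': 1, 'low': 1} for the sample."""
    return dict(Counter(sev for _, sev in failed_rules(xml_text)))


if __name__ == "__main__":
    for rule_id, sev in failed_rules(SAMPLE_RESULTS):
        print("%-8s %s" % (sev, rule_id))
    print(severity_counts(SAMPLE_RESULTS))
```

To run it against a real scan, replace SAMPLE_RESULTS with the contents of the results XML downloaded from the /scap directory.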