Welcome to the meetup. This page is to help you take part in the Ansible-lockdown
talk. Request access to one of the Ansible control nodes and run ansible-lockdown against a Rocky Linux 8
server. Here's the setup:
The Ubuntu Ansible control node has all the requisite software installed already.
These were the updates made for this demo:
- Making sure port 80 was allowed and not removed - This didn't work yet...

vi RHEL8-CIS/defaults/main.yml

rhel8cis_firewall_services:
  - cockpit
  - dhcpv6-client
  - ssh
  - http          # <-- Add this line
rhel8cis_httpd_server: true   # <-- was false

Editing defaults/main.yml directly is the quickest route for a demo. The same two variables can also be set in the inventory, in group_vars, or with -e on the command line; those override role defaults and survive a later update of the role.
Step 1.
- Check out your "pre" OpenSCAP report to see how your Rocky Linux 8 server scores as delivered by AWS:
http://<IP_ADDRESS>/reports/pre_report.html
Step 2.
- Log into your Ubuntu Ansible control node (the IP address will be supplied by your Meetup host) and navigate to the ~/RHEL8-CIS directory.
  - Username: ubuntu
  - Password: Student8882
- The Ansible inventory has already been populated for you.
cd RHEL8-CIS/
ansible-playbook -i hosts.ini site.yml -t level1-server
Once the playbook has finished enforcing CIS level 1, run this quick command from the Ubuntu control node to generate another OpenSCAP report for the Rocky Linux 8 server:

ansible -i hosts.ini rhel8 -m shell -a 'sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report /var/www/html/reports/post_report1.html /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml; sudo firewall-cmd --zone=public --add-port=80/tcp --permanent; sudo firewall-cmd --reload; sudo chmod 744 /var/www/html/reports/post_report1.html'

Note that this evaluates the OSPP profile (xccdf_org.ssgproject.content_profile_ospp), so its pass/fail counts are not a direct measure of CIS level 1 compliance. "oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml" lists every profile in the installed datastream (recent scap-security-guide builds include CIS profiles); pick one of those if you want the report to match what the role enforced.
I had to add http back into the firewall. Can you let me know which setting it is to leave it alone, or to make sure it's added into the firewall? Thanks.
Step 3.
- Check the new report in the browser (http://<IP_ADDRESS>/reports/post_report1.html) and compare it against the pre report.
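Step 3 asks you to compare the two reports by eye. The script below is an added example (it is not part of this page or of ansible-lockdown) that does the comparison mechanically. It assumes both scans were also run with oscap's --results <file> flag, which writes the XCCDF results XML alongside the HTML report (the path /var/www/html/reports/post_results1.xml is a hypothetical choice), and it lists which rules the role fixed, which regressed from pass to something else, and which changed in some other way. The two embedded XML documents are constructed samples, not real scan output; pass two real results files as arguments to use them instead.

```python
"""Diff two OpenSCAP XCCDF results files (e.g. the pre and post ansible-lockdown scans).

Assumes each scan was run with '--results <file>' in addition to '--report',
e.g. --results /var/www/html/reports/post_results1.xml (hypothetical path).
"""
import sys
from collections import Counter
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}rule-result' -> 'rule-result'."""
    return tag.rsplit("}", 1)[-1]


def load_results(xml_text):
    """Return {rule_id: result} for every <rule-result> in an XCCDF results document.

    Matching on the local tag name makes this independent of the XCCDF 1.1/1.2
    namespace and of whether the TestResult sits inside a data-stream wrapper.
    """
    results = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "rule-result":
            continue
        rule_id = elem.get("idref")
        result = next((c.text for c in elem if _local(c.tag) == "result"), None)
        if rule_id and result:
            results[rule_id] = result.strip()
    return results


def summarize(results):
    """Count rules per XCCDF result value (pass, fail, notchecked, ...)."""
    return Counter(results.values())


def diff_results(pre, post):
    """Classify every rule whose result changed between the two scans.

    'fixed'     : anything -> pass          (the role hardened it)
    'regressed' : pass -> anything else     (the role, or a manual step, broke it)
    'other'     : any other change, kept as (rule_id, before, after)
    """
    changes = {"fixed": [], "regressed": [], "other": []}
    for rule_id in sorted(set(pre) | set(post)):
        before, after = pre.get(rule_id, "absent"), post.get(rule_id, "absent")
        if before == after:
            continue
        if after == "pass":
            changes["fixed"].append(rule_id)
        elif before == "pass":
            changes["regressed"].append(rule_id)
        else:
            changes["other"].append((rule_id, before, after))
    return changes


# Constructed sample results (not real scan output): four rules, XCCDF 1.2 namespace.
PRE_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_pre">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

POST_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_post">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def main(argv):
    if len(argv) == 3:  # usage: scap_diff.py pre_results.xml post_results.xml
        with open(argv[1], encoding="utf-8") as f:
            pre = load_results(f.read())
        with open(argv[2], encoding="utf-8") as f:
            post = load_results(f.read())
    else:  # no files given: run on the constructed sample above
        pre, post = load_results(PRE_XML), load_results(POST_XML)
    print("pre :", dict(summarize(pre)))
    print("post:", dict(summarize(post)))
    changes = diff_results(pre, post)
    for rule_id in changes["fixed"]:
        print("FIXED     ", rule_id)
    for rule_id in changes["regressed"]:
        print("REGRESSED ", rule_id)
    for rule_id, before, after in changes["other"]:
        print(f"CHANGED    {rule_id}: {before} -> {after}")
    # Non-zero exit so a CI job fails if hardening made anything worse.
    return 1 if changes["regressed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as "python3 scap_diff.py pre_results.xml post_results1.xml" on the two results files; with no arguments it runs against the constructed sample. The exit status is 1 whenever any rule went from pass to something else, which is exactly the thing to catch when you start changing rhel8cis_* settings and re-running the role.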
Have a play with the settings in RHEL8-CIS/defaults/main.yml and see how easy it is to customise which compliance rules you enforce.