Security compliance with Ansible and OpenScap - Part 2

Automating security scans

Now that we have defined our policies and customizations for OpenScap, let’s continue with the Ansible portion.
If you missed Part 1, feel free to read it here and then return to this page.

Master playbook

Below is a snippet for the master playbook, along with the first steps of the included task.
The master playbook includes a vars file used for settings such as proxy servers.
In addition, take note of the following:

vars:
  oscap_profile: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced_customized
  oscap_policy: ssg-centos8-ds

In the excerpt above, which contains the first few tasks, Ansible is doing the following:

  • Installing openscap

  • Sending the customization files and policies to the remote workload for oscap to reference

Scan Task - continued (1)

The next excerpt from the scan task, shown below, introduces the next steps in the flow: we execute oscap (which outputs an HTML report that we download to the Ansible controller) and then execute oscap again to generate a remediation playbook:

In the above task, the following is being done:

  • Execute oscap (to scan), passing in the following arguments:

    • Profile and customization files

    • Path to write the generated results to (the ARF file)

    • Path to write the HTML report to

  • Execute oscap again (to generate a remediation playbook), passing the following arguments:

    • Profile and customization files

    • The ARF file generated by the previous command

    • Path to write the playbook to

  • Finally, we download the HTML report to the Ansible controller

Scan Task - Continued (2)

In this next snippet (from the same task yml file), we download the remediation playbook and perform some magic to execute it dynamically.

As you can see above, we are performing the following:

  • Downloading, reading and parsing the remediation playbook

  • Generating a dynamic vars file from the vars listed in the playbook

  • Generating a dynamic task file from the tasks listed in the playbook

  • Executing the new tasks dynamically against the remote machine

  • Cleaning up

Now, you might ask, “why don’t you just execute the playbook you downloaded?”. Ah, well, this is where Ansible imposes certain limitations…

First, you can’t dynamically include a top-level playbook without creating a mess. Therefore, since we can include dynamic vars and tasks, I split the playbook up into vars and task files, then simply dynamically include those files.

Note that the files I create are named after the machine I’m configuring and are cleaned up afterwards.
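The whole flow described above (scan, generate the remediation playbook, fetch it, split it into per-host vars and tasks files, include them, clean up) as one added example task file; this is my own illustration and not the post's own code, so the tailoring-file variable oscap_tailoring, the /tmp and reports/ paths and the exact way the playbook is split are assumptions.

```yaml
- name: Install OpenSCAP scanner and SCAP Security Guide content
  ansible.builtin.package:
    name: [openscap-scanner, scap-security-guide]
    state: present
- name: Send the tailoring (customization) file to the remote workload
  ansible.builtin.copy:
    src: "files/{{ oscap_tailoring }}"  # assumed var: tailoring file name
    dest: "/tmp/{{ oscap_tailoring }}"
- name: Scan (rc 2 means rules failed, a valid result rather than an error)
  ansible.builtin.command: >
    oscap xccdf eval --profile {{ oscap_profile }}
    --tailoring-file /tmp/{{ oscap_tailoring }}
    --results-arf /tmp/arf.xml --report /tmp/report.html
    /usr/share/xml/scap/ssg/content/{{ oscap_policy }}.xml
  register: oscap_scan
  failed_when: oscap_scan.rc not in [0, 2]
  changed_when: false
- name: Generate an Ansible remediation playbook from the ARF results
  ansible.builtin.command: >
    oscap xccdf generate fix --fix-type ansible --profile {{ oscap_profile }}
    --tailoring-file /tmp/{{ oscap_tailoring }}
    --output /tmp/remediation.yml /tmp/arf.xml
  changed_when: false
- name: Download the HTML report and the playbook to the controller
  ansible.builtin.fetch:
    src: "/tmp/{{ item }}"
    dest: "reports/{{ inventory_hostname }}/"
    flat: true
  loop: [report.html, remediation.yml]
# A top-level playbook cannot be included from a task, so split its first play
# into a vars file and a tasks file named after the host, then include those
- name: Parse the downloaded remediation playbook on the controller
  ansible.builtin.set_fact:
    remediation: "{{ lookup('file', 'reports/' ~ inventory_hostname ~ '/remediation.yml') | from_yaml }}"
- name: Write host-specific vars and tasks files
  ansible.builtin.copy:
    content: "{{ item.data | to_nice_yaml }}"
    dest: "{{ playbook_dir }}/{{ inventory_hostname }}_{{ item.kind }}.yml"
  delegate_to: localhost
  loop:
    - { kind: vars, data: "{{ remediation[0].vars | default({}) }}" }
    - { kind: tasks, data: "{{ remediation[0].tasks | default([]) }}" }
- ansible.builtin.include_vars: "{{ playbook_dir }}/{{ inventory_hostname }}_vars.yml"
- ansible.builtin.include_tasks: "{{ playbook_dir }}/{{ inventory_hostname }}_tasks.yml"
- name: Clean up the generated per-host files
  ansible.builtin.file:
    path: "{{ playbook_dir }}/{{ inventory_hostname }}_{{ item }}.yml"
    state: absent
  delegate_to: localhost
  loop: [vars, tasks]
```

The failed_when on the scan matters: oscap returns 2 whenever at least one rule fails, so without it the play would abort before the remediation playbook is ever generated.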

For a complete code sample of the above (both the playbook and the whole task file), you can get those here.

The report

A sample of the resulting oscap report is shown below. I ran this after executing my remediation and I now have a clean, secure VM. In addition, as part of my IaC pipeline, security scans are performed on every VM created, and the resulting HTML reports are stored as artifacts in my Gitlab instance. This means that my security team can review results any time a deployment is created, and if a scan fails, we can rap any naughty developers over the knuckles ;-)