@dmccuk
Last active January 2, 2024 02:17
Docs:

https://github.com/RedHatDemos/SecurityDemos/blob/master/2019Labs/RHELSecurityLab/documentation/lab1_OpenSCAP.adoc

Generate the report first:

sudo oscap xccdf eval --oval-results --profile cis --results-arf /tmp/arf.xml --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Now create the playbook from the scan results (the ARF file written above):

oscap xccdf generate fix --fix-type ansible --result-id "" /tmp/arf.xml > playbook.yml

Run the playbook against your server to force CIS compliance:

ansible-playbook -i hosts.ini playbook.yml --become

Re-run the report and check the result:

sudo oscap xccdf eval --oval-results --profile cis --results-arf /tmp/arf.xml --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Now your CentOS 8 server is almost 95% compliant with the CIS benchmark!
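
To check the result of the re-run without opening the HTML report, the rule outcomes can be read straight from the ARF file. The script below is an added example, not part of the original gist or of OpenSCAP; the embedded sample XML and its rule ids are constructed, and the percentage is a simple pass ratio over evaluated rules (an assumption), not the score oscap prints in its report.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed sample standing in for /tmp/arf.xml (not real scan output).
SAMPLE = """<arf:asset-report-collection
  xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
  xmlns="http://checklists.nist.gov/xccdf/1.2">
 <arf:reports><arf:report id="constructed"><arf:content>
  <TestResult id="constructed_result">
   <rule-result idref="rule_a"><result>pass</result></rule-result>
   <rule-result idref="rule_b"><result>pass</result></rule-result>
   <rule-result idref="rule_c"><result>fail</result></rule-result>
   <rule-result idref="rule_d"><result>notapplicable</result></rule-result>
   <rule-result idref="rule_e"><result>pass</result></rule-result>
   <rule-result idref="rule_f"><result>notselected</result></rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""

# Outcomes that still need work after remediation.
NEEDS_ATTENTION = ("fail", "error", "unknown")


def summarise(root):
    """Return (counts per outcome, rule ids needing attention, pass ratio in %)."""
    counts, open_rules = Counter(), []
    # iter() finds rule-result elements wherever the TestResult is nested in the ARF.
    for rr in root.iter(XCCDF + "rule-result"):
        outcome = (rr.findtext(XCCDF + "result") or "unknown").strip()
        counts[outcome] += 1
        if outcome in NEEDS_ATTENTION:
            open_rules.append(rr.get("idref"))
    passed = counts["pass"] + counts["fixed"]
    scored = passed + len(open_rules)
    # Simple ratio over evaluated rules; an assumption, not oscap's own score.
    pct = round(100.0 * passed / scored, 1) if scored else 0.0
    return counts, open_rules, pct


if __name__ == "__main__":
    # Pass the ARF path (e.g. /tmp/arf.xml); with no argument the sample is used.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    counts, open_rules, pct = summarise(root)
    print(dict(counts), f"{pct}% of evaluated rules pass")
    for rule_id in open_rules:
        print("still open:", rule_id)
```

Keep a copy of the first scan's ARF file before re-running, since the second `oscap xccdf eval` overwrites `/tmp/arf.xml`; running the script on both files shows which rules the playbook actually closed.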
