Running the initial scan

Now that we have both the install and scan roles completed, we can run our first scan. The only file we have not covered yet is the site.yml one; this one looks like slightly different to the ones we have been using in other chapters:

---

- hosts: scap
  gather_facts: true
  become: yes
  become_method: sudo

  vars_files:
    - group_vars/common.yml

  roles:
    - { role: install, tags: [ "scan" ] }
    - { role: scan, tags: [ "scan" ], report_name: "01-initial-scan" }

As you can see, we are tagging the roles as well as passing a parameter when running the scan. For now, we are just going to run playbook without using any tags. To run the playbook, issue the following command:

$ ansible-playbook -i production site.yml

This will give us the following results:

PLAY [scap] ****************************************************************************************

TASK [Gathering Facts] *****************************************************************************
ok: [box1]

TASK [install : install the packages needed] *******************************************************
changed: [box1] => (item=openscap-scanner)
changed: [box1] => (item=scap-security-guide)

TASK [scan : run the openscap scan] ****************************************************************
fatal: [box1]: FAILED! => {"changed": true, "cmd": ["oscap", "xccdf", "eval", "--profile", "xccdf_org.ssgproject.content_profile_pci-dss", "--fetch-remote-resources", "--results-arf", "/tmp/box1_results_01-initial-scan.xml", "--report", "/tmp/box1_report_01-initial-scan.html", "/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml"], "delta": "0:01:03.459407", "end": "2018-05-16 08:17:50.970321", "msg": "non-zero return code", "rc": 2, "start": "2018-05-16 08:16:47.510914", "stderr": "Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok", "stderr_lines": ["Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok"], "stdout": "Title
	Ensure Red Hat GPG Key Installed
Rule
	xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result
	pass

Title
	Ensure gpgcheck Enabled In Main Yum "	xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers", "Result", "	pass"]}
...ignoring

TASK [scan : download the html report] *************************************************************
changed: [box1]

PLAY RECAP *****************************************************************************************
box1 : ok=4 changed=3 unreachable=0 failed=0

I have truncated the scan results in this output, but when you run it, you will see a large section of failed output colored red. As already mentioned, this is to be expected and is nothing to worry about.

A copy of the HTML report for our initial scan should be on your Ansible controller now; you can open it in your browser with the following command:

$ open generated/box1_report_01-initial-scan.html

Or, open the generated folder and double-click on box1_report_01-initial-scan.html:

As you can see from the example, our host failed 51 of the 94 checks OpenSCAP ran. Let's look at doing something about getting that number of failed checks down.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.188.152.162