To remediate the remaining issues, we should generate and execute the bash script:
$ ansible-galaxy init roles/fix-bash
The role mirrors the fix-ansible role almost line for line, so I will only point out what differs rather than walk through every file. The contents of roles/fix-bash/defaults/main.yml are similar to those in the fix-ansible role; the only real change is that oscap is told to write a bash script and, since bash is its default fix type, no --fix-type option is needed:
bash_file:
  remote: "/tmp/{{ inventory_hostname }}_bash.sh"
  log: "generated/{{ inventory_hostname }}_bash.log"
bash_fix_command: >
  oscap xccdf generate fix
  --profile {{ oscap.profile }}
  --output {{ bash_file.remote }}
  {{ report.results }}
The tasks in roles/fix-bash/tasks/main.yml follow the same pattern: check whether the script already exists on the target, generate it from the XCCDF results of the previous scan, run it, and copy its output back to a log file on the control host. The stat check and the creates argument together guarantee the script is generated and executed at most once per host; delete it from the target if you want the fixes re-applied. Both the generate and run tasks set ignore_errors, because individual remediation commands in the generated script can exit non-zero without invalidating the rest. Note that the script is written to /tmp on the target and then executed with sudo; on a host shared with untrusted users, point bash_file.remote at a directory only root can write to instead:
# Only generate and run the script once per host; if it is already on the
# target we assume the fixes were applied on an earlier run
- name: do we already have the bash script?
  stat:
    path: "{{ bash_file.remote }}"
  register: bash_script_check

# oscap reads the XCCDF results from the previous scan and writes a bash
# remediation script covering the rules that failed
- name: generate the bash script
  command: "{{ bash_fix_command }}"
  args:
    creates: "{{ bash_file.remote }}"
  ignore_errors: yes

# individual fixes in the script may exit non-zero, so do not abort the play
- name: run the bash script
  command: "bash {{ bash_file.remote }}"
  ignore_errors: yes
  register: bash_run
  when: not bash_script_check.stat.exists

# keep the script's output on the control host for review
- name: write the results to a log file
  copy:
    content: "{{ bash_run.stdout }}"
    dest: "{{ bash_file.log }}"
  delegate_to: localhost
  become: no
  when: not bash_script_check.stat.exists
Update the site.yml file so it reads:
- hosts: scap
  gather_facts: true
  become: yes
  become_method: sudo
  vars_files:
    - group_vars/common.yml
  roles:
    - { role: install, tags: [ "scan" ] }
    - { role: scan, tags: [ "scan" ], report_name: "01-initial-scan" }
    - { role: fix-ansible, report_name: "01-initial-scan" }
    - { role: scan, report_name: "02-post-ansible-fix" }
    - { role: fix-bash, report_name: "02-post-ansible-fix" }
    - { role: scan, report_name: "03-post-bash-fix" }
This means the fix-bash role consumes the results of the scan that ran after the Ansible fix (02-post-ansible-fix) to generate a bash script containing the remaining fixes, and one final scan (03-post-bash-fix) then records what is still outstanding. To apply the final batch of fixes, run the following:
$ ansible-playbook -i production site.yml
This gives the following output:
PLAY [scap] *************************************************************************************
TASK [Gathering Facts] **************************************************************************
ok: [box1]
TASK [install : update all of the installed packages] *******************************************
ok: [box1]
TASK [install : install the packages needed] ****************************************************
ok: [box1] => (item=openscap-scanner)
ok: [box1] => (item=scap-security-guide)
TASK [scan : run the openscap scan] *************************************************************
ok: [box1]
TASK [scan : download the html report] **********************************************************
ok: [box1]
TASK [fix-ansible : fix missing folders] ********************************************************
ok: [box1] => (item=/etc/dconf/db/local.d/locks/)
TASK [fix-ansible : fix missing files] **********************************************************
changed: [box1] => (item=/etc/dconf/db/local.d/locks/00-security-settings-lock)
changed: [box1] => (item=/etc/sysconfig/prelink)
TASK [fix-ansible : do we already have the playbook?] *******************************************
ok: [box1]
TASK [fix-ansible : generate the ansible playbook with the fixes] *******************************
skipping: [box1]
TASK [fix-ansible : download the ansible playbook] **********************************************
skipping: [box1]
TASK [fix-ansible : run the ansible playbook locally] *******************************************
skipping: [box1]
TASK [fix-ansible : write the results to a log file] ********************************************
skipping: [box1]
TASK [scan : run the openscap scan] *************************************************************
ok: [box1]
TASK [scan : download the html report] **********************************************************
ok: [box1]
TASK [fix-bash : do we already have the bash script?] *******************************************
ok: [box1]
TASK [fix-bash : generate the bash script] ******************************************************
changed: [box1]
TASK [fix-bash : run the bash script] ***********************************************************
changed: [box1]
TASK [fix-bash : write the results to a log file] ***********************************************
changed: [box1 -> localhost]
TASK [scan : run the openscap scan] *************************************************************
fatal: [box1]: FAILED! =>
...ignoring
TASK [scan : download the html report] **********************************************************
changed: [box1]
PLAY RECAP **************************************************************************************
box1 : ok=16 changed=6 unreachable=0 failed=0
The fatal ... ignoring on the final run the openscap scan task is expected rather than a problem: oscap xccdf eval exits with status 2 whenever at least one rule fails (0 means every rule passed, 1 means the scan itself errored), and the scan role ignores that exit code so the play carries on to download the report. The recap confirms this with failed=0. Check the final report by running:
$ open generated/box1_report_03-post-bash-fix.html
This should show that the overall number of failed checks has reduced to just five:
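The HTML report gives the totals, but it does not tell you at a glance which rule IDs the bash script actually remediated between the 02-post-ansible-fix and 03-post-bash-fix scans, or which ones it tried and left in an error state. The following is an added example, not code from the chapter or from the scap-security-guide project: it parses two XCCDF results files (the XML that oscap xccdf eval --results writes and the scan role downloads) and classifies each rule as fixed, regressed, still failing or unresolved. The sample documents and the rule IDs in them are constructed for the demonstration, and the file paths in compare_files are assumptions about where your scan role leaves the results.

```python
"""Diff two XCCDF results files to see what a remediation pass changed.

Added example, not part of the original chapter or of scap-security-guide.
Assumes plain XCCDF results (output of `oscap xccdf eval --results`) in the
XCCDF 1.2 or 1.1 namespace; the sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 is what scap-security-guide content uses; 1.1 covers older content.
XCCDF_NAMESPACES = (
    "http://checklists.nist.gov/xccdf/1.2",
    "http://checklists.nist.gov/xccdf/1.1",
)


def rule_results(xml_text):
    """Return {rule idref: result} for every rule-result inside a TestResult.

    TestResult is searched for anywhere in the tree, so this works both on a
    bare results file (Benchmark root) and on an ARF report that wraps it.
    For results you did not produce yourself, parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for ns in XCCDF_NAMESPACES:
        q = {"x": ns}
        for rr in root.iterfind(".//x:TestResult/x:rule-result", q):
            res = rr.find("x:result", q)
            if res is not None and rr.get("idref"):
                results[rr.get("idref")] = (res.text or "").strip()
    return results


def summarize(results):
    """Count rules per result state (pass, fail, notselected, error, ...)."""
    return dict(Counter(results.values()))


def diff_results(before, after):
    """Classify rules by how their state changed between two scans."""
    fixed = sorted(r for r, s in before.items() if s == "fail" and after.get(r) == "pass")
    regressed = sorted(r for r, s in before.items() if s == "pass" and after.get(r) == "fail")
    still_failing = sorted(r for r, s in after.items() if s == "fail")
    # failed before and is now neither pass nor fail: the fix errored or the rule vanished
    unresolved = sorted(
        r for r, s in before.items()
        if s == "fail" and after.get(r) not in ("pass", "fail")
    )
    return {"fixed": fixed, "regressed": regressed,
            "still_failing": still_failing, "unresolved": unresolved}


def compare_files(before_path, after_path):
    """Diff two results files on disk (paths are assumed, adjust to your layout)."""
    with open(before_path, encoding="utf-8") as fb, open(after_path, encoding="utf-8") as fa:
        return diff_results(rule_results(fb.read()), rule_results(fa.read()))


def _sample(states):
    """Build a constructed, minimal XCCDF 1.2 results document."""
    body = "".join(
        f'<rule-result idref="{rid}"><result>{state}</result></rule-result>'
        for rid, state in states.items()
    )
    return ('<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">'
            '<TestResult id="xccdf_example_testresult">' + body + "</TestResult></Benchmark>")


RULE = "xccdf_org.ssgproject.content_rule_"
# Constructed stand-ins for the 02-post-ansible-fix and 03-post-bash-fix results.
SAMPLE_BEFORE = _sample({
    RULE + "disable_prelink": "fail",
    RULE + "dconf_db_up_to_date": "fail",
    RULE + "service_auditd_enabled": "fail",
    RULE + "accounts_password_pam_minlen": "fail",
    RULE + "package_aide_installed": "pass",
    RULE + "grub2_password": "notselected",
})
SAMPLE_AFTER = _sample({
    RULE + "disable_prelink": "pass",
    RULE + "dconf_db_up_to_date": "pass",
    RULE + "service_auditd_enabled": "error",   # the fix ran but the check errored
    RULE + "accounts_password_pam_minlen": "fail",
    RULE + "package_aide_installed": "pass",
    RULE + "grub2_password": "notselected",
})


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        report = compare_files(sys.argv[1], sys.argv[2])
    else:
        report = diff_results(rule_results(SAMPLE_BEFORE), rule_results(SAMPLE_AFTER))
    for state, rules in report.items():
        print(f"{state} ({len(rules)}):")
        for rule in rules:
            print("  " + rule)
```

Run it as python xccdf_diff.py generated/box1_results_02-post-ansible-fix.xml generated/box1_results_03-post-bash-fix.xml (assumed file names) to see the real lists; with no arguments it works through the constructed samples. The unresolved bucket is the one worth checking first, since a rule that went from fail to error usually means the generated remediation command itself failed on the host.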