OpenScap: Generate Ansible playbook to remediate CIS benchmark in centos 8 | Part 2 

LondonIAC / Dennis McCarthy / Automation Engineer
Subscribers: 6K
Views: 7K

Published: 30 Oct 2024

Comments: 27
@aamir.sq11, 2 years ago
Thanks for the awesome content, it really helped to achieve CIS compliance on CentOS Stream 8
@LondonIAC, 2 years ago
Thanks Aamir, I'm glad it helped!
@johnjames_cowperthwaite, 1 year ago
Dennis, your part 1 show notes link points to "Complete Jenkins Pipeline Tutorial | Jenkinsfile | Github Webhook, the original one you did," and not part 1 for CIS; other than that, great video. It almost worked out of the box for OL8; however, I had to go and lint/syntax check some of the tasks created in the playbook.
@LondonIAC, 1 year ago
Hi John, I've moved away from Oscap now and instead use ansible-lockdown. It's actually pretty easy to use and you can be up and running in a few minutes. Ansible-lockdown doesn't care if you're RHEL, OEL, CentOS, Alma or Rocky. It just applies the compliance standards you choose. Check it out here: github.com/ansible-lockdown. I'll be doing a short video on it soon.
@johnjames_cowperthwaite, 1 year ago
@LondonIAC I saw you mentioned lockdown somewhere else and had a look at it, looks good. Looking forward to the video, cheers
@kayne3619, 1 year ago
Is it possible to generate remediation files simply from .CKL files/Host/Host OS Type inputted into OpenScap? For example, what if I already scanned the endpoint, have my checklists and need to quickly build an Ansible PB?
@akimyucel3900, 2 years ago
Great explanation, thank you!
@LondonIAC, 2 years ago
Glad it was helpful!
@yasserkhan2297, 3 years ago
I'm stuck at the Ansible part, can't do ssh. Any guide that I can follow?
@LondonIAC, 3 years ago
Hi Yasser, yes you can run it locally. I'm just used to running Ansible from an [ansible] control node. That's just how I work but yes you are free to run it locally.
@yasserkhan2297, 3 years ago
@LondonIAC I'm unable to configure this Ansible, could you guide me? I'm getting an ssh fatal error, not used Ansible before!
@LondonIAC, 3 years ago
@yasserkhan2297 I don't have time to guide you as I'm working full time. Depending on what OS you're using, check out this video and some of my others: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-mOHhYZyooXM.html This Ansible doc contains the information on how to install Ansible on multiple platforms: docs.ansible.com/ansible/latest/installation_guide/intro_installation.html Alternatively, I would recommend this Ansible course. It has lots of demos and labs to follow: www.udemy.com/course/diveintoansible/ I know Udemy run lots of promotions so it should be cheap.
@yasserkhan2297, 3 years ago
@LondonIAC I'm using centos7, thanks for the help
@yasserkhan2297, 3 years ago
@LondonIAC Thanks a lot for this, I have run it locally!
@khuddusabdul2143, 3 years ago
How to specify a podman image in the Ansible hosts file? localhost is not working for images. Kindly help
@LondonIAC, 2 years ago
Hi, did you manage to resolve your issue?
@arrey11, 2 years ago
Should your server have access to the internet to generate the Ansible playbook?
@LondonIAC, 2 years ago
Hi Arrey, I did this a while ago now but I think there is a part of this that does need to get some extra info from the internet (fetch remote resources, I think). If you're working in a locked down environment on a corporate network, that could be an issue. I would also look up ansible-lockdown. This is a very good alternative to CIS - github.com/ansible-lockdown I might do a video on this in the future.
@amitchettri_ac, 2 years ago
Can it be used for SUSE and Ubuntu as well?
@LondonIAC, 2 years ago
Hi Amit, checking Google, both SUSE and Ubuntu are supported: SUSE: documentation.suse.com/external-tree/en-us/suma/4.0/suse-manager/reference/audit/audit-openscap-overview.html Ubuntu: ubuntu.com/security/oval I've not scanned either OS using open-scap so have a read. You'll probably need to look both up in more detail. Good luck!
@gauravmanshani206, 2 years ago
Hi Sir, can you tell how I can attach an IAM role to an EC2 instance using Ansible?
@LondonIAC, 2 years ago
Hi, It's not that clear how to do this. Have you looked at: docs.ansible.com/ansible/2.9/modules/ec2_module.html Check instance_profile_name. That might be what you're looking for. Let me know if that resolves it for you.
@srinivasraju03, 2 years ago
Do we have a CIS Benchmark for SUSE Linux?
@LondonIAC, 2 years ago
Checking the OpenScap website, they have this: static.open-scap.org/ssg-guides/ssg-sle15-guide-index.html CIS themselves let you download the PDF for free here: www.cisecurity.org/benchmark/suse_linux I think you have to give them your email for that. Hope that helps.