7.7. Using OpenSCAP with Ansible

To assist with integrating configuration compliance into your existing Ansible workflow, OpenSCAP generates remediations for use with Ansible. The remediations are generated in the form of Ansible playbooks, based either on profiles or on scan results.
A playbook based on a SCAP Security Guide (SSG) profile contains fixes for all rules, and the system is remediated according to the profile regardless of the state of the machine. On the other hand, playbooks based on scan results contain only fixes for rules that failed during an evaluation.
In Red Hat Enterprise Linux 7, SSG provides pre-built Ansible playbooks for each profile and Red Hat product. The playbooks are stored in the /usr/share/scap-security-guide/ansible/ directory.
To generate an Ansible playbook based on a profile (for example, the DISA STIG profile for Red Hat Enterprise Linux 7), enter the following command:
$ oscap xccdf generate fix --fix-type ansible --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output stig-rhel7-role.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
To generate an Ansible playbook based on the results of a scan, enter the following command:
$ oscap xccdf generate fix --fix-type ansible --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output stig-playbook-result.yml results.xml
where results.xml is the results file written by a scan run with the --results option, and the --result-id option names the ID of the TestResult component in that file. To obtain the ID of the TestResult component, use the oscap info command on the results.xml file:
$ oscap info results.xml | grep "Result ID"
To apply the Ansible playbook, enter the following command:
$ ansible-playbook playbook.yml
Note that the ansible-playbook command is provided by the ansible package. See the ansible-playbook(1) man page and the Ansible Tower User Guide for more information.
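To show what the results-based workflow above consumes, the following is an added Python example (not code from this guide or from the OpenSCAP project) that parses a constructed XCCDF results file, extracts the TestResult ID that --result-id needs, lists the rules whose result is fail (the only rules a results-based playbook contains), and assembles the generate fix command. The sample XML and its rule IDs are constructed for illustration; a real results.xml also embeds the full Benchmark content.

```python
"""Parse an OpenSCAP XCCDF results file (what `oscap xccdf eval --results` writes):
find the TestResult ID for --result-id and list the rules that failed."""
import xml.etree.ElementTree as ET

# Constructed sample; a real file also embeds the whole Benchmark content.
SAMPLE_RESULTS_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

def _local(tag):
    """Strip the namespace so XCCDF 1.1, 1.2 and ARF-wrapped results all match."""
    return tag.rsplit("}", 1)[-1]

def list_result_ids(xml_text):
    """Every TestResult ID in the file; the same values `oscap info | grep "Result ID"` prints."""
    return [el.get("id") for el in ET.fromstring(xml_text).iter() if _local(el.tag) == "TestResult"]

def failed_rules(xml_text, result_id):
    """Rule IDs whose outcome is 'fail' in the chosen TestResult: the only rules a
    results-based playbook will carry (pass/notapplicable/notselected are skipped)."""
    for tr in ET.fromstring(xml_text).iter():
        if _local(tr.tag) == "TestResult" and tr.get("id") == result_id:
            failed = []
            for rr in tr.iter():
                if _local(rr.tag) != "rule-result":
                    continue
                outcome = next((c.text or "" for c in rr if _local(c.tag) == "result"), "")
                if outcome.strip() == "fail":
                    failed.append(rr.get("idref"))
            return failed
    raise ValueError(f"no TestResult with id {result_id!r} in results file")

def generate_fix_command(results_path, result_id, output="playbook-result.yml"):
    """The `oscap xccdf generate fix` command line from this section with the result ID filled in."""
    return ["oscap", "xccdf", "generate", "fix", "--fix-type", "ansible",
            "--result-id", result_id, "--output", output, results_path]

if __name__ == "__main__":
    rid = list_result_ids(SAMPLE_RESULTS_XML)[0]
    print("Result ID:", rid)
    print("Rules a results-based playbook would fix:", failed_rules(SAMPLE_RESULTS_XML, rid))
    print(" ".join(generate_fix_command("results.xml", rid)))
```

Pointing list_result_ids and failed_rules at a real results.xml lets you confirm which rules a generated playbook will touch before you run ansible-playbook against the host.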

Filtering Tasks

Tasks contained in playbooks are tagged with the same metadata as rules in an Extensible Configuration Checklist Description Format (XCCDF) file. These tags refer to rule ID, strategy, complexity, disruption, and references, and they can be used to filter the tasks to apply.
For example, to remediate only the rules from the PCI-DSS policy requirement 6.2, enter the following command:
$ ansible-playbook --tags=PCI-DSS-Req-6.2 /usr/share/scap-security-guide/ansible/ssg-rhel7-role-pci-dss.yml
To remediate only high-severity rules from the RHEL7 OSPP playbook that are not highly disruptive, enter the following command:
$ ansible-playbook --tags=high_severity --skip-tags=high_disruption /usr/share/scap-security-guide/ansible/ssg-rhel7-role-ospp-rhel7.yml

Customizing Playbooks

You can choose between two approaches to customize your playbooks. The first is to generate playbooks from already customized (tailored) profiles. This approach is preferable if the customization changes which rules are selected.
The second approach is to change the variables in the playbook itself, which is the usual Ansible way of customizing a playbook.
To generate Ansible playbooks for tailored profiles, use the --profile option to specify the ID of the customized profile, and use the --tailoring-file option to indicate where the tailoring file is located. These arguments are the same as when performing a scan using a tailored profile, for example:
$ oscap xccdf generate fix --fix-type ansible --profile xccdf_org.ssgproject.content_profile_common_customized --tailoring-file ssg-rhel7-ds-tailoring.xml --output tailored-playbook.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
To customize variables, edit the playbook in a text editor. All variables the playbook uses are declared at its beginning, in the section that follows the vars: key.