8.6. Creating a Remediation Ansible Playbook to Align the System with a Specific Baseline
Use this procedure to create an Ansible playbook containing only the remediations that are needed to align your system with a specific baseline. This example uses the Protection Profile for General Purpose Operating Systems (OSPP). With this procedure, you create a smaller playbook that does not cover already satisfied requirements. Following these steps does not modify your system in any way; you only prepare a file for later application.
Prerequisites
- The scap-security-guide package is installed on your system.
Procedure
- Scan the system and save the results:
~]# oscap xccdf eval --profile ospp --results ospp-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
- Generate an Ansible playbook based on the file generated in the previous step:
~]# oscap xccdf generate fix --fix-type ansible --profile ospp --output ospp-remediations.yml ospp-results.xml
- The ospp-remediations.yml file contains Ansible remediations for rules that failed during the scan performed in step 1. After you review this generated file, you can apply it with the ansible-playbook ospp-remediations.yml command.
Verification
- In a text editor of your choice, review that the ospp-remediations.yml file contains rules that failed in the scan performed in step 1.
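
The review in the verification step can be supported by a script. The following is an added example, not part of the original procedure or of the OpenSCAP project: it lists the rules marked fail in the XCCDF 1.2 results file and checks whether each one is mentioned in the playbook. It assumes the generated playbook names each rule by its short id (for example in a task's tags); the sample data and the example_rule_* names are constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"       # XCCDF 1.2 namespace
PREFIX = "xccdf_org.ssgproject.content_rule_"           # SSG rule id prefix

# Constructed sample data (not real scan output), used when no files are given.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <TestResult id="xccdf_org.open-scap_testresult_constructed">
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_rule_a"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_rule_b"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_rule_c"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_rule"><result>fail</result></rule-result>
 </TestResult>
</Benchmark>"""
SAMPLE_PLAYBOOK = """- hosts: all
  tasks:
    - name: Constructed remediation task
      command: /bin/true
      tags:
        - example_rule_a
"""

def failed_rules(results_xml):
    """Return the short ids of all rules whose <rule-result> is 'fail'."""
    failed = []
    for rr in ET.fromstring(results_xml).iter(XCCDF + "rule-result"):
        if (rr.findtext(XCCDF + "result") or "").strip() == "fail":
            idref = rr.get("idref", "")
            failed.append(idref[len(PREFIX):] if idref.startswith(PREFIX) else idref)
    return failed

def compare(results_xml, playbook_text):
    """Split failed rules into (mentioned in playbook, not mentioned)."""
    covered, missing = [], []
    for rule in failed_rules(results_xml):
        # Whole-token match so that 'example_rule' does not match 'example_rule_a'.
        hit = re.search(r"(?<![\w-])" + re.escape(rule) + r"(?![\w-])", playbook_text)
        (covered if hit else missing).append(rule)
    return covered, missing

if __name__ == "__main__":
    if len(sys.argv) == 3:   # arguments: ospp-results.xml ospp-remediations.yml
        results = open(sys.argv[1], "rb").read()
        playbook = open(sys.argv[2], encoding="utf-8").read()
    else:
        results, playbook = SAMPLE_RESULTS, SAMPLE_PLAYBOOK
    covered, missing = compare(results, playbook)
    print("failed rules mentioned in the playbook:", *covered, sep="\n  ")
    print("failed rules not mentioned (review manually):", *missing, sep="\n  ")
```

Rules reported as not mentioned need manual review, for example because the content carries no Ansible fix for them.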
Additional Resources
- scap-security-guide(8) and oscap(8) man pages