Thanks for the awesome content, it really helped to achieve CIS compliance on CentOS Stream 8
Thanks Aamir, I'm glad it helped!
Dennis, your part 1 show notes link points to "Complete Jenkins Pipeline Tutorial | Jenkinsfile | Github Webhook", the original one you did, and not part 1 for CIS. Other than that, great video. It almost worked out of the box for OL8; however, I had to go and lint/syntax check some of the tasks created in the playbook.
Hi John, I've moved away from Oscap now and instead use ansible-lockdown. It's actually pretty easy to use and you can be up and running in a few minutes. Ansible-lockdown doesn't care if you're RHEL, OEL, CentOS, Alma or Rocky. It just applies the compliance standards you choose. Check it out here: github.com/ansible-lockdown
I'll be doing a short video on it soon.
@LondonIAC I saw you mentioned lockdown somewhere else and had a look at it, looks good. Looking forward to the video, cheers
Great explanation, thank you!
Glad it was helpful!
Is it possible to generate remediation files simply from .CKL files/Host/Host OS Type inputted into OpenScap? For example, what if I already scanned the endpoint, have my checklists and need to quickly build an Ansible PB.
How to specify podman image in Ansible hosts file? localhost not working for images. Kindly help
Hi, did you manage to resolve your issue?
I'm stuck at the Ansible part, can't do SSH. Any guide that I can follow?
Hi Yasser, yes you can run it locally.
I'm just used to running Ansible from an [ansible] control node. That's just how I work but yes you are free to run it locally.
@LondonIAC I'm unable to configure this Ansible, could you guide me? I'm getting an SSH fatal error, not used Ansible before!
@yasserkhan2297 I don't have time to guide you as I'm working full time. Depending on what OS you're using, check out this video and some of my others:
th-cam.com/video/mOHhYZyooXM/w-d-xo.html
This Ansible doc contains the information on how to install Ansible on multiple platforms: docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
Alternatively, I would recommend this Ansible course. It has lots of demos and labs to follow:
www.udemy.com/course/diveintoansible/
I know Udemy run lots of promotions so it should be cheap.
@LondonIAC I'm using CentOS 7, thanks for the help
@LondonIAC Thanks a lot for this, I have run it locally!
Can it be used for SUSE and Ubuntu as well?
Hi Amit,
Checking Google, both SUSE and Ubuntu are supported:
SUSE: documentation.suse.com/external-tree/en-us/suma/4.0/suse-manager/reference/audit/audit-openscap-overview.html
Ubuntu: ubuntu.com/security/oval
I've not scanned either OS using open-scap so have a read. You'll probably need to look both up in more detail.
Good luck!
Should your server have access to the internet to generate an Ansible playbook?
Hi Arrey, I did this a while ago now but I think there is a part of this that does need to get some extra info from the internet (fetch remote resources, I think). If you're working in a locked-down environment on a corporate network, that could be an issue. I would also look up ansible-lockdown. This is a very good alternative to CIS - github.com/ansible-lockdown
I might do a video on this in the future.
Hi Sir, can you tell me how I can attach an IAM role to an EC2 instance using Ansible?
Hi,
It's not that clear how to do this. Have you looked at:
docs.ansible.com/ansible/2.9/modules/ec2_module.html
Check instance_profile_name. That might be what you're looking for.
Let me know if that resolves it for you.
Do we have a CIS Benchmark for SUSE Linux?
Checking the OpenScap website, they have this: static.open-scap.org/ssg-guides/ssg-sle15-guide-index.html
CIS themselves let you download the PDF for free here: www.cisecurity.org/benchmark/suse_linux
I think you have to give them your email for that.
Hope that helps.