Setup an Ansible control node

To setup an Ansible control node, execute the following steps from the SUSE Manager Web UI.

procedure: Setup an Ansible control node
  1. From the Web UI under Admin  Setup Wizard  Products, verify that the product SUSE Linux Enterprise Server 15 SP3 x86_64 channel and SUSE Manager Client Tools for SLE 15 x86_64 are installed and synchronized.

  2. Deploy a SUSE Linux Enterprise 15 SP3 client.

  3. Select the client from the Systems Overview  ] page. Select menu:Software[Software Channels and subscribe the client to the channels SUSE Linux Enterprise Server 15 SP3 x86_64 and SUSE Manager Client Tools for SLE 15 x86_64.

    The SUSE Manager client tools contains the Ansible package.

  4. From the System  Overview page, select your client.

  5. Select Details  Properties, and under Add-On System Types: enable Ansible Control Node and click Update Properties.

  6. Navigate to the client overview page, select menu:[State > Highstate], and click Apply Highstate.

  7. Select the Events tab and verify the status of the highstate.

1. Install the SCAP security guide package

For executing remediations you need to install the SCAP security guide package on the Ansible control node.

procedure: Install the SCAP security guide package
  1. From Systems Overview  ], select the client. Then click menu:[Software  Packages  Install.

  2. Search for scap-security-guide and install the package suitable for your system. See the following table for package distribution requirements:

    Table 1. SCAP security guide package requirements
    Package name Supported Systems

    scap-security-guide

    OpenSUSE, SLES12, SLES15

    scap-security-guide-redhat

    CentOS 7, CentOS 8, Fedora, Oracle Linux 7, Oracle Linux 8, RHEL7, RHEL8, RHEL9, Red Hat OpenStack Platform 10, Red Hat OpenStack Platform 13, Red Hat Virtualization 4, Scientific Linux

    scap-security-guide-debian

    Debian 9, Debian 10

    scap-security-guide-ubuntu

    Ubuntu 16.04. Ubuntu 18.04, Ubuntu 20.04

2. Creating Ansible inventory files

Ansible Integration tools deploy a playbook as an inventory file. Therefore, you should create one inventory file for each distinct OS listed in Table 1.

Procedure: Creating the Ansible inventory files
  1. Create and add your hosts to an inventory file to be managed by Ansible. The default path for an Ansible inventory is etc/ansible/hosts.

    Listing 1. Inventory Example
    client240.mgr.example.org
    client241.mgr.example.org
    client242.mgr.example.org
    client243.mgr.example.org  ansible_ssh_private_key_file=/etc/ansible/some_ssh_key
    
    [mygroup1]
    client241.mgr.example.org
    client242.mgr.example.org
    
    [mygroup2]
    client243.mgr.example.org
    
    [all:vars]
    ansible_ssh_private_key_file=/etc/ansible/my_ansible_private_key

    For additional playbook examples, see https://github.com/ansible/ansible-examples.

  2. Create the SSH keys that you are using in your inventory.

    ssh-keygen -f /etc/ansible/my_ansible_private_key
  3. Copy the generated SSH keys to the Ansible managed clients. Example:

    ssh-copy-id -i /etc/ansible/my_ansible_private_key root@client240.mgr.example.org
  4. Test that Ansible is working by executing the following commands from the control node:

    ansible all -m ping
    ansible mygroup1 -m ping
    ansible client240.mgr.example.org -m ping

3. Add inventory files to the Ansible control node

Procedure: Adding Ansible inventory files to the control node
  1. From the ansible control menu select: Ansible  Control Node.

  2. Under the Playbook Directories section add /usr/share/scap-security-guide/ansible to the Add a Playbook Directories field and then click Save.

  3. Under Inventory Files add your inventory file locations to the Add an Inventory file field and click Save.

    Listing 2. Examples
    /etc/ansible/sles15
    /etc/ansible/sles12
    /etc/ansible/centos7

You may now run remediations For more information, see: ansible-compliance-as-code.adoc.