Setup Ansible control node
To setup an Ansible control node, execute the following steps from the SUSE Manager Web UI.
-
From the Web UI under
, verify that the productSUSE Linux Enterprise Server 15 SP5 x86_64
channel andSUSE Manager Client Tools for SUSE Linux Enterprise Server 15 x86_64
are installed and synchronized. -
Deploy a SUSE Linux Enterprise Server 15 SP5 client.
-
Select the client from the
page. Select and subscribe the client to the channelsSUSE Linux Enterprise Server 15 SP5 x86_64
andSUSE Manager Client Tools for SUSE Linux Enterprise Server 15 x86_64
.The SUSE Manager client tools contain the Ansible package.
-
From the
page, select your client. -
Select
, and underAdd-On System Types
enableAnsible Control Node
and click Update Properties. -
Navigate to the client overview page, select
, and click Apply Highstate. -
Select the Events tab and verify the status of the highstate.
1. Install the SCAP security guide package
For executing remediations you need to install the SCAP security guide package on the Ansible control node.
-
From
, select the client. Then click . -
Search for
scap-security-guide
and install the package suitable for your system. See the following table for package distribution requirements:Table 1. SCAP security guide package requirements Package name Supported Systems scap-security-guide
OpenSUSE, SLES12, SLES15
scap-security-guide-redhat
CentOS 7, CentOS 8, Fedora, Oracle Linux 7, Oracle Linux 8, RHEL7, RHEL8, RHEL9, Red Hat OpenStack Platform 10, Red Hat OpenStack Platform 13, Red Hat Virtualization 4, Scientific Linux
scap-security-guide-debian
Debian 9, Debian 10
scap-security-guide-ubuntu
Ubuntu 16.04. Ubuntu 18.04, Ubuntu 20.04
2. Creating Ansible inventory files
Ansible Integration tools deploy a playbook as an inventory file. Therefore, you should create one inventory file for each distinct OS listed in Table 1.
-
Create and add your hosts to an inventory file to be managed by Ansible. The default path for an Ansible inventory is
etc/ansible/hosts
.Listing 1. Inventory Exampleclient240.mgr.example.org client241.mgr.example.org client242.mgr.example.org client243.mgr.example.org ansible_ssh_private_key_file=/etc/ansible/some_ssh_key [mygroup1] client241.mgr.example.org client242.mgr.example.org [mygroup2] client243.mgr.example.org [all:vars] ansible_ssh_private_key_file=/etc/ansible/my_ansible_private_key
For additional playbook examples, see https://github.com/ansible/ansible-examples.
-
Create the SSH keys that you are using in your inventory.
ssh-keygen -f /etc/ansible/my_ansible_private_key
-
Copy the generated SSH keys to the Ansible managed clients. Example:
ssh-copy-id -i /etc/ansible/my_ansible_private_key root@client240.mgr.example.org
-
Test that Ansible is working by executing the following commands from the control node:
ansible all -m ping ansible mygroup1 -m ping ansible client240.mgr.example.org -m ping
3. Add inventory files to the Ansible control node
-
From the ansible control menu select:
. -
Under the
Playbook Directories
section add/usr/share/scap-security-guide/ansible
to the [literal] Add a Playbook Directories`` field and then click Save. -
Under
Inventory Files
add your inventory file locations to theAdd an Inventory file
field and click Save.Listing 2. Examples/etc/ansible/sles15 /etc/ansible/sles12 /etc/ansible/centos7
You may now run remediations For more information, see Compliance as code.