Merge of RedHatGov/product-demos (#56)

Co-authored-by: MKletz <michael.kletz.27@gmail.com> Co-authored-by: Ajay Chenampara <ajay.chenampara@gmail.com> Co-authored-by: dlemons-redhat <69318976+dlemons-redhat@users.noreply.github.com> Co-authored-by: Nicolas Leiva <nicolasleiva@gmail.com> Co-authored-by: benblasco <42140583+benblasco@users.noreply.github.com> Co-authored-by: Benjamin Blasco <bblasco@redhat.com> Co-authored-by: calvingsmith <4283930+calvingsmith@users.noreply.github.com> Co-authored-by: Calvin Smith <calvingsmith@users.noreply.github.com> Co-authored-by: Hicham Mourad <43329991+HichamMourad@users.noreply.github.com>
2023-03-17 09:07:02 -04:00
parent 8acff9c9b1
commit c18a206499
279 changed files with 5191 additions and 4649 deletions
--- a/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml
+++ b/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+instance_name: "{{ inventory_hostname | regex_replace('_', '-') }}"
+activation_key: "{{ 'RHEL' + ansible_distribution_major_version + '_' + env }}"
+rex_user: root # "{{ ansible_user }}"
+force_register: true
--- a/collections/ansible_collections/demo/satellite/roles/register_host/tasks/main.yml
+++ b/collections/ansible_collections/demo/satellite/roles/register_host/tasks/main.yml
@@ -0,0 +1,67 @@
+---
+- name: Verify operating system
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family == 'RedHat'
+      - (ansible_distribution_major_version == '7') or (ansible_distribution_major_version == '8')
+
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ instance_name }}"
+
+- name: Remove rhui client packages
+  ansible.builtin.yum:
+    name:
+      - google-rhui-client*
+      - rh-amazon-rhui-client*
+    state: removed
+
+- name: Get current repos
+  ansible.builtin.command:
+    cmd: ls /etc/yum.repos.d/
+  register: repos
+  changed_when: false
+
+- name: Remove existing rhui repos
+  ansible.builtin.file:
+    path: "/etc/yum.repos.d/{{ item }}"
+    state: absent
+  loop: "{{ repos.stdout_lines }}"
+
+- name: Install satellite certificate
+  ansible.builtin.yum:
+    name: "{{ satellite_url }}/pub/katello-ca-consumer-latest.noarch.rpm"
+    state: present
+    validate_certs: false
+    disable_gpg_check: true
+
+- name: Register system via subscription-mangler
+  community.general.redhat_subscription:
+    state: present
+    activationkey: "{{ activation_key }}"
+    consumer_name: "{{ instance_name }}"
+    org_id: "{{ org_id | default('Default_Organization') }}"
+    force_register: "{{ force_register }}"
+  throttle: 1
+
+- name: Include repos
+  ansible.builtin.include_vars: "vars/{{ ansible_distribution + ansible_distribution_major_version }}.yml"
+
+- name: Enable repos
+  community.general.rhsm_repository:
+    name: "{{ rhsm_enabled_repos }}"
+    state: enabled
+
+- name: Install satellite client
+  ansible.builtin.yum:
+    name:
+      - katello-host-tools
+      - katello-host-tools-tracer
+    state: installed
+
+- name: Enable remote execution
+  ansible.posix.authorized_key:
+    user: "{{ rex_user }}"
+    state: present
+    key: "{{ satellite_url }}:9090/ssh/pubkey"
+    validate_certs: false
--- a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml
+++ b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml
@@ -0,0 +1,4 @@
+---
+rhsm_enabled_repos:
+  - rhel-7-server-rpms
+  # - rhel-7-server-satellite-maintenance-6.11-rpms
--- a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml
+++ b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml
@@ -0,0 +1,5 @@
+---
+rhsm_enabled_repos:
+  - rhel-8-for-x86_64-baseos-rpms
+  - rhel-8-for-x86_64-appstream-rpms
+  - satellite-client-6-for-rhel-8-x86_64-rpms
--- a/collections/ansible_collections/demo/satellite/roles/scap_client/Changelog.md
+++ b/collections/ansible_collections/demo/satellite/roles/scap_client/Changelog.md
@@ -0,0 +1,17 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+## [0.0.1] - 20/03/2018 - First Release
+### Added
+- Install required packages
+- Obtain data from satellite API
+- Configure crontab and config.yaml
+
+### Changed
+
+### Removed
+
+### Pending
+- Allow a list of policies to be applied (only one is allowed at the moment)
+- Get schedule from the policy instead of configure it using parameters
+- Configure URI tasks to ask capsule instead of Satellite (for hosts without network access to the satellite api)
+- Add tests to vars to be correctly formatted
--- a/collections/ansible_collections/demo/satellite/roles/scap_client/LICENSE
+++ b/collections/ansible_collections/demo/satellite/roles/scap_client/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 morenod
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/collections/ansible_collections/demo/satellite/roles/scap_client/README.md
+++ b/collections/ansible_collections/demo/satellite/roles/scap_client/README.md
@@ -0,0 +1,45 @@
+# Openscap client configuration Role
+
+## About
+
+Role created to configure a client to execute openscap policies based on the information obtained from a Red Hat Satellite/Foreman Host.
+
+Steps and configuration changes obtained from the [foreman_scap_client puppet module](https://github.com/theforeman/puppet-foreman_scap_client)
+
+The role has to be executed with root permission, using the root user or via sudo because it will modify system parameters.
+
+## Ansible Requirements
+
+RPM Repositories have to be enabled and containing required packages.
+
+## Configuration parameters
+
+### Required vars to be overwritten
+
+- `satellite_server`: Used to obtain policy parameters
+- `satellite_username`: Used to obtain policy parameters
+- `satellite_password`: Used to obtain policy parameters
+- `capsule_server`: Used to configure openscap client config.yaml file
+- `capsule_port`: Used to configure openscap client config.yaml file
+- `policy_name`: Name of the SCAP Policy to be configured
+
+## Example playbook
+
+```yml
+---
+- name: openscap client
+  hosts: <<host list>>
+  remote_user: <<user>>
+  gather_facts: true
+  become: yes
+  become_user: root
+  become_method: sudo
+  vars:
+    satellite_server: satellite.example.com
+    satellite_username`: admin
+    satellite_password`: verycomplexpassword
+    capsule_server`: capsule.example.com
+    policy_name`: 'rhel7-pci'
+  roles:
+        - ansible-ipaRegister
+```
--- a/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml
+++ b/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml
@@ -0,0 +1,12 @@
+foreman_server_url: "{{ lookup('env', 'SATELLITE_SERVER') }}"
+foreman_username: "{{ lookup('env', 'SATELLITE_USERNAME') }}"
+foreman_password: "{{ lookup('env', 'SATELLITE_PASSWORD') }}"
+foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true) }}"
+capsule_server: "{{ foreman_server_url }}"
+capsule_port: '9090'
+policy_name: 'all'
+policy_scan: "{{ policy_name }}"
+crontab_hour: 2
+crontab_minute: 0
+crontab_weekdays: 0
+foreman_operations_scap_client_secure_logging: true
--- a/collections/ansible_collections/demo/satellite/roles/scap_client/tasks/main.yaml
+++ b/collections/ansible_collections/demo/satellite/roles/scap_client/tasks/main.yaml
@@ -0,0 +1,85 @@
+---
+- name: Install openscap client packages
+  ansible.builtin.yum:
+    name:
+      - openscap-scanner
+      - rubygem-foreman_scap_client
+    state: present
+
+- name: Get Policy parameters
+  ansible.builtin.uri:
+    url: "{{ foreman_server_url }}/api/v2/compliance/policies"
+    method: GET
+    user: "{{ foreman_username }}"
+    password: "{{ foreman_password }}"
+    force_basic_auth: true
+    body_format: json
+    validate_certs: false
+  register: policies
+  no_log: "{{ foreman_operations_scap_client_secure_logging }}"
+
+- name: Build policy {{ policy_name }}
+  ansible.builtin.set_fact:
+    policy: "{{ policy | default([]) }} + {{ [item] }}"
+  loop: "{{ policies.json.results }}"
+  when: item.name in policy_name or policy_name == 'all'
+
+- name: Fail if no policy found with required name
+  ansible.builtin.fail:
+  when: policy is not defined
+
+- name: Get scap content information
+  ansible.builtin.uri:
+    url: "{{ foreman_server_url }}/api/v2/compliance/scap_contents/{{ item.scap_content_id }}"
+    method: GET
+    user: "{{ foreman_username }}"
+    password: "{{ foreman_password }}"
+    force_basic_auth: false
+    body_format: json
+    validate_certs: false
+  register: scapcontents
+  loop: "{{ policy }}"
+  no_log: "{{ foreman_operations_scap_client_secure_logging }}"
+
+- name: Get tailoring content information
+  ansible.builtin.uri:
+    url: "{{ foreman_server_url }}/api/v2/compliance/tailoring_files/{{ item.tailoring_file_id }}"
+    method: GET
+    user: "{{ foreman_username }}"
+    password: "{{ foreman_password }}"
+    force_basic_auth: false
+    body_format: json
+    validate_certs: false
+  register: tailoringfiles
+  when: item.tailoring_file_id | int > 0 | d(False)
+  loop: "{{ policy }}"
+  no_log: "{{ foreman_operations_scap_client_secure_logging }}"
+
+- name: Build scap content parameters
+  ansible.builtin.set_fact:
+    scap_content: "{{ scap_content | default({}) | combine({item.json.id: item.json}) }}"
+  loop: "{{ scapcontents.results }}"
+
+- name: Build tailoring content parameters
+  ansible.builtin.set_fact:
+    tailoring_files: "{{ tailoring_files | default({}) | combine({item.json.id: item.json}) }}"
+  when: item.json is defined
+  loop: "{{ tailoringfiles.results }}"
+
+- name: Apply openscap client configuration template
+  ansible.builtin.template:
+    src: openscap_client_config.yaml.j2
+    dest: /etc/foreman_scap_client/config.yaml
+    mode: "0644"
+    owner: root
+    group: root
+
+# - name: Configure execution crontab
+#   cron:
+#     name: "Openscap Execution"
+#     cron_file: 'foreman_openscap_client'
+#     job: '/usr/bin/foreman_scap_client {{policy.id}} > /dev/null'
+#     weekday: "{{crontab_weekdays}}"
+#     hour: "{{crontab_hour}}"
+#     minute: "{{crontab_minute}}"
+#     user: root
--- a/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2
+++ b/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2
@@ -0,0 +1,47 @@
+# Foreman proxy to which reports should be uploaded
+:server: {{ capsule_server | urlsplit('hostname') }}
+:port: {{ capsule_port }}
+
+## SSL specific options ##
+# Client CA file.
+# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
+# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
+:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'
+# Client host certificate.
+# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
+# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
+:host_certificate: '/etc/pki/consumer/cert.pem'
+#
+# Client private key
+# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
+# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
+:host_private_key: '/etc/pki/consumer/key.pem'
+# policy (key is id as in Foreman)
+{% for item in policy %} 
+{{ item.id }}:
+{% if item.tailoring_file_id | int > 0 | d(False) %}
+{% for profile in tailoring_files[item.tailoring_file_id].tailoring_file_profiles %}
+{% if profile.id == item.tailoring_file_profile_id %}
+  :profile: {{profile.profile_id}}
+{% endif%}
+{% endfor %}
+  :content_path: '/var/lib/openscap/content/{{scap_content[item.scap_content_id].digest}}.xml'
+  # Download path
+  # A path to download SCAP content from proxy
+  :download_path: '/compliance/policies/{{item.id}}/content/{{scap_content[item.scap_content_id].digest}}'
+  :tailoring_path: '/var/lib/openscap/content/{{tailoring_files[item.tailoring_file_id].digest}}.xml'
+  :tailoring_download_path: '/compliance/policies/{{item.id}}/tailoring/{{tailoring_files[item.tailoring_file_id].digest}}'
+{% else %}
+{% for profile in scap_content[item.scap_content_id].scap_content_profiles %}
+{% if profile.id == item.scap_content_profile_id %}
+  :profile: {{profile.profile_id}}
+{% endif%}
+{% endfor %}
+  :content_path: '/var/lib/openscap/content/{{scap_content[item.scap_content_id].digest}}.xml'
+  # Download path
+  # A path to download SCAP content from proxy
+  :download_path: '/compliance/policies/{{item.id}}/content/{{scap_content[item.scap_content_id].digest}}'
+  :tailoring_path: ''
+  :tailoring_download_path: ''
+{% endif %}
+{% endfor %}