Ansible role for Foreman SCAP client. It configures foreman_scap_client to run scans and upload the results to a Foreman proxy.
This role automatically installs foreman_scap_client if it is not already present, configures /etc/foreman_scap_client/config.yaml with the parameters foreman_scap_client needs to operate, and creates a cron job that schedules the client runs.
The following example ensures that an SCAP audit is executed every week and the results are sent to the proxy at proxy.example.com:9090. The example automatically attempts to install foreman_scap_client on the system. If you do not wish to use a tailoring file with the policy, pass empty strings for the tailoring variables.
```yaml
---
- hosts: all
  become: true
  roles:
    - theforeman.foreman_scap_client
  vars:
    foreman_scap_client_server: https://proxy.example.com
    foreman_scap_client_port: 9090
    foreman_scap_client_policies: [{
      "id": "1",
      "hour": "12",
      "minute": "1",
      "month": "*",
      "monthday": "*",
      "weekday": "1",
      "profile_id": "",
      "content_path": "/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml",
      "download_path": "/compliance/policies/1/content",
      "tailoring_path": "/var/lib/openscap/ssg-fedora-ds-tailored.xml",
      "tailoring_download_path": "/compliance/policies/1/tailoring"
    }]
```
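Before handing `foreman_scap_client_policies` to the role it is worth checking that every policy actually yields a valid cron schedule and a consistent tailoring setup, since a malformed entry means the compliance scan silently never runs. The following Python check is an added example and not part of the role or its README: it takes policy dicts in the shape shown in the playbook above, validates the cron fields and tailoring paths, and renders the cron lines the schedule implies. The command `/usr/bin/foreman_scap_client <policy id>` used in the rendered lines is an assumption about how the client is invoked, not something this README states.

```python
"""Sanity-check foreman_scap_client_policies before running the role.

Added example, not part of the role. The cron command path
`/usr/bin/foreman_scap_client <id>` is an assumption, not taken from the README.
"""
import re

# Constructed sample input: the single policy from the example playbook above.
POLICIES = [{
    "id": "1",
    "hour": "12",
    "minute": "1",
    "month": "*",
    "monthday": "*",
    "weekday": "1",
    "profile_id": "",
    "content_path": "/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml",
    "download_path": "/compliance/policies/1/content",
    "tailoring_path": "/var/lib/openscap/ssg-fedora-ds-tailored.xml",
    "tailoring_download_path": "/compliance/policies/1/tailoring",
}]

# Allowed numeric ranges for each cron field (weekday 7 is Sunday on most crons).
CRON_RANGES = {"minute": (0, 59), "hour": (0, 23), "monthday": (1, 31),
               "month": (1, 12), "weekday": (0, 7)}
# Accept '*', 'N', 'N/step' or '*/step'; lists and ranges are deliberately rejected.
_FIELD_RE = re.compile(r"^(\*|\d+)(/\d+)?$")


def check_cron_field(name, value):
    """Return an error string for an invalid cron field, or None if it is fine."""
    m = _FIELD_RE.match(str(value))
    if not m:
        return f"{name}: {value!r} is not a simple cron field"
    if m.group(1) != "*":
        lo, hi = CRON_RANGES[name]
        if not lo <= int(m.group(1)) <= hi:
            return f"{name}: {value} outside {lo}-{hi}"
    return None


def validate_policy(policy):
    """Collect all problems with one policy dict; an empty list means it is usable."""
    errors = []
    for field in ("id", "hour", "minute", "month", "monthday", "weekday",
                  "content_path", "download_path"):
        if field not in policy:
            errors.append(f"missing field {field}")
    if errors:
        return errors
    if not str(policy["id"]).isdigit():
        errors.append("id must be numeric (the Foreman policy id)")
    for name in CRON_RANGES:
        err = check_cron_field(name, policy[name])
        if err:
            errors.append(err)
    # Tailoring: either both paths are set, or both are empty strings (as the README describes).
    tailoring = policy.get("tailoring_path", "")
    tailoring_dl = policy.get("tailoring_download_path", "")
    if bool(tailoring) != bool(tailoring_dl):
        errors.append("tailoring_path and tailoring_download_path must both be set or both empty")
    return errors


def render_cron_line(policy, command="/usr/bin/foreman_scap_client"):
    """Render the crontab line for a policy: five schedule fields, then the command and policy id.

    The command path is an assumption about how foreman_scap_client is invoked.
    """
    fields = {k: policy[k] for k in ("minute", "hour", "monthday", "month", "weekday", "id")}
    return "{minute} {hour} {monthday} {month} {weekday} {cmd} {id}".format(cmd=command, **fields)


def check_policies(policies):
    """Validate every policy; return (list of cron lines, dict of policy id -> errors)."""
    lines, problems = [], {}
    for policy in policies:
        errs = validate_policy(policy)
        if errs:
            problems[str(policy.get("id", "?"))] = errs
        else:
            lines.append(render_cron_line(policy))
    return lines, problems


if __name__ == "__main__":
    cron_lines, problems = check_policies(POLICIES)
    for line in cron_lines:
        print(line)
    for pid, errs in problems.items():
        print(f"policy {pid}: " + "; ".join(errs))
```

Run it against the vars you intend to pass to the role; a policy that produces an entry in `problems` would otherwise be written to cron but never fire as intended, which is exactly the kind of gap a compliance audit should not have.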
When using this role together with foreman_openscap, no further configuration should be necessary, because the values come from Foreman's ENC. However, verify the values for server, port and policies after importing the role: they should have overrides enabled, and the policies should be set to <%= @host.policies_enc %>.
Tests are set up to run in Docker using Molecule and Testinfra. First install the dependencies:
```
pip install -r requirements.txt
```
Check that your current user can connect to Docker without sudo; if not, create the docker group and add your user to it. Then run the tests with:
```
molecule test
```
Galaxy imports content from GitHub and uses git tags for versioning. Galaxy expects tags to have semantic version format.