
Harden your Ansible roles with OpenScap

Posted: Wed Feb 12, 2025 5:36 am
by sakib60
This article is a follow-up to the one dedicated to maintaining Ansible collections and roles with Renovate. Today, we will see how to harden your roles with the help of OpenScap.

If we analyze the roles present on Ansible Galaxy, it is quite rare to find roles for configuring services or middleware that integrate even a few good security practices. And that is a shame: securing our assets should be everyone's priority!

To help you accomplish this task, I wrote a simple Ansible role that installs OpenScap and runs a security scan with it. OpenScap is a Red Hat open-source product that provides auditing tools to secure your assets.

Writing the OpenScap installation role
OpenScap is normally shipped as distribution packages, but for the latest versions of some Linux distributions (like Debian) this is not the case. Rather than installing a package, we will simply build the product from its source code. This way we benefit from the latest stable version.
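To illustrate the build-from-source approach, here is an added example playbook (not the role from the article or its GitHub repository) that builds OpenSCAP on a Debian-family host and then runs one audit scan, keeping the results for review. The version tag, the Debian package names, the cmake options, the SCAP datastream path and the profile id are assumptions to adapt to your environment.

```yaml
# Added example, not the article's role. Package names, the version tag,
# cmake options, datastream path and profile id are assumptions.
- name: Build OpenSCAP from source and audit the host
  hosts: all
  become: true
  vars:
    openscap_version: "1.3.10"                       # assumption: pin a release tag
    openscap_src: /usr/local/src/openscap
    scap_datastream: /usr/share/xml/scap/ssg/content/ssg-debian12-ds.xml   # assumption
    scap_profile: xccdf_org.ssgproject.content_profile_standard             # assumption
  tasks:
    - name: Install build dependencies (Debian/Ubuntu names, assumed)
      ansible.builtin.apt:
        name:
          - cmake
          - git
          - pkg-config
          - libxml2-dev
          - libxslt1-dev
          - libcurl4-openssl-dev
          - libgcrypt20-dev
          - libpcre3-dev
          - libselinux1-dev
          - libacl1-dev
          - libcap-dev
          - libblkid-dev
          - libyaml-dev
          - libxmlsec1-dev
        update_cache: true
    - name: Fetch the pinned release of the OpenSCAP source tree
      ansible.builtin.git:
        repo: https://github.com/OpenSCAP/openscap.git
        dest: "{{ openscap_src }}"
        version: "{{ openscap_version }}"
    - name: Configure, build and install (out-of-tree cmake build, CLI only)
      ansible.builtin.shell: |
        set -e
        mkdir -p build && cd build
        cmake -DENABLE_PYTHON3=OFF ..
        make -j"$(nproc)" && make install && ldconfig
      args:
        chdir: "{{ openscap_src }}"
        creates: /usr/local/bin/oscap        # idempotent: skip once oscap is installed
    - name: Run an XCCDF evaluation and keep results and HTML report for review
      ansible.builtin.command: >
        oscap xccdf eval --profile {{ scap_profile }} --results /var/log/oscap-results.xml
        --report /var/log/oscap-report.html {{ scap_datastream }}
      register: scan
      changed_when: false
      failed_when: scan.rc not in [0, 2]   # rc 2 = some rules failed, rc 1 = oscap error
```

Exit code 2 from `oscap xccdf eval` means at least one rule failed, which is an audit finding rather than a tooling error, so the play reports it without aborting.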

The code for this role is available on my GitHub account.

As with all my roles, I use Molecule for the testing part. This role does not currently include any tests, but this time it uses the vagrant driver rather than the docker one. Indeed, I have noticed that in some cases the official Docker images do not necessarily include the same packages and configuration as a classic installation from an ISO image.