RHEL-1800

Can't run SCAP playbooks on RHEL 9 with ansible-core

    • sst_security_compliance
    • ssg_security
    • False
    • Yes
    • Known Issue
      .Ansible remediations require additional collections

      With the replacement of Ansible Engine by the `ansible-core` package, the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, running remediations that use Ansible content included within the `scap-security-guide` package requires collections from the `rhc-worker-playbook` package.

      For an Ansible remediation, perform the following steps:

      . Install the required packages:
      +
      ----
      # dnf install -y ansible-core scap-security-guide rhc-worker-playbook
      ----

      . Navigate to the `/usr/share/scap-security-guide/ansible` directory:
      +
      ----
      # cd /usr/share/scap-security-guide/ansible
      ----

      . Run the relevant Ansible playbook using environment variables that define the path to the additional Ansible collections:
      +
      [subs="+quotes",options="nowrap",role="white-space-pre"]
      ----
      # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -c local -i localhost, rhel9-playbook-_cis_server_l1_.yml
      ----
      +
      Replace `_cis_server_l1_` with the ID of the profile against which you want to remediate the system.

      As a result, the Ansible content is processed correctly.

      [NOTE]
      ====
      Support of the collections provided in `rhc-worker-playbook` is limited to enabling the Ansible content sourced in `scap-security-guide`.
      ====
    • Done

      Description of problem:
      On a RHEL 9 server/minimal installation without non-RHEL Ansible bits installed, it does not seem possible to run SCAP playbooks locally in an offline (non-RH connected) environment:

      1. rm -rf ~/.ansible
      2. dnf install -y ansible-core scap-security-guide
      3. cd /usr/share/scap-security-guide/ansible
      4. ansible-playbook -c local -i localhost, rhel9-playbook-cis_server_l1.yml
        ERROR! couldn't resolve module/action 'ini_file'. This often indicates a
        misspelling, missing collection, or incorrect module path.
        ...

      Version-Release number of selected component (if applicable):
      ansible-core-2.12.2-1.el9.x86_64
      openscap-1.3.6-3.el9.x86_64
      openscap-scanner-1.3.6-3.el9.x86_64
      scap-security-guide-0.1.60-6.el9_0.noarch
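
A preflight for the workaround in the release note and the `ini_file` error in the description, as an added example (not part of the issue and not Red Hat's code): it lists the profile IDs that have a playbook, reports which collection under the `rhc-worker-playbook` path ships a module named in a "couldn't resolve module/action" error, and prints the step 3 command only when both inputs exist. The function names and the `SSG_DIR`/`COLL_DIR` variables are hypothetical, and it assumes collections use the standard `<namespace>/<collection>/plugins/modules/` layout.

```shell
#!/usr/bin/env bash
# Added example. Defaults are the paths given on this page; the function
# names and the SSG_DIR/COLL_DIR variables are hypothetical.
SSG_DIR=${SSG_DIR:-/usr/share/scap-security-guide/ansible}
COLL_DIR=${COLL_DIR:-/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections}

# List the profile IDs that have a RHEL 9 playbook (rhel9-playbook-<id>.yml).
list_profiles() {
    local f
    for f in "$SSG_DIR"/rhel9-playbook-*.yml; do
        [ -e "$f" ] || return 1          # glob matched nothing
        f=${f##*/rhel9-playbook-}
        printf '%s\n' "${f%.yml}"
    done
}

# Print the namespace.collection under COLL_DIR that ships module $1.
# Returns 1 when no collection in that directory provides it.
module_provider() {
    local root hit
    root=${COLL_DIR%/}
    hit=$(find "$root" -path '*/plugins/modules/*' -name "$1.py" 2>/dev/null | head -n 1)
    [ -n "$hit" ] || return 1
    hit=${hit#"$root"/}                  # keep the path below the collections root
    printf '%s\n' "$hit" | cut -d/ -f1-2 | tr / .
}

# Validate the inputs, then print the step 3 command line for profile ID $1.
# Returns 2 if the collections directory is absent, 3 if the profile is unknown.
remediation_cmd() {
    local root playbook
    root=${COLL_DIR%/}
    playbook="$SSG_DIR/rhel9-playbook-$1.yml"
    [ -d "$root" ] || { echo "missing $root: install rhc-worker-playbook" >&2; return 2; }
    [ -f "$playbook" ] || { echo "no playbook for profile '$1' in $SSG_DIR" >&2; return 3; }
    printf 'ANSIBLE_COLLECTIONS_PATH=%s/ ansible-playbook -c local -i localhost, %s\n' \
        "$root" "$playbook"
}
```
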

            maburgha@redhat.com Marcus Burghardt
            myllynen Marko Myllynen
            Vojtech Polasek Vojtech Polasek
            SSG Security QE SSG Security QE
            Jan Fiala Jan Fiala