Awesome Video, I am trying to put together a presentation selling your solution. I am working on getting your environment up and running in my personal AWS account. Do you have a playbook that you use to deploy your web server? How are you sending emails? Are you using an SMTP Server or AWS SES?
The web server creation is part of the shadowman.reports roles. So as long as you are pointing to a registered RHEL8 or RHEL9 VM with the delegate_to portion of this role: github.com/shadowman-lab/shadowman.reports/tree/main/roles/build_report_linux_patch, it will ensure apache is running plus the CSS styling.
For e-mail, I have a Roundcube Webmail server running locally.
I will be taking a look at automating Linux patching - what patch repository management solutions are best to integrate with Ansible? Thank you for the overview (seems you might be using Satellite?).
Correct, I am using Red Hat Satellite in my environment. Most of the patching work itself is running on the individual servers, so what repository they have set is less important. As long as the OS itself is set to pull from that repository when running yum/dnf/etc, Ansible can use it. I enjoy using Satellite because I can also manage my content views with Ansible and control when I update packages (I update my content views once a month with Ansible for my monthly patching)
@alexdworjan - thank you so much for the prompt feedback. One more follow up question, so our environment has RHEL, Fedora, Oracle Linux, and Ubuntu (mostly) and we currently use their "Internet" repositories (i.e. we go over Internet connection for each host to download patches) - if we wanted to localize (on our LAN and have a single repo host pull patches for each distro so that each host can pull patches from this single point rather than each going over the Internet) what solution might you recommend? It seems Satellite is a RHEL only solution unless I am mistaken. So instead of hundreds of these multi distro hosts getting patches downloaded directly to each individual host, is there a good solution to centralize patching on our LAN for each of these distros? I hope that question makes sense. We are gaining steam with Ansible but it seems like it would be important to be able to address patching for multiple Linux distros in our use case, not just RHEL. Thanks again - in short, looking for something heterogeneous in the OS patch repository management arena and assuming Satellite is a RHEL only solution.
Hi Alex, will you be able to share the Ansible playbooks in a GitHub repo? If you can also include how you are passing the data over to the Splunk dashboard as well, that would be great. I am trying to set up the same environment you have, and just running into different roadblocks. Thanks
A lot of my playbooks have some extra tasks for building out the reports, but here are all of the roles
The patching role: github.com/shadowman-lab/Ansible-Config/tree/main/roles/shadowman_patching
SCAP scans Linux: github.com/shadowman-lab/Ansible-Config/tree/main/roles/shadowman_run_scap
SCAP scans Windows: github.com/shadowman-lab/Ansible-Config/tree/main/roles/shadowman_run_scap_windows
Creating your own enforcing playbook using SCAP: github.com/shadowman-lab/Ansible-Config/tree/main/roles/shadowman_compliance_playbook_create
My reports collection (for all the web pages and e-mail reports): github.com/shadowman-lab/shadowman.reports
For Splunk, I set up external logging in automation controller: docs.ansible.com/automation-controller/latest/html/administration/logging.html#splunk
I then have created multiple dashboards and reports using the data that is sent over.
impressive
Hi
Getting an Ansible error “Could not find or access on Ansible Controller” in Ansible Automation Platform, if you can suggest a quick solution
Using NFS storage mounted to all 3 controllers running in a cluster setup and a 2.9 execution environment
@janakiramug7178 Could you describe where in the process you are seeing that error?
Actually I want to copy a file from localhost to the remote server using copy module but it triggers an error like couldn't access or find the file in the respective path when I'm running the playbook
@janakiramug7178 localhost is the execution environment. If your file isn't in the EE itself, you'll either need to use delegate_to or use the fetch module first
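Added example, not part of the original thread and not taken from the shadowman roles: one way to apply the two options named in the reply above, reading the file on the host that actually has it (via `delegate_to`) or staging it into the execution environment with `fetch` before `copy`. The host name `filesource01`, the group `app_servers`, and all paths are hypothetical.

```yaml
---
# Option A: read the file on the host that holds it, then write it to targets.
# Nothing needs to exist inside the execution environment (EE).
- name: Distribute a file that lives on another host (delegate_to)
  hosts: app_servers                  # hypothetical inventory group
  gather_facts: false
  tasks:
    - name: Read the file once, on the host where it is stored
      slurp:
        src: /mnt/nfs_share/app.conf  # hypothetical path on filesource01
      delegate_to: filesource01       # hypothetical host that mounts the share
      run_once: true
      register: staged_file

    - name: Write the content to every target with explicit permissions
      copy:
        content: "{{ staged_file.content | b64decode }}"
        dest: /etc/myapp/app.conf     # hypothetical destination
        owner: root
        group: root
        mode: "0640"

# Option B: fetch the file into the EE first, then use copy as usual.
# The staged copy only lives for the duration of this job run.
- name: Stage the file into the execution environment (fetch)
  hosts: filesource01
  gather_facts: false
  tasks:
    - name: Pull the file into the EE's filesystem
      fetch:
        src: /mnt/nfs_share/app.conf
        dest: /tmp/staged/app.conf
        flat: true                    # store at dest exactly, no per-host subdirectory

- name: Push the staged file to the targets
  hosts: app_servers
  gather_facts: false
  tasks:
    - name: Copy from the EE to each target
      copy:
        src: /tmp/staged/app.conf     # now resolvable inside the EE
        dest: /etc/myapp/app.conf
        owner: root
        group: root
        mode: "0640"
```

Use one option or the other, not both; short module names are used so the plays also parse on an Ansible 2.9 execution environment.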
Sure, will give it a try, thanks for the prompt reply
Unable to install the collection as per git
ansible-galaxy collection install shadowman.reports
error: ERROR! Failed to find collection shadowman.reports:*
The collection hasn't been uploaded to galaxy so you'll need to install it directly from my git repo.
docs.ansible.com/ansible/latest/user_guide/collections_using.html#installing-a-collection-from-a-git-repository-at-the-command-line
@alexdworjan Thanks Alex, however I am seeing the below error while installing the collection
ERROR! Collection artifact at '/root/.ansible/tmp/ansible-local-5100swe3mgo5/tmpb_r079o2/shadowmanb78uwaxk.reports' is not a valid tar file.
I just ran ansible-galaxy collection install git+https://github.com/shadowman-lab/shadowman.reports.git successfully. You might need to be on Ansible 2.10 or greater to install a collection from git. You can also just fork the repo or copy the role into a project you already have