All right. The next talk is by Amit and he will talk about OpenSCAP and Ansible. Please, are you unmuted? Yes. Go ahead. Once again, am I audible? Am I audible? Yeah, thank you. My name is Amit and I'm going to talk about compliance management with OpenSCAP and Ansible. A few things about me. I'm a senior software engineer at Red Hat Pune. I'm a member of Foreman community and mostly work on Foreman related components. So after this talk, I'm also available at Foreman booth. So if you want to talk about OpenSCAP and Ansible or Foreman, then we can have good talk about that on the booth. Apart from that, I also like powerlifting and I'm beginner level powerlifter. This is my first visit to Belgium, Europe, and this is my first FOSDEM. So if it works well, then maybe I will come next year. So this is today's agenda. It's more about what you can do with OpenSCAP, OpenSCAP security guide and Ansible. The SCAP has very vast applications and what I'm going to discuss today is basic and common use case of SCAP for remote system and the local system. So what is the SCAP? So anyone here actually using the SCAP or OpenSCAP? Okay, so some basics regarding OpenSCAP. It's Security Content Automation Protocol. It helps you to automate the vulnerability management and measurement. So when we think of big organization or suppose even if you have the 20 or 50 systems, you need to continuously monitor the systems for security threats and compliance management. So what I mean by compliance management here? So there may be cases that you should be having some rules or some policies like this, like disable SSH root login for all of your systems. Maybe enable the bootloader password in GRUB or put all of your systems in FIPS mode. So in that case, SCAP can help you because SCAP has multiple policies and profiles already written from where you can choose what suits you better or what suits your organization better. And as per that, you can run the compliance scan.
So this is the sort of basic basics about SCAP. Now you know about the SCAP. The next thing is OpenSCAP security guide. So there are already many rules written and those are in the OpenSCAP security guide format. This guide is available in the form of RPM package or even you can directly fork the repository. The SCAP documents are written in XML format and when you open the SCAP, any SCAP file. So this is how you can see that. So you can see that the SCAP guide is distributed in terms of profiles. So like I highlighted one. And the next is each profile contains multiple rules. Those are by default enabled. If you want to disable those, we can do the customizations also. Now how you can get this SCAP security guide on your system? Maybe you prefer the git way, like clone the git repository and have it on your system or multiple systems. Or if you're not sort of very technical person and you want to just go with the package installation like DNF install or APT install, that is also possible. SCAP is very good example of compliance as a management. This means that the content is written in human readable format. So even if you're not that much into the SCAP development, you should be able to understand what has been written and what it will do. Now you got the SCAP security guide on your system. The next thing is get some information about the SCAP policies. I embedded the commands directly. So if in case you are already connected to internet, you can try to install the SCAP security guide and get the information using this command, oscap info command. So what basic information you should be aware about? The date of generation. So can you see that generated attribute there? So it mentions when that SCAP security file was generated. I was unable to find the frequency at which they release the SCAP security guides like new version.
But if you're having the git in automated way, like you keep on fetching the git content, then you should be getting the policies in regular way and you should not be using the old policy. The next important thing is profiles. So as you can see here, there are multiple profiles. So maybe you should have question which profile I should be using. It is up to you or it is up to your organization, which standards you are going to follow or which profile you are going to follow. Like I said, it is possible to get the rules list of each profile and you can decide which one is suitable for you. Now you've got the SCAP security guide. You got the basic information about the profiles. The next is doing the compliance scan. I again embedded the commands here because if you're using the laptop, you can directly run these commands and you can try all of these things side-by-side. The command says that we are going to do XCCDF evaluation and please give me the results in ARF format and HTML format. The ARF format is mostly used by applications like Foreman where you can upload that report and get better results or get the display of that report on Foreman. The latter one, that report.html, it is plain HTML file. It is human readable. We'll also see that in demo, what all things it has. And it gives you good information about which all rules are passed, which all rules are failed. It is also possible you want to have the SCAP content on local system and execute the SCAP run on another remote system. In that case, you don't actually need to copy all of this content to a remote system. You can directly use the IP address or the hostname of that system and use the oscap-ssh command. So there are still guys. I'm not the one like that. I don't hate command line, but if you hate the command line, then there is a SCAP Workbench, which is a nice GUI and it has sort of minimal architecture, nothing fancy. You can load the SCAP content and do the evaluation.
Whatever features are available on command line, those features are available in SCAP Workbench. You can do the evaluation of remote system also. Now when we think of getting something from the git, most of the time we think that we need to customize something or we need to enable or disable something. So in that case, very first thought we get is open the original file, modify it. That's it what we get. So if you are using the git, it is very easy to track the changes, but if you don't want to use the git, then in that case, OpenSCAP provides you a way to customize the file. In this case, what you are actually going to do is don't modify the original content. Create one customization file, which is totally different and when you will run the SCAP, use both of the files. So you are not touching the original content and you still have the customization. And with customization, you can select multiple rules from profiles or if you want to drop some rules from profile, that is also possible. You can play with all of the content of SCAP Security Guide and there is no problem with that. Now this is sort of last stage. You got the SCAP Security Guide, you installed it. Now the thing is you got some failures and you want to fix those failures. So in that case, SCAP Security Guide already includes the Ansible playbooks, which you can directly use to fix whatever the problems you can see on the report. And this is again possible that you upload the Ansible playbooks on Ansible Tower or even Foreman and trigger that from that side instead of locally running it. The limitation here is Ansible playbooks do not cover all of the rules and all of the policies which are there in your SCAP Security Guide. So there is still a chance that you need to manually do something and maybe if you are interested, then you can commit those changes in the p3 repository. So I am having the demo now. Okay, so what I am having is already SCAP package is downloaded. So it's already installed.
I copied the command already. So I am just going to execute it. So this is how you can see the SCAP scanning or when it scans your system. This is how it shows the output. And at the end, report will be saved in report.html file. So that verify file hashes with RPM. It is going to take long time. So meantime, what I will do? I will switch to SCAP Workbench. I'm not sure if it can detect my operating system, but I can see it is selecting Fedora by default. So I hope it is that much intelligent. And yes, you can load the content from here. And very similar way, you can do the scan from here. So I'm not going to do it. So what I will do? I will do the customization. So here can you see 187 rules are selected now? So I go to customize. Name it something like this. Here is another dialog. For just demo purpose, I'm going to select all the rules. Clicking OK button. So can you see that now it says 518 rules selected? So what I did? I selected all the rules. And after that, you can do the scan. So meantime, we have this completed. I will start the Ansible run. Let's see. OK. And OK, I will show you the report. So this is the report you get when you run the SCAP scan. It shows, on the top, you can see how many rules are passed and how many failures are there. So you can see 27 rules are passed now. And if you click on any specific rule, it will give you more details about the OVAL definition. So it has, when you have the XCCDF file, it actually refers to OVAL file, which has actual implementation of that rule. And if you want to go and see what it is doing on system level, then you can check that rule in OVAL file. OK, so Ansible run has completed. So I have already copied the report after doing the Ansible run. And you should be able to see the difference here. So if you go here, you can see 169 rules are passed now after running the Ansible playbook. But we still have 22 failed rules. So there could be some rules where we can't automate those using Ansible.
So you need to manually fix those. So this is sort of from my side. Do you have any questions? Do you have a central place where you have all these rules open source? Yeah, so there is a git repository for that one. I will just go back to the slide where we have the link. Yeah, is there a central repository for all the open source rules out there? So here you can see all of the rules are there. And you can directly fork that repository. And for customization, you can either use the git or use the SCAP way of customization. Thank you. You can just shout out your question and we can repeat it. Yeah, so actually those, sorry. So Ansible rules. So your question is Ansible rules are from the host on which I'm running the definition, or those are available already in this repository. Am I correct? Actually the thing is like if you're talking about remote host and you think of running or executing the scan from local host to remote host, in that case you don't need to have anything on that remote host. You can directly have the Ansible inventory run the playbook from local system on that system. So likewise, so you don't need to have anything on that host. It is sort of, I may call it like managed host. No more questions then thank you very much Amit.