Calgary RHCE

A linux and open source technology blog.


PCI-DSS Compliance with Ansible Tower

January 2, 2019 by Andrew Ludwar

Compliance scanning and remediation with Ansible is a question that comes up often. How does Ansible do this? What are its capabilities? Within the Ansible Galaxy community, there has been significant investment in developing Ansible roles for security and compliance. I’ll show you how to download one of these roles and make use of it within Ansible Tower.

First off, you can view the available security roles. Here we’ll use the rhel7-role-pci-dss role:

Ansible security compliance

On the Tower host, let’s download and install this role using ansible-galaxy:

Download and install

Create a playbook that makes use of this role, here’s an example you can use and then modify to your liking:

github repo

I’ve created a job template in Ansible Tower to then run this playbook via a github project integration in Tower. A user can then just click launch:

Launch via Tower

Finally, we see the PCI-DSS compliance role run on the example host, and apply all the remediations contained in the role:

Compliance result
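As an added example (not the author's GitHub repo, which appears only as a screenshot above), here is a minimal Tower project layout for the steps just described: a roles/requirements.yml so Tower installs the Galaxy role when it syncs the project, and the playbook the job template points at. The Galaxy namespace and the pci_scope inventory group are placeholders, not values from the post; check the role's Galaxy page for its exact name.

```yaml
# roles/requirements.yml -- Tower/AWX installs roles listed here during
# project sync, so the role does not have to be installed by hand with
# ansible-galaxy on the Tower host.
---
- name: GALAXY_NAMESPACE.rhel7-role-pci-dss   # placeholder namespace; use the role's real Galaxy name
  version: master                             # pin to a tagged release so every run applies the same baseline

# pci-dss.yml -- the playbook referenced by the Tower job template
---
- name: Apply the PCI-DSS baseline to in-scope RHEL 7 hosts
  hosts: pci_scope            # placeholder inventory group of in-scope hosts
  become: true                # the remediations change system configuration
  pre_tasks:
    # The role is written for RHEL 7; stop early rather than let it run
    # against a host it was never tested on.
    - name: Refuse to run the RHEL 7 role on other platforms
      assert:
        that:
          - ansible_distribution == 'RedHat'
          - ansible_distribution_major_version == '7'
        msg: "This playbook only targets RHEL 7 hosts"
  roles:
    - role: GALAXY_NAMESPACE.rhel7-role-pci-dss
```

Launch the job template once with Job Type set to Check before a Run: the role then reports what it would change without touching the hosts, which gives you the audit view before the remediation one.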

Filed Under: cloud, devops, security Tagged With: configuration management, devops, open source, Security

Making email a little more secure

September 11, 2016 by Andrew Ludwar

Every so often I try to make an effort to increase the security surrounding the technology I use. It’s usually after I read a notable CVE bulletin, or hear of the latest hack. I’ve been wanting a more secure solution to webmail for the longest time, but knew I didn’t have many options if I enjoyed using webmail clients. They’re just so darn convenient. After enabling two-factor authentication on everything I could, I was still looking for a better solution for encrypted email. I like the project mailpile, but they’re not as far along yet in features for my needs. (Consider donating if you value secure email!) I ended up going back to a local mail client (Thunderbird), which I’ve connected to my webmail accounts, and downloaded the Enigmail add-on for OpenPGP encryption and digital signing.

Once I installed the add-on, it was pretty easy to get started. There’s a setup wizard that will either create a new PGP/GPG2 key for you, or let you select an existing key you already have:

enigmail-wizard

I selected advanced, and picked an existing GPG2 key I have already. It imported it in one step, and I was ready to go. Next, a test email to myself to test enabling a digital signature (I had to manually accept my own key as “trusted” once I received the mail):

And writing an encrypted mail was just as easy:

The Enigmail plugin makes it easy to add others to your GPG circle of trust, and GPG2-encrypted email is now a click away.

Filed Under: open source, security Tagged With: open source, Security