AnsiblePilot — Master Ansible Automation


Ansible Automation Platform In-Platform Compliance Dashboard: DISA STIG, CIS, and OpenSCAP

By Luca Berton · Published 2024-01-01 · Category: installation

Use the AAP Compliance Dashboard for DISA STIG and CIS scanning with OpenSCAP, per-host remediation, and audit-grade results.

The Ansible Automation Platform now includes an in-platform Compliance Dashboard — an end-to-end compliance experience built into the Ansible Portal for scanning infrastructure against DISA STIG, CIS, and other compliance profiles, reviewing per-host findings, and executing targeted remediation.

Compliance Posture Overview

The dashboard displays a real-time compliance posture with:
• Overall score — percentage compliance across all hosts
• Initial SCAP score — baseline from first scan
• CIS Benchmark score — current CIS compliance level
• PCI-DSS score — payment card industry compliance
• Summary counts: hosts scanned, critical findings, remediated items


Three-Tier Scanner Orchestration

The Compliance Dashboard uses a three-tier scanning model:

Tier 1: Built-In Scanners

Ships with OpenSCAP and PowerSTIG out of the box — no additional licensing required.

- name: Run OpenSCAP compliance scan
  ansible.builtin.include_role:
    name: redhat.rhel_system_roles.compliance
  vars:
    compliance_profile: stig
    compliance_report_format: html
    compliance_report_path: /tmp/stig-report.html

Tier 2: Partner Integrations

Integrate enterprise scanners via bring-your-own-scanner adapters:
• Tenable (Nessus)
• Qualys
• Red Hat Insights

Tier 3: Custom Adapters

Build custom scanner integrations for proprietary or industry-specific tools.

Granular Remediation Builder

The remediation builder provides:
• Per-rule toggles — enable or disable remediation for individual findings
• Parameter customization — adjust remediation parameters per organizational policy
• Host-level targeting — apply fixes to specific hosts or groups
• Powered by Compliance-As-Code content from the trusted RHEL supply chain

- name: Remediate STIG findings
  hosts: rhel_servers
  roles:
    - role: redhat.rhel_system_roles.compliance
      vars:
        compliance_profile: stig
        compliance_remediate: true
        compliance_rules_exclude:
          - xccdf_org.ssgproject.content_rule_disable_host_auth
          - xccdf_org.ssgproject.content_rule_require_smartcard


Agentless Pre-Assessment

• Agentless scanning — no agents required on target hosts
• Scalable — scan thousands of hosts in parallel
• Continuous monitoring — scheduled scans for drift detection
• Audit-grade results — scanner output suitable for compliance certification audits

Scan Results Workflow

1. Define compliance profile (DISA STIG, CIS Level 1/2, PCI-DSS)
2. Select host inventory
3. Run agentless scan
4. Review findings by severity (Critical → Low)
5. Toggle individual rules for remediation
6. Execute targeted remediation playbook
7. Re-scan to verify compliance
8. Export audit-grade report
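
Steps 4 and 5 can be cross-checked outside the dashboard against an exported XCCDF results file. The Python script below is an added example, not AnsiblePilot or Red Hat code: the sample XML is constructed, the function names are illustrative, and the exclusion set reuses the two rule IDs from the remediation playbook above. XCCDF itself records severities as high, medium, and low rather than the dashboard's "Critical" label.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
SEVERITY_ORDER = ["high", "medium", "low", "info", "unknown"]  # XCCDF severity values
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
# The same rules the remediation playbook on this page excludes.
EXCLUDE = {RULE_PREFIX + "disable_host_auth", RULE_PREFIX + "require_smartcard"}

# Constructed sample: a trimmed XCCDF TestResult, not real scanner output.
SAMPLE = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <TestResult id="constructed-example">
  <rule-result idref="{RULE_PREFIX}no_empty_passwords" severity="high"><result>fail</result></rule-result>
  <rule-result idref="{RULE_PREFIX}disable_host_auth" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="{RULE_PREFIX}require_smartcard" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="{RULE_PREFIX}sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="{RULE_PREFIX}package_telnet_removed" severity="high"><result>notapplicable</result></rule-result>
 </TestResult>
</Benchmark>"""

def rule_results(xml_text):
    """Yield (rule_id, severity, result) for every rule-result in the TestResult."""
    root = ET.fromstring(xml_text)
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", default="", namespaces=NS).strip()
        yield rr.get("idref"), rr.get("severity", "unknown"), result

def failed_by_severity(xml_text, exclude=()):
    """Group failed rules by severity, highest first, skipping excluded rules."""
    grouped = defaultdict(list)
    for rule_id, severity, result in rule_results(xml_text):
        if result == "fail" and rule_id not in exclude:
            grouped[severity].append(rule_id)
    return {s: sorted(grouped[s]) for s in SEVERITY_ORDER if s in grouped}

def pass_rate(xml_text):
    """Unweighted percentage of evaluated rules (pass or fail) that passed."""
    results = [r for _, _, r in rule_results(xml_text) if r in ("pass", "fail")]
    return 100.0 * results.count("pass") / len(results) if results else 0.0

if __name__ == "__main__":
    print(f"pass rate: {pass_rate(SAMPLE):.1f}%")
    # Failures that would still be remediated once the exclusions are applied.
    for severity, rules in failed_by_severity(SAMPLE, EXCLUDE).items():
        for rule in rules:
            print(f"{severity:8} {rule}")
```

Comparing the output with and without the exclusion set shows which failed rules an exclusion list leaves unremediated, which is worth recording alongside the exported report.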


Supported Compliance Profiles

| Profile | Description | Platform |
|---|---|---|
| DISA STIG | DoD Security Technical Implementation Guide | RHEL, Windows |
| CIS Level 1 | Center for Internet Security baseline | RHEL, Ubuntu, Windows |
| CIS Level 2 | CIS enhanced security | RHEL, Ubuntu, Windows |
| PCI-DSS | Payment Card Industry Data Security | Multi-platform |
| HIPAA | Health Insurance Portability (via SCAP) | RHEL |
| NIST 800-53 | Federal information systems | RHEL |

FAQ

Does the Compliance Dashboard require a separate license?

No. It's built into the Ansible Portal as part of AAP. OpenSCAP and PowerSTIG are included. Partner scanners (Tenable, Qualys) require their own licenses.

Can I use this for Windows compliance?

Yes. PowerSTIG provides Windows DISA STIG scanning and remediation. The infra.windows_ops collection adds CIS benchmark support.

How does agentless scanning work?

AAP connects to target hosts via SSH (Linux) or WinRM (Windows) and executes SCAP evaluations remotely. No persistent agent installation required.

Can I export reports for auditors?

Yes. The dashboard generates audit-grade reports in HTML, XML (XCCDF), and ARF formats suitable for compliance certification.
