Ansible & Mondoo

This page covers how you can use Mondoo alongside Ansible.

Overview of Mondoo and Ansible

Mondoo is designed to work seamlessly with configuration management tools in the DevOps ecosystem. For businesses already using Ansible to automate their environments, there are two primary ways to use Mondoo and Ansible together:

  • Continuous Configuration Assessments of Hosts - Use Ansible to install and configure Mondoo Client on supported Linux and Windows hosts, register the hosts with Mondoo Platform, and configure them to continuously scan themselves with Mondoo policies and report the scan results to Mondoo Platform.
  • On-Demand Scanning of Ansible Inventories - Use Mondoo Client for on-demand scans of Ansible inventories without needing to install and configure Mondoo Client as a service on the host. Hosts from your Ansible inventory authenticate with your Mondoo Platform account to retrieve policies you have ENABLED, and results from the scan are sent to Mondoo Platform where assets are scored, and reports are generated.

Before you begin

Before attempting to use Mondoo and Ansible for either continuous configuration assessments of hosts or on-demand scanning of Ansible inventories, you should have the following set up and configured:

  • Mondoo Platform Account - You should already have an account on Mondoo Platform set up and configured. Be sure to check out our Quick Start guide if you do not have an account already. Additionally, you should have already ENABLED any policies you want to run against your Ansible inventory.
  • Ansible Inventory - You should have an inventory of Linux and/or Windows hosts that you plan to either install Mondoo Client on, or run an on-demand scan against. In either case you should have root/administrator access on the hosts.
  • Ansible Installed - Ansible must already be installed on your workstation. See the official Installing Ansible documentation for more information.
  • Connectivity to Mondoo Platform - All hosts in your inventory must allow outbound traffic on port 443 (HTTPS) to Mondoo Platform at https://us.api.mondoo.com:443 (IP address 34.98.71.94) to send results back to your account.
info

If you experience any issues with using our Mondoo Ansible role, or with implementing any of the hands-on guides on this page, feel free to open issues on GitHub or contact us directly in the Mondoo Slack Community. We are happy to help!

Continuous configuration assessments with Mondoo and Ansible

This section covers how to use Ansible to install and configure Mondoo Client on supported Linux and Windows hosts so that Mondoo runs continuously as a service, and the host is registered with Mondoo Platform.

Mondoo maintains and publishes an official Mondoo Client Role which is available on Ansible Galaxy. The code for the role is open-source and available on our GitHub organization.

Mondoo Client Ansible Role provides the following capabilities:

  • Install Mondoo Client on supported Linux and Windows hosts.
  • Register host to Mondoo Platform.
  • Configure Mondoo to run as a service at system startup.
  • Start Mondoo as a service to run continuous security assessments of the host.

Once configured, Mondoo authenticates with Mondoo Platform every 60 minutes and runs every policy that has been ENABLED in the POLICY HUB. Results from the scan are sent back to Mondoo Platform, where a score is generated for the asset along with detailed results from the policies run.

info

To learn more about enabling and disabling policies, see Policy Management.

Hands-on: Continuous configuration assessments with Mondoo & Ansible

This section provides a hands-on guide for using the Mondoo Ansible role.

This guide covers how to set up continuous configuration assessments on Linux and Windows hosts with Ansible. After completing this guide, you will have an Ansible inventory running Mondoo Client as a service, registered with your Mondoo Platform account, running policy scans, and reporting the findings to Mondoo Platform.

Step 1: Generate a registration token

The Mondoo Ansible role provides a registration_token variable for the Mondoo registration token that is used to register the client with Mondoo Platform.

  1. In Mondoo Platform navigate to the INTEGRATIONS page.
  2. Select "Add Another Integration".
  3. Select Workstation.
info

By default, tokens expire after 600 seconds, but the expiration time can be extended by selecting Token Options and setting the expiration time (max: 86400 seconds).

  4. Copy the registration token to the clipboard.

[Image: Generate a registration token in Mondoo Platform]

Step 2: Install Mondoo role and create playbook

Next you will need to install the Mondoo Ansible role from Ansible Galaxy on your local workstation, and create an Ansible playbook to call that role on your inventory.

  1. Download the Ansible Mondoo role on your workstation:

    Download Mondoo role on your workstation
    ansible-galaxy install mondoo.client
  2. Create a playbook.yml to run the Ansible Mondoo role on your inventory of hosts. Replace the registration_token value with the registration token you copied in the previous step. The following example has both Linux and Windows hosts; remove the play you do not need if you are only using one platform:

    Example playbook.yml
    ---
    - hosts: mondoo_linux_clients
      become: yes
      roles:
        - role: mondoo.client
          vars:
            registration_token: "PASTE MONDOO REGISTRATION TOKEN"

    - hosts: mondoo_windows_clients
      roles:
        - role: mondoo.client
          vars:
            registration_token: "PASTE MONDOO REGISTRATION TOKEN"
            force_registration: false
  3. Save the playbook.yml file.

Step 3: Run Ansible

You should already have a hosts.ini file with your Ansible inventory. The following is an example hosts.ini with both Linux and Windows hosts:

Example hosts.ini

# Linux Hosts
[mondoo_linux_clients]
3.92.154.110 ansible_user=admin
3.95.154.111 ansible_user=ec2-user
3.82.22.136 ansible_user=ec2-user
54.211.122.215 ansible_user=ec2-user
54.209.155.66 ansible_user=ubuntu
54.146.154.182 ansible_user=ubuntu

# Windows Hosts
[mondoo_windows_clients]
# Windows Hosts WinRM
3.85.201.162 ansible_port=5986 ansible_connection=winrm ansible_user=Administrator ansible_password=changeme ansible_shell_type=powershell ansible_winrm_server_cert_validation=ignore
54.66.89.204 ansible_port=5986 ansible_connection=winrm ansible_user=Administrator ansible_password=changeme ansible_shell_type=powershell ansible_winrm_server_cert_validation=ignore
# Windows Hosts SSH
3.235.247.76 ansible_port=22 ansible_connection=ssh ansible_user=Administrator ansible_password=changeme ansible_shell_type=cmd

Run Ansible against your inventory:

Run Ansible against existing inventory
ansible-playbook -i hosts.ini playbook.yml

Step 4: View scan reports in Mondoo Platform

Once Ansible has run playbook.yml against your inventory, you can view the scan results in Mondoo Platform.

  1. In Mondoo Platform navigate to the FLEET page.
  2. All servers should now be reporting in and have received an asset score for the policies executed.
     [Image: Ansible inventory asset scores and reports in Mondoo Platform]
  3. To view the policies that ran on a given asset, and detailed information, select an asset in the list.
     [Image: Ansible asset details in Mondoo Platform]

This view shows each policy that ran against an asset, and the individual score for each policy. Select any policy in the list to view the results from each query.

info

To learn more about how asset scores are generated see Policy Scoring documentation.

Conclusion

If you have followed the steps above, Mondoo should now be running as a service on your Ansible inventory. Mondoo will continue to scan your assets every 60 minutes and report findings back to your account.

On-Demand scanning of Ansible inventories

This section covers how to use Mondoo Client for on-demand scans of Ansible inventories without needing to install and configure Mondoo Client as a service on the host.

While Mondoo Client can easily be configured to run as a service that continuously scans your infrastructure, there may be times when you just want to scan an Ansible inventory without installing and configuring Mondoo Client on the hosts.

Mondoo supports on-demand scanning of an Ansible inventory in two ways:

  • Run mondoo scan --ansible-inventory - Use the mondoo scan --ansible-inventory command to parse the output of the ansible-inventory -i <host_file.ini> --list command and scan the listed hosts with Mondoo.
  • Run Mondoo Scan as an Ansible Task - Create an Ansible task to scan your infrastructure.

In both scenarios, the scan authenticates to your Mondoo Platform account using the Mondoo Client configuration on your local workstation, runs any policies ENABLED in that space, and reports the results back to Mondoo Platform, where reports and asset scores are generated for all assets.

Mondoo Client is not installed on your infrastructure, so the inventory must be rescanned each time you want to refresh the results.

The next section provides hands-on tutorials for running both on-demand scenarios.

Hands-On: On-demand scan of Ansible inventory with mondoo scan --ansible-inventory

This section is a hands-on guide to triggering an on-demand scan of an Ansible inventory. After completing this guide, you will have scanned an existing Ansible inventory and have asset scores and reports generated for every host in it in your Mondoo Platform account.

caution

Currently, on-demand scans of Ansible inventories run serially and are not recommended for large inventories. If you are interested in running on-demand scans that execute in parallel, please reach out to us in the Mondoo Community Slack channel.

Step 1: Set up or validate your Ansible inventory

An Ansible inventory is a list of hosts, usually stored in one of two common formats: ini or yaml. The following examples illustrate their structure. The ini format allows grouping and easy configuration of additional properties.

Example hosts.ini
[workers]
34.243.41.251 ansible_user=ec2-user
instance1 ansible_host=18.203.250.158 ansible_user=ubuntu

The same structure in yaml:

Example hosts.yml
all:
  children:
    ungrouped: {}
    workers:
      hosts:
        34.243.41.251:
          ansible_user: ec2-user
        instance1:
          ansible_host: 18.203.250.158
          ansible_user: ubuntu

You can validate connectivity to the Ansible inventory by running the following command:

Ping Ansible inventory
ansible all -i hosts.ini -m ping

Example output

instance1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
34.243.41.251 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

Step 2: Scan the Ansible inventory

Mondoo Client provides the mondoo scan --ansible-inventory command to scan existing Ansible inventories. There are two main ways to use this command.

Option 1: Pipe the Ansible inventory to Mondoo scan

The first option, if you are using a shell such as bash or zsh that supports | redirects, is to pipe the output of the ansible-inventory -i hosts.ini --list command to mondoo scan --ansible-inventory:

Pipe the contents of an Ansible inventory to the mondoo scan --ansible-inventory command
ansible-inventory -i hosts.ini --list | mondoo scan --inventory-file - --ansible-inventory --insecure
info

The --insecure flag disables host key verification for hosts that have not been added to ~/.ssh/known_hosts, and certificate validation for Windows WinRM hosts that use self-signed certificates.

Option 2: Scan Ansible inventory hosts.json

If your shell does not support pipes, you can also generate a hosts.json with the ansible-inventory command and then pass that file to mondoo scan using the --inventory-file flag.

Generate hosts.json and scan with mondoo scan command
ansible-inventory -i hosts.ini --list > hosts.json
mondoo scan --inventory-file hosts.json --ansible-inventory
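Before handing an inventory to mondoo scan, it is useful to see exactly which hosts the ansible-inventory --list JSON would feed into the serial scan, and whether any host variables weaken the transport (a plaintext ansible_password or ansible_winrm_server_cert_validation set to ignore, as in the Windows hosts.ini example in the continuous-assessment section above). The following Python script is an added example, not part of Mondoo's tooling; the sample inventory JSON is constructed from this page's hosts.ini examples, and the file name audit_inventory.py is arbitrary.

```python
import json
import sys

# Constructed sample: what `ansible-inventory -i hosts.ini --list` emits for the
# hosts.ini examples on this page (the workers group plus one WinRM Windows host).
SAMPLE_INVENTORY = {
    "_meta": {
        "hostvars": {
            "34.243.41.251": {"ansible_user": "ec2-user"},
            "instance1": {"ansible_host": "18.203.250.158", "ansible_user": "ubuntu"},
            "3.85.201.162": {"ansible_connection": "winrm", "ansible_port": 5986,
                             "ansible_user": "Administrator", "ansible_password": "changeme",
                             "ansible_shell_type": "powershell",
                             "ansible_winrm_server_cert_validation": "ignore"},
        }
    },
    "all": {"children": ["ungrouped", "workers", "mondoo_windows_clients"]},
    "workers": {"hosts": ["34.243.41.251", "instance1"]},
    "mondoo_windows_clients": {"hosts": ["3.85.201.162"]},
}

def hosts_from_inventory(inv):
    """Return {inventory_name: hostvars} for every host the scan would reach.
    ansible-inventory keeps per-host variables in _meta.hostvars and group
    membership in <group>.hosts; the union makes sure no host is missed."""
    hostvars = inv.get("_meta", {}).get("hostvars", {})
    names = set(hostvars)
    for group, body in inv.items():
        if group != "_meta":
            names.update(body.get("hosts", []))
    return {name: hostvars.get(name, {}) for name in sorted(names)}

def audit_host(name, hv):
    """Resolve the connection mondoo would open and flag weak transport settings."""
    findings = []
    if "ansible_password" in hv:
        findings.append("plaintext ansible_password; store it with ansible-vault or use ssh-agent keys")
    if str(hv.get("ansible_winrm_server_cert_validation", "")).lower() == "ignore":
        findings.append("WinRM server certificate validation is disabled")
    if hv.get("ansible_connection") == "winrm" and int(hv.get("ansible_port", 5986)) != 5986:
        findings.append("WinRM is not on the HTTPS port 5986")
    return {
        "name": name,
        "address": hv.get("ansible_host", name),  # ansible_host overrides the inventory name
        "connection": hv.get("ansible_connection", "ssh"),
        "user": hv.get("ansible_user"),
        "findings": findings,
    }

def audit_inventory(inv):
    """Audit every host; len() of the result is the number of serial scans mondoo would run."""
    return [audit_host(n, hv) for n, hv in hosts_from_inventory(inv).items()]

if __name__ == "__main__":
    # ansible-inventory -i hosts.ini --list | python3 audit_inventory.py -   (or pass hosts.json)
    src = sys.argv[1] if len(sys.argv) > 1 else None
    inventory = SAMPLE_INVENTORY if src is None else json.load(sys.stdin if src == "-" else open(src))
    report = audit_inventory(inventory)
    print(f"{len(report)} host(s) would be scanned serially")
    for t in report:
        print(f"{t['name']:<16} {t['connection']}://{t['user']}@{t['address']}")
        for finding in t["findings"]:
            print(f"    ! {finding}")
```

Because the script consumes the same JSON as mondoo scan --inventory-file - --ansible-inventory, it can sit in the pipeline between ansible-inventory and mondoo as a dry run.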

Results from each policy that runs against your assets are displayed in the shell and in Mondoo Platform.

Example shell output

Mondoo Platform End-of-Life Policy
----------------------------------

┌▄▄▄▄▄▄▄▄▄┐
│   ___   │ Policy:  Mondoo Platform End-of-Life Policy
│  | _ )- │ Version: 1.0.0
│  | _ \  │ Mrn:     //policy.api.mondoo.app/policies/platform-eol
│  |___/  │ Score:   60 (completion: 100%, via worst score)
└─────────┘

Scoring Queries:
┌──────────────────────────────────────┐
│ Passed:  ██████████████████ 75.0%    │
│ Failed:  ██████ 25.0%                │
│ Errors:  0.0%                        │
│ Ignored: 0.0%                        │
│ Unknown: 0.0%                        │
└──────────────────────────────────────┘

■ Title: Ensure the platform is not End-of-Life (failed)
  Query:
    diff = platform.eol.date - time.now
    switch {
      case diff.days > 180: score(100);
      case diff.days > 30: score(60);
      case diff.days > 14: score(40);
      default: score(0);
    }
    platform.eol.date

  Assessment:
    [ok] value: 2021-12-30 16:00:00 -0800 PST

■ Title: Ensure Python 2 is not End-of-Life (passed)
■ Title: Ensure Python 3 is not End-of-Life (passed)
■ Title: Ensure Ruby is not End-of-Life (passed)

Data Queries:

■ Title: Platform End-of-Life Date
  ID: //policy.api.mondoo.app/queries/mondoo-platform-vulnerability-platform-eol-date
  Query: platform.eol.date
  Result: platform.eol.date: 2021-12-30 16:00:00 -0800 PST

Mondoo Platform Vulnerability Policy
------------------------------------

┌▄▄▄▄▄▄▄▄▄┐
│   ___   │ Policy:  Mondoo Platform Vulnerability Policy
│  |   \- │ Version: 1.0.0
│  | |) | │ Score:   12 (completion: 100%)
│  |___/  │ CVSS:    8.8
└─────────┘

┌─ Advisories ─────────────────────────┐
│ Critical: 0.0%                       │
│ High:     ██████ 30.0%               │
│ Medium:   ██████████████████ 70.0%   │
│ Low:      0.0%                       │
│ None:     0.0%                       │
└──────────────────────────────────────┘

┌─ Packages ───────────────────────────┐
│ Total:    ████████████████████ 377   │
│ Critical: 0                          │
│ High:     8                          │
│ Medium:   16                         │
│ Low:      0                          │
└──────────────────────────────────────┘

■ SCORE  PACKAGE             INSTALLED          FIXED AVAILABLE
■ 8.8    kernel-default      5.3.18-24.78.1     5.3.18-24.86.2
■ 7.5    glibc               2.26-13.56.1       2.26-13.59.1
■ 7.5    glibc-locale        2.26-13.56.1       2.26-13.59.1
■ 7.5    glibc-locale-base   2.26-13.56.1       2.26-13.59.1
■ 7      kmod                25-6.7.1           25-6.10.1
■ 7      kmod-compat         25-6.7.1           25-6.10.1
■ 7      libkmod2            25-6.7.1           25-6.10.1
■ 7      perl-Bootloader     0.931-3.3.1        0.931-3.5.1
■ 6.8    libncurses6         6.1-5.6.2          6.1-5.9.1
■ 6.8    ncurses-utils       6.1-5.6.2          6.1-5.9.1
■ 6.8    terminfo            6.1-5.6.2          6.1-5.9.1
■ 6.8    terminfo-base       6.1-5.6.2          6.1-5.9.1
■ 5.8    libcroco-0_6-3      0.6.13-1.26        0.6.13-3.3.1
■ 5.1    rpm-ndb             4.14.1-20.3        4.14.1-22.4.2
■ 5      curl                7.66.0-4.22.1      7.66.0-4.27.1
■ 5      libcurl4            7.66.0-4.22.1      7.66.0-4.27.1
■ 4.9    libsystemd0         234-24.90.1        234-24.93.1
■ 4.9    libudev1            234-24.90.1        234-24.93.1
■ 4.9    systemd             234-24.90.1        234-24.93.1
■ 4.9    systemd-sysvinit    234-24.90.1        234-24.93.1
■ 4.9    udev                234-24.90.1        234-24.93.1
■ 4.4    xen-libs            4.13.3_02-3.34.1   4.13.3_04-3.37.1
■ 4.4    xen-tools-domU      4.13.3_02-3.34.1   4.13.3_04-3.37.1
■ 4      krb5                1.16.3-3.21.1      1.16.3-3.24.1

Installed Kernel Versions:
* 5.3.18-24.78.1-default (running)

Additional Checks:
■ Platform is not end-of-life (passed)


Summary
=======

Asset Overview

■ D  ip-10-0-101-11
■ C- ip-10-0-101-163
■ D  ip-10-0-101-28
■ B  ip-10-0-101-71
■ C  ip-10-0-101-253.ec2.internal
■ B  ip-10-0-101-32

Aggregated Policy Overview

Mondoo Platform Vulnerability Policy                                   ████████████████████ F: 3 A: 2 D: 1
Mondoo Platform End-of-Life Policy                                     ████████████████████ F: 2 A: 3 B: 1
CIS Distribution Independent Linux Benchmark Level 1 - Server Profile  ████████████████████ C: 3 B: 3
CIS Distribution Independent Linux Benchmark Level 2 - Server Profile  ████████████████████ D: 5 C: 1

Step 3: View scan reports in Mondoo Platform

Once Ansible completes, scan results are sent to Mondoo Platform where asset scores and reports are generated for all assets scanned.

To view the reports in Mondoo Platform:

  1. In Mondoo Platform navigate to the FLEET page.
  2. All servers should now be reporting in and have received an asset score for the policies executed.
     [Image: Ansible inventory asset scores and reports in Mondoo Platform]
  3. To view the policies that ran on a given asset, and detailed information, select an asset in the list.
     [Image: Ansible asset details in Mondoo Platform]

This view shows each policy that ran against an asset, and the individual score for each policy. Select any policy in the list to view the results from each query.

info

To learn more about how asset scores are generated see Policy Scoring documentation.

Mondoo relies on the ansible-inventory command so that it can support the various inventory formats and reuse dynamic inventories as well. This command outputs a standardized format regardless of whether an ini or yaml inventory is used.

info

Note: At this point, we do not support group patterns. If you need additional support, please do not hesitate to contact us.

Hands-On: On-demand scan of Ansible inventory using an Ansible task

As an alternative, mondoo scan can be used as a command in an Ansible task. Mondoo uses the ssh-agent for authentication, so you do not need to set up any additional credential configuration.

Step 1: Set up or validate your Ansible Inventory

An Ansible inventory is a list of hosts, usually stored in one of two common formats: ini or yaml. The following examples illustrate their structure. The ini format allows grouping and easy configuration of additional properties.

Example hosts.ini
[workers]
34.243.41.251 ansible_user=ec2-user
instance1 ansible_host=18.203.250.158 ansible_user=ubuntu

The same structure in yaml:

Example hosts.yml
all:
  children:
    ungrouped: {}
    workers:
      hosts:
        34.243.41.251:
          ansible_user: ec2-user
        instance1:
          ansible_host: 18.203.250.158
          ansible_user: ubuntu

You can validate connectivity to the Ansible inventory by running the following command:

Ping Ansible inventory
ansible all -i hosts.ini -m ping

Example output

instance1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
34.243.41.251 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

Step 2: Set up playbook.yml to run Mondoo Scan

Next, you will need to create a playbook to run mondoo scan against your inventory. The following example playbook.yml runs mondoo scan locally, from the control node, against Linux hosts:

Example playbook.yml for executing Mondoo scan against Linux hosts
---
- hosts: all
  gather_facts: no
  tasks:
    - name: start ssh-agent
      local_action: ansible.builtin.command ssh-agent
      run_once: true
    - name: add key to ssh-agent
      # activate the rsa key instead if that is what you use
      # local_action: ansible.builtin.command ssh-add ~/.ssh/id_rsa
      local_action: ansible.builtin.command ssh-add ~/.ssh/id_ed25519
      run_once: true
    - name: run mondoo scan for target destination
      # ansible_host is the address to connect to when it differs from the inventory
      # name (instance1 above); fall back to inventory_hostname when it is not set
      local_action: ansible.builtin.command mondoo scan --insecure --score-threshold 0 ssh {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}

Be sure to SAVE the file.

Step 3: Run Ansible

Run the playbook with the following command:

Command Line
ansible-playbook -i hosts.ini playbook.yml
info

The --insecure flag disables host key verification for hosts that have not been added to ~/.ssh/known_hosts, and certificate validation for Windows WinRM hosts that use self-signed certificates.

Step 4: View scan reports in Mondoo Platform

Once Ansible completes, scan results are sent to Mondoo Platform where asset scores and reports are generated for all assets scanned.

To view the reports in Mondoo Platform:

  1. In Mondoo Platform navigate to the FLEET page.
  2. All servers should now be reporting in and have received an asset score for the policies executed.
     [Image: Ansible inventory asset scores and reports in Mondoo Platform]
  3. To view the policies that ran on a given asset, and detailed information, select an asset in the list.
     [Image: Ansible asset details in Mondoo Platform]

This view shows each policy that ran against an asset, and the individual score for each policy. Select any policy in the list to view the results from each query.

info

To learn more about how asset scores are generated see Policy Scoring documentation.