This document discusses using Ansible to automate compliance with security technical implementation guides (STIGs) on Red Hat Enterprise Linux 6 systems. It provides an overview of Ansible and how the MindPoint Group created an Ansible role to remediate STIG findings. Attendees will learn how to install the STIG role, apply it to remediate systems, and use Ansible Tower for fully automated compliance. The role addresses high, medium, and low-impact STIG requirements and can be run repeatedly to maintain compliance.
2. PRESENTERS
DAN SHEPHERD // MINDPOINT GROUP
daniels@mindpointgroup.com
o IT security consultant
o Helps USG and commercial customers respond to difficult IT security challenges
JUSTIN NEMMERS // ANSIBLE GOVERNMENT
jnemmers@ansible.com
o IT architect and (recovering) sysadmin
o 15 years of USG experience
o Wrote first STIG Kickstarts w/ DISA for RHEL 3 and 4
3. ORGANIZATIONS
MINDPOINT GROUP
o IT security consultancy
o Helps customers consistently meet stringent security requirements
o Well-versed in Ansible
ANSIBLE
o Simplest way to automate IT
o Fastest growing IT automation platform
o Simple, agentless, powerful
4. WEBCAST GOALS
Learn about Ansible
Get started with Ansible and the STIG role
Install the STIG role
Apply role and remediate findings
Fully automate compliance with Ansible Tower
5. Ansible Enterprise Automation
ANSIBLE OPEN SOURCE
Simple. Agentless. Powerful.
/ Uses OpenSSH
/ No extra code to manage
/ Ready for cloud-scale
/ Uses YAML for playbooks
/ No special coding skills needed
/ Fast learning curve
/ App deployment
/ Orchestration
/ Configuration management
ANSIBLE TOWER
Control. Security. Delegation.
/ Role-Based Access Control
/ Delegation of credentials/keys
/ Audit trail for automation
/ Centralized job runs
/ Job scheduling
/ Automation dashboard
/ Push-button job execution
/ Portal mode for delegation
/ REST API for integration
6. ANSIBLE IS COMPLETE AUTOMATION
Ansible was written to automate complex multi-tier deployments, including:
o Configuration management
o App deployment
o Provisioning
o Servers & network devices
o Cloud management & VMs
o Zero-downtime rolling upgrades
o Ad-hoc patches & updates
7. ANSIBLE: THE LANGUAGE OF ENTERPRISE IT
o Ansible is the first “infrastructure-as-code” that can be read and written across IT… from sys-admins to developers to managers
o Ansible is the only automation engine that can automate the entire application lifecycle & continuous delivery pipeline
[Diagram: an Ansible Playbook spanning DEV/TEST, Q/A, OPERATIONS, MANAGEMENT and INFRASTRUCTURE]
From development… to production.
8. HISTORY OF BASELINES
GOLD DISK
o Infrequent, time consuming, and error prone
o Inconsistent, relies on staff’s capability
o No ongoing remediation or validation
SEMI-AUTOMATION
o Shell scripts, other tooling
o Brittle. Changes really, really hurt
o No ongoing remediation or compliance validation
9. And both of these options suck. And how do you keep up with changes?
10. ANSIBLE AND SECURITY BASELINES
REPEAT
o Same process every time
REMEDIATE
o Apply STIG whenever desired
VALIDATE
o Confirm compliance
IDEMPOTENT
o Run and re-run over and over
11. HOW
MINDPOINT GROUP
o Trusted
o Capable
RHEL 6.x (and variants)
o Very common
DISA STIG
o Significant pain points for USG customers
o SCAP for easy validation
12. STIG ROLE COVERAGE
CAT 1 (HIGH): 100%
CAT 2 (MEDIUM): 91%
CAT 3 (LOW): 82%
We don’t automatically correct every finding, as some are not always safe to run on live systems (e.g. partitioning).
13. PLAYBOOK EXAMPLE
apply-stig.yml
---
- name: Apply STIG to a RHEL 6.x System
  hosts: all
  sudo: yes
  vars:
    rhel6stig_cat1: true
    rhel6stig_cat2: true
    rhel6stig_cat3: true
    rhel6stig_fullauto: true
  roles:
    - rhel6stig
14. CAT 1 ROLE EXAMPLE PLAY
cat1.yml
---
# CAT I Findings
- name: V-38653 High The snmpd service must not use a default password
  # group 1 keeps everything up to the community string; only "public" is
  # swapped for the configured community (backslashes restored: \s and \1)
  replace: backup=yes dest=/etc/snmp/snmpd.conf regexp=(^com2sec.*default\s+)public replace=\1{{ rhel6stig_snmp_community }}
  ignore_errors: yes
  # snmpconf_test is a registered stat result from an earlier task
  when: snmpconf_test.stat.exists
  notify: restart snmpd
  tags: [ 'cat1' , 'V-38653' , 'snmp' ]

- name: V-38491 High There must be no hosts.equiv file on the system
  file: state=absent dest=/etc/hosts.equiv
  tags: [ 'cat1' , 'V-38491' , 'hosts_equiv' ]

- name: V-38491 High There must be no .rhosts files on the system
  # users.stdout_lines is the registered output of an earlier task listing local users
  file: state=absent dest=~{{ item }}/.rhosts
  with_items: users.stdout_lines
  tags: [ 'cat1' , 'V-38491' , 'rhosts' ]
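An added example (not code from the RHEL6-STIG role) that reproduces what the V-38653 replace task above does with the same regexp, and walks through the validate / remediate / idempotent cycle from slide 10. The snmpd.conf content is constructed, and `changed` is derived by comparing content before and after, which is how Ansible's replace module reports it.

```python
import re

# Regexp from the V-38653 task above; Ansible's replace module compiles its
# regexp with re.MULTILINE, so ^ anchors each line rather than the whole file.
SNMP_DEFAULT_RE = re.compile(r"(^com2sec.*default\s+)public", re.MULTILINE)

# Constructed sample snmpd.conf content (not taken from any real host).
SAMPLE_SNMPD_CONF = (
    "# constructed example\n"
    "com2sec notConfigUser  default       public\n"
    "com2sec siteUser       10.0.0.0/8    s1tecommunity\n"
    "group   notConfigGroup v1            notConfigUser\n"
)


def find_default_community(conf):
    """VALIDATE: list the com2sec lines still using the default community."""
    return [m.group(0) for m in SNMP_DEFAULT_RE.finditer(conf)]


def remediate_default_community(conf, community):
    """REMEDIATE: swap 'public' for the configured community on matching
    lines, keeping group 1 intact. Returns (new_conf, changed); changed is
    True only when the content actually differs, which is what makes
    re-running the task safe."""
    new_conf = SNMP_DEFAULT_RE.sub(lambda m: m.group(1) + community, conf)
    return new_conf, new_conf != conf


def apply_twice(conf, community):
    """IDEMPOTENT: run the remediation twice; the second pass must report
    changed=False and leave the content untouched."""
    once, changed_first = remediate_default_community(conf, community)
    twice, changed_second = remediate_default_community(once, community)
    return twice, changed_first, changed_second


if __name__ == "__main__":
    print("findings:", find_default_community(SAMPLE_SNMPD_CONF))
    fixed, first, second = apply_twice(SAMPLE_SNMPD_CONF, "NotPublicAnymore")
    print("changed on first run:", first, "| on second run:", second)
    print(fixed)
```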
15. GET THE STIG ROLE
$ ansible-galaxy install https://github.com/MindPointGroup/RHEL6-STIG.git,devel

$ ansible-galaxy install -r requirements.yml
requirements.yml:
- src: https://github.com/MindPointGroup/RHEL6-STIG
  name: rhel6-stig

$ git clone https://github.com/MindPointGroup/RHEL6-STIG.git
16. APPLY STIG ROLE FROM CLI
Requires Ansible version >= 1.8
$ ansible-playbook -i hosts apply-stig.yml
19. MORE ROLE INFO
INFORMATION AND STATUS
www.ansible.com/security-stig
GALAXY
galaxy.ansible.com/list#/roles/2955
GITHUB
github.com/ansible/ansible-lockdown
github.com/MindPointGroup/RHEL6-STIG
20. OUR COMMUNITY
FOLLOW US OR CONTRIBUTE
o github.com/ansible/ansible-lockdown
SEE SOMETHING THAT NEEDS FIXING?
o Let us know, and help fix it!
NEED HELP?
o Paying customer? support@ansible.com
o MindPoint Group Services
o groups.google.com/forum/#!forum/ansible-project