STIG Compliance and Remediation
with Ansible
April 2015
PRESENTERS
DAN SHEPHERD // MINDPOINT GROUP
daniels@mindpointgroup.com
o IT security consultant
o Helps USG and commercial customers respond to difficult IT security challenges
JUSTIN NEMMERS // ANSIBLE GOVERNMENT
jnemmers@ansible.com
o IT architect and (recovering) sysadmin
o 15 years of USG experience
o Wrote first STIG Kickstarts w/ DISA for RHEL 3 and 4
ORGANIZATIONS
MINDPOINT GROUP
o IT security consultancy
o Helps customers consistently meet stringent security requirements
o Well-versed in Ansible
ANSIBLE
o Simplest way to automate IT
o Fastest growing IT automation platform
o Simple, agentless, powerful
WEBCAST GOALS
Learn about Ansible
Get started with Ansible and the STIG role
Install the STIG role
Apply role and remediate findings
Fully automate compliance with Ansible Tower
ANSIBLE ENTERPRISE AUTOMATION
Ansible (open source): Simple. Agentless. Powerful.
/ Uses OpenSSH
/ No extra code to manage
/ Ready for cloud-scale
/ Uses YAML for playbooks
/ No special coding skills needed
/ Fast learning curve
/ App deployment
/ Orchestration
/ Configuration management
Ansible Tower: Control. Security. Delegation.
/ Role-Based Access Control
/ Delegation of credentials/keys
/ Audit trail for automation
/ Centralized job runs
/ Job scheduling
/ Automation dashboard
/ Push-button job execution
/ Portal mode for delegation
/ REST API for integration
ANSIBLE IS COMPLETE AUTOMATION
Ansible was written to automate complex multi-tier deployments, including:
o Configuration management
o App deployment
o Provisioning
o Servers & network devices
o Cloud management & VMs
o Zero-downtime rolling upgrades
o Ad-hoc patches & updates
ANSIBLE: THE LANGUAGE OF ENTERPRISE IT
o Ansible is the first “infrastructure-as-code” that can be read and written across IT… from sys-admins to developers to managers
o Ansible is the only automation engine that can automate the entire application lifecycle & continuous delivery pipeline
[Figure: one Ansible Playbook spanning DEV/TEST, Q/A, OPERATIONS, MANAGEMENT and INFRASTRUCTURE. From development… to production.]
HISTORY OF BASELINES
GOLD DISK
o Infrequent, time consuming, and error prone
o Inconsistent, relies on staff’s capability
o No ongoing remediation or validation
SEMI-AUTOMATION
o Shell scripts, other tooling
o Brittle. Changes really, really hurt
o No ongoing remediation or compliance validation
And both of these options suck. And how do you keep up with changes?
ANSIBLE AND SECURITY BASELINES
REPEAT
o Same process every time
REMEDIATE
o Apply STIG whenever desired
VALIDATE
o Confirm compliance
IDEMPOTENT
o Run and re-run over and over
HOW
MINDPOINT GROUP
o Trusted
o Capable
RHEL 6.x (and variants)
o Very common
DISA STIG
o Significant pain points for USG customers
o SCAP for easy validation
STIG ROLE COVERAGE
CAT 1 (HIGH): 100%
CAT 2 (MEDIUM): 91%
CAT 3 (LOW): 82%
We don’t automatically correct every finding, as some are not always safe to run on live systems (e.g. partitioning).
PLAYBOOK EXAMPLE
apply-stig.yml
---
- name: Apply STIG to a RHEL 6.x System
  hosts: all
  sudo: yes            # Ansible 1.x privilege escalation; 'become: yes' from Ansible 1.9 on
  vars:
    rhel6stig_cat1: true
    rhel6stig_cat2: true
    rhel6stig_cat3: true
    rhel6stig_fullauto: true
  roles:
    - rhel6stig
CAT 1 ROLE EXAMPLE PLAY
cat1.yml
---
# CAT I Findings
- name: V-38653 High The snmpd service must not use a default password
  # Replace the default "public" community; \1 keeps the matched com2sec prefix
  replace: backup=yes dest=/etc/snmp/snmpd.conf regexp=(^com2sec.*default\s+)public replace=\1{{ rhel6stig_snmp_community }}
  ignore_errors: yes
  when: snmpconf_test.stat.exists     # snmpconf_test is registered by an earlier stat task in the role
  notify: restart snmpd
  tags: [ 'cat1', 'V-38653', 'snmp' ]

- name: V-38491 High There must be no hosts.equiv file on the system
  file: state=absent dest=/etc/hosts.equiv
  tags: [ 'cat1', 'V-38491', 'hosts_equiv' ]

- name: V-38491 High There must be no .rhosts files on the system
  file: state=absent dest=~{{ item }}/.rhosts
  with_items: users.stdout_lines      # user names registered by an earlier task in the role
  tags: [ 'cat1', 'V-38491', 'rhosts' ]
GET THE STIG ROLE
Directly from GitHub (devel branch):
$ ansible-galaxy install https://github.com/MindPointGroup/RHEL6-STIG.git,devel
From a requirements file:
$ ansible-galaxy install -r requirements.yml
requirements.yml
- src: https://github.com/MindPointGroup/RHEL6-STIG
  name: rhel6stig     # must match the name listed under roles: in apply-stig.yml
Or clone the repository:
$ git clone https://github.com/MindPointGroup/RHEL6-STIG.git
APPLY STIG ROLE FROM CLI
Requires Ansible version >= 1.8
$ ansible-playbook -i hosts apply-stig.yml
CLI RESULTS
Skipping: a conditional caused the task to be skipped (OK)
Changed: the role made a change on the system
OK: no action required
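The cat1.yml fragment above tests `snmpconf_test.stat.exists`, loops over `users.stdout_lines` and notifies `restart snmpd` without showing where those come from, and the CLI RESULTS slide describes the skipped/changed/ok outcomes that the REPEAT, REMEDIATE, VALIDATE and IDEMPOTENT slide relies on. The play below is an added example, not the MindPoint Group role's own code: it supplies the registered facts and the handler the fragment depends on and adds an audit task, so that one play can both validate and remediate the two CAT I findings. The variable and handler names are taken from the slides; how they are populated, the Ansible 2.2+ syntax (`become:`, `check_mode:`), the UID_MIN of 500 and the example community string are assumptions.

```yaml
---
# Added example, not code from the MindPoint Group RHEL6-STIG role.
# Assumed: Ansible 2.2 or newer, the variable/handler names used on the
# slides (snmpconf_test, users, rhel6stig_snmp_community, restart snmpd),
# and UID_MIN=500 as shipped with RHEL 6.
- name: Validate and remediate two CAT I findings on RHEL 6.x
  hosts: all
  become: yes
  vars:
    # Assumed site value; in practice load it from an Ansible Vault file.
    rhel6stig_snmp_community: "s3cr3t-r0-community"

  pre_tasks:
    - name: Record whether snmpd.conf exists (drives the when on V-38653)
      stat:
        path: /etc/snmp/snmpd.conf
      register: snmpconf_test
      check_mode: no        # read-only, so run it even under --check

    - name: Enumerate root plus local accounts with UID >= 500
      shell: "awk -F: '$3 == 0 || ($3 >= 500 && $3 != 65534) {print $1}' /etc/passwd"
      register: users
      changed_when: false   # read-only, must never count as a change
      check_mode: no

  tasks:
    - name: V-38653 High The snmpd service must not use a default password
      replace:
        path: /etc/snmp/snmpd.conf
        backup: yes
        regexp: '(^com2sec.*default\s+)public'
        # \g<1> instead of \1: a community string beginning with a digit
        # would otherwise be read as part of the group number
        replace: '\g<1>{{ rhel6stig_snmp_community }}'
      when: snmpconf_test.stat.exists
      notify: restart snmpd
      tags: [cat1, V-38653, snmp]

    - name: V-38491 High There must be no hosts.equiv file on the system
      file:
        path: /etc/hosts.equiv
        state: absent
      tags: [cat1, V-38491, hosts_equiv]

    - name: V-38491 High There must be no .rhosts files in any home directory
      file:
        path: "~{{ item }}/.rhosts"   # the file module expands ~user to that user's home
        state: absent
      with_items: "{{ users.stdout_lines }}"
      tags: [cat1, V-38491, rhosts]

  post_tasks:
    # VALIDATE: fail the host if a default community is still configured.
    # Under --check the replace task above is not applied, so this audit
    # reports the open finding instead of silently passing.
    - name: V-38653 Audit that no default community string remains
      shell: "grep -E '^com2sec[[:space:]].*[[:space:]](public|private)([[:space:]]|$)' /etc/snmp/snmpd.conf"
      register: snmp_default_community
      changed_when: false
      failed_when: snmp_default_community.rc == 0 or snmp_default_community.rc > 1
      check_mode: no
      when: snmpconf_test.stat.exists
      tags: [cat1, V-38653, audit]

  handlers:
    - name: restart snmpd
      service:
        name: snmpd
        state: restarted
```

Run it first with `ansible-playbook -i hosts stig-cat1-example.yml --check --diff` (file name assumed): the replace and file tasks report what they would change without touching the host, and the audit task fails any host that still carries a default community, which is the VALIDATE step from the deck. Run it again without `--check` to remediate; a further run should end with changed=0 in the play recap, which is the idempotency the deck relies on when the role is re-run on a schedule. The slide's task carries `ignore_errors: yes`; the example drops it, because a failed rewrite of snmpd.conf is exactly the kind of result that should show up in the recap rather than be masked.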
Demo of the STIG role + Ansible Tower
MORE ROLE INFO
INFORMATION AND STATUS
www.ansible.com/security-stig
GALAXY
galaxy.ansible.com/list#/roles/2955
GITHUB
github.com/ansible/ansible-lockdown
github.com/MindPointGroup/RHEL6-STIG
OUR COMMUNITY
FOLLOW US OR CONTRIBUTE
o github.com/ansible/ansible-lockdown
SEE SOMETHING THAT NEEDS FIXING?
o Let us know, and help fix it!
NEED HELP?
o Paying customer? support@ansible.com
o MindPoint Group Services
o groups.google.com/forum/#!forum/ansible-project
CONTACT US
MindPoint Group: www.mindpointgroup.com
Ansible: www.ansible.com/government

Booking open Available Pune Call Girls Shukrawar Peth 6297143586 Call Hot In...
 
Russian🍌Dazzling Hottie Get☎️ 9053900678 ☎️call girl In Chandigarh By Chandig...
Russian🍌Dazzling Hottie Get☎️ 9053900678 ☎️call girl In Chandigarh By Chandig...Russian🍌Dazzling Hottie Get☎️ 9053900678 ☎️call girl In Chandigarh By Chandig...
Russian🍌Dazzling Hottie Get☎️ 9053900678 ☎️call girl In Chandigarh By Chandig...
 
Item # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfItem # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdf
 
2024: The FAR, Federal Acquisition Regulations - Part 29
2024: The FAR, Federal Acquisition Regulations - Part 292024: The FAR, Federal Acquisition Regulations - Part 29
2024: The FAR, Federal Acquisition Regulations - Part 29
 
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxIncident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
 
(NEHA) Call Girls Nagpur Call Now 8250077686 Nagpur Escorts 24x7
(NEHA) Call Girls Nagpur Call Now 8250077686 Nagpur Escorts 24x7(NEHA) Call Girls Nagpur Call Now 8250077686 Nagpur Escorts 24x7
(NEHA) Call Girls Nagpur Call Now 8250077686 Nagpur Escorts 24x7
 
Coastal Protection Measures in Hulhumale'
Coastal Protection Measures in Hulhumale'Coastal Protection Measures in Hulhumale'
Coastal Protection Measures in Hulhumale'
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation -  Humble BeginningsZechariah Boodey Farmstead Collaborative presentation -  Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
 
An Atoll Futures Research Institute? Presentation for CANCC
An Atoll Futures Research Institute? Presentation for CANCCAn Atoll Futures Research Institute? Presentation for CANCC
An Atoll Futures Research Institute? Presentation for CANCC
 
The U.S. Budget and Economic Outlook (Presentation)
The U.S. Budget and Economic Outlook (Presentation)The U.S. Budget and Economic Outlook (Presentation)
The U.S. Budget and Economic Outlook (Presentation)
 

STIG Compliance and Remediation with Ansible

  • 1. STIG Compliance and Remediation with Ansible, April 2015
  • 2. PRESENTERS
    DAN SHEPHERD // MINDPOINT GROUP (daniels@mindpointgroup.com)
      o IT security consultant
      o Helps USG and commercial customers respond to difficult IT security challenges
    JUSTIN NEMMERS // ANSIBLE GOVERNMENT (jnemmers@ansible.com)
      o IT architect and (recovering) sysadmin
      o 15 years of USG experience
      o Wrote first STIG Kickstarts w/ DISA for RHEL 3 and 4
  • 3. ORGANIZATIONS
    MINDPOINT GROUP
      o IT security consultancy
      o Helps customers consistently meet stringent security requirements
      o Well-versed in Ansible
    ANSIBLE
      o Simplest way to automate IT
      o Fastest growing IT automation platform
      o Simple, agentless, powerful
  • 4. WEBCAST GOALS
    Learn about Ansible
    Get started with Ansible and the STIG role
    Install the STIG role
    Apply role and remediate findings
    Fully automate compliance with Ansible Tower
  • 5. Ansible Enterprise Automation
    Ansible Open Source: Simple. Agentless. Powerful.
      / Uses OpenSSH
      / No extra code to manage
      / Ready for cloud-scale
      / Uses YAML for playbooks
      / No special coding skills needed
      / Fast learning curve
      / App deployment
      / Orchestration
      / Configuration management
    Ansible Tower: Control. Security. Delegation.
      / Role-Based Access Control
      / Delegation of credentials/keys
      / Audit trail for automation
      / Centralized job runs
      / Job scheduling
      / Automation dashboard
      / Push-button job execution
      / Portal mode for delegation
      / REST API for integration
  • 6. ANSIBLE IS COMPLETE AUTOMATION
    Ansible was written to automate complex multi-tier deployments, including:
      o Configuration management
      o App deployment
      o Provisioning
      o Servers & network devices
      o Cloud management & VMs
      o Zero-downtime rolling upgrades
      o Ad-hoc patches & updates
  • 7. ANSIBLE: THE LANGUAGE OF ENTERPRISE IT
      o Ansible is the first "infrastructure-as-code" that can be read and written across IT… from sys-admins to developers to managers
      o Ansible is the only automation engine that can automate the entire application lifecycle & continuous delivery pipeline
    (Diagram: one Ansible Playbook spanning DEV/TEST, Q/A, OPERATIONS, MANAGEMENT and INFRASTRUCTURE; from development… to production.)
  • 8. HISTORY OF BASELINES
    GOLD DISK
      o Infrequent, time consuming, and error prone
      o Inconsistent, relies on staff's capability
      o No ongoing remediation or validation
    SEMI-AUTOMATION
      o Shell scripts, other tooling
      o Brittle. Changes really, really hurt
      o No ongoing remediation or compliance validation
  • 9. And both of these options suck. And how do you keep up with changes?
  • 10. ANSIBLE AND SECURITY BASELINES
    REPEAT
      o Same process every time
    REMEDIATE
      o Apply STIG whenever desired
    VALIDATE
      o Confirm compliance
    IDEMPOTENT
      o Run and re-run over and over
  • 11. HOW
    MINDPOINT GROUP
      o Trusted
      o Capable
    RHEL 6.x (and variants)
      o Very common
    DISA STIG
      o Significant pain points for USG customers
      o SCAP for easy validation
  • 12. STIG ROLE COVERAGE
    CAT 1 (HIGH): 100%
    CAT 2 (MEDIUM): 91%
    CAT 3 (LOW): 82%
    We don't automatically correct every finding, as some are not always safe to run on live systems (e.g. partitioning).
  • 13. PLAYBOOK EXAMPLE
    apply-stig.yml:

        ---
        - name: Apply STIG to a RHEL 6.x System
          hosts: all
          sudo: yes          # Ansible 1.x privilege escalation; the equivalent in Ansible 2.x and later is 'become: yes'
          vars:
            rhel6stig_cat1: true       # remediate CAT I (high) findings
            rhel6stig_cat2: true       # remediate CAT II (medium) findings
            rhel6stig_cat3: true       # remediate CAT III (low) findings
            rhel6stig_fullauto: true   # also apply fixes the role otherwise leaves for manual review
          roles:
            - rhel6stig
  • 14. CAT 1 ROLE EXAMPLE PLAY
    cat1.yml:

        ---
        # CAT I Findings
        - name: V-38653 High The snmpd service must not use a default password
          # Keep the com2sec line but swap the default 'public' community for the configured one.
          # The backslashes in '\s+' and the '\1' back-reference were lost in the slide extraction.
          replace: backup=yes dest=/etc/snmp/snmpd.conf regexp=(^com2sec.*default\s+)public replace=\1{{ rhel6stig_snmp_community }}
          ignore_errors: yes
          # snmpconf_test is assumed to be registered by an earlier stat task on /etc/snmp/snmpd.conf (not shown on the slide)
          when: snmpconf_test.stat.exists
          notify: restart snmpd
          tags: [ 'cat1', 'V-38653', 'snmp' ]

        - name: V-38491 High There must be no hosts.equiv file on the system
          file: state=absent dest=/etc/hosts.equiv
          tags: [ 'cat1', 'V-38491', 'hosts_equiv' ]

        - name: V-38491 High There must be no .rhosts files on the system
          file: state=absent dest=~{{ item }}/.rhosts
          # users is assumed to be registered by an earlier task that lists local accounts (not shown);
          # the quoted form replaces the deprecated bare-variable syntax 'with_items: users.stdout_lines'
          with_items: "{{ users.stdout_lines }}"
          tags: [ 'cat1', 'V-38491', 'rhosts' ]
  • 15. GET THE STIG ROLE

        $ ansible-galaxy install https://github.com/MindPointGroup/RHEL6-STIG.git,devel

        $ ansible-galaxy install -r requirements.yml

        requirements.yml:
        - src: https://github.com/MindPointGroup/RHEL6-STIG
          name: rhel6-stig

        $ git clone https://github.com/MindPointGroup/RHEL6-STIG.git

  • 16. APPLY STIG ROLE FROM CLI
    Requires Ansible version >= 1.8

        $ ansible-playbook -i hosts apply-stig.yml

  • 17. CLI RESULTS
    Skipping   Conditional caused test to be skipped (OK)
    Changed    Role made a change on the system
    OK         No action required
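    Slides 15 to 17 are one procedure: install the role, run the playbook, read the result. Because the role is idempotent, the same playbook doubles as a validation pass when run in check mode, and the PLAY RECAP tells you which hosts would change (out of compliance) and which would not. The script below is an added example written for this page; it is not from the slides or from the MindPoint Group role. It assumes a hypothetical inventory file named hosts and the apply-stig.yml playbook from slide 13, with the role installed under the name rhel6stig (the name under roles: in the playbook must match the installed role directory; the requirements.yml on slide 15 installs it as rhel6-stig, so one of the two has to be adjusted). The PLAY RECAP embedded in the script is constructed so the parsing can be exercised without Ansible or target hosts.

```shell
#!/bin/sh
# Added example, not part of the slides or of the MindPointGroup/RHEL6-STIG role.
# Audit-then-remediate wrapper around the STIG role:
#   1. run the playbook in --check mode (nothing is changed on the hosts),
#   2. parse the PLAY RECAP: a host with changed>0 is out of compliance with
#      the selected findings; unreachable>0 or failed>0 means the audit itself
#      did not complete for that host,
#   3. remediate only the hosts that showed drift, via --limit.
# Assumed (hypothetical) file names: inventory ./hosts, playbook ./apply-stig.yml.

INVENTORY=${INVENTORY:-hosts}
PLAYBOOK=${PLAYBOOK:-apply-stig.yml}

# recap_noncompliant: reads ansible-playbook output on stdin and prints
# "<host> <changed> <unreachable> <failed>" for every host that is not
# cleanly compliant. Exit status 1 if any such host exists, 0 otherwise.
recap_noncompliant() {
  awk '
    /^PLAY RECAP/ { in_recap = 1; next }
    in_recap && /changed=/ {
      host = $1; changed = 0; unreachable = 0; failed = 0
      for (i = 2; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n != 2) continue
        if (kv[1] == "changed")     changed     = kv[2] + 0
        if (kv[1] == "unreachable") unreachable = kv[2] + 0
        if (kv[1] == "failed")      failed      = kv[2] + 0
      }
      if (changed > 0 || unreachable > 0 || failed > 0) {
        print host, changed, unreachable, failed
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }
  '
}

# audit_stig <tags>: check-mode run limited to the given tags (e.g. cat1 or
# cat1,V-38653). Prints the non-compliant hosts; exit 1 if there are any.
audit_stig() {
  ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --check --tags "$1" | recap_noncompliant
}

# audit_then_remediate <tags>: remediate only hosts that showed drift, so
# compliant hosts are not touched at all. Refuses to remediate if the audit
# itself was incomplete (unreachable or failed hosts), since a partial audit
# cannot tell drift from error.
audit_then_remediate() {
  drift=$(audit_stig "$1" || true)
  [ -n "$drift" ] || { echo "all hosts compliant for tags: $1"; return 0; }
  hosts=$(printf '%s\n' "$drift" | awk '$3 == 0 && $4 == 0 { print $1 }' | paste -sd, -)
  [ -n "$hosts" ] || { echo "audit incomplete (unreachable/failed hosts), not remediating"; return 1; }
  ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --tags "$1" --limit "$hosts"
}

# Constructed sample output (not a real run) so the parsing can be exercised
# without Ansible: web01 has 4 findings to fix, web02 is clean, db01 was unreachable.
SAMPLE_RECAP='PLAY [Apply STIG to a RHEL 6.x System] ****************************************

TASK: [rhel6stig | V-38491 High There must be no hosts.equiv file on the system] ***
changed: [web01]
ok: [web02]

PLAY RECAP ********************************************************************
web01                      : ok=31   changed=4    unreachable=0    failed=0
web02                      : ok=35   changed=0    unreachable=0    failed=0
db01                       : ok=0    changed=0    unreachable=1    failed=0
'

# Stand-alone demo on the constructed sample: prints "web01 4 0 0" and "db01 0 1 0".
printf '%s' "$SAMPLE_RECAP" | recap_noncompliant || echo "drift or audit errors found (exit status $?)"
```

    Check mode is only a partial validation for this role: command and shell tasks do not run under --check, so tasks that depend on their registered output (such as the .rhosts task on slide 14, which iterates users.stdout_lines) are skipped or error out instead of being reported as changed. Mark such discovery tasks always_run: yes (Ansible 1.x) or check_mode: no (Ansible 2.2 and later) if the audit must be complete, and treat the SCAP scan mentioned on slide 11 as the authoritative compliance check rather than the recap counts.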
  • 18. Demo of the STIG role + Ansible Tower
  • 19. MORE ROLE INFO
    INFORMATION AND STATUS: www.ansible.com/security-stig
    GALAXY: galaxy.ansible.com/list#/roles/2955
    GITHUB: github.com/ansible/ansible-lockdown, github.com/MindPointGroup/RHEL6-STIG
  • 20. OUR COMMUNITY
    FOLLOW US OR CONTRIBUTE
      o github.com/ansible/ansible-lockdown
    SEE SOMETHING THAT NEEDS FIXING?
      o Let us know, and help fix it!
    NEED HELP?
      o Paying customer? support@ansible.com
      o MindPoint Group Services
      o groups.google.com/forum/#!forum/ansible-project

Editor's notes

  1. Mix of too high level for an actual Ansible user. Targeted for high-level VP of IT. Might be too detailed for Ventures.