STIG Compliance and Remediation with Ansible
April 2015
PRESENTERS
DAN SHEPHERD // MINDPOINT [email protected]
o IT security consultant
o Helps USG and commercial customers respond to difficult IT security challenges
JUSTIN NEMMERS // ANSIBLE [email protected]
o IT architect and (recovering) sysadmin
o 15 years of USG experience
o Wrote first STIG Kickstarts w/ DISA for RHEL 3 and 4
ORGANIZATIONS
MINDPOINT GROUP
o IT security consultancy
o Helps customers consistently meet stringent security requirements
o Well-versed in Ansible
ANSIBLE
o Simplest way to automate IT
o Fastest growing IT automation platform
o Simple, agentless, powerful
WEBCAST GOALS
Learn about Ansible
Get started with Ansible and the STIG role
Install the STIG role
Apply role and remediate findings
Fully automate compliance with Ansible Tower
Ansible Enterprise Automation
Ansible Open Source: Simple. Agentless. Powerful.
/ Uses OpenSSH
/ No extra code to manage
/ Ready for cloud-scale
/ Uses YAML for playbooks
/ No special coding skills needed
/ Fast learning curve
/ App deployment
/ Orchestration
/ Configuration management
Ansible Tower: Control. Security. Delegation.
/ Role-Based Access Control
/ Delegation of credentials/keys
/ Audit trail for automation
/ Centralized job runs
/ Job scheduling
/ Automation dashboard
/ Push-button job execution
/ Portal mode for delegation
/ REST API for integration
ANSIBLE IS COMPLETE AUTOMATION
Ansible was written to automate complex multi-tier deployments, including:
o Configuration management
o App deployment
o Provisioning
o Servers & network devices
o Cloud management & VMs
o Zero-downtime rolling upgrades
o Ad-hoc patches & updates
ANSIBLE: THE LANGUAGE OF ENTERPRISE IT
o Ansible is the first “infrastructure-as-code” that can be read and written across IT… from sys-admins to developers to managers
o Ansible is the only automation engine that can automate the entire application lifecycle & continuous delivery pipeline
[Figure: one Ansible Playbook spanning DEV/TEST, Q/A, OPERATIONS, MANAGEMENT and INFRASTRUCTURE: from development… to production.]
HISTORY OF BASELINES
GOLD DISK
o Infrequent, time consuming, and error prone
o Inconsistent, relies on staff’s capability
o No ongoing remediation or validation
SEMI-AUTOMATION
o Shell scripts, other tooling
o Brittle. Changes really, really hurt
o No ongoing remediation or compliance validation
And both of these options suck.
And how do you keep up with changes?
ANSIBLE AND SECURITY BASELINES
REPEAT
o Same process every time
REMEDIATE
o Apply STIG whenever desired
VALIDATE
o Confirm compliance
IDEMPOTENT
o Run and re-run over and over
HOW
MINDPOINT GROUP
o Trusted
o Capable
RHEL 6.x (and variants)
o Very common
DISA STIG
o Significant pain points for USG customers
o SCAP for easy validation
STIG ROLE COVERAGE
CAT 1 (HIGH): 100%
CAT 2 (MEDIUM): 91%
CAT 3 (LOW): 82%
We don’t automatically correct every finding, as some are not always safe to run on live systems (e.g. partitioning).
PLAYBOOK EXAMPLE
Apply-stig.yml

```yaml
---
- name: Apply STIG to a RHEL 6.x System
  hosts: all
  sudo: yes
  vars:
    rhel6stig_cat1: true
    rhel6stig_cat2: true
    rhel6stig_cat3: true
    rhel6stig_fullauto: true
  roles:
    - rhel6stig
```
CAT 1 ROLE EXAMPLE PLAY
cat1.yml

```yaml
---
# CAT I Findings
- name: V-38653 High The snmpd service must not use a default password
  replace: backup=yes dest=/etc/snmp/snmpd.conf regexp=(^com2sec.*default\s+)public replace=\1{{ rhel6stig_snmp_community }}
  ignore_errors: yes
  when: snmpconf_test.stat.exists
  notify: restart snmpd
  tags: [ 'cat1', 'V-38653', 'snmp' ]

- name: V-38491 High There must be no hosts.equiv file on the system
  file: state=absent dest=/etc/hosts.equiv
  tags: [ 'cat1', 'V-38491', 'hosts_equiv' ]

- name: V-38491 High There must be no .rhosts files on the system
  file: state=absent dest=~{{ item }}/.rhosts
  with_items: users.stdout_lines
  tags: [ 'cat1', 'V-38491', 'rhosts' ]
```
GET THE STIG ROLE

```
$ ansible-galaxy install https://github.com/MindPointGroup/RHEL6-STIG.git,devel
$ ansible-galaxy install -r requirements.yml
```

requirements.yml

```yaml
- src: https://github.com/MindPointGroup/RHEL6-STIG
  name: rhel6-stig
```

```
$ git clone https://github.com/MindPointGroup/RHEL6-STIG.git
```
APPLY STIG ROLE FROM CLI
Requires Ansible version >= 1.8

```
$ ansible-playbook -i hosts apply-stig.yml
```
CLI RESULTS

| Status   | Meaning                                        |
|----------|------------------------------------------------|
| Skipping | Conditional caused test to be skipped (OK)     |
| Changed  | Role made a change on the system               |
| OK       | No action required                             |
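The Changed/OK meanings above give a cheap convergence check for the IDEMPOTENT and VALIDATE points earlier in the deck: run the playbook a second time and require `changed=0` on every host. This is an added example, not part of the webcast or the MindPoint role; the recap parser, the sample recap and the host names are constructed.

```shell
#!/bin/sh
# Added example (not from the webcast): confirm a STIG run converged by
# re-running the playbook and checking the PLAY RECAP. On a second run of an
# idempotent role every host should report changed=0; a non-zero "changed"
# means a task still modifies the system on every run (or the host drifted),
# and a non-zero "failed" or "unreachable" means the run did not complete.

# Read a PLAY RECAP block from stdin and print one line per host:
#   <host> <changed> <failed> <unreachable>
# Tolerates extra counters (skipped=, rescued=, ignored=) that newer Ansible
# releases add to the recap line.
recap_counts() {
    awk '
        /^PLAY RECAP/ { inrecap = 1; next }
        inrecap && /:.*ok=/ {
            host = $1
            changed = failed = unreachable = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "changed")     changed = kv[2]
                if (kv[1] == "failed")      failed = kv[2]
                if (kv[1] == "unreachable") unreachable = kv[2]
            }
            print host, changed, failed, unreachable
        }'
}

# Exit 0 only when every host converged (changed=0, failed=0, unreachable=0);
# otherwise print the offending hosts and exit 1.
assert_converged() {
    recap_counts | awk '
        $2 != 0 || $3 != 0 || $4 != 0 { print "NOT CONVERGED:", $0; bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample recap (placeholder hosts, not real output) for a
# stand-alone run: host b still changed something on the second pass.
SAMPLE_RECAP='PLAY RECAP ********************************************************************
rhel6-a.example.test       : ok=180  changed=0    unreachable=0    failed=0
rhel6-b.example.test       : ok=181  changed=1    unreachable=0    failed=0'

# Typical use after the first remediation run from the CLI slide:
#   ansible-playbook -i hosts apply-stig.yml | tee second-run.log
#   assert_converged < second-run.log
```

A host that keeps reporting `changed` on repeated runs points at a task worth inspecting (for example a `command` task without a `creates`/`removes` guard), which is exactly the brittleness the semi-automation slide warns about.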
Demo of the STIG role + Ansible Tower
MORE ROLE INFO
INFORMATION AND STATUS
www.ansible.com/security-stig
GALAXY
galaxy.ansible.com/list#/roles/2955
GITHUB
github.com/ansible/ansible-lockdown
github.com/MindPointGroup/RHEL6-STIG
OUR COMMUNITY
FOLLOW US OR CONTRIBUTE
o github.com/ansible/ansible-lockdown
SEE SOMETHING THAT NEEDS FIXING?
o Let us know, and help fix it!
NEED HELP?
o Paying customer? [email protected], MindPoint Group Services
o groups.google.com/forum/#!forum/ansible-project
CONTACT US
MindPoint Group: www.mindpointgroup.com
Ansible: www.ansible.com/government