STIG Compliance and Remediation with Ansible
Download as PPTX, PDF4 likes2,642 views
This document discusses using Ansible to automate compliance with security technical implementation guides (STIGs) on Red Hat Enterprise Linux 6 systems. It provides an overview of Ansible and how the MindPoint Group created an Ansible role to remediate STIG findings. Attendees will learn how to install the STIG role, apply it to remediate systems, and use Ansible Tower for fully automated compliance. The role addresses high, medium, and low-impact STIG requirements and can be run repeatedly to maintain compliance.
![CAT 1 ROLE EXAMPLE PLAY
cat1.yml
---
# CAT I Findings
- name: V-38653 High The snmpd service must not use a default
password
replace: backup=yes dest=/etc/snmp/snmpd.conf
regexp=(^com2sec.*defaults+)public replace=1{{ rhel6stig_snmp_community
}}
ignore_errors: yes
when: snmpconf_test.stat.exists
notify: restart snmpd
tags: [ 'cat1' , 'V-38653' , 'snmp' ]
- name: V-38491 High There must be no hosts.equiv file on the system
file: state=absent dest=/etc/hosts.equiv
tags: [ 'cat1' , 'V-38491' , 'hosts_equiv' ]
- name: V-38491 High There must be no .rhosts files on the system
file: state=absent dest=~{{ item }}/.rhosts
with_items: users.stdout_lines
tags: [ 'cat1' , 'V-38491' , 'rhosts' ]](https://image.slidesharecdn.com/ansiblempg-stigautomationwebcast-20150430-150501082100-conversion-gate01/85/STIG-Compliance-and-Remediation-with-Ansible-14-320.jpg)
Ad
More Related Content
What's hot (20)
Viewers also liked (17)
Ad
Similar to STIG Compliance and Remediation with Ansible (20)
Ad
Recently uploaded (20)
STIG Compliance and Remediation with Ansible
- 1. STIG Compliance and Remediation with Ansible April 2015
- 2. PRESENTERS DAN SHEPHERD // MINDPOINT GROUP [email protected] o IT security Consultant o Helps USG and commercial customers respond to difficult IT security challenges JUSTIN NEMMERS // ANSIBLE GOVERNMENT [email protected] o IT architect and (recovering) sysadmin o 15 years of USG experience o Wrote first STIG Kickstarts w/ DISA for RHEL 3 and 4
- 3. ORGANIZATIONS MINDPOINT GROUP o IT security consultancy o Helps customers consistently meet stringent security requirements o Well-versed in Ansible ANSIBLE o Simplest way to automate IT o Fastest growing IT automation platform o Simple, agentless, powerful
- 4. WEBCAST GOALS Learn about Ansible Get started with Ansible and the STIG role Install the STIG role Apply role and remediate findings Fully automate compliance with Ansible Tower
- 5. Ansible Enterprise Automation Simple. Agentless. Powerful. Control. Security. Delegation. / Uses OpenSSH / No extra code to manage / Ready for cloud-scale / Uses YAML for playbooks / No special coding skills needed / Fast learning curve / App deployment / Orchestration / Configuration management / Role-Based Access Control / Delegation of credentials/keys / Audit trail for automation / Centralized job runs / Job scheduling / Automation dashboard / Push-button job execution / Portal mode for delegation / REST API for integration Ansible Open Source Ansible Tower
- 6. ANSIBLE IS COMPLETE AUTOMATION Ansible was written to automate complex multi-tier deployments, including: o Configuration management o App deployment o Provisioning o Servers & network devices o Cloud management & VMs o Zero-downtime rolling upgrades o Ad-hoc patches & updates
- 7. ANSIBLE: THE LANGUAGE OF ENTERPRISE IT o Ansible is the first “infrastructure-as-code” that can be read and written across IT… from sys-admins to developers to managers o Ansible is the only automation engine that can automate the entire application lifecycle & continuous delivery pipeline DEV/TES T Q/A OPERATIONS MANAGEMENT INFRASTRUCTU RE Ansible Playbook From development… to production.
- 8. HISTORY OF BASELINES GOLD DISK o Infrequent, time consuming, and error prone o Inconsistent, relies on staff’s capability o No ongoing remediation or validation SEMI-AUTOMATION o Shell scripts, other tooling o Brittle. Changes really, really hurt o No ongoing remediation or compliance validation
- 9. And both of these options suck. And how do you keep up with changes?
- 10. ANSIBLE AND SECURITY BASELINES REPEAT o Same process every time REMEDIATE o Apply STIG whenever desired VALIDATE o Confirm compliance IDEMPOTENT o Run and re-run over and over
- 11. HOW MINDPOINT GROUP o Trusted o Capable RHEL 6.x (and variants) o Very common DISA STIG o Significant pain points for USG customers o SCAP for easy validation
- 12. STIG ROLE COVERAGE CAT 1 (HIGH): 100% CAT 2 (MEDIUM): 91% CAT 3 (LOW): 82% We don’t automatically correct every finding, as some are not always safe to run on live systems (i.e. partitioning).
- 13. PLAYBOOK EXAMPLE Apply-stig.yml --- - name: Apply STIG to a RHEL 6.x System hosts: all sudo: yes vars: rhel6stig_cat1: true rhel6stig_cat2: true rhel6stig_cat3: true rhel6stig_fullauto: true roles: - rhel6stig
- 14. CAT 1 ROLE EXAMPLE PLAY cat1.yml --- # CAT I Findings - name: V-38653 High The snmpd service must not use a default password replace: backup=yes dest=/etc/snmp/snmpd.conf regexp=(^com2sec.*defaults+)public replace=1{{ rhel6stig_snmp_community }} ignore_errors: yes when: snmpconf_test.stat.exists notify: restart snmpd tags: [ 'cat1' , 'V-38653' , 'snmp' ] - name: V-38491 High There must be no hosts.equiv file on the system file: state=absent dest=/etc/hosts.equiv tags: [ 'cat1' , 'V-38491' , 'hosts_equiv' ] - name: V-38491 High There must be no .rhosts files on the system file: state=absent dest=~{{ item }}/.rhosts with_items: users.stdout_lines tags: [ 'cat1' , 'V-38491' , 'rhosts' ]
- 15. GET THE STIG ROLE $ ansible-galaxy install https://github.com/MindPointGroup/RHEL6-STIG.git,devel $ ansible-galaxy install -r requirements.yml requirements.yml - src: https://github.com/MindPointGroup/RHEL6-STIG name: rhel6-stig $ git clone https://github.com/MindPointGroup/RHEL6-STIG.git
- 16. APPLY STIG ROLE FROM CLI Requires Ansible version >= 1.8 $ ansible-playbook -i hosts apply-stig.yml
- 17. CLI RESULTS Skipping Conditional caused test to be skipped (OK) Changed Role made a change on the system OK No action required
- 18. Demo of the STIG role + Ansible Tower
- 19. MORE ROLE INFO INFORMATION AND STATUS www.ansible.com/security-stig GALAXY galaxy.ansible.com/list#/roles/2955 GITHUB github.com/ansible/ansible-lockdown github.com/MindPointGroup/RHEL6-STIG
- 20. OUR COMMUNITY FOLLOW US OR CONTRIBUTE o github.com/ansible/ansible-lockdown SEE SOMETHING THAT NEEDS FIXING? o Let us know, and help fix it! NEED HELP? o Paying customer? [email protected] o MindPoint Group Services o groups.google.com/forum/#!forum/ansible- project
Editor's Notes
- #2: Mix of too high level for an actual Ansible user Targeted for High level VP of IT Might be too detailed for Ventures