STIG Compliance and Remediation with Ansible April 2015


Page 1: STIG Compliance and Remediation with Ansible

STIG Compliance and Remediation with Ansible

April 2015

Page 2

PRESENTERS

DAN SHEPHERD // MINDPOINT [email protected]

  o IT security consultant
  o Helps USG and commercial customers respond to difficult IT security challenges

JUSTIN NEMMERS // ANSIBLE [email protected]

  o IT architect and (recovering) sysadmin
  o 15 years of USG experience
  o Wrote first STIG Kickstarts w/ DISA for RHEL 3 and 4

Page 3

ORGANIZATIONS

MINDPOINT GROUP
  o IT security consultancy
  o Helps customers consistently meet stringent security requirements
  o Well-versed in Ansible

ANSIBLE
  o Simplest way to automate IT
  o Fastest growing IT automation platform
  o Simple, agentless, powerful

Page 4

WEBCAST GOALS

Learn about Ansible

Get started with Ansible and the STIG role

Install the STIG role

Apply role and remediate findings

Fully automate compliance with Ansible Tower

Page 5

Ansible Enterprise Automation

Ansible Open Source: Simple. Agentless. Powerful.

  / Uses OpenSSH
  / No extra code to manage
  / Ready for cloud-scale
  / Uses YAML for playbooks
  / No special coding skills needed
  / Fast learning curve
  / App deployment
  / Orchestration
  / Configuration management

Ansible Tower: Control. Security. Delegation.

  / Role-Based Access Control
  / Delegation of credentials/keys
  / Audit trail for automation
  / Centralized job runs
  / Job scheduling
  / Automation dashboard
  / Push-button job execution
  / Portal mode for delegation
  / REST API for integration

Page 6

ANSIBLE IS COMPLETE AUTOMATION

Ansible was written to automate complex multi-tier deployments, including:

  o Configuration management
  o App deployment
  o Provisioning
  o Servers & network devices
  o Cloud management & VMs
  o Zero-downtime rolling upgrades
  o Ad-hoc patches & updates

Page 7

ANSIBLE: THE LANGUAGE OF ENTERPRISE IT

  o Ansible is the first “infrastructure-as-code” that can be read and written across IT… from sys-admins to developers to managers
  o Ansible is the only automation engine that can automate the entire application lifecycle & continuous delivery pipeline

[Diagram: one Ansible Playbook spanning DEV/TEST, Q/A, OPERATIONS, MANAGEMENT and INFRASTRUCTURE. From development… to production.]

Page 8

HISTORY OF BASELINES

GOLD DISK
  o Infrequent, time consuming, and error prone
  o Inconsistent, relies on staff’s capability
  o No ongoing remediation or validation

SEMI-AUTOMATION
  o Shell scripts, other tooling
  o Brittle. Changes really, really hurt
  o No ongoing remediation or compliance validation

Page 9

And both of these options suck.

And how do you keep up with changes?

Page 10

ANSIBLE AND SECURITY BASELINES

REPEAT
  o Same process every time

REMEDIATE
  o Apply STIG whenever desired

VALIDATE
  o Confirm compliance

IDEMPOTENT
  o Run and re-run over and over

Page 11

HOW

MINDPOINT GROUP
  o Trusted
  o Capable

RHEL 6.x (and variants)
  o Very common

DISA STIG
  o Significant pain points for USG customers
  o SCAP for easy validation

Page 12

STIG ROLE COVERAGE

CAT 1 (HIGH): 100%
CAT 2 (MEDIUM): 91%
CAT 3 (LOW): 82%

We don’t automatically correct every finding, as some are not always safe to run on live systems (e.g. partitioning).

Page 13

PLAYBOOK EXAMPLE

apply-stig.yml

---
- name: Apply STIG to a RHEL 6.x System
  hosts: all
  sudo: yes
  vars:
    rhel6stig_cat1: true
    rhel6stig_cat2: true
    rhel6stig_cat3: true
    rhel6stig_fullauto: true
  roles:
    - rhel6stig

Page 14

CAT 1 ROLE EXAMPLE PLAY

cat1.yml

---
# CAT I Findings

- name: V-38653 High The snmpd service must not use a default password
  replace: backup=yes dest=/etc/snmp/snmpd.conf regexp=(^com2sec.*default\s+)public replace=\1{{ rhel6stig_snmp_community }}
  ignore_errors: yes
  when: snmpconf_test.stat.exists
  notify: restart snmpd
  tags: [ 'cat1', 'V-38653', 'snmp' ]

- name: V-38491 High There must be no hosts.equiv file on the system
  file: state=absent dest=/etc/hosts.equiv
  tags: [ 'cat1', 'V-38491', 'hosts_equiv' ]

- name: V-38491 High There must be no .rhosts files on the system
  file: state=absent dest=~{{ item }}/.rhosts
  with_items: users.stdout_lines
  tags: [ 'cat1', 'V-38491', 'rhosts' ]

Page 15

GET THE STIG ROLE

$ ansible-galaxy install https://github.com/MindPointGroup/RHEL6-STIG.git,devel

$ ansible-galaxy install -r requirements.yml

requirements.yml

- src: https://github.com/MindPointGroup/RHEL6-STIG
  name: rhel6stig

$ git clone https://github.com/MindPointGroup/RHEL6-STIG.git

Page 16

APPLY STIG ROLE FROM CLI

Requires Ansible version >= 1.8

$ ansible-playbook -i hosts apply-stig.yml

Page 17

CLI RESULTS

Skipping: conditional caused test to be skipped (OK)

Changed: role made a change on the system

OK: no action required
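To make the Skipping/Changed/OK results above concrete for the V-38653 task shown in the CAT 1 example play, here is an added Python model (not part of the deck or of the MindPointGroup role) that applies the task's regexp to a constructed snmpd.conf and re-runs it until it converges, which is the idempotence the deck relies on; the community string and file contents are constructed sample values.

```python
import re
from typing import List, Optional, Tuple

# Regexp copied from the V-38653 task in cat1.yml; in the role the replacement
# is \1{{ rhel6stig_snmp_community }}, modelled here as group(1) + community.
V38653_REGEXP = re.compile(r"(^com2sec.*default\s+)public", re.MULTILINE)

# Constructed sample of /etc/snmp/snmpd.conf still using the default community.
SAMPLE_SNMPD_CONF = """# constructed sample snmpd.conf
com2sec notConfigUser  default       public
group   notConfigGroup v1           notConfigUser
"""


def remediate_v38653(snmpd_conf: Optional[str], community: str) -> Tuple[str, Optional[str]]:
    """Model one run of the V-38653 task and return (status, new_content).

    status mirrors the CLI results slide: 'skipping' when snmpd.conf does
    not exist (the task's `when: snmpconf_test.stat.exists`), 'changed'
    when the default 'public' community was replaced, 'ok' when the file
    already complies and nothing was touched.
    """
    if snmpd_conf is None:  # stat reported no /etc/snmp/snmpd.conf
        return "skipping", None
    new_conf, n = V38653_REGEXP.subn(lambda m: m.group(1) + community, snmpd_conf)
    return ("changed" if n else "ok"), new_conf


def run_until_converged(snmpd_conf: Optional[str], community: str,
                        max_runs: int = 3) -> Tuple[List[str], Optional[str]]:
    """Re-run the task as repeated playbook runs would; an idempotent task
    reports 'changed' at most once and then 'ok' (or 'skipping') forever."""
    history: List[str] = []
    for _ in range(max_runs):
        status, snmpd_conf = remediate_v38653(snmpd_conf, community)
        history.append(status)
        if status != "changed":
            break
    return history, snmpd_conf


if __name__ == "__main__":
    statuses, final = run_until_converged(SAMPLE_SNMPD_CONF, "s3cret-constructed")
    print("run statuses:", statuses)  # ['changed', 'ok']
    print(final)
```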

Page 18

Demo of the STIG role + Ansible Tower

Page 19

MORE ROLE INFO

INFORMATION AND STATUS
  www.ansible.com/security-stig

GALAXY
  galaxy.ansible.com/list#/roles/2955

GITHUB
  github.com/ansible/ansible-lockdown
  github.com/MindPointGroup/RHEL6-STIG

Page 20

OUR COMMUNITY

FOLLOW US OR CONTRIBUTE
  o github.com/ansible/ansible-lockdown

SEE SOMETHING THAT NEEDS FIXING?
  o Let us know, and help fix it!

NEED HELP?
  o Paying customer? [email protected] MindPoint Group Services
  o groups.google.com/forum/#!forum/ansible-project

Page 21

CONTACT US

MindPoint Group
  www.mindpointgroup.com

Ansible
  www.ansible.com/government