RedHatOfficial.rhel7_cui
Unclassified Information in Non-federal Systems (NIST 800-171)
Ansible Role for Unclassified Information in Non-federal Systems (NIST 800-171)
Profile Description: According to NIST 800-171, Section 2.2, there are security guidelines to protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems. These guidelines are organized into two parts: (i) basic security requirements; (ii) derived security requirements.
The basic requirements come from FIPS Publication 200, which sets the main security standards for federal information systems. The derived requirements add onto the basic ones and are based on NIST Special Publication 800-53 security controls. This profile sets up Red Hat Enterprise Linux 7 to follow the relevant controls from NIST 800-53 for securing CUI.
The tasks in this role are created using OpenSCAP. For more information on generating Ansible playbooks, visit the OpenSCAP project at OpenSCAP GitHub.
If you want to propose a fix or improvement for an Ansible task that isn’t working or is missing, check the ComplianceAsCode project at ComplianceAsCode GitHub.
Requirements
- Ansible version 2.9 or newer
Role Variables
To customize the role as per your needs, refer to the list of variables.
Dependencies
None
Example Role Usage
To download and install the role, run ansible-galaxy install RedHatOfficial.rhel7_cui.
You can then use this playbook snippet to run the Ansible role:
- hosts: all
  roles:
    - { role: RedHatOfficial.rhel7_cui }
Next, to check the playbook on your local machine, use:
ansible-playbook -i "localhost," -c local --check playbook.yml
To actually apply the playbook (note: this may change your local machine’s configuration!):
ansible-playbook -i "localhost," -c local playbook.yml
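Added example, not part of the role or the ComplianceAsCode project: a small parser for the PLAY RECAP that ansible-playbook prints, used to turn the --check run above into a per-host verdict before deciding to apply. The sample recap and the function names are constructed for illustration.

```python
import re

# Constructed sample of the summary ansible-playbook prints at the end of a --check run.
SAMPLE_RECAP = """\
PLAY RECAP *********************************************************************
localhost                  : ok=212  changed=37   unreachable=0    failed=0    skipped=58   rescued=0    ignored=0
"""

# One recap line: "<host> : ok=N changed=N unreachable=N failed=N ..."
RECAP_LINE = re.compile(r"^(?P<host>\S+)\s*:\s*(?P<counters>(?:\w+=\d+\s*)+)$")


def parse_recap(output):
    """Return {host: {counter: int}} from the PLAY RECAP section of the output."""
    hosts = {}
    in_recap = False
    for line in output.splitlines():
        if line.startswith("PLAY RECAP"):
            in_recap = True
            continue
        if not in_recap:
            continue
        match = RECAP_LINE.match(line.strip())
        if match:
            pairs = re.findall(r"(\w+)=(\d+)", match.group("counters"))
            hosts[match.group("host")] = {name: int(value) for name, value in pairs}
    return hosts


def assess(hosts):
    """Classify each host: 'error', 'drift' (tasks would change it) or 'compliant'."""
    verdicts = {}
    for host, counters in hosts.items():
        if counters.get("unreachable", 0) or counters.get("failed", 0):
            verdicts[host] = "error"      # the check itself did not complete cleanly
        elif counters.get("changed", 0):
            verdicts[host] = "drift"      # settings the role would remediate
        else:
            verdicts[host] = "compliant"  # nothing reported as needing change
    return verdicts


if __name__ == "__main__":
    print(assess(parse_recap(SAMPLE_RECAP)))
```

In check mode, tasks that cannot predict their result (for example command and shell tasks) are skipped, so the changed count is a lower bound on what the real run will modify.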
License
BSD-3-Clause
Author Information
This Ansible remediation role was created based on the security policies from the ComplianceAsCode project. For an updated list of authors and contributors, please visit Contributors List.