ansible-lockdown.rhel8_stig

RHEL 8 DISA STIG

Setting Up a RHEL8 System for DISA STIG Compliance

This guide helps you configure a RHEL 8 system to meet the DISA STIG for RHEL 8, Version 1, Release 13, published on Jan 24, 2024.



Need Help?

Lockdown Enterprise

Ansible Support

Community Support

Join our Discord Server to ask questions or chat with other Ansible-Lockdown users.


Configure a RHEL/Rocky 8 system to be DISA STIG compliant. Non-disruptive findings (CAT I, CAT II, and CAT III) are remediated by default. Findings whose fixes are disruptive are skipped unless you set rhel8stig_disruption_high to true.

Updates

When updating from a previous version, always test in a non-production environment first and review your variable settings. This version includes task rewrites and control ID changes that follow the updated STIG.

Auditing

You can toggle auditing on or off in the defaults/main.yml file using the variable rhel7cis_run_audit. It is set to false by default. For more information, check the wiki. The defaults file also restricts the checks to controls that are enabled in the role.

This is a lightweight check of configuration compliance and active settings.

We use goss, a small auditing tool that requires no additional infrastructure. The audit checks not only that settings are configured correctly but also that they are currently active, which keeps false positives to a minimum.

Documentation

Requirements

  • RHEL/Rocky/AlmaLinux/OL 8. Other versions are not supported.
  • To test other operating systems, set skip_os_check to true.
  • The system running the audit must be able to download the goss binary.

Dependencies

The following packages must be installed on the system executing Ansible:

  • python2-passlib (or passlib for python3)
  • python-lxml

These packages are needed for tasks with custom filters or modules.

Role Variables

This role is designed so users do not need to modify the task files. Customization should be done through the defaults/main.yml file or by using extra vars.

Tags

Each control uses tags that indicate the control number and relevant system parts. For example:

tags:
    - RHEL-08-010050
    - ssh
    - dod_logon_banner

You can run or skip specific controls by passing these tags to ansible-playbook with --tags or --skip-tags.
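As an added example (not part of the ansible-lockdown role or its documentation), the script below ties together the role variables and tag usage described above: it writes a playbook that sets rhel8stig_disruption_high and skip_os_check, validates the requested tags, and builds an ansible-playbook invocation that dry-runs the RHEL-08-010050 control before applying it. The inventory file, the rhel8_hosts group and the playbook file name are assumptions for illustration; --tags, --skip-tags, --check and --diff are standard ansible-playbook options.

```shell
#!/bin/sh
# Added example; not code from the ansible-lockdown project. It wraps the role
# in a playbook, overrides documented defaults through vars, and runs a single
# control by tag in check mode before applying anything. The inventory path,
# host group and playbook file name are assumptions for illustration.
set -eu

PLAYBOOK="${PLAYBOOK:-rhel8_stig.yml}"
INVENTORY="${INVENTORY:-inventory.ini}"

# Write a minimal playbook that pulls in the role. Only variables the README
# documents are set; their values are illustrative.
write_playbook() {
  cat > "$1" <<'EOF'
- name: Apply the RHEL 8 DISA STIG baseline
  hosts: rhel8_hosts                    # assumed inventory group
  become: true
  vars:
    rhel8stig_disruption_high: false    # skip disruptive findings on a first pass
    skip_os_check: false                # keep the OS guard on for real targets
  roles:
    - role: ansible-lockdown.rhel8_stig
EOF
  printf '%s\n' "$1"
}

# A tag is either a STIG control ID (RHEL-08-NNNNNN) or a plain word tag such
# as ssh or dod_logon_banner. Checking the spelling first matters because
# --tags with a tag that matches nothing runs zero tasks and still exits 0,
# which is easy to mistake for a successful remediation.
validate_tag() {
  case "$1" in
    RHEL-08-[0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    [a-z]*) case "$1" in *[!a-z0-9_]*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
  esac
}

# Build the ansible-playbook invocation for a comma-separated tag list ($1),
# an optional comma-separated skip list ($2) and a mode ($3): "check" adds
# --check --diff for a dry run; anything else produces the real run.
build_cmd() {
  tags="$1"; skip="$2"; mode="$3"
  old_ifs=$IFS; IFS=','; set -- $tags $skip; IFS=$old_ifs
  for t in "$@"; do
    if ! validate_tag "$t"; then
      printf 'refusing to run: %s is not a valid tag\n' "$t" >&2
      return 1
    fi
  done
  cmd="ansible-playbook -i $INVENTORY $PLAYBOOK --tags $tags"
  if [ -n "$skip" ]; then cmd="$cmd --skip-tags $skip"; fi
  if [ "$mode" = check ]; then cmd="$cmd --check --diff"; fi
  printf '%s\n' "$cmd"
}

# Dry-run the DoD logon banner control, then apply it. The real run only
# happens when ansible-playbook is installed and RUN_PLAY=1 is exported.
write_playbook "$PLAYBOOK" >/dev/null
for mode in check apply; do
  cmd=$(build_cmd RHEL-08-010050 '' "$mode")
  printf '%s\n' "$cmd"
  if [ "${RUN_PLAY:-0}" = 1 ] && command -v ansible-playbook >/dev/null 2>&1; then
    $cmd
  fi
done
```

Before relying on a tag, run ansible-playbook --list-tags against the playbook to confirm the role actually defines it; the validation above only catches malformed names, not controls that exist in a different release of the role.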

Example Audit Summary

This example shows the summary from an audit of a vagrant image without a GUI or firewall. The audit runs many more individual checks than the summary lines show:

ok: [rocky8_efi] =>
  msg:
  - 'Pre-remediation: Count: 804, Failed: 416, Duration: 6.488s.'
  - 'Post-remediation: Count: 804, Failed: 28, Duration: 68.687s.'
  - Detailed report in /opt

PLAY RECAP ****************************************************************************************************************
rocky8_efi                 : ok=482  changed=269  unreachable=0    failed=0    skipped=207  rescued=0    ignored=0

Branches

  • devel - Default development branch for community pull requests.
  • main - Release branch.
  • reports - Protected branch for scoring reports.
  • gh_pages - GitHub pages.
  • Other branches - Individual community member branches.

Container Testing

  • system_is_container defaults to false. It switches to true when the role detects that it is running in a container or when ansible_connection == docker. Controls that do not apply to containers are then skipped, and the role runs the subset of controls listed in vars/is_container.yml.

Note: Use only unaltered vendor images.

  • container_vars_file: is_container.yml - Controls are grouped into tags.

Community Contribution

We welcome contributions from the community. Please follow these guidelines:

  • Work on your own branch. Ensure all commits are signed off and GPG signed.
  • All community pull requests go to the devel branch.
  • Commits must be GPG signed and functional tests must pass before a pull request is approved.
  • After thorough review, authorized members will merge changes to the main branch for release.

Pipeline Testing

Uses:

  • ansible-core 2.12
  • Ansible collections are pulled at the latest version allowed by the requirements file.
  • Runs audits using the devel branch.
  • Automated tests run on pull requests into devel.

Known Issues

Adopting STIG rule RHEL-08-040134 may cause issues with cloud-init, as reported in bug 1839899.

Support

This project is managed by the community. For dedicated support:

Credits

This repository originated from the work of Sam Doran.

Extras

  • A makefile is provided for testing and setup.
  • You can test pre-commit hooks with:
pre-commit run

Acknowledgments

Special thanks to the amazing community and all contributors, including:

Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell.

Install
ansible-galaxy install ansible-lockdown.rhel8_stig
License
mit
Downloads
1.7k
Owner
Lockdown is a security baseline automation project sponsored by Tyto Athene.