DevOps Series: Using Ansible with the Security Technical Implementation Guide (STIG)

STIG is an acronym for Security Technical Implementation Guide, a set of cyber security configuration standards for hardening networks, computers, servers and other systems. In this 16th article in the DevOps series, we will learn how to build Ansible playbooks to test and configure CentOS 6 according to the STIG for Red Hat Enterprise Linux 6, Version 1, Release 19.

The Security Technical Implementation Guide (STIG) for RHEL 6 has been developed jointly by Red Hat, the National Security Agency (NSA) and the Defense Information Systems Agency (DISA) for the US Department of Defense (DoD). Each finding is classified into one of three Category Codes (CAT for short), based on its severity.

A CAT I vulnerability is one whose exploitation “...directly and immediately results in loss of confidentiality, availability or integrity.”

A CAT II vulnerability “...has a potential to result in the loss of confidentiality, availability or integrity.”

The existence of a CAT III vulnerability “...degrades measures to protect against loss of confidentiality, availability or integrity.”

On October 16, 2009, the chief information officer of the US Department of Defense released a memorandum with guidance on using free and open source software (FOSS).

The memo can be obtained from http://dod Portals/0/Documents/FOSS/2009OSS.pdf.

Setting things up

A CentOS 6.8 virtual machine (VM) running on KVM is used for the setup. Please ensure that the VM has access to the Internet. The Ansible version used on the host (Parabola GNU/Linux-libre x86_64) is 2.5.0:

$ ansible --version
ansible 2.5.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/guest/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.14 (default, Jan 5 2018, 10:41:29) [GCC 7.2.1 20171224]

The ansible/ folder contains the following files:

ansible/inventory/kvm/inventory
ansible/playbooks/configuration/stig.yml
ansible/playbooks/configuration/fix-stig.yml

The IP address of the guest CentOS 6.8 VM is added to the inventory file as shown below:

centos ansible_host= ansible_connection=ssh ansible_user=root ansible_password=password

Storing the root password in plaintext in the inventory is acceptable only for a throwaway lab VM like this one; for anything else, authenticate with SSH keys or keep the credential in an ansible-vault encrypted file.

Also, add an entry for the centos guest in the /etc/hosts file as indicated below:

centos

The libselinux-python package needs to be installed on the CentOS guest VM, as follows, so that Ansible can verify and manage the SELinux configuration (the selinux module and the ansible_selinux fact both depend on it):

# yum update && yum install libselinux-python
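With the guest reachable from the inventory and libselinux-python installed, the check-then-fix pattern that stig.yml and fix-stig.yml follow can be exercised on a single setting. The playbook below is an added example, not the article's own stig.yml or fix-stig.yml: it asserts that SELinux is enabled and enforcing (the reason libselinux-python was installed) and, in a separate tagged play, enforces it. The file name selinux-stig.yml and the inventory path are assumptions taken from the layout above; no STIG rule identifier is cited.

```yaml
# selinux-stig.yml (added example, not from the article). Run the check alone:
#   ansible-playbook -i ansible/inventory/kvm/inventory selinux-stig.yml --tags check
# and the fix alone:
#   ansible-playbook -i ansible/inventory/kvm/inventory selinux-stig.yml --tags fix
# Assumes the 'centos' host from the inventory and libselinux-python on the guest.
---
- name: STIG check - SELinux must be enabled and enforcing
  hosts: centos
  gather_facts: yes
  tags: [check]
  tasks:
    - name: Show the SELinux facts gathered from the guest
      debug:
        var: ansible_selinux

    # When SELinux is disabled, ansible_selinux is only {'status': 'disabled'},
    # so 'mode' and 'config_mode' may be absent; default('') keeps the assert
    # from raising an undefined-variable error and makes it fail cleanly instead.
    - name: Fail the host if SELinux is not enforcing at runtime and in config
      assert:
        that:
          - ansible_selinux.status == 'enabled'
          - ansible_selinux.mode | default('') == 'enforcing'
          - ansible_selinux.config_mode | default('') == 'enforcing'
        msg: "SELinux is not enforcing (check getenforce and /etc/selinux/config)"

- name: STIG fix - set SELinux to enforcing with the targeted policy
  hosts: centos
  gather_facts: no
  tags: [fix]
  tasks:
    # The selinux module edits /etc/selinux/config and, where possible, calls
    # setenforce so the running mode changes immediately.
    - name: Set SELINUX=enforcing and SELINUXTYPE=targeted
      selinux:
        policy: targeted
        state: enforcing
      register: selinux_result

    # Going from disabled to enforcing needs a filesystem relabel on reboot;
    # the module signals this through its reboot_required return value.
    - name: Tell the operator when a reboot is needed to finish the change
      debug:
        msg: "SELinux was disabled before; reboot the guest to relabel and enforce"
      when: selinux_result.reboot_required | default(false)
```

Running the check play against a guest that was installed with SELinux disabled fails the assert and reports which of the three conditions did not hold; after the fix play and a reboot, the same check passes. Keeping the check and the fix as separate tagged plays (or, as in the article, separate files) means the compliance run never changes the system it is auditing.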

