OpenSource For You

DevOps Series: Using Ansible with the Security Technical Implementation Guide (STIG)


STIG is an acronym for Security Technical Implementation Guide, a cyber security protocol that sets the standards for the security of networks, computers, servers and so on. In this 16th article in the DevOps series, we will learn how to build Ansible playbooks to test and set up CentOS 6 as per the STIG for RHEL 6, version 1, release 19.

The Security Technical Implementation Guide (STIG) has been developed jointly by Red Hat, the National Security Agency (NSA) and the Defense Information Systems Agency (DISA) for the US Department of Defense (DoD). Security vulnerabilities are classified into three Category Codes (CAT for short), based on their severity.

A CAT I vulnerability is one whose exploitation “…directly and immediately results in loss of confidentiality, availability or integrity.”

A CAT II vulnerability “…has a potential to result in the loss of confidentiality, availability or integrity.”

The existence of a CAT III vulnerability “…degrades measures to protect against loss of confidentiality, availability or integrity.”

On October 16, 2009, the chief information officer of the Department of Defense (USA) released a memorandum with guidance on using free and open source software (FOSS).

The memo can be obtained from Portals/0/Documents/FOSS/2009OSS.pdf.

Setting things up

A CentOS 6.8 virtual machine (VM) running on KVM is used for the setup. Please ensure that the VM has access to the Internet. The Ansible version used on the host (Parabola GNU/Linux-libre x86_64) is 2.5.0.

$ ansible --version
ansible 2.5.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/guest/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.14 (default, Jan  5 2018, 10:41:29) [GCC 7.2.1 20171224]

The ansible/ folder contains the following files:

ansible/inventory/kvm/inventory
ansible/playbooks/configuration/stig.yml
ansible/playbooks/configuration/fix-stig.yml

The IP address of the guest CentOS 6.8 VM is added to the inventory file as shown below:

centos ansible_host= ansible_connection=ssh ansible_user=root ansible_password=password

Also, add an entry for the centos guest in the /etc/hosts file, as indicated below:

 centos

The libselinux-python package needs to be installed on the CentOS guest VM as follows, in order to verify the SELinux configuration using Ansible:

# yum update && yum install libselinux-python
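As an added example (not the article's own stig.yml or fix-stig.yml), the playbook below shows the kind of check this setup enables: it reads the ansible_selinux facts to verify that SELinux on the centos guest is enabled and enforcing, and a second play, tagged fix, sets it to enforcing with the selinux module; both the facts and the module depend on libselinux-python being present on the guest. The enforcing-mode requirement is used here only as an illustration of a STIG-style check, and the file name selinux-check.yml is an assumption.

```yaml
# Added example, not the article's playbook. Assumes the inventory host
# "centos" from above and libselinux-python installed on the guest.
---
- name: Check SELinux configuration on the CentOS 6 guest
  hosts: centos
  gather_facts: yes
  tasks:
    - name: Report what the guest currently has
      debug:
        msg: >-
          SELinux status={{ ansible_selinux.status }}
          runtime mode={{ ansible_selinux.mode | default('n/a') }}
          config mode={{ ansible_selinux.config_mode | default('n/a') }}

    # When SELinux is disabled the facts contain only 'status', so the
    # default() filters keep the assertion from erroring on undefined keys.
    - name: Fail the check unless SELinux is enabled and enforcing
      assert:
        that:
          - ansible_selinux.status == 'enabled'
          - ansible_selinux.mode | default('') == 'enforcing'
          - ansible_selinux.config_mode | default('') == 'enforcing'
        msg: >-
          SELinux must be enabled and enforcing both at runtime and in
          /etc/selinux/config
      ignore_errors: yes   # keep reporting other checks in a larger run
      register: selinux_check

- name: Remediate SELinux configuration (skipped with --skip-tags fix)
  hosts: centos
  tags: fix
  tasks:
    - name: Set the targeted policy and enforcing mode
      selinux:
        policy: targeted
        state: enforcing
      register: selinux_fix

    # Moving from disabled to enforcing only takes full effect after a
    # reboot, which the module reports back to us.
    - name: Tell the operator when a reboot is still required
      debug:
        msg: "Reboot the guest for the new SELinux state to take effect"
      when: selinux_fix.reboot_required | default(false)
```

Run the check on its own with `ansible-playbook -i inventory/kvm/inventory selinux-check.yml --skip-tags fix`, and drop the flag to remediate as well.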
