DevOps Series Using Ansible with the Security Technical Implementation Guide (STIG)
STIG is an acronym for Security Technical Implementation Guide, which is a cyber security protocol that sets the standards for the security of networks, computers, servers, etc. In this 16th article in the DevOps series, we will learn how to build Ansible playbooks to test and set up CentOS 6 as per STIG on RHEL6, version 1, release 19.
The Security Technical Implementation Guide (STIG) has been developed jointly by Red Hat, the National Security Agency (NSA) and the Defence Information Systems Agency (DISA) for the US Department of Defense (DoD). The security vulnerabilities are classified into three Category Codes (CAT for short), based on the severity.
CAT I type is an exploit that “…directly and immediately results in loss of confidentiality, availability or integrity.”
CAT II type vulnerablity “…has a potential to result in the loss of confidentiality, availability or integrity.”
The existence of a CAT III type vulnerability “… degrades measures to protect against loss of confidentiality, availability or integrity.”
On October 16, 2009, the chief information officer of the Department of Defense (USA) released a memorandum with guidance on using free and open source software (FOSS).
The memo can be obtained from http://dodcio.defense.gov/ Portals/0/Documents/FOSS/2009OSS.pdf.
Setting things up
A CentOS 6.8 virtual machine (VM) running on KVM is used for the setup. Please ensure that the VM has access to the Internet. The Ansible version used on the host (Parabola GNU/Linux-libre x86_64) is 2.5.0.
$ ansible --version ansible 2.5.0 config file = /etc/ansible/ansible.cfg configured module search path = [u’/home/guest/.ansible/ plugins/modules’, u’/usr/share/ansible/plugins/modules’]
ansible python module location = /usr/lib/python2.7/sitepackages/ansible executable location = /usr/bin/ansible python version = 2.7.14 (default, Jan 5 2018, 10:41:29) [GCC 7.2.1 20171224]
The ansible/ folder contains the following files:
ansible/inventory/kvm/inventory ansible/playbooks/configuration/stig.yml ansible/playbooks/configuration/fix-stig.yml
The IP address of the guest CentOS 6.8 VM is added to the inventory file as shown below:
centos ansible_host=192.168.122.16 ansible_connection=ssh ansible_user=root ansible_password=password
Also, add an entry for the centos guest in /etc/hosts file as indicated below:
192.168.122.16 centos
The libselinux-python package needs to be installed on the CentOS guest VM as follows, in order to verify SELinux configuration using Ansible:
# yum update && yum install libselinux-python