Ansible and Unifying all the Security Projects - new "lockdown" project in github

Hi all,

Recently there’s been some nice activity around securification (it’s a word) around systems with Ansible.

We believe this is a great thing for a couple of reasons - (A) ansible makes conditional application super easy, and (B) installing a second agent to lockdown a system seems counter-intuitive.

A couple of recent projects include stig support in RHEL’s aqueduct (and a corresponding Linux Journal article), Major Hayden’s CIS playbooks, Sam Doran’s RHEL 6 STIG role, and a few others. Brent Langston also expressed a lot of interest.

A few of us got together recently to discuss how to throw some gasoline on this fire - and started https://github.com/ansible/ansible-lockdown, with right now Brent, myself, and James having commit access - with that opening up to major contributors once they push in some good pull requests.

What we are wanting to have is two directories, one for stig/ one for cis/ and maybe some other things later.

In each, we’ll have a role to lockdown each system to a given standard, that will take a list of variables to turn certain categories on and off by feature.

These will originally be written to be multiplatform by default, even if only originally doing RHEL/CentOS, they’ll load variables via “include_vars” and understand OS specifics and assert they won’t run on OSes they don’t support (yet) etc.

Further development can be driven by pull request, and repeat trusted contributors can be given commit.

I think this has a lot of potential value as I’ve seen a lot of folks reimplement security standards again and again, (not being able to rely on one community hub for it), but also because it’s a great learning tool for users who want to rapidly lock down a system, or use --check mode to see where they might not be locked down yet.

In any event, wanted to kick this off. Brent is likely going to be organizing some of Sam’s work (guys, please weigh in) a bit and starting things off in the “stig” category, and I’m hoping that those interested in CIS can do the same in the “CIS” directory.

I don’t know if we need a new list just yet, but if we do, we’ll create one. Until then, perhaps we can just use the github issue tracker on that project.

Security oriented playbooks and ansible have a very natural affinity, so I’m super looking forward to where this goes.

This is empty now, but hopefully not for long: https://github.com/ansible/ansible-lockdown

Thanks again all!

Feel free to discuss!

–Michael
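The role layout described above (OS-specific variables loaded with include_vars, an assert that refuses unsupported OSes, and per-category on/off variables), sketched as an added illustration rather than code from the ansible-lockdown repository. The file names, the `stig_ssh` toggle and the single sshd task are assumptions for the example.

```yaml
# roles/stig/defaults/main.yml  -- category toggles a user can override
# (assumed names; the real role would expose one per hardening category)
---
stig_ssh: true

# roles/stig/vars/RedHat.yml  -- OS-family specifics, loaded at run time
---
sshd_config_path: /etc/ssh/sshd_config
sshd_service_name: sshd

# roles/stig/tasks/main.yml
---
- name: Refuse to run on OS families this role does not support (yet)
  assert:
    that:
      - ansible_os_family in ['RedHat']
    msg: "{{ ansible_os_family }} is not supported by this role yet"

- name: Load OS-specific variables for this family
  include_vars: "{{ ansible_os_family }}.yml"

# One representative hardening task; it is skipped entirely when the
# operator sets stig_ssh: false, which is the per-category switch idea.
- name: Ensure remote root login over SSH is disabled
  lineinfile:
    path: "{{ sshd_config_path }}"
    regexp: '^#?PermitRootLogin'
    line: 'PermitRootLogin no'
  when: stig_ssh | bool
  notify: restart sshd

# roles/stig/handlers/main.yml
---
- name: restart sshd
  service:
    name: "{{ sshd_service_name }}"
    state: restarted
```

Running the role with `--check` reports the lineinfile task as "changed" on hosts that still permit root login without touching them, which is the audit-only use mentioned above.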

I’m currently working to drag the CIS role out of my cis-rhel-ansible repository and push it into Galaxy:

https://github.com/major/cis-rhel-ansible

This only covers RHEL/CentOS 6 at the moment but my plan is to make a new role (or adapt the existing one) to work for RHEL/CentOS 7.

Major

So my initial thoughts

(A) this should be higher profile than galaxy, hence the desire to run it as a project with common contribution

(B) it should definitely not have “rhel” in the name, but could assert that it was RHEL when it started until it supported more.

Let’s do this under the auspices of the central project, and we can look into what it might take for galaxy to be able to support multiple roles per repo (which it currently cannot)

I’m a bit hesitant to have a repo for CIS and another for STIG in the org, when they might share some common tooling and instructions in the future.

Hi all,

As a quick update to this one, we decided to keep Major’s role as a git submodule for ansible packaging, and STIG content hasn’t progressed recently - which is ok - it may later.

As such, I don’t think we need a separate project for this one, but we may choose to fork/highlight these particular repos in the future.

I will be removing this repo at this time.

–Michael