RHEL 6 STIG Role

I’m working on a role for the RHEL 6 DISA STIG for anyone who is interested. The project is hosted on GitHub. Once I get 1.0 complete, I’ll add it to Ansible Galaxy.

The main philosophy behind the role is that it is a remediation and compliance tool, not an evaluation tool. It will make lots of changes to the target system, some of them possibly breaking things (welcome to the wonderful world of STIGs). I’m doing my best to structure the role in such a way that it can be used in a broad or very targeted manner. I use a lot of tags (as a side note, it would be really nice to have a --list-tags option in Ansible). It’s currently a work in progress and I welcome input and feedback.

There are certain things in the STIG that are outside the power of Ansible, such as performing regular backups. This role should still cover a lot of ground in accomplishing STIG compliance. Plus, an Ansible role is much better than a kickstart file, SRR, or home-grown shell scripts (all of which I have used in the past with varying levels of frustration).

Hi Sam!

Super excited to see this and I’d be interested in talking about organization of it sometime if you are interested.

I did some work with some previous tools to enable this sort of thing, and one of the things that was hard then, and a lot easier in Ansible, is the ability to make tests and conditionals easy. Such as, skip these steps if there’s no database, etc.

Anyway, this is good stuff!

–Michael

I’d love your input on testing whether or not a specific action is applicable. I’m using a combination of setting variables and command/shell actions with register variables to trigger or skip certain actions. My usual strategy is two tasks: the first is a shell/command that runs grep and registers the output. The second task runs based on the rc of the registered variable from the first step. Let me know if there is a better way to do this. Thanks!
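The two-task check-then-remediate pattern described in the comment above, combined with the tag-driven "broad or targeted" layout the post describes, looks like the following. This is an added illustration written by the editor, not a task from Sam's role; the tag scheme, the play and variable names, and the `stig_apply_pam` switch are assumptions. The grep itself is the RHEL 6 STIG check for PAM permitting blank passwords (`nullok` in /etc/pam.d/system-auth).

```yaml
# Editor's example, not the role's own code. Assumed: hosts group "rhel6",
# the tag naming scheme, and the stig_apply_pam variable.
---
- hosts: rhel6
  become: yes            # privilege escalation; Ansible 1.9+ syntax
  vars:
    # One switch per STIG area lets a caller skip a whole family of findings
    # (the "skip these steps if there's no database" idea) from the inventory
    # or the command line, independent of tags.
    stig_apply_pam: true
  tasks:

    # Check task: grep does the "is this finding present?" test and the
    # result is registered. failed_when: false keeps a non-zero rc (no match)
    # from aborting the play; changed_when: false keeps a read-only grep from
    # being reported as a change, so a compliant host shows changed=0.
    - name: Check whether PAM allows blank passwords (nullok)
      command: grep -q nullok /etc/pam.d/system-auth
      register: nullok_check
      failed_when: false
      changed_when: false
      tags: [stig, pam, stig-nullok]   # assumed scheme: category tags plus one tag per finding

    # Remediation task: runs only when the check matched (rc == 0) and the
    # PAM area is enabled. A module rather than sed keeps the fix idempotent,
    # and check mode (--check) reports the finding without touching the file.
    - name: Remove nullok from /etc/pam.d/system-auth
      replace:
        dest: /etc/pam.d/system-auth
        regexp: '\s*nullok'
        replace: ''
      when: stig_apply_pam and nullok_check.rc == 0
      tags: [stig, pam, stig-nullok]
```

With both tasks carrying the same finding-level tag, `ansible-playbook site.yml --tags stig-nullok` applies just that one fix, `--tags pam` applies the PAM family, and `--tags stig` applies everything; `-e stig_apply_pam=false` turns the family off even when its tags are selected. The check task must carry the same tags as the remediation, otherwise a targeted run skips the grep and the `when` clause fails on an undefined `nullok_check`. Later Ansible releases did add `ansible-playbook --list-tags`, which is the option the post wishes for.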

This has been on my backlog of things to do… let me know if you want some help and I’ll gladly pitch in to work on this with you.