Ansible and our security partner, the MindPoint Group, have teamed up to provide a tested and trusted Ansible Role for the DISA STIG. With this Role, IT admins can easily:
Deploy new systems that are compliant with the DISA STIG
Audit and validate DISA STIG compliance on existing systems
Coupled with Ansible Tower, schedule routine checks across entire server inventories
Not an Ansible user yet, but challenged by the need to remain STIG compliant? Getting started with Ansible is easy. Access the STIG role through Ansible Galaxy.
Current STIG Role Features
OS Support - Supports RHEL 6 and variants today, with more Linux and Windows versions coming soon.
Vulnerability Category Detection and Correction - As of 10 Jul 2015:
CAT 1 (High): 100%
CAT 2 (Medium): 91%
CAT 3 (Low): 82%
The Role does not automatically correct every finding, because some are build-time findings (i.e. partitioning requirements) that are not safe to remediate automatically in a generic fashion.
Secure - Every committed update to the STIG project is reviewed by the Ansible and MindPoint Group teams, and results of the Role application are run through an automated testing gauntlet involving the use of OpenSCAP and STIGMA. The current status of the roles is viewable in the Ansible-lockdown README.
Community - Like all open source projects, the more users and contributors to the project, the better the result and functionality will be. Want to participate? Contact us.
Free and Open - Like Ansible Core, the STIG role is provided free of charge. However, many customers find that the STIG role plus Ansible Tower provides unprecedented benefits and capabilities when applying and managing STIG compliance across a large set of systems. For deeper assistance with your IT security posture, MindPoint Group is Ansible’s recommendation.