GSA / security-benchmarks

GSA Security Benchmarks and Tools

create Ansible role for operating system hardening #2

Closed afeld closed 7 years ago

afeld commented 7 years ago

Breaking this conversation out from #1.

@jeremy-gillikin Before I knew you were actively working on this, @JJediny and I had been talking about having a common Ansible role we could share between the data.gov and D2D projects (to start) for hardening the operating systems. The projects use Ubuntu and RHEL 7, respectively.

We've been collecting examples of other hardening roles in this Trello card. As you can see, there are a lot of them, so my first suggestion would be for us to evaluate what's out there, to avoid reinventing the wheel. We may, for example, be able to use an existing role (or two), and either:

One I'd like to call out in particular is https://github.com/RedHatGov/ansible-role-800-53, where they are mapping tasks to particular controls in NIST 800-53 via tags. This is interesting, in that it could allow us to come full-circle in terms of connecting automation bits back to the compliance documentation. From @jason-callaway, one of the maintainers, in the OpenControl Slack:

That role currently only supports RHEL, but I'd love to add support for other Linuxes, and Windows is theoretically possible because Ansible supports PowerShell

[Proposed] acceptance criteria

I propose these as the medium/long-term goals.


Thoughts?
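To make the tag-based control mapping concrete, here is an added example playbook (not from this repository or from the RedHatGov role above) where each hardening task carries the NIST SP 800-53 control IDs it supports. It assumes RHEL 7 or Ubuntu hosts with OpenSSH installed, and the control-to-task mapping is illustrative rather than an authoritative crosswalk.

```yaml
# Added example: OS hardening tasks tagged with the NIST 800-53 controls they
# implement, so `ansible-playbook harden.yml --list-tasks --tags AC-17` shows
# exactly which automation backs a given control. Assumed hosts: RHEL 7 / Ubuntu.
---
- hosts: all
  become: yes
  tasks:
    - name: Disable SSH root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: '/usr/sbin/sshd -t -f %s'   # refuse a config that sshd rejects
      notify: restart sshd
      tags: [AC-6, AC-17, CM-6]              # least privilege, remote access, config settings

    - name: Disable SSH password authentication (key-based login only)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
      tags: [IA-2, AC-17, CM-6]              # identification & authentication

    - name: Ensure the audit daemon package is installed
      package:
        # package name differs between the two distributions on this issue
        name: "{{ 'audit' if ansible_os_family == 'RedHat' else 'auditd' }}"
        state: present
      tags: [AU-2, AU-12]                    # audit events, audit generation

    - name: Ensure auditd is enabled and running
      service:
        name: auditd
        state: started
        enabled: yes
      tags: [AU-2, AU-12]

  handlers:
    - name: restart sshd
      service:
        name: "{{ 'sshd' if ansible_os_family == 'RedHat' else 'ssh' }}"
        state: restarted
```

Running `ansible-playbook harden.yml --list-tags` enumerates every control the playbook claims to cover, which is the list you would reconcile against the compliance documentation.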

afeld commented 7 years ago

Maybe the title for this issue would more aptly be "have Security-blessed Ansible role(s) for operating system hardening", as we don't necessarily need to create it.

afeld commented 7 years ago

Some non-Ansible hardening examples at TTS:

(will keep adding to this list as I find out about more)

mogul commented 7 years ago

Note that cg-harden-boshrelease is on top of hardening done at the upstream stemcell level by the Cloud Foundry community. Pivotal does their own, described here: https://docs.pivotal.io/pivotalcf/1-9/security/pcf-infrastructure/stemcell-hardening.html

JJediny commented 7 years ago

Existing Ansible-based Hardening

Center for Internet Security (CIS) Benchmark Based

  1. CIS-Ubuntu-Ansible

Supports:

  1. Mindpoint Group Collab w/ Redhat

Supports:

Defense Information Systems Agency (DISA) - Security Technical Implementation Guides (STIGS)

https://github.com/openstack/openstack-ansible-security

*Supports - Soon to be unsupported

Supports:

Both - CIS & DISA STIG

https://github.com/ansible/ansible-lockdown

No/Unknown Benchmark/Baseline

https://github.com/RedHatGov/ansible-role-800-53

Supports:

https://github.com/dev-sec/ansible-os-hardening

Supports:

alain-hoang commented 7 years ago

Other Existing Efforts

Some other efforts to harden Linux outside of TTS Ansible roles

CIS Based

https://github.com/PaxDominicus/Ansible-RHEL7-CIS Supports:

https://github.com/blackbaud/ansible-role-linux-hardening Supports:

No Specific Benchmarks

https://github.com/KEAOSolutions/development_environment Supports:

https://github.com/konstruktoid/ansible-role-hardening Supports:

https://github.com/pppontusw/ansible-role-linux-security Supports:

https://github.com/linuxhq/ansible-role-selinux Supports:

https://github.com/juju4/ansible-harden Supports:

https://github.com/thedumbtechguy/ansible-role-harden Supports:

https://github.com/githubixx/ansible-role-harden-linux Supports:

https://github.com/geerlingguy/ansible-role-security Supports:

afeld commented 7 years ago

Another notable repository: a bunch of shared roles from the @CFPB: https://github.com/cfpb/aurora/tree/develop/deploy/roles

afeld commented 7 years ago

Tracking progress for RHEL in https://trello.com/c/tu6wXNYb/40-create-ansible-hardening-roles-for-rhel-7.

afeld commented 7 years ago

Closing in favor of Trello cards.