Closed afeld closed 7 years ago
Maybe the title for this issue would more aptly be "have Security-blessed Ansible role(s) for operating system hardening", as we don't necessarily need to create it.
Some non-Ansible hardening examples at TTS:
(will keep adding to this list as I find out about more)
Note that cg-harden-boshrelease is on top of hardening done at the upstream stemcell level by the Cloud Foundry community. Pivotal does their own, described here: https://docs.pivotal.io/pivotalcf/1-9/security/pcf-infrastructure/stemcell-hardening.html
https://github.com/openstack/openstack-ansible-security
*Supports - Soon to be unsupported
https://github.com/ansible/ansible-lockdown
https://github.com/RedHatGov/ansible-role-800-53
https://github.com/dev-sec/ansible-os-hardening
Other Existing Efforts
Some other efforts to harden Linux outside of TTS Ansible roles
CIS Based
https://github.com/PaxDominicus/Ansible-RHEL7-CIS
https://github.com/blackbaud/ansible-role-linux-hardening
No Specific Benchmarks
https://github.com/KEAOSolutions/development_environment
https://github.com/konstruktoid/ansible-role-hardening
https://github.com/pppontusw/ansible-role-linux-security
https://github.com/linuxhq/ansible-role-selinux
https://github.com/juju4/ansible-harden
https://github.com/thedumbtechguy/ansible-role-harden
https://github.com/githubixx/ansible-role-harden-linux
https://github.com/geerlingguy/ansible-role-security
Another notable repository: a bunch of shared roles from the @CFPB: https://github.com/cfpb/aurora/tree/develop/deploy/roles
Tracking progress for RHEL in https://trello.com/c/tu6wXNYb/40-create-ansible-hardening-roles-for-rhel-7.
Closing in favor of Trello cards.
Breaking this conversation out from #1.
@jeremy-gillikin Before I knew you were actively working on this, @JJediny and I had been talking about having a common Ansible role we could share between the data.gov and D2D projects (to start) for hardening the operating systems. The projects use Ubuntu and RHEL 7, respectively.
We've been collecting examples of other hardening roles in this Trello card. As you can see, there are a lot of them, so my first suggestion would be for us to evaluate what's out there, to avoid reinventing the wheel. We may, for example, be able to use an existing role (or two), and either:
dependencies, and adds on whatever we want/need

One I'd like to call out in particular is https://github.com/RedHatGov/ansible-role-800-53, where they are mapping tasks to particular controls in NIST 800-53 via tags. This is interesting, in that it could allow us to come full-circle in terms of connecting automation bits back to the compliance documentation. From @jason-callaway, one of the maintainers, in the OpenControl Slack:
[Proposed] acceptance criteria
I propose these as the medium/long-term goals.
Thoughts?
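The comment above describes tagging Ansible tasks with NIST 800-53 control IDs so that automation can be traced back to compliance documentation. The following is an added example, not code from this issue or from the RedHatGov role: a small Python check that takes tasks in the dict form Ansible loads them in, builds a control-to-task coverage map, and flags the two failure modes that silently break such a mapping (tasks with no control tag, and tags that use the prefix but are not well-formed control IDs). The `NIST-800-53-<control>` tag prefix, the sample tasks and the control-ID pattern are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: tasks in the dict shape Ansible produces when it loads
# a tasks YAML file (yaml.safe_load on a real tasks file gives the same shape).
# The "NIST-800-53-<family>-<number>" tag convention is an assumption for this
# example; check the role you adopt for its actual naming.
SAMPLE_TASKS = [
    {
        "name": "Set password maximum age",
        "lineinfile": {"path": "/etc/login.defs", "regexp": "^PASS_MAX_DAYS",
                       "line": "PASS_MAX_DAYS 60"},
        "tags": ["NIST-800-53-IA-5", "NIST-800-53-IA-5(1)", "passwords"],
    },
    {
        "name": "Disable root SSH login",
        "lineinfile": {"path": "/etc/ssh/sshd_config", "regexp": "^PermitRootLogin",
                       "line": "PermitRootLogin no"},
        "tags": ["NIST-800-53-AC-6", "ssh"],
    },
    {
        "name": "Install auditd",
        "package": {"name": "audit", "state": "present"},
        "tags": ["audit", "NIST-800-53-au-2"],  # lower-case family: malformed tag
    },
    {
        "name": "Reboot if required",
        "reboot": {},
        # no tags at all: invisible to any tag-driven compliance mapping
    },
]

CONTROL_TAG_PREFIX = "NIST-800-53-"
# Control IDs look like AC-2 or AC-2(1): two-letter family, a number, and an
# optional control enhancement in parentheses.
CONTROL_ID_RE = re.compile(r"^[A-Z]{2}-\d+(?:\(\d+\))?$")


def task_tags(task):
    """Return a task's tags as a list; Ansible accepts either a string or a list."""
    tags = task.get("tags", [])
    return [tags] if isinstance(tags, str) else list(tags)


def control_ids(task):
    """Well-formed control IDs referenced by a task's tags."""
    ids = []
    for tag in task_tags(task):
        if tag.startswith(CONTROL_TAG_PREFIX):
            control = tag[len(CONTROL_TAG_PREFIX):]
            if CONTROL_ID_RE.match(control):
                ids.append(control)
    return ids


def coverage_matrix(tasks):
    """Map each control ID to the names of the tasks that implement it."""
    matrix = defaultdict(list)
    for task in tasks:
        for control in control_ids(task):
            matrix[control].append(task.get("name", "<unnamed>"))
    return dict(matrix)


def untagged_tasks(tasks):
    """Tasks carrying no well-formed control tag; they never reach the compliance docs."""
    return [t.get("name", "<unnamed>") for t in tasks if not control_ids(t)]


def malformed_control_tags(tasks):
    """(task name, tag) pairs that use the prefix but do not parse as a control ID."""
    bad = []
    for task in tasks:
        for tag in task_tags(task):
            control = tag[len(CONTROL_TAG_PREFIX):]
            if tag.startswith(CONTROL_TAG_PREFIX) and not CONTROL_ID_RE.match(control):
                bad.append((task.get("name", "<unnamed>"), tag))
    return bad


if __name__ == "__main__":
    for control, names in sorted(coverage_matrix(SAMPLE_TASKS).items()):
        print(f"{control}: {', '.join(names)}")
    print("untagged tasks:", untagged_tasks(SAMPLE_TASKS))
    print("malformed control tags:", malformed_control_tags(SAMPLE_TASKS))
```

Run against a real role, the same three functions are the check worth wiring into CI: the coverage map is what a compliance document (OpenControl components, for example) would consume, while the untagged and malformed lists are exactly the tasks whose hardening work would otherwise go unreported.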