[ale] Security Template (STIG) Scripts for RHEL on github

JD jdp at algoloma.com
Thu Jan 8 16:31:15 EST 2015


Ok - I'll bite.

Ansible was written by an ex-Puppet Labs engineer.  He wanted to simplify
everything from puppet and make it trivial to get started. He succeeded, IMHO.

Ansible doesn't require any server - none.  Your workstation can be the ansible
management box or you can set up a "server" or 20, if you like. Want to
automatically force config updates daily, weekly, hourly?  Put the ansible
task/playbook into a crontab.  If your managed devices grow beyond 1,000, there
are more efficient connection methods possible with Ansible.

No SSL certs to manage. Ansible uses ssh and ssh-keys (if you like) and
completely understands sudo.  There isn't anything to install on clients - any
modern distro already meets the needs for ansible after you install openssh-server.

Ansible understands settings and will put them back by default if any changes
are made. If no changes are necessary, nothing is touched.  Both are reported
... does that mean "auditable"? I think so.
Ansible has simple building blocks to make complex results.  I've built a
library of these for my systems and network. I started out using prebuilt
versions, but found those didn't do everything I felt was needed. Modifying
these tasks is trivial.

Puppet is the Microsoft of DevOps.  You'll always be employed and there will
always be issues.  That is good to stay employed, I suppose.

Of course, all of this is IMHO.  I looked at puppet for a few years, attended a
local puppet-labs conference and asked lots of questions of other attendees.
Nobody had their entire infrastructure in puppet.  Played with it for a few
weeks.  I'll never go back.  Ansible is simple, elegant, powerful.

On 01/08/2015 02:10 PM, Jerald Sheets wrote:
> Puppet would do that job more completely, I’d think, and would then maintain
> your site to that level of STIG compliance, and then provide audit trail when
> things change and Puppet puts it back.
> 
> I just did a site in Sacramento that manages the power grid for the state.
> They needed this level of provisioning, security hardening, auditing, and
> reporting and Puppet + RHEL6 + IT automation ability, and Puppet fit the
> bill.
> 
> There’s also Raytheon’s “Security Blanket” that does a lot of this too.
> 
> —jms
> 
> 
>> On Jan 8, 2015, at 9:28 AM, Raj Wurttemberg <rajaw at c64.us> wrote:
>> 
>> Can Ansible do simple checks on files?
>> 
>> Examples:
>> - Check settings inside sshd_config
>> - Check settings inside PAM files
>> - Make sure certain NICs have a specific MTU
>> 
>> I looked at Ansible briefly, but I thought it was more for deploying 
>> settings and packages.  I'm looking to just QA servers.
>> 
>> Kind regards, Raj
>> 
>> 
>>> -----Original Message-----
>>> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of JD
>>> Sent: Thursday, January 08, 2015 5:41 AM
>>> To: Atlanta Linux Enthusiasts
>>> Subject: Re: [ale] Security Template (STIG) Scripts for RHEL on github
>>> 
>>> Ansible? Takes about 20 minutes to get started.
>>> 
>>> On 01/07/2015 09:54 PM, Raj Wurttemberg wrote:
>>>> Very interesting George!
>>>> 
>>>> We have a client with a rapidly growing RHEL infrastructure (13 servers
>>>> in June, 180 now!) and they give us build sheets. We also have to
>>>> secure and configure servers according to their STIG.... which, I'll be
>>>> honest, is very time consuming and tedious to QA.
>>>> 
>> 

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
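The kind of read-only QA pass Raj asks about (sshd_config, a PAM file, a NIC MTU), as an added example playbook that is not part of the thread or of any project mentioned in it; the inventory group `rhel_servers`, the interface name `eth0`, the MTU value and the exact PAM line are assumptions.

```yaml
# Added example, not from the thread: audit a RHEL host's sshd_config, a PAM file
# and a NIC MTU with Ansible. Run it read-only first (nothing is written; every
# drift is listed as "changed" with a diff), then, once reviewed, let it enforce:
#   ansible-playbook -i hosts stig_audit.yml --check --diff
#   ansible-playbook -i hosts stig_audit.yml
- hosts: rhel_servers          # assumed inventory group name
  become: yes
  vars:
    nic: eth0                  # assumed interface name
    expected_mtu: 1500         # assumed value from the build sheet
    sshd_settings:             # key/value pairs sshd_config must contain
      - { key: PermitRootLogin, value: "no" }
      - { key: PermitEmptyPasswords, value: "no" }
      - { key: Protocol, value: "2" }
  tasks:
    - name: sshd_config carries each required setting
      # Replaces a commented-out or wrong line, appends if absent; validate
      # refuses to install a config that sshd itself rejects.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*#?\s*{{ item.key }}\b'
        line: '{{ item.key }} {{ item.value }}'
        validate: '/usr/sbin/sshd -t -f %s'
      with_items: '{{ sshd_settings }}'
      notify: restart sshd

    - name: password quality module is required in system-auth
      # The exact module and options depend on the RHEL release and the STIG
      # item; this line is the RHEL 7 pam_pwquality form and is an assumption.
      lineinfile:
        path: /etc/pam.d/system-auth
        regexp: '^password\s+requisite\s+pam_pwquality\.so'
        line: 'password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type='
        insertbefore: '^password\s+sufficient\s+pam_unix\.so'

    - name: NIC MTU matches the build sheet (pure check, never changes anything)
      # Reads the gathered interface fact (ansible_eth0.mtu) and fails the host
      # if it differs, so the play's summary doubles as the QA report.
      assert:
        that: "hostvars[inventory_hostname]['ansible_' ~ nic]['mtu'] | int == expected_mtu"
        msg: "{{ nic }} MTU is {{ hostvars[inventory_hostname]['ansible_' ~ nic]['mtu'] }}, expected {{ expected_mtu }}"

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

With `--check --diff` the lineinfile tasks only report what they would change and the assert still evaluates the gathered facts, so the per-host ok/changed/failed summary is the audit result.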

