Automated security hardening for Linux hosts with Ansible

Automated security hardening for Linux hosts with Ansible

ansible-hardening logo

What does the role do?

The ansible-hardening Ansible role uses industry-standard security hardening guides to secure Linux hosts. Although the role is designed to work well in OpenStack environments that are deployed with OpenStack-Ansible, it can be used with almost any Linux system.

It all starts with the Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA), part of the United States Department of Defense. The guide is released with a public domain license and it is commonly used to secure systems at public and private organizations around the world.

Each configuration from the STIG is analyzed to determine what impact it could have on a live production environment and how to implement it in Ansible. Tasks are added to the role that configure a host to meet the configuration requirement. Each task is documented to explain what was changed, why it was changed, and what deployers need to understand about the change.

Deployers have the option to pick and choose which configurations are applied using Ansible variables and tags. Some tasks allow deployers to provide custom configurations to tighten down or relax certain requirements.

OpenStack Summit Boston 2017 Talk

This talk covers the latest updates from the project and a live demo. Slides from the talk are available for download.

Legacy RHEL 6 STIG Content

The RHEL 7 STIG content was first added in the Ocata release using the pre-release STIG content (version 0.2). The Pike release contains the final STIG release content which also included a numbering change from the RHEL-xx-xxxxxx style to the traditional V-xxxxx style.

The original RHEL 6 STIG content was deprecated in the Ocata release and will be removed in the Queens release (early 2018). The documentation for the RHEL 6 STIG content is still available:

Releases

Deployers should use the latest stable release for all production deployments.

Pike

  • Status: Active development (anticipated release: September 2017)
  • Supported Operating Systems:
    • Ubuntu 14.04 Trusty (Deprecated)
    • Ubuntu 16.04 Xenial
    • CentOS 7
    • Red Hat Enterprise Linux 7 (partial automated test coverage)
    • openSUSE Leap 42.2 and 42.3
    • SUSE Linux Enterprise 12 (experimental)
  • Documentation:

Ocata

Newton

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.