From the moment that I fully grokked the power of idempotence, I immediately saw the potential for Ansible as the STIG compliance tool. When I worked as a sysadmin for the US Navy, I spent a good deal of my time making sure systems were hardened appropriately according to those guidelines. I used a combination of kickstart files and shell scripts to get the job done because I found the existing tools, SRR scripts and Gold Disk[1], pretty useless.
I really like the STIGs, though implementing them is quite a challenge. Last summer, I spent a few months manually reading through the STIG[2] for Red Hat 6 and creating an Ansible role. I put it on GitHub intending to get it in shape enough to publish on Ansible Galaxy. I never quite got finished with the last few CAT III findings and had to move on to other projects at work.
A few months after publishing the role and using it pretty regularly to harden my servers, I got a call from Justin Nemmers at Ansible who wanted to take my role and hire some folks at MindPoint Group to develop it even further. I was thrilled and honored! Since then, they have been very busy improving on what I started and developing some really great testing.
If you’re in the Department of Defense or STIG compliance is something you loathe but are required to do, please take a serious look at Ansible. I know Justin has big plans to grow STIG compliance well beyond just Red Hat and even tackle Windows[3] in the future. I’ve used a lot of tools to wrangle the STIG compliance bull, and Ansible is the best.
[1] Both of these are now listed under “Sunset Products” on the DISA site. Good riddance.

[2] Just reading the STIGs is an insanely frustrating exercise. I cannot express enough gratitude to the folks that created stigviewer.com!

[3] Yes, Ansible works on Windows.