Sam Doran

My little corner of the Internet

STIG Compliance with Ansible

From the moment that I fully grokked the power of idempotence, I immediately saw the potential for Ansible as the STIG compliance tool. When I worked as a sysadmin for the US Navy, I spent a good deal of my time making sure systems were hardened appropriately according to those guidelines. I used a combination of kickstart files and shell scripts to get the job done because I found the existing tools, SRR scripts and Gold Disk¹, pretty useless.

I really like the STIGs, though implementing them is quite a challenge. Last summer, I spent a few months manually reading through the STIG² for Red Hat 6 and creating an Ansible role. I put it on GitHub intending to get it in good enough shape to publish on Ansible Galaxy. I never quite finished the last few CAT III findings and had to move on to other projects at work.

A few months after publishing the role and using it pretty regularly to harden my servers, I got a call from Justin Nemmers at Ansible who wanted to take my role and hire some folks at MindPoint Group to develop it even further. I was thrilled and honored! Since then, they have been very busy improving on what I started and developing some really great testing.

If you’re in the Department of Defense, or STIG compliance is something you loathe but are required to do, please take a serious look at Ansible. I know Justin has big plans to grow STIG compliance well beyond just Red Hat and even tackle Windows³ in the future. I’ve used a lot of tools to wrangle the STIG compliance bull, and Ansible is the best.

  1. Both of these are now listed under “Sunset Products” on the DISA site. Good riddance.

  2. Just reading the STIGs is an insanely frustrating exercise. I cannot express enough gratitude to the folks that created them!

  3. Yes, Ansible works on Windows.