Lockdown is not forgotten


Jonathan Davila

Apr 6, 2016, 9:45:49 AM
to Ansible Lockdown
All,

Just wanted to inform the group that Ansible Lockdown is still very much alive, albeit w/o much love the past several months. With the acquisition of Ansible along with other internal 'things' there have been a perpetuity of events that have come up that have blocked progress on this front. There should be significant progress made this year with two major goals, getting RHEL6 STIG updated to Release 10 and to get RHEL6 CIS Benchmarks "Ansiblized" as well.

If there is any interest in helping out, questions, concerns, etc, feel free to reach out.

Thanks,
Jonathan Davila

Bas Meijer

Apr 6, 2016, 9:53:49 AM
to Jonathan Davila, Ansible Lockdown
Hi Jonathan & all,

It should be noted that the CIS Benchmarks are for RHEL7. I had the opportunity to implement the easiest actions in the repository at:


It seems to me that the CIS benchmark will be less work compared to the DISA-STIG, and I hope with the help of all that we can get this done soon.


Kind regards,

Bas Meijer
@bbaassssiiee


Jonathan Davila

Apr 6, 2016, 10:01:26 AM
to Bas Meijer, Ansible Lockdown
Glad you brought that up. I am placing RHEL 7 CIS/STIG as secondary goals for now. The reason for targeting RHEL6 for CIS is that there is a good amount of overlap between the STIG and CIS which should make it 'easier'. Though, I certainly welcome help on the RHEL7 front.  Another piece, I need to follow up with Adam Montville (of CIS) to get official blessing on this project, as CIS has a good bit of legal jargon in its TOU.


Jonathan I. Davila
Principal Architect, Automation Practice, Red Hat, Inc
202.415.1878 // redhat.com // jda...@redhat.com // Washington, D.C

Sam Doran

Apr 6, 2016, 10:30:43 AM
to Ansible Lockdown
I switched roles at work a few months ago and have been focused on developing other aspects of our infrastructure, so I have not been able to dedicate time to this project. BUT, I am wrapping up my last week at my current day job and plan to dedicate more time to this project at my new gig. Definitely not forgotten!

Daniel Shepherd

Apr 6, 2016, 10:45:06 AM
to Ansible Lockdown
We have a few resources internally who have been working on the RHEL7 CIS as well and should have some updates for that soon. I'm also hoping to ramp back up on the RHEL6 STIG/CIS stuff as we have fallen behind.

Dan

Conor Schaefer

Apr 6, 2016, 1:44:32 PM
to Jonathan Davila, Ansible Lockdown
Thanks for keeping the list alive, Jonathan. If you're not already, I recommend keeping tabs on the Dev Sec folks (previously Hardening.io): http://dev-sec.io/

Most of their work is for CM solutions other than Ansible, but they have a decent baseline for hardening already. I suggest working with them as much as possible, the team is quite friendly to collaborators.

Seeing as I mostly maintain Debian systems, I'll keep an eye on Lockdown, although it seems Debian support is not planned at present.


Conor Schaefer

Apr 6, 2016, 1:48:53 PM
to Jonathan Davila, Ansible Lockdown
Naturally. I think you'll find the same priorities from the DevSec/Vulcano folks. Will still follow the project and contribute where possible—solutions like this are just as big a win for smaller orgs that can reap the benefits downstream.

On Wed, Apr 6, 2016 at 10:46 AM, Jonathan Davila <jda...@redhat.com> wrote:
Hey Conor,

Thanks for that, I'll definitely ping them. I would say Debian is planned just not a priority at the moment. The intent and desire is to eventually get baselines for all major OSes. Currently RHEL family has the highest demand (esp by Gov users) hence why it is front-lined.



Jonathan I. Davila
Principal Architect, Automation Practice, Red Hat, Inc
202.415.1878 // redhat.com // jda...@redhat.com // Washington, D.C

Jonathan Davila

Apr 6, 2016, 1:49:14 PM
to Conor Schaefer, Ansible Lockdown
Hey Conor,

Thanks for that, I'll definitely ping them. I would say Debian is planned just not a priority at the moment. The intent and desire is to eventually get baselines for all major OSes. Currently RHEL family has the highest demand (esp by Gov users) hence why it is front-lined.


Jonathan I. Davila
Principal Architect, Automation Practice, Red Hat, Inc
202.415.1878 // redhat.com // jda...@redhat.com // Washington, D.C

brian.c.an...@uscis.dhs.gov

Apr 7, 2016, 10:25:07 AM
to Ansible Lockdown
FYI, Major.io has already done the RHEL 6 CIS benchmarks here:

He had planned (via his blog) to update these for RHEL/CentOS 7, but his job at Rackspace took him another direction.

-Brian

DS Morse

Apr 7, 2016, 10:37:57 AM
to Ansible Lockdown
Just a little over a week ago, I forked Jonathan's work and updated a version of the Ansible role that will run on a RHEL7/Cent7 host. It may be a useful starting point. Here is the link: https://galaxy.ansible.com/dsmorse/cent7-STIG/


On Wednesday, April 6, 2016 at 11:49:14 AM UTC-6, Jonathan Davila wrote:
Hey Conor,

Thanks for that, I'll definitely ping them. I would say Debian is planned just not a priority at the moment. The intent and desire is to eventually get baselines for all major OSes. Currently RHEL family has the highest demand (esp by Gov users) hence why it is front-lined.


Jonathan I. Davila
Principal Architect, Automation Practice, Red Hat, Inc