Question of current status


Gabriel Forster

May 17, 2019, 8:40:11 AM
to Ansible Lockdown
Is this being actively developed? Looks like not much information has been made public in the last ~8 months and I'm curious if this is still the best path to pursue as there seem to be a few different "official" projects surrounding this topic.

Additionally, are there plans for RHEL 8 or HIPAA? I see this project has done some things for HIPAA as well as the DISA STIG and such. Not sure if that is on the horizon here.

Thanks!

Smith, Matt

May 17, 2019, 8:45:19 AM
to Gabriel Forster, Ansible Lockdown
I’m not a contributor on the project but I think this is accurate:
Given that rh6 is nearing EOL and rh7 is coasting in mid-lifespan, the STIGs themselves are pretty stable. There haven't been many changes in the last few quarters, and the bulk of the module needs to change very little because of that. I'd bet that they will be very busy once DISA releases STIGs for rh8.


Matt Smith
AMDS ADX
Classified Linux Support


Gabriel Forster

May 17, 2019, 8:47:21 AM
to Ansible Lockdown
That makes perfect sense. Just wanted to confirm that this is, in fact, the correct project to be involved with.

Thank you!


Smith, Matt

May 17, 2019, 8:55:03 AM
to Gabriel Forster, Ansible Lockdown
I've been thrilled with it. It has been a godsend for my group. We are using it at scale for provisioning, and while it does naturally need a lot of testing and engineering to make it scale, the devs put in a very sane and useful set of variables and defaults. The controls are all tagged by either stigId or vulnid. If you're already using Ansible it's a no-brainer. I'm looking forward to rh8 so I can hopefully get involved and contribute.

Jonathan Davila

May 17, 2019, 9:31:45 AM
to Ansible Lockdown
Matt, thank you very much for those kind words. It means a lot when we hear people are being helped by the content we've developed.

Gabriel,

RHEL8 is certainly on the roadmap for the project, it's just a matter of DISA putting out official guidance (even a draft would let us get rolling). We've even considered using the RHEL7 role as a starting point and tailoring/modifying it to work with RHEL8 in the interim.

Regarding HIPAA. I am certainly no HIPAA expert, so please correct me if I'm wrong. HIPAA is something we're open to exploring but would likely need a bit of community feedback to implement and I can explain why. Considering the guidance put out by HHS at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

We see explicitly:
The Security Rule does not require specific technology solutions. In this paper, some security measures and technical solutions are provided as examples to illustrate the standards and implementation specifications. These are only examples.

And then it goes into various standards such as Access Control, Audit Controls, etc. While these do give good insight as to intent, they do not provide the level of explicit guidance that something like the STIG or CIS Benchmarks provide. And HIPAA, unlike FedRAMP, doesn't say something like "Use CIS Benchmarks Level 1".

That being said, we could certainly create tech-specific (RHEL/Postgres/etc) Ansible content that satisfies the intent of the controls. However, my concern would be making sure that what is developed is useful and relevant to the majority of the Ansible Lockdown community.

To give an explicit example, take a look at UNIQUE USER IDENTIFICATION (R) - § 164.312(a)(2)(i). It mandates that users receive uniquely identifying attributes (name, id, etc.) on a system. Implementing this could go a few different ways; some trivial brainstorming here:
  • Rely on a standardized UID mapping across an estate
  • AD/LDAP auth
  • SAML2 (you can do this via PAM for example)
So again, I think we're totally up for it, but it's the inherent lack of precision in HIPAA guidance with regards to technical safeguards that can make it a little tricky.

Does that make sense?

-Jonathan
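The "standardized UID mapping across an estate" option above is the one that can be checked mechanically. The following is an added example (not Ansible Lockdown project code, and not anything the project ships for HIPAA) of an estate-wide check for the intent of § 164.312(a)(2)(i): collect /etc/passwd from every host, then flag any account name that maps to more than one UID, any UID claimed by more than one name, and any host where two entries share a UID (the classic second UID-0 account). The host names, accounts and passwd contents below are constructed sample data; in practice the dict would be filled from the gathered files.

```python
"""Estate-wide unique-user-identification check (added example).

Intent checked: HIPAA Security Rule § 164.312(a)(2)(i), unique user
identification. One name must map to one UID, and one UID to one name,
across all hosts. This is illustrative code, not Ansible Lockdown code.
"""
from collections import defaultdict

# Constructed sample data: three hypothetical hosts with drifting local
# account mappings. Real input would be the collected /etc/passwd files.
SAMPLE_PASSWD = {
    "web01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
        "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n"
        "nobody:x:65534:65534:Nobody:/:/sbin/nologin\n"
    ),
    "web02": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "toor:x:0:0:second uid 0 account:/root:/bin/bash\n"
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
        "carol:x:1002:1002:Carol:/home/carol:/bin/bash\n"
    ),
    "db01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1005:1005:Alice:/home/alice:/bin/bash\n"
        "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n"
    ),
}

# Human account range assumed for the example; UID 0 is always included
# because a second root alias defeats individual accountability.
UID_MIN = 1000
UID_MAX = 60000


def parse_passwd(text):
    """Return a list of (name, uid) tuples from /etc/passwd-format text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append((fields[0], int(fields[2])))
    return entries


def is_tracked(uid):
    """Accounts whose identity mapping we care about: root plus human UIDs."""
    return uid == 0 or UID_MIN <= uid < UID_MAX


def find_identity_conflicts(estate):
    """Check name<->UID consistency across an estate.

    estate: dict of host name -> /etc/passwd text.
    Returns a list of finding dicts, empty when every tracked account has
    exactly one name and one UID everywhere.
    """
    name_to_uids = defaultdict(set)
    uid_to_names = defaultdict(set)
    findings = []

    for host, text in estate.items():
        uids_on_host = defaultdict(list)
        for name, uid in parse_passwd(text):
            uids_on_host[uid].append(name)
            if is_tracked(uid):
                name_to_uids[name].add(uid)
                uid_to_names[uid].add(name)
        # Two passwd entries sharing a UID on one host: the kernel cannot
        # tell them apart, so audit records are not attributable.
        for uid, names in uids_on_host.items():
            if len(names) > 1:
                findings.append({"check": "shared_uid_on_host", "host": host,
                                 "uid": uid, "names": sorted(names)})

    # The same person has different UIDs on different hosts.
    for name, uids in sorted(name_to_uids.items()):
        if len(uids) > 1:
            findings.append({"check": "name_maps_to_multiple_uids",
                             "name": name, "uids": sorted(uids)})
    # The same UID belongs to different people on different hosts, so a
    # numeric UID in logs or NFS ownership does not identify one user.
    for uid, names in sorted(uid_to_names.items()):
        if len(names) > 1:
            findings.append({"check": "uid_maps_to_multiple_names",
                             "uid": uid, "names": sorted(names)})
    return findings


if __name__ == "__main__":
    for finding in find_identity_conflicts(SAMPLE_PASSWD):
        print(finding)
```

On the constructed sample this reports four findings: the `toor` alias of UID 0 on web02, `alice` holding UIDs 1001 and 1005, UID 0 shared by `root` and `toor`, and UID 1002 shared by `bob` and `carol`. The same logic fits naturally into a directory-backed estate (AD/LDAP) as a drift check against the central source of truth rather than as the primary control.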

Sam Doran

May 17, 2019, 9:33:05 AM
to Ansible Lockdown
Gabriel,

This project is still very much active. Most of the activity is in the role repositories as well as #ansible-lockdown on IRC. There is an Ansible Lockdown working group and regular meetings to discuss the project.

---

Sam

Daniel Shepherd

May 17, 2019, 9:33:41 AM
to Ansible Lockdown
Hello! Yes, it is still being actively developed. Most of the group activity takes place in the IRC channel #ansible-lockdown and on the various GitHub repos for the roles. The main repo doesn't get much activity at this time. We have community meetings every other week in IRC as well. This is probably the most up to date location for community info. https://github.com/ansible/community/wiki/Lockdown

RHEL 8 is something we recently discussed; however, without a RHEL 8 STIG we would need to use the RHEL 7 STIG in the interim until it's released.

Gabriel Forster

May 17, 2019, 9:43:28 AM
to Ansible Lockdown
Thank you all! This is really great news for me. Especially now that I see the working group, which addresses many of the little questions I had in the back of my mind and most of what I was really wondering about.

I completely understand the issue with the ambiguity of HIPAA. And the STIG lockdown roles do seem to cover most things (maybe all) within the realm that they are able to. In fact, the project I linked to seems to use a subset of them. I wonder if HIPAA needs to be nothing more than a tag on tasks where it may best fit. I dunno.

Anyway, thanks for all the hard work that has been done, I look forward to getting involved in any way I can.