DISA STIGs for operating systems have long been a glorious pain to remediate. Solutions such as Bastille and Aqueduct have fallen short or simply fallen behind and other pre-baked solutions can be costly.
I am here to announce, that this problem shall plague us no more! Read on for the glorious details…
- Identify deviations from the STIG
- Remediate most deviations*
- Self-audit STIG compliance at a whim
ALL WITHOUT AGENTS OR EXTRA SOFTWARE
As of this post, our ability to remediate stands at:
- 100% of all CAT 1 (high) vulnerabilities
- 91% of all CAT 2 (medium) vulnerabilities
- 82% of all CAT 3 (low) vulnerabilities
Our end goal is to have roles available for all STIG and CIS standards to include Windows, OSX and other systems (even application level STIGs). Once those have been tackled we will certainly pursue security roles for other IT security standards.
*When I say most, it is because there are remediations we dare not automate out of concern of potentially breaking your system. Such is the case with standards dealing with partitioning and network interfaces.
One-by-one, we went through every single STIG standard and wrote an Ansible task to identify and optionally correct any deviation. As part of what is provided to you, we included the ability to tackle ONLY certain STIG severity levels, or only specific benchmarks! Also, we’ve provided you the ability to interact with the role for confirmation prior to each remediation; of course, you can also fully automate the process as well, which will remediate everything.
No solution is complete without thorough testing for ongoing compliance validation. We provide that for you as well. As part of our development process we run the roles through a multi-pronged testing process.
- Testing the role for any syntactical issues
- Applying the STIG baseline via the role to fresh virtual machines
- Leveraging OpenSCAP as a second level of confirmation that benchmarks have been met
The testing process is completely open-source as is the current test pass/fail statuses; available through Ansible’s lockdown repository.
We’ve made this possible through a lot of hard work and a whole lot of Ansible.