Security Meets CM
As part of building my CentOS role in Ansible I've been looking for best practice guides. When I found the security guides I hit the jackpot. These guides provide detailed instructions on how to configure CentOS. In the old days you would use these guides to build shell scripts or (gasp!) manually configure your servers. Now you can take these directions and translate them into your CM tool of choice. I'm using Ansible for the task.
This is already extremely useful, but these guides also provide tests. Often these tests are in a set of complex XML formats. No matter: the actual command line test can be extracted and used in something easier to work with, like serverspec. Here is a small sample of how they look in serverspec:
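The /dev/shm mount check is a good illustration of what these tests look like once pulled out of the XML. The snippet below is an added example, not the original post's serverspec file: it is the same check written in plain Ruby (so it runs without the serverspec gem), parsing /proc/mounts and reporting which of the nodev, nosuid and noexec options the guides call for are missing. The sample mount table is constructed, not taken from a real host.

```ruby
# Plain-Ruby version of the /dev/shm mount check from the security guides.
# serverspec's `describe file('/dev/shm') { it { should be_mounted.with(...) } }`
# reads /proc/mounts in the same way; this version needs no extra gems.

# Mount options the guides require on /dev/shm (CIS CentOS 6 benchmark).
REQUIRED_SHM_OPTIONS = %w[nodev nosuid noexec].freeze

# Parse /proc/mounts text into { mount point => [options] }.
# Each line has the fields: device mountpoint fstype options dump pass.
def parse_mounts(text)
  text.each_line.with_object({}) do |line, mounts|
    fields = line.split
    next if fields.size < 4
    mounts[fields[1]] = fields[3].split(',')
  end
end

# Return the required options missing from /dev/shm ([] means compliant).
# If /dev/shm is not mounted at all, every required option is reported missing.
def shm_findings(mounts_text, required = REQUIRED_SHM_OPTIONS)
  opts = parse_mounts(mounts_text)['/dev/shm']
  return required.dup if opts.nil?
  required - opts
end

# Constructed sample /proc/mounts content: a default (non-compliant) /dev/shm.
SAMPLE_MOUNTS = <<~MOUNTS
  /dev/mapper/vg-root / ext4 rw,relatime,barrier=1,data=ordered 0 0
  proc /proc proc rw,relatime 0 0
  tmpfs /dev/shm tmpfs rw,relatime 0 0
MOUNTS

# The same table after the guides' remediation has been applied.
HARDENED_MOUNTS = SAMPLE_MOUNTS.sub(
  'tmpfs /dev/shm tmpfs rw,relatime',
  'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime'
)

if __FILE__ == $PROGRAM_NAME && File.readable?('/proc/mounts')
  # Audit the live host when run directly on a Linux box.
  missing = shm_findings(File.read('/proc/mounts'))
  puts(missing.empty? ? 'PASS: /dev/shm' : "FAIL: /dev/shm missing #{missing.join(',')}")
end
```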
You set the configuration via kickstart and Ansible and then test it with serverspec. It’s also a security audit.
I've got a lot more to do since these guides are massive. I expect to have a serverspec file with hundreds of tests by the time I'm done. There are SCAP tools that already do this, and you can find them here. I think it's worth the trouble to translate them into serverspec because then I have all of my server configuration tests in one place. Besides, as I have argued before, the tools that do CM, security, and auditing overlap. Trying to put them into nice distinct categories hurts the evolution of the CM tools.
My experience with these guides also confirmed my choice of CentOS as my OS. The guides are for Red Hat Linux, so they work just as well for CentOS. I did not see any for other flavors of Linux.
The Security Guides
After a lot of searching, here are the best guides I've found.
- CIS CentOS 6 Security Benchmark. My favorite guide. Well written and comprehensive. This one is CentOS-specific too. From the web page, check the box before "CentOS Linux Benchmarks" and then click "I Accept" at the bottom.
- Red Hat 6 STIG. ‘STIG’ stands for Security Technical Implementation Guide and is a term I see a lot on the US government web sites devoted to this area. This web site shows, I think, a web view of the DISA STIG.
- Red Hat 6 Official Security Guide. Not as detailed as the others but has a lot of explanation.
- DISA Red Hat 6 STIG. This link has the raw XML, so it's hard to work with. See also link 2 above.
- NSA Red Hat 5 STIG. For an older version of Red Hat but still useful.
- SCAP for Red Hat 6. Another favorite of mine. Very good advice on server application configuration.
- USGCB – Red Hat Enterprise Linux 5 Desktop. The US government guide, but this is for Red Hat 5 and the desktop version. Still useful. This page also has a kickstart file and Puppet scripts. These are well worth looking at.
The good news is that, as far as I can tell after an initial examination, the information these provide is largely the same. Often it is the same verbatim. For example, the /dev/shm mount rules that the serverspec snippet above tests are found in all of them.
These guides contain just the kind of best practice configurations that the CM tools should be providing. Given time I hope they will. The CM tools are great but it’s the content that matters. Perhaps when I finish mine I can contribute it to Ansible Galaxy.