I just finished making my base Ansible role fully SCAP compliant (based on the DISA STIG, I think). It doesn’t appear to have broken anything, but I will need to test it thoroughly before I put it into production. I can tell that this configuration is going to make working with the systems more difficult. That’s OK though. I value security over convenience. I can also see that the automated CM tools make a big difference in this area. They make systems administration much easier on hardened systems.
Some of the biggest changes with this hardening are:
- Locked down partition scheme (extensive use of
- Strict password requirements
- Increased auditing of changes that could affect security
- Added kernel parameters (not as many as I had expected though)
- Locked down SSH settings (no root login, etc.)
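Of the changes listed above, the SSH lockdown is the easiest one to check offline, and it has a trap that compliance scanners catch and hand-edits miss: sshd takes the first value it sees for a keyword and ignores later duplicates, and keywords are case-insensitive. The following is an added example, not code from the post’s Ansible role or from any STIG checker: a small Python audit of an sshd_config text against a few STIG-style expectations. The expected values in EXPECTED are illustrative assumptions, not quoted rule IDs, and both sample configs are constructed.

```python
"""Audit an sshd_config text against a handful of STIG-style expectations.

sshd semantics honoured here (added example, not the post's Ansible code):
  * keywords are case-insensitive; '#' starts a comment
  * for each keyword the FIRST value wins, later duplicates are ignored, so
    a hardened line appended below a permissive one changes nothing
  * directives after a 'Match' line are conditional and are excluded from
    the global audit (Match blocks extend to the end of the file)
"""
import re

# Illustrative expectations (assumed values, not quoted from a specific STIG rule).
EXPECTED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "protocol": "2",
    "banner": "/etc/issue",
    "ignorerhosts": "yes",
    "hostbasedauthentication": "no",
}


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for global (non-Match) directives."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                     # everything below is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)         # first occurrence wins, as in sshd
    return settings


def audit(text, expected=EXPECTED):
    """Return a list of (keyword, expected, actual) for every failing check."""
    settings = parse_sshd_config(text)
    failures = []
    for key, want in expected.items():
        got = settings.get(key)
        if got is None or got.lower() != want.lower():
            failures.append((key, want, got))
    return failures


# Constructed sample: looks hardened at a glance, but the 'PermitRootLogin no'
# lines are a dead duplicate and a Match-scoped setting; no Banner is set.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not from a real host)
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
# appended by a naive hardening script; sshd ignores it (duplicate keyword)
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""

# Constructed sample that should pass every check.
HARDENED_CONFIG = """\
Protocol 2
permitrootlogin no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
Banner /etc/issue
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        failures = audit(cfg)
        print(f"{name}: {'PASS' if not failures else 'FAIL'}")
        for key, want, got in failures:
            print(f"  {key}: expected {want!r}, found {got!r}")
```

On a live host, `sshd -T` prints the effective configuration after this same first-wins resolution, which is the safer thing to audit than the file; the parser above is for reviewing a role’s generated file before it reaches a host.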
On a lighter note (server hardening doesn’t have many), it requires a login banner, so I had the chance to add a very scary and official-looking one. I hope the hackers are suitably impressed.
You can use the test suite I mentioned in a previous post to validate your compliance. It does seem to have issues. Despite being certain that I have implemented the guidelines correctly, it still marks some of the tests as ‘fail’. I suspect the compliance test code has some bugs. The two guidelines I expect to fail are the aide and rsyslog checks. I have replaced aide with OSSEC and may not use rsyslog as my primary logging client.
I hope to post my Ansible configuration soon. I will post it on GitHub. I just need to figure out how to remove my local configuration details while still making it function correctly.
Update (May 2014): you can audit STIG compliance using serverspec with these tests I’ve uploaded to GitHub.