How Ansible Integration automates your STIG/CIS Compliance
If you have Ansible deployed in your environment, you already know how much it simplifies IT environment management: Ansible Inventory and Ansible Vault let you scale out and configure new systems automatically. This article goes over a few tips for integrating Ansible with STIG/CIS compliance automation software such as ConfigOS, what to watch out for, and some recommendations based on my experience with these two platforms.
Adding to your playbook
If you are iterating on a continuous integration/delivery (CI/CD) pipeline for your application rather than scaling out, integration is critical. Adding just a few lines to your staging environment playbook, before your stage testing runs, will minimize or outright remove the blockers that otherwise require tedious manual intervention, and it ensures each build is developed against up-to-date security benchmarks. Apply compliance scanning and remediation automatically by calling the ConfigOS Command Line Interface (CLI) from a playbook that draws its targets from Ansible Inventory and its credentials from Ansible Vault, so new systems are built and hardened in one pass.
Ansible integration lets your human-readable inventory lists specify multiple targets and makes it easy to define variables pointing at the relevant signatures and containers. Catch application-breaking compliance settings as early in the dev-ops pipeline as possible, so troubleshooting them never interrupts your automated CI process.
Read more about Ansible Vault for secure storage of credentials: https://docs.ansible.com/ansible/latest/user_guide/vault.html
Trigger scans and remediate automatically
Use Ansible Vault and Ansible's dynamic inventory to trigger the ConfigOS CLI to run scans, and remediation, on brand-new images as you scale out in response to demand. By integrating with Ansible's inventory management, ConfigOS scans each target and remediates it against the selected STIG or CIS content automatically.
Become an efficient administrator
When a new STIG is released, you need to apply its remediation to all of your machines and test that they all still work. The best practice for an environment running an application is to apply the remediation to a non-production staging environment first. Test to ensure your application and/or environment does not break, apply it to half or less of your production environment, repeat the test, and then apply it to the rest of the production environment.
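The playbook below is an added example, not code from this article or from SteelCloud, that ties together the two workflows described above: invoking the ConfigOS CLI from a playbook with inventory-driven targets and vault-stored credentials (the "Adding to your playbook" and "Trigger scans" sections), and the staged rollout of staging first, then half of production, then the rest (this section). Everything specific to ConfigOS is an assumption: this page does not give the CLI's command-line syntax, so the `configos_scan_cmd` and `configos_remediate_cmd` variables, the `/opt/configos/cli` path and the `stig_signature` value are placeholders you must replace from the ConfigOS documentation. The inventory groups `staging` and `production`, the vault file `group_vars/all/vault.yml` holding `configos_username`/`configos_password`, and the local `/health` endpoint are likewise assumed.

```yaml
# Added example (not ConfigOS, SteelCloud or Ansible project code).
# Assumptions, all labelled: inventory groups "staging" and "production";
# a vault-encrypted group_vars/all/vault.yml defining configos_username and
# configos_password; ConfigOS CLI invocations are PLACEHOLDERS because the
# real syntax is not given on this page.
#
# Staged rollout: run against staging first, then production in two halves
# (serial: 50%). A failure anywhere in the first half stops the second half.
#
# Usage (assumed file name harden.yml):
#   ansible-playbook -i inventory harden.yml --ask-vault-pass
#   ansible-playbook -i inventory harden.yml --ask-vault-pass -e target_group=production

- name: Scan and remediate a tier with ConfigOS, then verify the application
  hosts: "{{ target_group | default('staging') }}"   # staging unless overridden
  become: true
  serial: "50%"             # at most half of the selected group at a time
  any_errors_fatal: true    # one failed host aborts the remaining batches
  vars_files:
    - group_vars/all/vault.yml   # assumed vault-encrypted; decrypted at run time
  vars:
    # PLACEHOLDER values: replace with the real ConfigOS CLI options/signature.
    stig_signature: "PLACEHOLDER_STIG_SIGNATURE_ID"
    configos_scan_cmd: "/opt/configos/cli --scan --signature {{ stig_signature }}"
    configos_remediate_cmd: "/opt/configos/cli --remediate --signature {{ stig_signature }}"
    app_health_url: "http://127.0.0.1:8080/health"   # assumed app health endpoint

  tasks:
    - name: Run the compliance scan (placeholder ConfigOS command)
      ansible.builtin.command: "{{ configos_scan_cmd }}"
      environment:
        CONFIGOS_USER: "{{ configos_username }}"   # from the vault file
        CONFIGOS_PASS: "{{ configos_password }}"
      register: scan
      changed_when: false
      no_log: true          # keep vault credentials out of playbook output

    - name: Remediate findings (placeholder ConfigOS command)
      ansible.builtin.command: "{{ configos_remediate_cmd }}"
      environment:
        CONFIGOS_USER: "{{ configos_username }}"
        CONFIGOS_PASS: "{{ configos_password }}"
      register: remediate
      no_log: true

    - name: Verify the application still answers after hardening
      ansible.builtin.uri:
        url: "{{ app_health_url }}"
        status_code: 200
      register: health
      retries: 5
      delay: 10
      until: health.status == 200
```

The `serial: "50%"` plus `any_errors_fatal: true` pair is what implements the "half or less, test, then the rest" step: the health-check task is the test, and if it fails on any host in the first half, the second half is never touched. `no_log: true` on the tasks that receive vault-decrypted credentials keeps them out of the console and any CI log archive, which is the point of using Vault in the first place.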
Integrating ConfigOS with Ansible Vault and Ansible Inventory gives you automated security remediation with very minimal overhead!
About the author:
Jesse Vaughn, Implementation Specialist
Jesse joined the SteelCloud team in autumn 2020. His philosophy is that, when it comes to IT, any task that can be automated should be automated. Jesse has a wealth of experience working with STIGs manually. His primary role at SteelCloud is to integrate SteelCloud's STIG automation products with other enterprise automation and configuration management software. Jesse is honored to join the customer support team, learning new things, applying his experience in new ways, and spreading his pain-free automation approach wherever he can. Jesse can be reached at: jvaughn@steelcloud.com.
Additional resources:
Ansible continuous delivery article: https://www.ansible.com/use-cases/continuous-delivery
Ansible dynamic inventory specifics: https://docs.ansible.com/ansible/latest/user_guide/intro_dynamic_inventory.html#intro-dynamic-inventory
Ansible Vault info: https://docs.ansible.com/ansible/latest/user_guide/vault.html