6f6c08f4c3
This patch enables the RHEL 7 STIG content tasks as the default. Documentation has also been updated to reflect the change and provide more concise information about what is available with each release. The OpenStack-Ansible repo is still set to use the RHEL 6 STIG until some issues with individual roles are resolved.
Implements: blueprint security-rhel7-stig
Change-Id: Ic72d97b87c0fb16646e5a31030404e1a9ad6a469
Security hardening controls in detail (RHEL 6 STIG)
The Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 6 contains over 200 security controls. The links below will allow you to review each control based on a certain set of criteria.
Controls are divided into groups based on certain properties:
- Severity: Normally high, medium and low. High severity items are the ones which should be completed first, since they pose the greatest threat to the security of a system. (These severity levels are set within the STIG.)
- Implementation status: Each control is assessed thoroughly before Ansible tasks are written. Some controls may be listed as exceptions since they can't be implemented with automation, or they could cause damage to an existing system. Other controls are listed as opt-in when they are implemented, but they require a deployer to enable them. (This categorization comes from openstack-ansible-security, not the STIG.)
- Tag: The controls are also separated based on which parts of the system they act upon. Something that secures grub would be tagged with boot while controls for sshd would be tagged with auth. (This categorization comes from openstack-ansible-security, not the STIG.)
You can also review the STIG controls in one very large page. This can be helpful when you need to search using your web browser.
Note
The RHEL 6 STIG content is deprecated in the Ocata release and will be removed in a future release. Deployers can choose to deploy the RHEL 6 STIG content by setting the stig_version Ansible variable:
    ansible-playbook -i hosts playbook.yml -e stig_version=rhel6
- auto_controls-by-severity.rst
- auto_controls-by-status.rst
- auto_controls-by-tag.rst
- auto_controls-all.rst