Getting started¶
This role is part of the Ansible Lockdown project and can be used as a standalone role or it can be used along with other Ansible roles and playbooks.
Requirements¶
This documentation assumes that the reader has completed the steps within the Ansible installation guide.
The following additional libraries are required on the Ansible control node:
passlib
>= 1.5 (1.6.5 is available in RHEL and CentOS as python-passlib
)
jmespath
(available in RHEL and CentOS as python-jmespath
)
Installation¶
The recommended installation methods for this role are
ansible-galaxy
(recommended) or git
.
Using ansible-galaxy
¶
The easiest installation method is to use the ansible-galaxy
command that
is provided with your Ansible installation:
ansible-galaxy install git+https://github.com/mindpointgroup/rhel7-stig
The ansible-galaxy
command will install the role into
/etc/ansible/roles/rhel7-stig
and this makes it easy to use with
Ansible playbooks.
Using git
¶
Start by cloning the role into a directory of your choice:
mkdir -p ~/.ansible/roles/
git clone https://github.com/mindpointgroup/rhel7-stig ~/.ansible/roles/rhel7-stig
Ansible looks for roles in ~/.ansible/roles
by default.
If the role is cloned into a different directory, that directory must be
provided with the roles_path
option in ansible.cfg
. The following is
an example of a ansible.cfg
file that uses a custom path for roles:
[DEFAULTS]
roles_path = /etc/ansible/roles:/home/myuser/custom/roles
With this configuration, Ansible looks for roles in /etc/ansible/roles
and
~/custom/roles
.
Usage¶
This role works well with existing playbooks. The following is an example of a basic playbook that uses this role:
---
- hosts: servers
become: yes
roles:
- role: rhel7-stig
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version | version_compare('7', '=')
The role is fully customizable by setting the variables provided in the defaults/main.yml
.
These variables are designed so that categories/severities or individual rules can be enabled,
disabled, or can alter configuration for various STIG items in the role. For more details
on the available variables, refer to the STIG Controls
section.
Note
The role requires elevated privileges and must be run as a user with sudo
access. The example above uses the become
option, which causes Ansible to use
sudo before running tasks.
Warning
It is strongly recommended to run the role in check mode (often called a
dry run) first before making any modifications. This gives the deployer
the opportunity to review all of the proposed changes before applying the
role to the system. Use the --check
parameter with ansible-playbook
to use check mode.