Ansible Lockdown Content Update
We’ve been busy at Ansible Lockdown HQ.
Over the last few months, our team has been busy updating our own Ansible Lockdown security compliance automation. To do this, we carried out a major review of our core Lockdown Enterprise features and functions to enable users to adopt security baseline policies like CIS STIG/DISA.
Lockdown Enterprise content – what’s changed?
Perhaps the biggest change you’ll see is a small, lightweight audit function that works independently of the current Ansible code base. This audit function works within your existing workflows to provide greater insight into the compliance of a system.
Why did we create this auditing function?
We added this auditing function because of feedback we continued to get from customers and what we saw while working directly with those clients. There seemed to be a common trend of false positives and negatives within audit scanning, a problem we knew we could solve. From there, we created an audit profile of our own to overcome some limitations in restrictive scripts that can provide false positive/negative audits as outlined in our previous compliance scanning blog.
What tools did we use?
We used an opensource tool called Goss that is written in Go. This tool allows us to provide audit functionality in a small, fast, and lightweight package. The audit functions can be run before or after any changes from benchmark controls are applied. The result? The audit function produces a text-based report with multiple output options to show the state of system’s compliance at both points in time.
This auditing tool is not only checking the files for configuration but where the configuration has been applied and active. From our current tests on a new build Linux server, we have seen full Linux OS compliance (I.e. RHEL7 STIG) audit complete in under a minute, as shown below.
What other new features have been added?
In addition to the auditing feature, other key Ansible Lockdown changes include:
- Updates to latest releases of the benchmarks, both CIS and STIG for Linux, in cadence with benchmark releases.
- Adoption of more modules within the Ansible framework
- Easier layout allowing easier adoption and quicker time to fix.
- Improved speed and efficiency.
- Greater use of variables to enable more bespoke checks.
- Compliance with later versions of Ansible.
- Use of wiki documentation and GitHub pages.
- Improved documentation overall.
Where can I go to learn more?
We are continuing to work closely with the opensource community and our own Ansible Counselor clients to extend automating compliance even further. More changes will be coming in the following months, but in the meantime, you can get started by downloading Lockdown Enterprise here.