Get the Most Out of Lockdown
So, you’ve downloaded Lockdown and you’re wondering what to do next. Here is some information to help you get the most out of the content and improve your compliance and system security.
Key Features
- Scoring – Allows pre- and post-remediation scoring (i.e. validation)
- Drift control – Allows repeated runs on your new or existing IT environment
- Customizable – Decide, based upon customer need, whether or not to run certain categories of controls
- 80%-90% is a reasonable expectation, with minimal impact and changes.
- 90%-98% will typically require changes to infrastructure and practices.
- 98%+ is incredibly hard to attain while still having a functional system.
Applying Lockdown in Net-New Environments
- Deploy the Playbook natively using the Ansible command line.
- Deploy the Playbook as a scheduled job within Ansible Automation Controller or AWX.
- Deploy the Playbook via Refactr platform custom pipeline.
- Deploy the Playbook via a CI/CD pipeline of your choice.
- Deploy the Playbook as Ansible Collections with multiple Roles in one.
Applying Lockdown to Existing Environments
Running and re-running the Playbook will catch misconfigurations, drift, or changed baselines.
OS Platforms
Lockdown has your operating system baseline covered. The Role content implements the DISA and CIS guidelines for the various controls that keep your systems in compliance.
- AMAZON Linux 2
- AMAZON Linux 2023
- RHEL 9 / Rocky 9 / Alma 9
- RHEL 8 / Rocky 8 / Alma 8
- RHEL 7 / Rocky 7 / Alma 7
- Ubuntu 24 | 22 | 20 | 18
- Windows Server 2022 | 2019 | 2016
- Windows Firewall and Advanced Security
Networking
- CISCO L2 IOS Switches
Applications
- PostgreSQL 12 | 9
- Apache Tomcat 9
- Apache HTTP
Integrations
1. CI/CD
- Our Roles are written with a top-level site.yml that invokes the Role by referencing its own directories. This makes it very easy to add our Role to your CI/CD pipelines by referencing our site.yml.
- It is easy to integrate into collections or import into an Ansible Tower job template.
2. Manual
- You can easily run Lockdown Roles from the command line. To do this, you will need a valid inventory set up, and you will need to edit the defaults/main.yml within the Role to apply your changes.
- To run this Playbook, you would perform the following:
ansible-playbook -i inventory site.yml
3. Other Management Tooling
- Our Role integrates very easily with Ansible Tower to add role-based access and allows you to schedule these baselines to run. You can create many different templates for many different scenarios based on which controls are enabled.
- For example, you can create a template that runs once a day to apply only the RHEL 8 STIG Category 1 fixes, then create another template that runs once a week to apply the RHEL 8 STIG Category 2 fixes.
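The following site.yml is an added illustration of the manual run and the daily/weekly category templates described above; it is not the Lockdown project's own site.yml. It assumes the RHEL8-STIG role has been cloned into a `roles/` directory next to the playbook and that the role exposes per-category switches named `rhel8stig_cat1_patch`, `rhel8stig_cat2_patch` and `rhel8stig_cat3_patch` plus `cat1`/`cat2`/`cat3` tags; confirm those names against the role's own defaults/main.yml before relying on them.

```yaml
# site.yml: wraps a Lockdown role so the same file can be run from the
# command line, a CI/CD pipeline, or an Ansible Tower/AWX job template.
# Added example; role path and variable names are assumptions to verify.
- name: Apply the RHEL 8 STIG baseline
  hosts: rhel8            # inventory group, e.g. "[rhel8]" in ./inventory
  become: true
  vars:
    # Category switches (assumed names). Defaults here enable only Category 1
    # so a scheduled run never applies more than the template intended.
    rhel8stig_cat1_patch: true
    rhel8stig_cat2_patch: false
    rhel8stig_cat3_patch: false
  roles:
    - role: RHEL8-STIG

# Usage (from the directory containing site.yml and inventory):
#
# Pre-remediation validation / drift check without changing anything:
#   ansible-playbook -i inventory site.yml --check --diff
#
# Daily template: Category 1 fixes only (tags limit which tasks run):
#   ansible-playbook -i inventory site.yml --tags cat1
#
# Weekly template: Category 2 fixes, overriding the default switch with
# an extra var instead of editing defaults/main.yml in the role:
#   ansible-playbook -i inventory site.yml --tags cat2 -e rhel8stig_cat2_patch=true
```

In Tower or AWX, each of the two scheduled templates points at this one playbook and differs only in its job tags and extra variables, so the baseline content itself is never duplicated between schedules. Re-running the `--check --diff` form before and after a remediation run gives you the pre/post comparison that the Scoring and Drift control features are meant for: any task that still reports `changed` on a later run is a setting that has drifted from the baseline.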