Get the Most Out of Lockdown Enterprise
So, you’ve downloaded Lockdown Enterprise and you’re wondering what to do next. Here is some information to help you get the most out of the content and improve your compliance and system security.
Key Features
- Scoring – Allows pre- and post-remediation scoring (i.e. validation)
- Drift control – Allows multiple runs on your new or existing IT environment
- Customizable – Decide, based on customer need, whether or not to run certain categories of controls
- 80%-90% is a reasonable expectation. Minimal impact and changes.
- 90-98% will typically require changes to infrastructure and practices.
- 98%+ Incredibly hard to attain and still have a functional system.
Applying Lockdown in Net-New Environments
- Deploy the Playbook natively using the Ansible command line.
- Deploy the Playbook as a scheduled job within Ansible Tower or AWX.
- Deploy the Playbook via Refactr platform custom pipeline.
- Deploy the Playbook via a CI/CD pipeline of your choice.
- Deploy the Playbook as Ansible Collections with multiple Roles in one.
Applying Lockdown to Existing Environments
Running and re-running the Playbook will catch misconfigurations, drift, or changed baselines.
Other OS Platforms
Lockdown Enterprise has your operating system baseline covered. The Role content provides guidelines according to DISA and CIS for various controls that keep your systems compliant.
1. Security Technical Implementation Guides (STIGs)
- Red Hat Enterprise Linux/CentOS 8
- Red Hat Enterprise Linux/CentOS 7
- Red Hat Enterprise Linux/CentOS 6
- Ubuntu LTS 18.04
- Ubuntu LTS 20.04
- Windows Server 2008 R2
- Windows Server 2016
- Windows Server 2019
2. Center for Internet Security (CIS)
- Red Hat Enterprise Linux/CentOS 8
- Red Hat Enterprise Linux/CentOS 7
- Ubuntu LTS 18.04
- Ubuntu LTS 20.04
- Windows Server 2016
- Windows Server 2019
Applications
1. Security Technical Implementation Guides (STIGs)
- PostgreSQL 9
- Apache Tomcat 9
- Apache httpd 2.4
2. Center for Internet Security (CIS)
- Apache httpd 2.4
Integrations
1. CI/CD
- Our Roles are written with a top-level site.yml that will trigger the Role within itself by referencing its own directories. This makes it very easy to add our Role into your CI/CD pipelines by referencing our site.yml.
- It is easy to integrate into collections or import into an Ansible Tower job template.
2. Manual
- You can easily run Lockdown Roles from the command line. To do this, you will need to have a valid inventory set up and you will need to edit the defaults/main.yml within the Role to apply your changes.
- To run this Playbook, run the following:
ansible-playbook -i inventory site.yml
3. Other Management Tooling
- Our Role integrates very easily with Ansible Tower to add Role-based access and allows you to schedule these baselines to run. You can create many different templates for many different scenarios based on what controls are enabled.
- For example, you can create a template to run once a day to apply only RHEL 8 STIG Category 1 fixes, then create another template to run once a week to apply the RHEL 8 STIG Category 2 fixes.