Getting Started with Lockdown
We've combined our many decades of security baselining experience with our significant Ansible automation skills to create what we think is simply the best and most functional baseline automation content around.
Let's get automating (baselines)!
Before You Start
As with any Playbook that makes changes to a system, it may have undesired results on your system. Here are some steps and precautions you should take before getting started:
- Understand the impact of the changes to the system and its function.
- Align it to your environment and policies using the variables and options available to you.
- If you are using a scanner (e.g. Nessus/OpenSCAP) to report on scores, keep in mind that:
  - 80%+ is a reasonable expectation, with minimal impact and changes.
  - Reaching 100% normally requires changes to infrastructure and practices.
Dependencies
You need an Ansible control node with:
- Ansible 2.9+
- Python 3.6+
- Python modules:
  - pywinrm or pypsrp pip modules (for Windows)
  - python2-passlib (or just passlib, if using Python 3)
  - python-lxml (STIG only)
  - python-xmltodict (STIG only, OpenSCAP install)
  - python-jmespath (STIG only)
- A copy of the Lockdown repo
- A test endpoint on which to apply configurations that is built to an expected standard for your environment
Making it Work For You
Variables and options
Lockdown comes with a multitude of options that you can enable or disable as you wish. These can be tailored closely to your requirements using inventory and group variables, so that different environments or system functions receive different settings.
The variable set contains every Boolean that decides whether a given control runs or not, together with any values you may wish to make specific to your needs.
CIS examples (refer to the README file for Playbook specifics). Variables cover:
- Related rule checks
- Sections
- Services
- Type of system
- Environmental or OS-specific settings

rhel8cis_ipv6_required: true
rhel8cis_time_synchronization: chrony
rhel8cis_time_synchronization_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
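As an added example (not from the Lockdown docs or repository), the following shows where these variables normally live in practice: a group_vars file that overrides the role defaults for one host group, and a minimal site.yml that applies the role to that group. The group name cis_servers is hypothetical, the rhel8cis_rule_1_1_1_1 toggle follows the role's per-rule naming convention but is assumed here (check the role's defaults/main.yml), and the role is assumed to be checked out under roles/RHEL8-CIS.

```yaml
# group_vars/cis_servers.yml (constructed example)
# Anything set here overrides the role defaults for every host in the
# cis_servers inventory group; other groups keep the defaults.
rhel8cis_ipv6_required: true
rhel8cis_time_synchronization: chrony
rhel8cis_time_synchronization_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
# Per-rule Boolean toggle (assumed name, per the role's convention):
# switch off a single control that conflicts with local policy rather
# than editing the role itself, and record why in the inventory.
rhel8cis_rule_1_1_1_1: false   # e.g. a filesystem control not applicable here

---
# site.yml (constructed example)
# Run this first with --check --diff against your test endpoint to review
# the changes, then for real; use --tags to limit the run to one section.
- name: Apply the CIS RHEL 8 baseline
  hosts: cis_servers
  become: true
  roles:
    - RHEL8-CIS
```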
Running the Playbook
As with any Playbook, file locations may differ in your implementation.
For example:
Tags
The Playbook has many tag options, so you can run an ad hoc subset of controls without amending all the variables.
A tag is selected as follows, e.g.:
ansible-playbook site.yml --tags="patch"