Getting Started with Lockdown

We've combined our many decades of security baselining experience with our significant Ansible automation skills to create what we think is simply the best and most functional baseline automation content around.

Let's get automating (baselines)!

Before You Start

As with any Playbook that makes changes to a system, it may have undesired results on your system. Here are some steps and precautions you should take before getting started:

Understand the impact of the changes to the system and its function.
Align it to your environment and policies using the variables and options available to you.
If you are using a scanner (e.g. Nessus/OpenSCAP) to report on scores, keep in mind that:

80%+ is reasonable expectation. Minimal impact and changes.
100% you would normally need to change infrastructure and practices.

Dependencies

You need an Ansible control node with:

Ansible 2.9+
Python 3.6+
Python Modules

pywinrm or pypsrp pip modules (for Windows)
python2-passlib (or just passlib, if using python3)
python-lxml (STIG only)
python-xmltodict (STIG only OpenSCAP install)
python-jmespath (STIG only)

A copy of the Lockdown repo
A test endpoint on which to apply configurations that is built to an expected standard for your environment

Making it Work For You

Variables and options

Lockdown comes with a multitude of options that you can enable or disable as you wish. These can be highly tailored to your requirements using inventory and group variables. This can be utilized for different environment variables or system function.

defaults/main.yml

This contains all the Boolean settings, that will command it to run or not. It also contains any variables you may wish to make specific to your needs.

CIS Examples (refer to README file for Playbook specifics):

Related rule checks

rhel8cis_rule_1_1_1_1: true

Sections

rhel8cis_section1: true

Services

rhel8cis_dhcp_server: false

Type of system

rhel8cis_system_is_container: false

Environmental or OS specific

rhel8cis_selinux_disable: true 
rhel8cis_ipv6_required: true 
rhel8cis_time_Syncronization: chrony 
rhel8_cis_time_syncronization_servers:
       0.pool.ntp.org 
       1.pool.ntp.org 

Running the Playbook

As with any Playbook, locations may be different in your implementation.
For Example

ansible-playbook -l {{ limit hosts/groups if applicable }} -I {{ path to the inventory of servers you want to use }} {{ relative path to site.yml }}

Getting Started with Lockdown

Before You Start

Dependencies

Making it Work For You

Variables and options

CIS Examples (refer to README file for Playbook specifics):

Running the Playbook

Tags

Additional Resources

Call the Experts

Need more help? Our experts are ready and waiting to answer your questions.