- From the Defense Information Systems Agency (DISA)
- The STIG is released with a public domain license and it is commonly used to secure systems at public and private organizations around the world.
Both are well-known and widely respected benchmarks created for the industry. Neither is a compliance regime in itself, but both are commonly used as hardening baselines when working towards recognised compliance requirements (e.g. PCI DSS, HIPAA, SOC 2, NIST) and adopting security best practices.
What is provided?
-----------------
The content provided is open source licensed configurations to assist in achieving or auditing compliance to one of the benchmark providers listed above.
This consists of two components:
- Audit
- Remediate
Both can be run alone or in conjunction with each other.
We analyze each configuration control from the applicable benchmark to determine what impact it has on a live production environment, how best to audit the current configuration, and how to achieve the requirement using Ansible.
The role contains tasks that configure a host to meet the configuration requirements. Each task is documented to explain what was changed, why it was changed, and what deployers need to understand about the change.
Additionally, items that have configurable values (e.g. the number of failed password attempts before lockout) will generally have a corresponding variable that allows the applied value to be customized, so a deployer can tune a control to local policy without editing the task itself.
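As an illustration of that audit/remediate pattern, the following is an added example written for this page; it is not code from the roles themselves. It shows a single control (limiting failed login attempts via pam_faillock) in the style described above: an audit task that only reports, a remediation task that only runs when enabled, and a variable for the customizable value. The variable names `max_failed_logins`, `run_audit` and `run_remediate`, the tag names, and the assumption that the host reads `/etc/security/faillock.conf` (newer PAM; older systems configure pam_faillock or pam_tally2 directly in `/etc/pam.d/`) are all assumptions made for this example.

```yaml
# Added example, not part of the original roles.
# Assumed variables (would normally live in defaults/main.yml):
#   max_failed_logins: 5      # benchmark value; lower is stricter
#   run_audit: true
#   run_remediate: true

- name: "Audit | Read the current pam_faillock deny value"
  # Assumes faillock.conf is the effective configuration on this host.
  ansible.builtin.shell:
    cmd: grep -E '^\s*deny\s*=' /etc/security/faillock.conf | awk -F= '{print $2}' | tr -d ' '
  register: faillock_deny_current
  changed_when: false      # reading state is never a change
  failed_when: false       # a missing file/setting is a finding, not a task error
  check_mode: false        # still gather facts under --check
  when: run_audit | bool
  tags:
    - audit

- name: "Audit | Report a finding without changing the host"
  # An empty stdout renders as 0 through the int filter, so an unset
  # deny value fails the first condition and is reported as a finding.
  ansible.builtin.assert:
    that:
      - faillock_deny_current.stdout | int > 0
      - faillock_deny_current.stdout | int <= (max_failed_logins | int)
    fail_msg: >-
      pam_faillock deny is '{{ faillock_deny_current.stdout }}';
      expected a value between 1 and {{ max_failed_logins }}
    success_msg: "pam_faillock deny = {{ faillock_deny_current.stdout }} (compliant)"
  when: run_audit | bool
  tags:
    - audit

- name: "Remediate | Set pam_faillock deny to the configured limit"
  # Replaces an existing (possibly commented-out) deny line or appends one,
  # and creates the file with root-owned, world-readable permissions if absent.
  ansible.builtin.lineinfile:
    path: /etc/security/faillock.conf
    regexp: '^\s*#?\s*deny\s*='
    line: "deny = {{ max_failed_logins }}"
    create: true
    owner: root
    group: root
    mode: '0644'
  when: run_remediate | bool
  tags:
    - remediate
```

Running with `--tags audit` (or `run_remediate: false`) yields a report only; running with `--tags remediate` applies the change; running with both tags audits the starting state and then fixes it in the same play. The value a deployer chooses for `max_failed_logins` should come from their own policy, not just the benchmark default.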
It is imperative for each deployer to understand the regulations and compliance requirements that their organization and specific environments are responsible for meeting in order to effectively implement the controls in the relevant benchmark.