An Ansible-based automation tool to remediate and enforce DISA STIG compliance on RHEL 7 systems.
Automated STIG Benchmark Compliance Remediation for RHEL 7 with Ansible
This tool is designed for system administrators and security professionals who need to automate the remediation of DISA STIG compliance issues on RHEL 7 servers. It is used after conducting compliance audits to automatically fix non-disruptive and optionally disruptive security findings, ensuring systems meet stringent security benchmarks.
This role modifies system configurations and should only be used after a compliance audit has been conducted; it is not an auditing tool itself. Check mode is not supported and may produce misleading results. The role was developed and tested on clean installs of RHEL 7, so existing systems should be reviewed carefully before applying it. Since RHEL 7 is end-of-life and its DISA STIG has been archived, this tool is archived as well and may require additional testing for newer environments.
Ensure Ansible is installed on the control machine
Clone the repository: git clone https://github.com/ansible-lockdown/RHEL7-STIG.git
Navigate to the role directory or include it in your Ansible playbook roles path
Review and customize variables, especially for disruptive remediation (`rhel7stig_disruption_high`)
Run the Ansible playbook applying the RHEL7-STIG role against your target RHEL 7 system
ansible-playbook -i inventory rhel7stig.yml
Run the Ansible playbook that applies the RHEL7-STIG role to remediate compliance issues on target hosts.
Set variable `rhel7stig_disruption_high=true` in playbook or inventory
Enable remediation of disruptive findings that may impact system availability or functionality.
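A minimal playbook wiring up the role, added here as an example rather than the project's own rhel7stig.yml; the inventory group name `rhel7_servers` and the role location `roles/RHEL7-STIG` (the cloned repository) are assumptions:

```yaml
# rhel7stig.yml (example playbook, not the project's own file)
# Applies the RHEL7-STIG remediation role to the hosts in one inventory group.
# Run with:  ansible-playbook -i inventory rhel7stig.yml
# The role does not support check mode (--check), so there is no safe dry run:
# apply it to a test host built from a clean RHEL 7 install first.
- name: Remediate DISA STIG findings on RHEL 7
  hosts: rhel7_servers          # assumed inventory group name
  become: true                  # remediation rewrites system configuration, so it needs root
  vars:
    # Disruptive fixes stay off by default. Set this to true here, in the
    # inventory, or on the command line (-e rhel7stig_disruption_high=true)
    # only after the impact on affected services has been reviewed.
    rhel7stig_disruption_high: false
  roles:
    - role: RHEL7-STIG          # assumed: repository cloned into ./roles/RHEL7-STIG
```

Once the non-disruptive pass has been verified on a test host, the same playbook can be rerun with `-e rhel7stig_disruption_high=true` to apply the disruptive findings.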