I'm looking for strategies to maintain STIG compliance on our RHEL systems every quarter without falling into the trap of compliance creep. We currently use prebaked config files, but I'm curious if there are more efficient methods out there. What do you all do to keep your RHEL boxes and VMs compliant?
2 Answers
Automating the process with Ansible seems like the way to go for most people. It's an effective tool to keep everything in line with STIG requirements without much manual work.
I've been using a GitHub collection specifically designed for STIG compliance. You can find it here: https://github.com/RedHatOfficial/ansible-role-rhel8-stig. Also, check out the CIS benchmarks at https://github.com/ansible-lockdown/RHEL9-CIS - they work pretty well! Just remember to adjust the settings to prevent any unwanted changes that could disrupt your system's usability.
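Added example, not from the thread or either linked project: a quarterly playbook that wraps a STIG role so a dry run reports drift first, backs up the SSH config before enforcement, and verifies the result. The role directory name, inventory group, and the override variable under `vars` are assumptions; the real variable and tag names come from the role's `defaults/main.yml` and task tags.

```yaml
# stig-quarterly.yml (added example; role path and variable names are assumed)
#
# Audit only, report what would change without touching the host:
#   ansible-playbook -i inventory stig-quarterly.yml --check --diff
# Enforce, skipping a control tagged in the role that breaks your workload:
#   ansible-playbook -i inventory stig-quarterly.yml --skip-tags <role-tag>
- name: Quarterly RHEL STIG baseline
  hosts: rhel_servers          # assumed inventory group
  become: true
  vars:
    # Hypothetical override: the role's own variable name must be looked up
    # in defaults/main.yml; this is where usability-breaking controls are
    # tuned instead of editing prebaked config files by hand.
    example_rule_to_skip: false

  pre_tasks:
    - name: Keep a dated copy of sshd_config before any hardening runs
      ansible.builtin.copy:
        src: /etc/ssh/sshd_config
        dest: "/root/sshd_config.{{ ansible_date_time.date }}.bak"
        remote_src: true
        mode: "0600"

  roles:
    # Directory name after cloning the linked repository (assumed)
    - role: ansible-role-rhel8-stig

  post_tasks:
    - name: Confirm the hardened sshd_config still parses before it goes live
      ansible.builtin.command: sshd -t
      changed_when: false

    - name: Record which hosts were enforced this quarter
      ansible.builtin.debug:
        msg: "STIG baseline applied on {{ inventory_hostname }} ({{ ansible_date_time.date }})"
```

Run the `--check --diff` form against every host before the enforcing run; the diff is the drift report for the quarter, and any control that shows up as changing something you did not expect gets an override or a skipped tag rather than a manual fix afterwards.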
I'll definitely take a look at the CIS benchmark. Sounds useful!