Ansible role to automate base BIG-IP hardening, and STIG/SRG configuration.
Requirements:
- Ansible 2.2 or greater
STIG, SRG, CVE, NIST SP 800-53r4 controls, and general hardening items addressed by this role:
- NIST SP 800-53r4 - Password Strength Policy — IA-5(1)
- NIST SP 800-53r4 - Usage banner — AC-8
- NIST SP 800-53r4 - Maximum Failed Login Attempts — AC-7
- NIST SP 800-53r4 / STIG NET1639 - Idle Timeouts for Management Access — AC-2(5), SC-10
- NIST SP 800-53r4 - Session Locking and Termination — AC-11, AC-12 (Advice-only block)
- NIST SP 800-53r4 / STIG NET0812 - NTP Configuration — AU-8(1,2)
- STIG NET1645 - SSHD Lockdown
- STIG NET0405 - Call Home Disable
- STIG NET1665 - Remove default SNMP communities
- STIG NET0700 - Appliance Mode
Available variables are listed below, along with their default values (see defaults/main.yml):
```yaml
bigiq_hardening_server: localhost
bigiq_hardening_server_port: 443
bigiq_hardening_user: admin
bigiq_hardening_password: secret
bigiq_hardening_validate_certs: no
bigiq_hardening_transport: rest
bigiq_hardening_timeout: 120
```
Establishes the initial connection to your BIG-IP. These values are substituted into your provider module parameter.
```yaml
bigip_hardening_sshd_banner: enabled
```
Specifies whether the SSHD banner should be enabled on the BIG-IP.
bigip_hardening_sshd_banner_text
bigip_hardening_sshd_include
bigip_hardening_sshd_timeout
bigip_hardening_ntp_servers
Specifies the NTP servers to define on the BIG-IP.
Dependencies: none.
```yaml
- name: Run hardening tasks on BIG-IP
  hosts: bigip
  vars_files:
    - vars/main.yml
  roles:
    - { role: f5devcentral.bigip_hardening }
```
Inside vars/main.yml:
```yaml
bigiq_onboard_server: bigiq01.domain.org
bigiq_onboard_password: secret
bigiq_onboard_new_root_password: New_Admin_Secret123
bigiq_onboard_old_root_password: default
bigiq_onboard_new_admin_password: New_Root_Secret123
bigiq_onboard_old_admin_password: admin
bigiq_onboard_master_passphrase: M@sterPassphrase1234
bigiq_onboard_dns_nameservers:
  - 10.10.10.10
bigiq_onboard_dns_search:
  - domain.org
bigiq_onboard_timezone: America/Los_Angeles
bigiq_onboard_license_key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX
```
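A complete playbook that ties the connection and hardening variables above to the role invocation, as an added example that is not from the role's README or code: pre_tasks refuse to run with the README's placeholder password or with certificate validation switched off, the role then applies the hardening, and post_tasks read the result back with bigip_command and assert on it, a cheap post-change check that the SSHD, NTP and SNMP controls really landed. The assert and bigip_command modules and the provider keys (server, server_port, user, password, validate_certs, transport, timeout) are real; the inventory group, the vault_bigip_admin_password variable, the lab_mode override, and the exact tmsh output strings matched (banner enabled, inactivity-timeout, community-name public) are assumptions to confirm against your own device.

```yaml
# Added example, not part of the f5devcentral.bigip_hardening role.
# Assumes an inventory group "bigip" and a vault-encrypted admin password
# supplied as vault_bigip_admin_password (group_vars or --extra-vars).
- name: Harden BIG-IP with pre-flight checks and post-change verification
  hosts: bigip
  connection: local
  gather_facts: false
  vars:
    bigiq_hardening_server: "{{ inventory_hostname }}"
    bigiq_hardening_server_port: 443
    bigiq_hardening_user: admin
    bigiq_hardening_password: "{{ vault_bigip_admin_password }}"  # assumed vault variable
    bigiq_hardening_validate_certs: yes
    bigiq_hardening_transport: rest
    bigiq_hardening_timeout: 120
    bigip_hardening_sshd_banner: enabled
    bigip_hardening_sshd_timeout: 600      # seconds; assumed value
    bigip_hardening_ntp_servers:
      - 10.10.10.5                         # constructed sample server
    # Same settings the role substitutes into its provider parameter,
    # assembled here so the verification task below can reuse them.
    provider:
      server: "{{ bigiq_hardening_server }}"
      server_port: "{{ bigiq_hardening_server_port }}"
      user: "{{ bigiq_hardening_user }}"
      password: "{{ bigiq_hardening_password }}"
      validate_certs: "{{ bigiq_hardening_validate_certs }}"
      transport: "{{ bigiq_hardening_transport }}"
      timeout: "{{ bigiq_hardening_timeout }}"

  pre_tasks:
    - name: Refuse to run with the README's placeholder credentials
      assert:
        that:
          - bigiq_hardening_password != 'secret'
          - bigiq_hardening_password | length >= 12
        msg: "bigiq_hardening_password still has a placeholder or weak value"
      no_log: true   # keep the password out of the play output

    - name: Refuse to skip TLS verification outside a lab
      assert:
        that:
          - bigiq_hardening_validate_certs | bool
        msg: "validate_certs must stay enabled so admin credentials are not exposed to an on-path host"
      when: not (lab_mode | default(false) | bool)   # lab_mode is an assumed override variable

  roles:
    - role: f5devcentral.bigip_hardening

  post_tasks:
    # bigip_command returns one stdout entry per tmsh command, in order.
    # On collection-based installs use f5networks.f5_modules.bigip_command.
    - name: Read the hardened settings back with tmsh
      bigip_command:
        commands:
          - list sys sshd
          - list sys ntp
          - list sys snmp communities
        provider: "{{ provider }}"
      register: readback

    - name: Verify the SSHD banner and idle timeout are configured
      assert:
        that:
          - "'banner enabled' in readback.stdout[0]"
          - "'inactivity-timeout ' ~ bigip_hardening_sshd_timeout in readback.stdout[0]"
        msg: "sys sshd does not show the expected banner/timeout; see readback.stdout_lines[0]"

    - name: Verify every configured NTP server is present
      assert:
        that: item in readback.stdout[1]
        msg: "NTP server {{ item }} missing from sys ntp"
      loop: "{{ bigip_hardening_ntp_servers }}"

    - name: Verify the default public SNMP community is gone
      assert:
        that:
          - "'community-name public' not in readback.stdout[2]"
        msg: "default SNMP community still present; see readback.stdout_lines[2]"
```

Run it as ansible-playbook harden.yml; with lab_mode=true passed as an extra variable the TLS check is skipped for self-signed lab devices, while the credential check always applies. The verification tasks only read configuration, so they are safe to rerun on a schedule as a drift check.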
License: Apache
This role was created in 2018 by Tim Rupp.
This role is based in large part on the work done by the following individuals