TickYouOff

Red Hat Ansible Automation Controller STIG (Y26M01)

Hard 22 items · 4 hours
testuser Published 1 month ago

This checklist converts the DISA STIG guidance for Red Hat Ansible Automation Controller into practical hardening and compliance tasks. It is for system administrators, security engineers, and auditors who manage Ansible Automation Platform deployments and need a structured list of controls to validate and remediate, with the STIG itself remaining the authoritative source for each check.

Source: https://ncp.nist.gov/checklist/1057

  1. Download the Red Hat Ansible Automation Controller STIG and XCCDF files from DISA — Get the latest STIG package (the XCCDF benchmark ships inside the STIG zip) from the DISA STIG library at public.cyber.mil or cyber.mil
  2. Verify Ansible Automation Platform version 2.2 is installed — Confirm the controller version matches the STIG scope
  3. Review Red Hat installation and product documentation — Follow vendor install guides before applying STIG settings
  4. Test configurations in a representative staging environment — Mirror production architecture to validate functionality
  5. Integrate controller with central IAM (SSO/LDAP) — Use enterprise identity provider for authentication
  6. Enforce role-based access control and least privilege — Define roles and remove unnecessary admin rights
  7. Remove or disable default and unused accounts — Eliminate default credentials and orphaned users
  8. Configure TLS/HTTPS for the controller web UI — The controller's web front end is nginx; serve the UI and API only over HTTPS and redirect plain HTTP
  9. Install a trusted TLS certificate from your CA — Avoid self-signed certs in production
  10. Verify certificate chain and enforce strong TLS ciphers — Confirm the full chain (including intermediates) is served, disable SSLv3/TLS 1.0/TLS 1.1, allow only TLS 1.2/1.3 with AEAD suites (AES-GCM, ChaCha20-Poly1305)
  11. Harden the PostgreSQL database for the controller — Applies whether the installer-managed database or an external PostgreSQL server is used
  12. Require strong DB authentication and encrypt connections — Use scram-sha-256 (not md5, password, or trust) in pg_hba.conf and require TLS with hostssl rules
  13. Limit network access to the database host — Restrict via firewall rules, the address column of pg_hba.conf, and listen_addresses in postgresql.conf
  14. Enable encrypted database backups and secure storage — Encrypt backups and control access to them
  15. Enable and forward logs to a central logging system — Include controller, automation, and system logs
  16. Enable audit logging and set retention policies — Ensure retention meets compliance requirements
  17. Apply OS and controller product security patches — Keep host OS and Ansible components up to date
  18. Run an automated STIG compliance scan using XCCDF/SCAP — Evaluate the downloaded XCCDF benchmark against the controller with an SCAP scanner (e.g. oscap xccdf eval); checks the benchmark does not automate must still be worked through manually
  19. Review scan findings and remediate non-compliant items — Record remediation actions and dates
  20. Backup controller configuration and database before changes — Snapshot configs and DB to enable rollback
  21. Document exceptions and obtain AO approval for deviations — Capture risk acceptance and justification
  22. Maintain change log and update checklist with version info — Record STIG version, update dates, and changelog
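As an added example (not from the STIG, DISA, or Red Hat's own tooling), the following POSIX shell script audits two of the files those items concern against the hardening intent above: pg_hba.conf for items 12 and 13, and the nginx server configuration for item 10. It runs offline against constructed sample files; the live file locations mentioned in the comments are assumptions to be confirmed on the host.

```shell
#!/bin/sh
# Added example, not part of the STIG or of Red Hat's product code: an offline
# audit of controller configuration files against checklist items 10, 12 and 13.
# The sample contents and the live paths mentioned below are assumptions.

# audit_pg_hba FILE: flag pg_hba.conf rules that accept unencrypted TCP
# connections ("host"/"hostnossl" instead of "hostssl"), use weak or
# passwordless auth (trust, password, md5, ident), or accept any source address.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_pg_hba() {
    findings=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            type = $1
            if (type == "local") { addr = "-"; method = $4 }
            else {
                addr = $4; method = $5
                # "ADDRESS NETMASK" form: the method moves one column right
                if (method ~ /^[0-9.]+$/) { addr = addr "/" method; method = $6 }
            }
            if (type == "host")      print "plaintext-allowed: " $0
            if (type == "hostnossl") print "plaintext-only: " $0
            if (method == "trust" || method == "password" || method == "md5" || method == "ident")
                print "weak-auth(" method "): " $0
            if (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all")
                print "open-address: " $0
        }' "$1")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# audit_nginx_tls FILE: flag legacy protocols in ssl_protocols and weak
# algorithms in ssl_ciphers (the controller's web front end is nginx).
audit_nginx_tls() {
    rc=0
    protos=$(awk '$1 == "ssl_protocols" { $1 = ""; sub(/;.*$/, ""); print }' "$1")
    if [ -z "$protos" ]; then echo "ssl_protocols not set: default depends on nginx version"; rc=1; fi
    for p in $protos; do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "legacy-protocol: $p"; rc=1 ;;
        esac
    done
    ciphers=$(awk '$1 == "ssl_ciphers" { $1 = ""; sub(/;.*$/, ""); print }' "$1" | tr -d "\"'")
    if [ -z "$ciphers" ]; then echo "ssl_ciphers not set: relying on the OpenSSL default list"; rc=1; fi
    old_ifs=$IFS; IFS=': '
    for tok in $ciphers; do
        case $tok in
            ""|!*) ;;                      # skip empties and exclusions such as !aNULL
            *RC4*|*DES*|*NULL*|*MD5*|*EXPORT*|*ADH*|*AECDH*) echo "weak-cipher: $tok"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# write_samples DIR: constructed weak and hardened samples for the demo below.
write_samples() {
    cat > "$1/pg_hba.weak.conf" <<'EOF'
local   all   all                     trust
host    all   all   0.0.0.0/0         md5
host    all   awx   10.0.0.0/8        password
hostssl all   awx   10.10.1.5/32      scram-sha-256
EOF
    cat > "$1/pg_hba.hardened.conf" <<'EOF'
local   all   all                     peer
hostssl all   awx   10.10.1.5/32      scram-sha-256
hostssl all   awx   10.10.1.6/32      scram-sha-256 clientcert=verify-full
EOF
    cat > "$1/nginx.weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:RC4-SHA:!aNULL";
}
EOF
    cat > "$1/nginx.hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!MD5';
    ssl_prefer_server_ciphers on;
}
EOF
}

# Demo on the samples. On a live controller point the functions at the database
# server's pg_hba.conf and at /etc/nginx/nginx.conf (assumed locations).
dir=$(mktemp -d)
write_samples "$dir"
for f in pg_hba.weak pg_hba.hardened nginx.weak nginx.hardened; do
    echo "== $f.conf"
    case $f in pg_hba.*) fn=audit_pg_hba ;; *) fn=audit_nginx_tls ;; esac
    if "$fn" "$dir/$f.conf"; then echo "no findings"; fi
done
rm -rf "$dir"
```

The weak samples produce six pg_hba.conf findings (plaintext rules, md5/password/trust auth, an any-address rule) and three nginx findings (TLS 1.0, TLS 1.1, RC4), while the hardened samples produce none. The script is a pre-check for item 18, not a replacement for it: the SCAP scan against the DISA benchmark is still the compliance record.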