Test Kitchen Converge Stage

The converge stage uses Ansible Playbooks from the Ansible Lockdown project to apply hardening configurations, specifically the RHEL8-STIG playbook, and RedHat managed containers.

EC2 and Vagrant Converge

For EC2 and Vagrant, we use 'wrapper playbooks' for the 'vanilla' and 'hardened' suites.

• The 'vanilla' playbook establishes a basic test environment.
• The 'hardened' playbook applies the 'vanilla role' and the Ansible Lockdown RHEL8-STIG role to the 'hardened' target, using Ansible Galaxy, a requirements.txt, and Ansible Roles.

Some tasks in the hardening role were disabled for automated testing, but this doesn't significantly impact our security posture. We can still meet our validation and thresholds.

For more on using these playbooks, running Ansible, or modifying the playbooks, roles, and tasks, see the Ansible Project Website.

Find these roles and 'wrapper playbooks' in the spec/ directory.

Container Converge

We use RedHat vendor images for both the vanilla and hardened containers.

• vanilla: This container uses the registry.access.redhat.com/ubi8/ubi:8.9-1028 image from RedHat's community repositories.
• hardened: This container uses the registry1.dso.mil/ironbank/redhat/ubi/ubi8 image from Red Hat's Platform One Iron Bank project.

The Iron Bank UBI8 image is regularly patched, updated, and hardened according to STIG requirements.