Test Kitchen - Converge
Test Kitchen Converge Stage
The converge
stage uses Ansible Playbooks from the Ansible Lockdown project to apply hardening configurations, specifically the RHEL8-STIG playbook, and RedHat managed containers.
EC2 and Vagrant Converge
For EC2 and Vagrant, we use 'wrapper playbooks' for the 'vanilla' and 'hardened' suites.
- The 'vanilla' playbook establishes a basic test environment.
- The 'hardened' playbook applies the 'vanilla role' and the Ansible Lockdown RHEL8-STIG role to the 'hardened' target, using Ansible Galaxy, a
requirements.txt
, and Ansible Roles.
Some tasks in the hardening role were disabled for automated testing, but this doesn't significantly impact our security posture. We can still meet our validation and thresholds.
For more on using these playbooks, running Ansible, or modifying the playbooks, roles, and tasks, see the Ansible Project Website.
Find these roles and 'wrapper playbooks' in the spec/ directory.
Container Converge
We use RedHat vendor images for both the vanilla
and hardened
containers.
vanilla
: This container uses theregistry.access.redhat.com/ubi8/ubi:8.9-1028
image from RedHat's community repositories.hardened
: This container uses theregistry1.dso.mil/ironbank/redhat/ubi/ubi8
image from Red Hat's Platform One Iron Bank project.
The Iron Bank UBI8 image is regularly patched, updated, and hardened according to STIG requirements.