Technical Defense Blog
Infrastructure & Security

Deep dives into infrastructure, security research, and defense technology

Security October 2025

Compliance as Code: Automating RHEL Security with Ansible

15 min read
Compliance Ansible RHEL STIG Security

Red Hat's Compliance as Code approach transforms security hardening from manual checklists into automated, version-controlled Ansible playbooks. Learn how to implement DISA STIG compliance across RHEL infrastructure with simple true/false configuration switches.

What is Compliance as Code?

Compliance as Code extends the Infrastructure as Code (IaC) paradigm to security compliance. Instead of manually applying security controls from lengthy PDF documents (like DISA STIGs or CIS Benchmarks), compliance requirements are codified into automated, repeatable, and testable configurations.

Red Hat's approach leverages Ansible automation to apply security baselines consistently across entire fleets of RHEL systems, ensuring:

  • Consistency: Same security posture across all systems
  • Repeatability: Deploy compliant systems at scale
  • Version Control: Track compliance changes over time with Git
  • Auditability: Automated compliance reporting and evidence collection
  • Agility: Rapidly update configurations as requirements evolve

DISA STIG Automation with Ansible

The ansible-role-rhel9-stig repository provides a production-ready Ansible role that implements all DISA STIG controls for RHEL 9. This role transforms a 400+ page security technical implementation guide into automated configuration management.

Key Features:

  • Comprehensive Coverage: All DISA STIG V1R1 controls for RHEL 9
  • Idempotent: Safe to run multiple times without side effects
  • Customizable: Toggle individual controls via simple YAML variables
  • Reporting: Generates compliance reports post-execution
  • CI/CD Ready: Integrate into automated deployment pipelines

Implementation Architecture

Traditional Approach

  • Read 400+ page STIG PDF
  • Manually configure each control
  • Document changes in spreadsheet
  • Hope configurations don't drift
  • Manual re-checks for compliance
  • Weeks to harden a fleet

Compliance as Code

  • Edit YAML configuration file
  • Run Ansible playbook
  • Git tracks all changes
  • Automated drift detection
  • Continuous compliance validation
  • Minutes to harden a fleet

Configuration Example

The power of Compliance as Code lies in its simplicity. Here's how to customize STIG controls in the defaults/main.yml file:

# Enable/disable specific STIG controls
rhel9stig_cat1_patch: true   # Apply Category 1 (Critical) controls
rhel9stig_cat2_patch: true   # Apply Category 2 (High) controls
rhel9stig_cat3_patch: false  # Skip Category 3 (Medium) controls

# Customize specific controls for your organization
rhel9stig_sssd_offline_cred_expiration: 1  # Days before cached credentials expire
rhel9stig_pass_min_length: 15              # Minimum password length
rhel9stig_pass_max_days: 60                # Maximum password age

# Toggle individual STIG rules
rhel9stig_rule_010010: true  # RHEL 9 must be a vendor-supported release
rhel9stig_rule_010020: true  # RHEL 9 must display Standard Mandatory DoD Notice
rhel9stig_rule_020010: true  # RHEL 9 must implement NIST FIPS-validated cryptography

# Skip rules that don't apply to your environment
rhel9stig_rule_230285: false # Skip if not using GUI
rhel9stig_rule_230310: false # Skip if wireless not present

Deployment Workflow

Integrating STIG automation into your infrastructure deployment pipeline:

  1. Define Baseline: Fork the ansible-role-rhel9-stig repository
  2. Customize Defaults: Edit defaults/main.yml to match organizational requirements
  3. Version Control: Commit configurations to private Git repository
  4. Test in Dev: Apply playbook to development VMs and validate
  5. Automate: Integrate into CI/CD pipeline for all RHEL deployments
  6. Continuous Compliance: Schedule periodic playbook runs to prevent drift
  7. Audit: Generate compliance reports for security assessments

Benefits for Defense Infrastructure

In defense and intelligence environments, Compliance as Code provides critical capabilities:

  • Rapid ATO: Accelerate Authority to Operate with automated evidence collection
  • Zero Trust: Enforce least-privilege configurations consistently
  • Incident Response: Quickly re-harden compromised systems
  • Supply Chain Security: Validate configurations in disconnected networks
  • Continuous Monitoring: Detect and remediate drift automatically

Important: Always test STIG automation in non-production environments first. Some controls may break application functionality or cause system instability. Use --check mode to preview changes before applying.
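The check-mode run described above is also the cheapest drift detector: in `--check` mode every task reported as `changed` is a control the host no longer satisfies. The script below is an added example, not part of the original post or of the ansible-role-rhel9-stig project; it parses the standard `ansible-playbook --check` output, attributes each would-change task to its host, and cross-checks against the PLAY RECAP. It assumes the role names its tasks after the rule variable (for example `rhel9stig_rule_010020 | PATCH | ...`); that naming, the host names and the captured output are all constructed for the example.

```python
"""Turn `ansible-playbook --check` output into a per-host drift report.

Added example, not the original post's or the role's own code. Task naming,
host names and SAMPLE_OUTPUT below are constructed; adjust TASK_RE if your
role names tasks differently.
"""
from __future__ import annotations

import re
import sys
import json
from dataclasses import dataclass, field

# Constructed check-mode output (not captured from a real system).
SAMPLE_OUTPUT = """\
PLAY [Apply RHEL 9 STIG baseline] **********************************************

TASK [rhel9stig_rule_010020 | PATCH | Display Standard Mandatory DoD Notice] ****
ok: [rhel9-web-01]
changed: [rhel9-web-02]

TASK [rhel9stig_rule_020010 | PATCH | Enable FIPS mode] ************************
ok: [rhel9-web-01]
ok: [rhel9-web-02]

TASK [rhel9stig_pass_min_length | PATCH | Set minimum password length] *********
changed: [rhel9-web-02]
ok: [rhel9-web-01]

PLAY RECAP *********************************************************************
rhel9-web-01 : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
rhel9-web-02 : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
"""

TASK_RE = re.compile(r"^TASK \[(?P<name>.+?)\] \**$")
RESULT_RE = re.compile(r"^(?P<status>ok|changed|failed|fatal|skipped|unreachable): \[(?P<host>[^\]]+)\]")
RECAP_RE = re.compile(
    r"^(?P<host>\S+)\s*:\s*ok=(?P<ok>\d+)\s+changed=(?P<changed>\d+)"
    r"\s+unreachable=(?P<unreachable>\d+)\s+failed=(?P<failed>\d+)"
)


@dataclass
class HostDrift:
    host: str
    drifted_tasks: list[str] = field(default_factory=list)  # tasks check mode would change
    failed_tasks: list[str] = field(default_factory=list)   # tasks that errored (cannot assess)
    recap_changed: int = 0
    recap_failed: int = 0
    recap_unreachable: int = 0

    @property
    def compliant(self) -> bool:
        # A host is only "compliant" if nothing would change and nothing was skipped by error.
        return not self.drifted_tasks and self.recap_failed == 0 and self.recap_unreachable == 0


def parse_check_run(output: str) -> dict[str, HostDrift]:
    hosts: dict[str, HostDrift] = {}
    current_task: str | None = None
    in_recap = False
    for line in output.splitlines():
        if line.startswith("PLAY RECAP"):
            in_recap = True
            continue
        if in_recap:  # recap counters act as a cross-check on what we attributed per task
            m = RECAP_RE.match(line)
            if m:
                h = hosts.setdefault(m["host"], HostDrift(m["host"]))
                h.recap_changed = int(m["changed"])
                h.recap_failed = int(m["failed"])
                h.recap_unreachable = int(m["unreachable"])
            continue
        m = TASK_RE.match(line)
        if m:
            current_task = m["name"]
            continue
        m = RESULT_RE.match(line)
        if m and current_task:
            h = hosts.setdefault(m["host"], HostDrift(m["host"]))
            if m["status"] == "changed":
                h.drifted_tasks.append(current_task)
            elif m["status"] in ("failed", "fatal", "unreachable"):
                h.failed_tasks.append(current_task)
    return hosts


def drift_report(output: str) -> dict:
    hosts = parse_check_run(output)
    return {
        "compliant": sorted(h.host for h in hosts.values() if h.compliant),
        "drifted": {h.host: h.drifted_tasks for h in hosts.values() if h.drifted_tasks},
        "errors": {h.host: h.failed_tasks for h in hosts.values()
                   if h.failed_tasks or h.recap_unreachable or h.recap_failed},
    }


if __name__ == "__main__":
    # Pipe real output in; falls back to the constructed sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    report = drift_report(text)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["drifted"] or report["errors"] else 0)  # non-zero lets cron/CI alert
```

Scheduled as `ansible-playbook -i inventory.ini site.yml --check | python3 stig_drift.py` (script name hypothetical), the non-zero exit code gives the periodic run from step 6 of the workflow something to alert on, and the task names in `drifted` tell the on-call engineer which STIG rule was touched before anyone re-applies the baseline.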

Conclusion

Red Hat's Compliance as Code approach represents a paradigm shift in how organizations manage security compliance. By codifying DISA STIGs into Ansible automation, security engineers can harden infrastructure at scale with simple configuration changes. The defaults/main.yml file becomes your organization's security policy—version-controlled, auditable, and automatically enforced.


Security October 2025

PowerSTIG: Automating Windows Security Compliance with PowerShell DSC

18 min read
Windows PowerShell DSC STIG Compliance

PowerSTIG automates DISA Security Technical Implementation Guide (STIG) compliance for Windows environments using PowerShell Desired State Configuration (DSC). This powerful framework enables automated hardening of Windows Server, SQL Server, IIS, DNS Server, and other Microsoft technologies at enterprise scale.

What is PowerSTIG?

PowerSTIG is an open-source PowerShell module developed by Microsoft that converts DISA STIGs into PowerShell DSC configurations. Instead of manually implementing hundreds of security controls from PDF documents, PowerSTIG enables declarative configuration management for Windows security baselines.

PowerSTIG supports comprehensive STIG automation across the Microsoft ecosystem:

  • Windows Server: 2012 R2, 2016, 2019, 2022
  • SQL Server: 2012, 2016, 2017, 2019, 2022
  • Internet Information Services (IIS): 8.5, 10.0
  • DNS Server: Windows Server DNS
  • Active Directory: Domain and Forest STIGs
  • Microsoft Office: Office 2016, Office 2019, Office 365
  • Internet Explorer & Edge: Browser security configurations
  • Windows Defender: Antivirus and firewall settings

PowerShell DSC Architecture

PowerShell Desired State Configuration (DSC) is the foundation of PowerSTIG's automation capabilities. DSC enables declarative configuration: you define the desired state of a system, and DSC ensures that state is achieved and maintained.

Traditional STIG Implementation

  • Read 300+ page STIG document
  • Manually configure Group Policy Objects
  • Apply registry changes via scripts
  • Document compliance in spreadsheets
  • Manual audits every 90 days
  • Configuration drift over time
  • Weeks to months for full compliance

PowerSTIG Automation

  • Define compliance in PowerShell DSC
  • Automated policy application
  • Self-documenting configurations
  • Version-controlled in Git
  • Continuous compliance monitoring
  • Automatic drift remediation
  • Hours to achieve compliance

Installation and Setup

PowerSTIG is distributed via the PowerShell Gallery and requires PowerShell 5.1 or later. Basic installation workflow:

# Install PowerSTIG module from PowerShell Gallery
Install-Module -Name PowerSTIG -Scope AllUsers -Force

# Verify installation
Get-Module -Name PowerSTIG -ListAvailable

# Import the module
Import-Module PowerSTIG

# List available STIG configurations
Get-StigList

# Example output:
# TechnologyRole     TechnologyVersion    StigVersion
# --------------     -----------------    -----------
# WindowsServer      2019                 2.4
# SqlServer          2016Instance         2.6
# IISServer          10.0                 1.6
# DnsServer          2012R2               1.11

Basic Configuration Example

Here's a complete example of applying Windows Server 2019 STIG compliance using PowerSTIG:

# Windows Server 2019 STIG Configuration
configuration WindowsServer2019_STIG
{
    param (
        [string[]]$ComputerName = 'localhost'
    )
    
    Import-DscResource -ModuleName PowerSTIG
    
    Node $ComputerName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2019'
            OsRole      = 'MS'        # Member Server
            StigVersion = '2.4'
            
            # Exception handling: override a rule's value instead of the STIG default
            Exception   = @{
                'V-205625' = @{
                    # Allow custom password policy
                    ValueData = '90'
                }
            }

            # Rules to skip entirely go in SkipRule (a list of rule IDs), not in Exception
            # Skip V-205630 if it conflicts with application requirements
            SkipRule    = @('V-205630')
            
            # Organization-specific values
            OrgSettings = @{
                'V-205735' = @{
                    # Custom legal banner text
                    ValueData = 'Authorized Use Only - DoD System'
                }
            }
        }
    }
}

# Generate the MOF configuration file
WindowsServer2019_STIG -ComputerName 'WEB-SERVER-01' -OutputPath 'C:\DSC\Configs'

# Apply the configuration
Start-DscConfiguration -Path 'C:\DSC\Configs' -Wait -Verbose -Force

# Monitor compliance status
Get-DscConfigurationStatus

SQL Server STIG Example

PowerSTIG excels at securing complex Microsoft services. Here's SQL Server 2019 STIG automation:

# SQL Server 2019 Instance STIG Configuration
configuration SqlServer2019_STIG
{
    param (
        [string]$SqlInstance = 'MSSQLSERVER',
        [string]$SqlVersion  = '2019'
    )
    
    Import-DscResource -ModuleName PowerSTIG
    
    Node localhost
    {
        SqlServer InstanceCompliance
        {
            SqlVersion     = $SqlVersion
            SqlRole        = 'Instance'
            ServerInstance = $SqlInstance
            StigVersion    = '2.6'
            
            # SQL-specific exceptions
            Exception = @{
                'V-214015' = @{
                    # Allow mixed mode authentication for legacy apps
                    Identity = 'APPLICATION_USER'
                }
            }
            
            # Organization settings
            OrgSettings = @{
                'V-213989' = @{
                    # Custom audit log size
                    ValueData = '10240'  # MB
                }
            }
        }
    }
}

# Apply SQL Server STIG
SqlServer2019_STIG -OutputPath 'C:\DSC\SQL' 
Start-DscConfiguration -Path 'C:\DSC\SQL' -Wait -Verbose

Enterprise Deployment Workflow

In production environments, PowerSTIG integrates with enterprise configuration management:

  1. Centralized Configuration: Store DSC configurations in Git repository
  2. Pull Server Architecture: Deploy DSC Pull Server for distributed management
  3. Automated Enrollment: New servers automatically register with Pull Server
  4. Continuous Compliance: DSC Local Configuration Manager checks compliance every 15 minutes
  5. Drift Remediation: Non-compliant configurations automatically corrected
  6. Reporting: Centralized compliance dashboards with Azure Monitor or SCOM
  7. Exception Management: Organization-specific exceptions version-controlled

Advanced Features

PowerSTIG provides enterprise-grade capabilities for complex Windows environments:

  • Composite Configurations: Apply multiple STIGs simultaneously (e.g., Windows + IIS + SQL)
  • Role-Based Configs: Different baselines for domain controllers vs member servers
  • Partial Configurations: Split large configs across multiple MOF files for scalability
  • Credential Encryption: Secure sensitive data with certificates
  • Compliance Reporting: Generate audit reports in JSON, XML, or HTML
  • Integration with Azure Automation: Cloud-based DSC for hybrid environments

Real-World Use Cases

Scenario 1: DoD Cloud Migration

  • Automated STIG compliance for 500+ Windows Server VMs in Azure Government
  • Reduced ATO preparation from 6 months to 3 weeks
  • Continuous monitoring with Azure Security Center integration

Scenario 2: Financial Services SQL Hardening

  • Applied SQL Server 2019 STIGs across 200 database instances
  • Automated compliance audits for PCI-DSS requirements
  • Drift detection caught unauthorized configuration changes within minutes

Scenario 3: Healthcare IIS Web Farm

  • Standardized IIS 10.0 STIG configurations across 50 web servers
  • HIPAA compliance automation with custom organization values
  • Zero-touch deployment with Azure DevOps pipelines

Integration with Azure Automation

PowerSTIG integrates seamlessly with Azure Automation State Configuration for cloud-native compliance:

# Upload PowerSTIG configuration to Azure Automation
Import-AzAutomationDscConfiguration `
    -SourcePath 'C:\DSC\WindowsServer2019_STIG.ps1' `
    -ResourceGroupName 'rg-compliance' `
    -AutomationAccountName 'aa-stig-automation' `
    -Published

# Compile configuration in Azure
Start-AzAutomationDscCompilationJob `
    -ConfigurationName 'WindowsServer2019_STIG' `
    -ResourceGroupName 'rg-compliance' `
    -AutomationAccountName 'aa-stig-automation'

# Register VM with Azure Automation DSC
Register-AzAutomationDscNode `
    -ResourceGroupName 'rg-compliance' `
    -AutomationAccountName 'aa-stig-automation' `
    -AzureVMName 'web-server-01' `
    -NodeConfigurationName 'WindowsServer2019_STIG.localhost'

Important: PowerSTIG configurations can cause application compatibility issues. Always test in development environments first. Use the -WhatIf parameter to preview changes, and implement exception handling for application-specific requirements. Some STIG controls may require application code changes or infrastructure redesign.

Best Practices for PowerSTIG Deployment

  • Start with Member Servers: Test on non-critical systems before domain controllers
  • Use Version Control: Store all DSC configurations and exceptions in Git
  • Implement Progressive Rollout: Apply STIGs to 10% of fleet, validate, then expand
  • Monitor Application Impact: Track application errors before/after STIG application
  • Document Exceptions: Maintain business justification for all STIG rule skips
  • Automate Reporting: Schedule weekly compliance reports for stakeholders
  • Plan for Reboots: Many STIG controls require system restarts
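Steps 6 and 7 of the enterprise workflow (reporting and version-controlled exceptions) and the "Document Exceptions" practice above only pay off if the exception register is actually reconciled with what DSC reports. The script below is an added example, not part of the original post or of PowerSTIG: it reads the result of `Test-DscConfiguration -Detailed` saved as JSON, pulls the STIG rule ID out of each resource, and classifies every non-compliant resource as either an open finding or an accepted, documented exception, failing the report when an exception has no justification, no approver or has expired. The JSON shape, the rule-ID-in-ResourceId convention, the host name and all rule IDs other than those already on this page (the `V-9999xx` values are placeholders) are assumptions.

```python
"""Reconcile DSC compliance results with a version-controlled exception register.

Added example; not the original post's or PowerSTIG's own code. Assumes the
input is `Test-DscConfiguration -Detailed | ConvertTo-Json -Depth 4` for one
node and that PowerSTIG resource IDs contain the STIG rule ID (V-nnnnnn).
Samples are constructed; V-9999xx are placeholder rule IDs.
"""
from __future__ import annotations

import json
import re
from datetime import date

RULE_ID_RE = re.compile(r"V-\d+")

# Constructed DSC result (shape assumed from Test-DscConfiguration -Detailed).
SAMPLE_DSC_RESULT = json.dumps({
    "ComputerName": "WEB-SERVER-01",
    "InDesiredState": False,
    "ResourcesInDesiredState": [
        {"ResourceId": "[AccountPolicy]V-205625::[WindowsServer]BaseLine", "InDesiredState": True},
        {"ResourceId": "[Registry]V-205735::[WindowsServer]BaseLine", "InDesiredState": True},
    ],
    "ResourcesNotInDesiredState": [
        {"ResourceId": "[Registry]V-205630::[WindowsServer]BaseLine", "InDesiredState": False},
        {"ResourceId": "[Service]V-999901::[WindowsServer]BaseLine", "InDesiredState": False},
        {"ResourceId": "[Registry]V-999902::[WindowsServer]BaseLine", "InDesiredState": False},
    ],
})

# Constructed exception register as it would be kept in Git next to the DSC configs.
SAMPLE_EXCEPTIONS = json.dumps({
    "V-205630": {
        "justification": "Conflicts with legacy application service account; compensating control documented",
        "approved_by": "ISSO",
        "expires": "2026-06-30",
    },
    # Deliberately bad entry: no justification, no approver, already expired.
    "V-999902": {"justification": "", "approved_by": "", "expires": "2025-01-01"},
})


def rule_id(resource_id: str) -> str | None:
    """Extract the STIG rule ID from a DSC ResourceId such as '[Registry]V-205735::...'."""
    m = RULE_ID_RE.search(resource_id)
    return m.group(0) if m else None


def exception_problems(exc: dict, today: date) -> list[str]:
    """Return the reasons an exception entry is not an acceptable, documented skip."""
    problems = []
    if not exc.get("justification"):
        problems.append("missing justification")
    if not exc.get("approved_by"):
        problems.append("no approver")
    try:
        if date.fromisoformat(exc.get("expires", "")) < today:
            problems.append("expired")
    except ValueError:
        problems.append("bad expiry date")
    return problems


def reconcile(dsc_json: str, exceptions_json: str, today: date) -> dict:
    result = json.loads(dsc_json)
    exceptions = json.loads(exceptions_json)
    findings, accepted, register_problems = [], [], []
    for res in result.get("ResourcesNotInDesiredState") or []:
        rid = rule_id(res["ResourceId"]) or res["ResourceId"]
        exc = exceptions.get(rid)
        if exc is None:                      # non-compliant and nobody signed off: open finding
            findings.append(rid)
            continue
        problems = exception_problems(exc, today)
        if problems:                         # an undocumented/expired exception is still a finding
            register_problems.append({"rule": rid, "problems": problems})
            findings.append(rid)
        else:
            accepted.append(rid)
    compliant = [rule_id(r["ResourceId"]) or r["ResourceId"]
                 for r in result.get("ResourcesInDesiredState") or []]
    return {
        "node": result.get("ComputerName"),
        "compliant": sorted(compliant),
        "findings": sorted(findings),
        "accepted": sorted(accepted),
        "register_problems": register_problems,
        "pass": not findings,
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_DSC_RESULT, SAMPLE_EXCEPTIONS, date.today()), indent=2))
```

Because the register lives in the same repository as the DSC configurations, a pull request that adds a `SkipRule` entry without a matching, approved register entry shows up as a finding on the next scheduled report rather than silently shrinking the baseline.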

Conclusion

PowerSTIG revolutionizes Windows security compliance by transforming manual STIG implementation into automated, repeatable configurations. Using PowerShell DSC's declarative approach, security engineers can harden entire Windows fleets in hours instead of months. The combination of version control, continuous monitoring, and automatic remediation creates a robust compliance framework suitable for the most demanding defense and enterprise environments.

For organizations running Microsoft infrastructure, PowerSTIG is essential for achieving and maintaining DISA STIG compliance at scale. When paired with Azure Automation or on-premises DSC Pull Servers, it provides enterprise-grade configuration management that meets the rigorous security requirements of DoD, federal agencies, and regulated industries.


Security October 2025

OAuth 2.0 vs OpenID Connect: Understanding Modern Authentication

12 min read
OAuth2 OIDC Security Authentication

A comprehensive analysis of OAuth 2.0 and OpenID Connect (OIDC), exploring their differences, use cases, and security implications in modern enterprise environments.

Understanding the Fundamentals

OAuth 2.0 is an authorization framework designed to grant third-party applications limited access to resources without exposing user credentials. OIDC, built on top of OAuth 2.0, adds an authentication layer that provides identity verification.

Key Differences

OAuth 2.0

  • Purpose: Authorization (access delegation)
  • Output: Access tokens for API access
  • Use Case: "App X wants to access your Google Drive"
  • Token Type: Opaque access tokens

OpenID Connect

  • Purpose: Authentication (identity verification)
  • Output: ID tokens + access tokens
  • Use Case: "Sign in with Google"
  • Token Type: JWT ID tokens with user claims

Security Considerations

When implementing OAuth 2.0 or OIDC, several security best practices must be followed:

  • Use PKCE (Proof Key for Code Exchange) for public clients to prevent authorization code interception
  • Validate redirect URIs strictly to prevent open redirect vulnerabilities
  • Implement state parameters to prevent CSRF attacks
  • Use short-lived access tokens with refresh token rotation
  • Validate JWT signatures and claims (iss, aud, exp) rigorously
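The five practices above map directly onto client code. The block below is an added example, not part of the original post: it generates a PKCE verifier/challenge pair, an unguessable `state` compared in constant time, does exact-match redirect URI checking, and validates an ID token's algorithm, signature, `iss`, `aud`/`azp`, `exp`, `iat` and `nonce` claims before trusting `sub`. One simplification, stated here as an assumption: signatures are checked with HS256 and a shared secret so the example runs offline; providers such as Keycloak sign ID tokens with RS256 and publish keys via JWKS, so in production swap the signature step for a JWKS-backed verifier and keep the claim checks as they are. All keys, issuer URLs and tokens are constructed.

```python
"""OIDC client-side checks: PKCE, state, redirect URI, ID token validation.

Added example, not the original post's code. HS256 with a shared key is used
only so the example runs offline; production IdPs use RS256 + JWKS.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- PKCE (RFC 7636): the verifier never leaves the client; only the S256 challenge
# --- goes in the authorization request, so an intercepted code is useless without it.
def pkce_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple[str, str]:
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the RFC's 43..128 range
    return verifier, pkce_challenge(verifier)


# --- state: random, bound to the user's session, compared in constant time (CSRF defence)
def new_state() -> str:
    return secrets.token_urlsafe(32)


def state_matches(expected: str, received: str | None) -> bool:
    return received is not None and hmac.compare_digest(expected, received)


# --- redirect URI: exact match against the registered allow-list, never a prefix or pattern
def redirect_uri_allowed(uri: str, registered: set[str]) -> bool:
    return uri in registered


# --- ID token validation
class TokenError(ValueError):
    pass


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token the way a (simplified) IdP would; used here to build test input."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: float | None = None, leeway: int = 60) -> dict:
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    # Pin the algorithm: never let the token's own header choose it (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise TokenError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:   # OIDC Core 3.1.3.7, multiple audiences
        raise TokenError("multiple audiences but azp is not this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise TokenError("token issued in the future")
    if claims.get("nonce") != nonce:                       # binds the token to this login attempt
        raise TokenError("nonce mismatch")
    if not claims.get("sub"):
        raise TokenError("missing sub")
    return claims


def rejection_reason(*args, **kwargs) -> str | None:
    """None when the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(*args, **kwargs)
        return None
    except TokenError as e:
        return str(e)
```

The order of checks matters: algorithm and signature come first so that untrusted claims are never consulted for anything (not even the issuer) before the token is known to be authentic, and `nonce` is checked last only because it is the one value tied to the specific login attempt rather than to the token format.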

Enterprise Implementation with Keycloak

In my homelab environment, I've deployed Keycloak as the identity provider for centralizing authentication across JupyterHub, Rancher, and Elasticsearch. This setup demonstrates:

  • Centralized user management and SSO
  • Role-based access control (RBAC) integration
  • Multi-factor authentication (MFA) enforcement
  • Token refresh and session management

Common Pitfalls

Don't use OAuth 2.0 for authentication alone. OAuth access tokens are not designed to convey user identity. Always use OIDC ID tokens for authentication and OAuth access tokens for API authorization.

Conclusion

Understanding the distinction between OAuth 2.0 and OIDC is crucial for implementing secure authentication and authorization systems. OAuth 2.0 handles what you can access, while OIDC handles who you are. Modern applications typically use both: OIDC for login and OAuth 2.0 for API access.

Infrastructure Coming Soon

Building a Production K3s Cluster: From Bare Metal to GitOps

Est. 20 min read
Kubernetes K3s GitOps Homelab

A comprehensive guide to deploying a production-grade K3s cluster on bare metal, including automated certificate management, persistent storage with NFS, Rancher installation, and GitOps workflows with Ansible automation.

In Progress
Machine Learning Coming Soon

NVIDIA Jetson Orin Nano: Edge AI for Real-Time Computer Vision

Est. 15 min read
Edge AI NVIDIA Computer Vision TensorRT

Exploring the NVIDIA Jetson Orin Nano's capabilities for edge AI workloads, including TensorRT optimization, real-time object detection, and integration with Kubernetes for distributed inference.

Hardware Pending
Data Science Coming Soon

Health Data Analytics: Mining Apple Health with Elasticsearch

Est. 18 min read
Data Science Python Elasticsearch Health Analytics

Building a comprehensive health data analytics pipeline using Apple Health export, Python data transformation, and Elasticsearch time-series analysis with Kibana visualizations.

In Progress