
Automate CIS Benchmark Hardening for RHEL 9 with Ansible

By Luca Berton · Published 2024-01-01 · Category: installation

Discover how to automate CIS Benchmark hardening for RHEL 9 systems using Ansible. Simplify security compliance with the "ansible-lockdown" project.

Introduction

As organizations increasingly prioritize cybersecurity and compliance, robust security measures have become essential. The Center for Internet Security (CIS) Benchmarks provide guidelines and best practices for securing various operating systems. Applying these benchmarks to Red Hat Enterprise Linux (RHEL) 9 by hand is time-consuming and complex, but automation with Ansible makes the process streamlined and repeatable. This article explores how Ansible, together with the "ansible-lockdown" project, can automatically implement CIS Benchmark hardening for RHEL 9 systems, giving organizations a more secure and compliant environment.

What is the CIS Benchmark?

The CIS Benchmarks are consensus-based configuration guidelines developed by experts to help organizations safeguard their systems against security threats. These benchmarks cover a wide range of platforms and applications, offering specific recommendations on security settings, configurations, and policies. By adhering to the CIS Benchmark, organizations can reduce the risk of cyberattacks and enhance their overall security posture.

Introducing Ansible

Ansible is an open-source automation tool that simplifies IT infrastructure deployment, configuration, and management. It employs a declarative language to describe the desired state of a system, allowing users to automate repetitive tasks, thereby saving time and reducing human errors.

The "ansible-lockdown" Project

The "ansible-lockdown" project is a community-driven initiative aimed at automating the implementation of security hardening guidelines, particularly the CIS Benchmarks, on various systems. This project provides Ansible roles that enable users to easily apply the recommended security configurations to their systems.

Links

- Ansible Lockdown GitHub
- Lockdown Enterprise Organization
- CIS Benchmarks
- Ansible Lockdown
- RHEL9-CIS role
- MindPoint Group
- Goss - Quick and Easy server validation

Automating CIS Benchmark Hardening for RHEL 9

Preparing the Environment

Before starting the automation process, ensure you have Ansible installed on your control node and the necessary permissions to execute playbooks on the target RHEL 9 systems. Additionally, download the "ansible-lockdown" roles from the project's GitHub repository or use the role manager of your choice to install them.

```bash
ansible-galaxy role install git+https://github.com/ansible-lockdown/RHEL9-CIS.git
```

Understanding the CIS Benchmark Rules

Each CIS Benchmark consists of a set of rules that define specific security configurations. These rules are organized into different sections based on their relevance. Reviewing and understanding the CIS Benchmark guidelines for RHEL 9 before proceeding with the automation process is essential.

Developing the Ansible Playbook

Create an Ansible playbook with the necessary "ansible-lockdown" roles to apply the CIS Benchmark rules. The playbook should define the target hosts, roles to be executed, and any required variables. For example, your audit.yml playbook might look like this:

```yaml
---
- name: RHEL9 CIS Audit
  hosts: all
  become: true
  roles:
    - name: "RHEL9-CIS"
      vars:
        setup_audit: true
        run_audit: true
```

In this example, the "RHEL9-CIS" role is applied with the setup_audit and run_audit variables enabled.

For ARM64 use this:

```yaml
---
- name: RHEL9 CIS Audit
  hosts: all
  become: true
  roles:
    - name: "RHEL9-CIS"
      vars:
        setup_audit: true
        run_audit: true
        goss_url: https://github.com/goss-org/goss/releases/download/v0.3.23/goss-linux-arm64
        goss_version:
          release: v0.3.23
          checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e'
```

My inventory file:

```ini
rhel.example.com

[all:vars]
ansible_connection=ssh
ansible_user=luca
```

Executing the Playbook

Run the Ansible playbook against the target RHEL 9 hosts:

```bash
ansible-playbook -i inventory audit.yml
```

Ansible will connect to the target systems and automatically apply the CIS Benchmark hardening rules based on the roles and variables specified in the playbook.

Post-Deployment Verification

After the playbook execution, it is crucial to perform thorough testing and verification to ensure that the hardening measures have been successfully applied without any adverse effects on the system's functionality.

```bash
ssh luca@rhel.example.com cat /opt/-RHEL9-CIS_post_scan.json
```

output

```json
[...]
    {
      "duration": 19501,
      "err": null,
      "expected": [
        "/^7(0|5)0\\s/"
      ],
      "found": [
        "/^7(0|5)0\\s/"
      ],
      "human": "",
      "meta": {
        "CIS_ID": [
          "6.2.12"
        ],
        "CISv8": 3.3,
        "CISv8_IG1": true,
        "CISv8_IG2": true,
        "CISv8_IG3": true,
        "server": 1,
        "workstation": 1
      },
      "property": "stdout",
      "resource-id": "home_dirs_restrict",
      "resource-type": "Command",
      "result": 0,
      "skipped": false,
      "successful": true,
      "summary-line": "Command: home_dirs_restrict: stdout: matches expectation: [/^7(0|5)0\\s/]",
      "test-type": 2,
      "title": "6.2.12 | Ensure local interactive user home directories are mode 750 or more restrictive"
    }
  ],
  "summary": {
    "failed-count": 78,
    "skipped-count": 6,
    "summary-line": "Count: 615, Failed: 78, Skipped: 6, Duration: 31.756s",
    "test-count": 615,
    "total-duration": 31755642383
  }
}
```
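As an added example (not code from the article or the ansible-lockdown project), the following Python script reads a post-scan report in the goss JSON layout shown above, checks that the summary counts agree with the per-test results, and groups the failed tests by CIS ID so the "Failed: 78" line can be triaged. The field names come from the output above; the embedded sample report and its control IDs 1.2.3/4.5.6/7.8.9 are constructed placeholders.

```python
# Added example: triage a goss post-scan JSON from the RHEL9-CIS role by CIS ID.
# Field names follow the report layout shown in the article; sample is constructed.
import json
from collections import defaultdict

# Constructed sample: one passing control taken from the article, two constructed
# failures (one tagged IG1, one not) and one skipped test. The IDs 1.2.3, 4.5.6 and
# 7.8.9 are placeholders, not real CIS control numbers.
SAMPLE_SCAN = json.dumps({
    "results": [
        {"meta": {"CIS_ID": ["6.2.12"], "CISv8_IG1": True}, "resource-id": "home_dirs_restrict",
         "successful": True, "skipped": False},
        {"meta": {"CIS_ID": ["1.2.3"], "CISv8_IG1": True}, "resource-id": "tmp_example",
         "successful": False, "skipped": False},
        {"meta": {"CIS_ID": ["4.5.6"], "CISv8_IG1": False}, "resource-id": "ssh_example",
         "successful": False, "skipped": False},
        {"meta": {"CIS_ID": ["7.8.9"], "CISv8_IG1": True}, "resource-id": "skipped_example",
         "successful": False, "skipped": True},
    ],
    "summary": {"failed-count": 2, "skipped-count": 1, "test-count": 4},
})


def summary_matches(scan_json: str) -> bool:
    """True if the summary counts agree with the per-test results.

    A truncated or hand-edited report will not add up, so this is a cheap sanity
    check before trusting the Failed/Skipped numbers."""
    report = json.loads(scan_json)
    results = report["results"]
    failed = sum(1 for r in results if not r["successful"] and not r["skipped"])
    skipped = sum(1 for r in results if r["skipped"])
    s = report["summary"]
    return (failed, skipped, len(results)) == (
        s["failed-count"], s["skipped-count"], s["test-count"])


def failed_controls(scan_json: str, ig1_only: bool = False) -> dict:
    """Map CIS_ID -> resource-ids of failed (not skipped) tests; ig1_only keeps only
    controls tagged CISv8 Implementation Group 1."""
    if not summary_matches(scan_json):
        raise ValueError("summary does not match results; report may be truncated")
    by_cis = defaultdict(list)
    for r in json.loads(scan_json)["results"]:
        if r["successful"] or r["skipped"]:
            continue
        if ig1_only and not r["meta"].get("CISv8_IG1", False):
            continue
        for cis_id in r["meta"].get("CIS_ID", ["unmapped"]):
            by_cis[cis_id].append(r["resource-id"])
    return dict(sorted(by_cis.items()))
```

Point it at the real report by replacing SAMPLE_SCAN with the contents of the post-scan file fetched over SSH, and narrow the first remediation pass with ig1_only=True.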


Conclusion

In a constantly evolving threat landscape, ensuring the security and compliance of RHEL 9 systems is a critical task for organizations. The CIS Benchmarks provide valuable guidelines, but manual implementation can be challenging and time-consuming. By leveraging Ansible and the "ansible-lockdown" project, organizations can automate the application of CIS Benchmark hardening for RHEL 9. This saves time and effort and produces a more consistent and secure environment, better protected against potential cyber threats. By staying proactive and adhering to security best practices, organizations can significantly enhance their security posture and foster a robust cybersecurity culture.
