Ansible Pilot

Automating Audit CIS Benchmark Hardening for Red Hat Enterprise Linux 9 with Ansible

Strengthening Cybersecurity and Compliance with Ansible Automation CIS Benchmark Hardening for Red Hat Enterprise Linux 9.

July 28, 2023
Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons


As organizations increasingly prioritize cybersecurity and compliance, the need for robust security measures has become paramount. The Center for Internet Security (CIS) Benchmarks provides guidelines and best practices for securing various operating systems. Adhering to these benchmarks for Red Hat Enterprise Linux (RHEL) 9 can be time-consuming and complex. However, this process becomes streamlined and efficient with the power of automation through Ansible. This article explores how using Ansible’s automation capabilities with the “ansible-lockdown” project can help organizations automatically implement CIS Benchmark hardening for RHEL 9 systems, ensuring a more secure and compliant environment.

What is the CIS Benchmark?

The CIS Benchmarks are consensus-based configuration guidelines developed by experts to help organizations safeguard their systems against security threats. These benchmarks cover a wide range of platforms and applications, offering specific recommendations on security settings, configurations, and policies. By adhering to the CIS Benchmark, organizations can reduce the risk of cyberattacks and enhance their overall security posture.

Introducing Ansible

Ansible is an open-source automation tool that simplifies IT infrastructure deployment, configuration, and management. It employs declarative language to describe the desired state of a system, allowing users to automate repetitive tasks, thereby saving time and reducing human errors. The “ansible-lockdown” Project The “ansible-lockdown” project is a community-driven initiative aimed at automating the implementation of security hardening guidelines, particularly the CIS Benchmarks, on various systems. This project provides Ansible roles that enable users to easily apply the recommended security configurations to their systems.

The Best Resources For Ansible


Video Course

Printed Book


Automating CIS Benchmark Hardening for RHEL 9

  1. Preparing the Environment

Before starting the automation process, ensure you have Ansible installed on your control node and the necessary permissions to execute playbooks on the target RHEL 9 systems. Additionally, download the “ansible-lockdown” roles from the project’s GitHub repository or use the role manager of your choice to install them.

ansible-galaxy role install git+
  1. Understanding the CIS Benchmark Rules

Each CIS Benchmark consists of a set of rules that define specific security configurations. These rules are organized into different sections based on their relevance. Reviewing and understanding the CIS Benchmark guidelines for RHEL 9 before proceeding with the automation process is essential.

  1. Developing the Ansible Playbook

Create an Ansible playbook with the necessary “ansible-lockdown” roles to apply the CIS Benchmark rules. The playbook should define the target hosts, roles to be executed, and any required variables. For example, your audit.yml playbook might look like this:

- name: RHEL9 CIS Audit
  hosts: all
  become: true
    - name: "RHEL9-CIS"
        setup_audit: true
        run_audit: true

This example, the “RHEL9-CIS role is used to apply the setup_audit and run_audit variables.

For ARM64 use this:

- name: RHEL9 CIS Audit
  hosts: all
  become: true
    - name: "RHEL9-CIS"
        setup_audit: true
        run_audit: true
          release: v0.3.23
          checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e'

My inventory file:

  1. Executing the Playbook

Run the Ansible playbook against the target RHEL 9 hosts: ansible-playbook -i inventory audit.yml Ansible will connect to the target systems and automatically apply the CIS Benchmark hardening rules based on the roles and variables specified in the playbook.

  1. Post-Deployment Verification

After the playbook execution, it is crucial to perform thorough testing and verification to ensure that the hardening measures have been successfully applied without any adverse effects on the system’s functionality.

``bash ssh [email protected] cat /opt/-RHEL9-CIS_post_scan.json


            "duration": 19501,
            "err": null,
            "expected": [
            "found": [
            "human": "",
            "meta": {
                "CIS_ID": [
                "CISv8": 3.3,
                "CISv8_IG1": true,
                "CISv8_IG2": true,
                "CISv8_IG3": true,
                "server": 1,
                "workstation": 1
            "property": "stdout",
            "resource-id": "home_dirs_restrict",
            "resource-type": "Command",
            "result": 0,
            "skipped": false,
            "successful": true,
            "summary-line": "Command: home_dirs_restrict: stdout: matches expectation: [/^7(0|5)0\\s/]",
            "test-type": 2,
            "title": "6.2.12 | Ensure local interactive user home directories are mode 750 or more restrictive"
    "summary": {
        "failed-count": 78,
        "skipped-count": 6,
        "summary-line": "Count: 615, Failed: 78, Skipped: 6, Duration: 31.756s",
        "test-count": 615,
        "total-duration": 31755642383


In a constantly evolving threat landscape, ensuring the security and compliance of RHEL 9 systems is a critical task for organizations. The CIS Benchmarks provide valuable guidelines, but manual implementation can be challenging and time-consuming. By leveraging the power of Ansible and the “ansible-lockdown” project, organizations can automate applying CIS Benchmark hardening for RHEL 9. This saves time and effort and ensures a more consistent and secure environment, better protecting against potential cyber threats. Organizations can significantly enhance their security posture and foster a robust cybersecurity culture by staying proactive and adhering to security best practices.

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.


Learn the Ansible automation technology with some real-life examples in my

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 250+ Ansible code

Want to keep this project going? Please donate

Access the Complete Video Course and Learn Quick Ansible by 200+ Practical Lessons
Follow me

Subscribe not to miss any new releases