Automating Audit CIS Benchmark Hardening for Red Hat Enterprise Linux 9 with Ansible
Strengthening Cybersecurity and Compliance with Ansible Automation CIS Benchmark Hardening for Red Hat Enterprise Linux 9.
Introduction
As organizations increasingly prioritize cybersecurity and compliance, the need for robust security measures has become paramount. The Center for Internet Security (CIS) Benchmarks provides guidelines and best practices for securing various operating systems. Adhering to these benchmarks for Red Hat Enterprise Linux (RHEL) 9 can be time-consuming and complex. However, this process becomes streamlined and efficient with the power of automation through Ansible. This article explores how using Ansible’s automation capabilities with the “ansible-lockdown” project can help organizations automatically implement CIS Benchmark hardening for RHEL 9 systems, ensuring a more secure and compliant environment.
What is the CIS Benchmark?
The CIS Benchmarks are consensus-based configuration guidelines developed by experts to help organizations safeguard their systems against security threats. These benchmarks cover a wide range of platforms and applications, offering specific recommendations on security settings, configurations, and policies. By adhering to the CIS Benchmark, organizations can reduce the risk of cyberattacks and enhance their overall security posture.
Introducing Ansible
Ansible is an open-source automation tool that simplifies IT infrastructure deployment, configuration, and management. It employs declarative language to describe the desired state of a system, allowing users to automate repetitive tasks, thereby saving time and reducing human errors. The “ansible-lockdown” Project The “ansible-lockdown” project is a community-driven initiative aimed at automating the implementation of security hardening guidelines, particularly the CIS Benchmarks, on various systems. This project provides Ansible roles that enable users to easily apply the recommended security configurations to their systems.
Links
The Best Resources For Ansible
Certifications
The Linux Foundation Linux Performance Tuning - Build a broad toolkit to optimize Linux performance from the kernel up
Coursera Pro - Unlimited access to 7,000+ world-class courses, hands-on projects, and job-ready certificate programs—all included in your subscription
Video Course
Printed Book
Ansible For VMware by Examples
Ansible for Kubernetes by Example
Hands-on Ansible Automation
Red Hat Ansible Automation Platform
eBooks
Ansible by Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Ansible Cookbook: A Comprehensive Guide to Unleashing the Power of Ansible via Best Practices, Troubleshooting, and Linting Rules with Luca Berton
Terraform By Example: A Practical Approach for Beginners to Learn Cloud Infrastructure with Terraform
Ansible For Windows By Examples: 50+ Automation Examples For Windows System Administrator And DevOps
Ansible For Linux by Examples: 100+ Automation Examples For Linux System Administrator and DevOps
Ansible Linux Filesystem By Examples: 40+ Automation Examples on Linux File and Directory Operation for Modern IT Infrastructure
Ansible For Security by Examples: 100+ Automation Examples to Automate Security and Verify Compliance for IT Modern Infrastructure
Ansible Tips and Tricks: 10+ Ansible Examples to Save Time and Automate More Tasks
Ansible Linux Users & Groups By Examples: 20+ Automation Examples on Linux Users and Groups Operation for Modern IT Infrastructure
Ansible For PostgreSQL by Examples: 10+ Examples To Automate Your PostgreSQL database
Ansible For Amazon Web Services AWS By Examples: 10+ Examples To Automate Your AWS Modern Infrastructure
Ansible Automation Platform By Example: A step-by-step guide for the most common user scenarios
Automating CIS Benchmark Hardening for RHEL 9
- Preparing the Environment
Before starting the automation process, ensure you have Ansible installed on your control node and the necessary permissions to execute playbooks on the target RHEL 9 systems. Additionally, download the “ansible-lockdown” roles from the project’s GitHub repository or use the role manager of your choice to install them.
ansible-galaxy role install git+https://github.com/ansible-lockdown/RHEL9-CIS.git
- Understanding the CIS Benchmark Rules
Each CIS Benchmark consists of a set of rules that define specific security configurations. These rules are organized into different sections based on their relevance. Reviewing and understanding the CIS Benchmark guidelines for RHEL 9 before proceeding with the automation process is essential.
- Developing the Ansible Playbook
Create an Ansible playbook with the necessary “ansible-lockdown” roles to apply the CIS Benchmark rules. The playbook should define the target hosts, roles to be executed, and any required variables.
For example, your audit.yml playbook might look like this:
---
- name: RHEL9 CIS Audit
hosts: all
become: true
roles:
- name: "RHEL9-CIS"
vars:
setup_audit: true
run_audit: true
This example, the “RHEL9-CIS role is used to apply the setup_audit and run_audit variables.
For ARM64 use this:
---
- name: RHEL9 CIS Audit
hosts: all
become: true
roles:
- name: "RHEL9-CIS"
vars:
setup_audit: true
run_audit: true
goss_url: https://github.com/goss-org/goss/releases/download/v0.3.23/goss-linux-arm64
goss_version:
release: v0.3.23
checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e'
My inventory file:
rhel.example.com
[all:vars]
ansible_connection=ssh
ansible_user=luca
- Executing the Playbook
Run the Ansible playbook against the target RHEL 9 hosts: ansible-playbook -i inventory audit.yml Ansible will connect to the target systems and automatically apply the CIS Benchmark hardening rules based on the roles and variables specified in the playbook.
- Post-Deployment Verification
After the playbook execution, it is crucial to perform thorough testing and verification to ensure that the hardening measures have been successfully applied without any adverse effects on the system’s functionality.
``bash ssh [email protected] cat /opt/-RHEL9-CIS_post_scan.json
output
```bash
[...]
{
"duration": 19501,
"err": null,
"expected": [
"/^7(0|5)0\\s/"
],
"found": [
"/^7(0|5)0\\s/"
],
"human": "",
"meta": {
"CIS_ID": [
"6.2.12"
],
"CISv8": 3.3,
"CISv8_IG1": true,
"CISv8_IG2": true,
"CISv8_IG3": true,
"server": 1,
"workstation": 1
},
"property": "stdout",
"resource-id": "home_dirs_restrict",
"resource-type": "Command",
"result": 0,
"skipped": false,
"successful": true,
"summary-line": "Command: home_dirs_restrict: stdout: matches expectation: [/^7(0|5)0\\s/]",
"test-type": 2,
"title": "6.2.12 | Ensure local interactive user home directories are mode 750 or more restrictive"
}
],
"summary": {
"failed-count": 78,
"skipped-count": 6,
"summary-line": "Count: 615, Failed: 78, Skipped: 6, Duration: 31.756s",
"test-count": 615,
"total-duration": 31755642383
}
}
Recap
In a constantly evolving threat landscape, ensuring the security and compliance of RHEL 9 systems is a critical task for organizations. The CIS Benchmarks provide valuable guidelines, but manual implementation can be challenging and time-consuming. By leveraging the power of Ansible and the “ansible-lockdown” project, organizations can automate applying CIS Benchmark hardening for RHEL 9. This saves time and effort and ensures a more consistent and secure environment, better protecting against potential cyber threats. Organizations can significantly enhance their security posture and foster a robust cybersecurity culture by staying proactive and adhering to security best practices.
Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.Academy
Learn the Ansible automation technology with some real-life examples in my
My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Donate
Want to keep this project going? Please donate
