Streamline Vulnerability Scanning with Ansible and Terrapin Scanner
By Luca Berton · Published 2024-01-01 · Category: troubleshooting
Learn how to use Ansible to automate the deployment and execution of the Terrapin Vulnerability Scanner.

Introduction
In the rapidly evolving landscape of cybersecurity, regular vulnerability assessments are essential to identify and mitigate potential security risks. The Terrapin Vulnerability Scanner, developed by the RUB-NDS research group, offers a powerful tool for scanning and evaluating the security posture of systems. In this article, we explore how Ansible, a popular automation tool, can be leveraged to streamline the process of deploying and executing the Terrapin Scanner.
Understanding the Ansible Playbook
The provided Ansible playbook is a set of instructions written in YAML format, defining a sequence of tasks to be executed on remote hosts. Let’s break down the key components of the playbook:
---
- name: Terrapin Vulnerability Scanner
  hosts: all
  gather_facts: false
  vars:
    # Release asset name for the control node's platform (here macOS arm64)
    scanner: "Terrapin_Scanner_MacOS_arm64_darwin"
    # SSH server to probe
    target: "rhel.example.com"
    version: "1.1.0"
    myurl: "https://github.com/RUB-NDS/Terrapin-Scanner/releases/download/v{{ version }}/{{ scanner }}"
    mydest: "./"
    # -json gives machine-readable output for later processing
    cli_params: "-json -connect {{ target }}"
  tasks:
    - name: Download the scanner
      ansible.builtin.get_url:
        url: "{{ myurl }}"
        dest: "{{ mydest }}"
        mode: '0644'
    - name: Set scanner execution permission
      ansible.builtin.file:
        dest: "{{ mydest }}/{{ scanner }}"
        mode: 'a+x'
    - name: Execute the scanner
      ansible.builtin.command: "{{ mydest }}/{{ scanner }} {{ cli_params }}"
      register: command_output
    - name: Print message on the screen
      ansible.builtin.debug:
        var: command_output
Explanation of the Playbook
• hosts: all: Specifies that the tasks will be executed on all hosts.
• gather_facts: false: Disables the gathering of facts about the target hosts. Facts include information about the system, such as IP address, OS version, etc.
• vars: Defines variables used throughout the playbook, such as the scanner name, target host, version, download URL, destination directory, and command-line parameters.
• tasks: Describes a series of tasks to be executed in order.
• Download the scanner: Uses the get_url Ansible module to download the Terrapin Scanner from the specified URL and save it to the destination directory.
• Set scanner execution permission: Uses the file Ansible module to set the execution permission for the downloaded scanner.
• Execute the scanner: Runs the Terrapin Scanner with the specified command-line parameters.
• Print message on the screen: Displays the output of the scanner execution for further analysis.
Execution
• localhost inventory
localhost ansible_connection=local
• Playbook Execution
ansible-playbook -i inventory terrapin.yml
• Output for a vulnerable OpenSSH connection
PLAY [Terrapin Vulnerability Scanner] ***************************************************
TASK [Download the scanner] *************************************************************
changed: [localhost]
TASK [Set scanner execution permission] *************************************************
changed: [localhost]
TASK [Execute the scanner] **************************************************************
changed: [localhost]
TASK [Print message on the screen] ******************************************************
ok: [localhost] => {
    "command_output": {
        "changed": true,
        "cmd": [
            ".//Terrapin_Scanner_MacOS_arm64_darwin",
            "-json",
            "-connect",
            "rhel.example.com"
        ],
        "delta": "0:00:00.574565",
        "end": "2024-01-04 13:01:22.774207",
        "failed": false,
        "msg": "",
        "rc": 0,
        "start": "2024-01-04 13:01:22.199642",
        "stderr": "",
        "stderr_lines": [],
        "stdout": "{\n \"Banner\": \"SSH-2.0-OpenSSH_8.7\",\n \"SupportsChaCha20\": true,\n \"SupportsCbcEtm\": false,\n \"SupportsStrictKex\": false,\n \"Vulnerable\": true\n}",
        "stdout_lines": [
            "{",
            " \"Banner\": \"SSH-2.0-OpenSSH_8.7\",",
            " \"SupportsChaCha20\": true,",
            " \"SupportsCbcEtm\": false,",
            " \"SupportsStrictKex\": false,",
            " \"Vulnerable\": true",
            "}"
        ]
    }
}
PLAY RECAP ******************************************************************************
localhost : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
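Once the playbook has recorded the scanner's JSON in command_output.stdout, the verdicts from many hosts can be post-processed into a report. The following Python is an added example, not code from the original article or from the Terrapin Scanner project; the host names and JSON strings are constructed samples in the output format shown above, and is_terrapin_vulnerable re-derives the scanner's Vulnerable field from the three capability flags as a consistency check.

```python
"""Post-process Terrapin Scanner -json output recorded by the playbook."""
import json

# Constructed samples (not real scan data): one scanner stdout string per
# host, in the same format the playbook records in command_output.stdout.
SAMPLE_RESULTS = {
    "rhel.example.com": '{"Banner": "SSH-2.0-OpenSSH_8.7", "SupportsChaCha20": true, '
                        '"SupportsCbcEtm": false, "SupportsStrictKex": false, "Vulnerable": true}',
    "patched.example.com": '{"Banner": "SSH-2.0-OpenSSH_9.6", "SupportsChaCha20": true, '
                           '"SupportsCbcEtm": false, "SupportsStrictKex": true, "Vulnerable": false}',
    "hardened.example.com": '{"Banner": "SSH-2.0-OpenSSH_8.7", "SupportsChaCha20": false, '
                            '"SupportsCbcEtm": false, "SupportsStrictKex": false, "Vulnerable": false}',
}


def is_terrapin_vulnerable(result):
    """Re-derive the verdict from the three capability flags.

    Terrapin needs a susceptible mode (ChaCha20-Poly1305, or a CBC cipher
    with Encrypt-then-MAC) and a peer without the strict key exchange
    countermeasure; strict kex closes the hole regardless of cipher.
    """
    weak_mode = result["SupportsChaCha20"] or result["SupportsCbcEtm"]
    return bool(weak_mode and not result["SupportsStrictKex"])


def parse_scan(host, stdout):
    """Turn one scanner stdout string into a finding dict for reporting."""
    result = json.loads(stdout)
    vulnerable = is_terrapin_vulnerable(result)
    if vulnerable != result["Vulnerable"]:
        # Truncated or hand-edited output: do not trust either verdict.
        raise ValueError(f"{host}: flags disagree with the Vulnerable field")
    fix = "none required"
    if vulnerable:
        fix = ("update server and clients to a release with strict kex, or "
               "disable chacha20-poly1305@openssh.com and the *-etm@openssh.com MACs")
    return {"host": host, "banner": result["Banner"],
            "vulnerable": vulnerable, "remediation": fix}


def summarize(results):
    """Aggregate per-host scanner output into a report dict (hosts sorted)."""
    findings = [parse_scan(h, out) for h, out in sorted(results.items())]
    return {
        "scanned": len(findings),
        "vulnerable_hosts": [f["host"] for f in findings if f["vulnerable"]],
        "findings": findings,
    }
```

In the playbook, the same check can be applied with ansible.builtin.assert on `(command_output.stdout | from_json).Vulnerable` so a vulnerable host fails the run instead of only being printed.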
Conclusion
Automating vulnerability assessments with tools like Terrapin Scanner and Ansible can significantly enhance the efficiency and consistency of security practices. This Ansible playbook serves as a template for deploying Terrapin Scanner, making it easier for security professionals to integrate vulnerability scanning into their regular workflows. As cyber threats continue to evolve, proactive measures, such as automated vulnerability assessments, play a crucial role in maintaining a robust cybersecurity posture.