Introduction
As organizations increasingly prioritize cybersecurity and compliance, the need for robust security measures has become paramount. The Center for Internet Security (CIS) Benchmarks provides guidelines and best practices for securing various operating systems. Adhering to these benchmarks for Red Hat Enterprise Linux (RHEL) 9 can be time-consuming and complex. However, this process becomes streamlined and efficient with the power of automation through Ansible. This article explores how using Ansible’s automation capabilities with the “ansible-lockdown” project can help organizations automatically implement CIS Benchmark hardening for RHEL 9 systems, ensuring a more secure and compliant environment.
What is the CIS Benchmark?
The CIS Benchmarks are consensus-based configuration guidelines developed by experts to help organizations safeguard their systems against security threats. These benchmarks cover a wide range of platforms and applications, offering specific recommendations on security settings, configurations, and policies. By adhering to the CIS Benchmark, organizations can reduce the risk of cyberattacks and enhance their overall security posture.
Introducing Ansible
Ansible is an open-source automation tool that simplifies IT infrastructure deployment, configuration, and management. It employs declarative language to describe the desired state of a system, allowing users to automate repetitive tasks, thereby saving time and reducing human errors. The “ansible-lockdown” Project The “ansible-lockdown” project is a community-driven initiative aimed at automating the implementation of security hardening guidelines, particularly the CIS Benchmarks, on various systems. This project provides Ansible roles that enable users to easily apply the recommended security configurations to their systems.
Links
Automating CIS Benchmark Hardening for RHEL 9
- Preparing the Environment
Before starting the automation process, ensure you have Ansible installed on your control node and the necessary permissions to execute playbooks on the target RHEL 9 systems. Additionally, download the “ansible-lockdown” roles from the project’s GitHub repository or use the role manager of your choice to install them.
ansible-galaxy role install git+https://github.com/ansible-lockdown/RHEL9-CIS.git
- Understanding the CIS Benchmark Rules
Each CIS Benchmark consists of a set of rules that define specific security configurations. These rules are organized into different sections based on their relevance. Reviewing and understanding the CIS Benchmark guidelines for RHEL 9 before proceeding with the automation process is essential.
- Developing the Ansible Playbook
Create an Ansible playbook with the necessary “ansible-lockdown” roles to apply the CIS Benchmark rules. The playbook should define the target hosts, roles to be executed, and any required variables.
For example, your audit.yml playbook might look like this:
---
- name: RHEL9 CIS Audit
hosts: all
become: true
roles:
- name: "RHEL9-CIS"
vars:
setup_audit: true
run_audit: true
This example, the “RHEL9-CIS role is used to apply the setup_audit and run_audit variables.
For ARM64 use this:
---
- name: RHEL9 CIS Audit
hosts: all
become: true
roles:
- name: "RHEL9-CIS"
vars:
setup_audit: true
run_audit: true
goss_url: https://github.com/goss-org/goss/releases/download/v0.3.23/goss-linux-arm64
goss_version:
release: v0.3.23
checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e'
My inventory file:
rhel.example.com
[all:vars]
ansible_connection=ssh
ansible_user=luca
- Executing the Playbook
Run the Ansible playbook against the target RHEL 9 hosts: ansible-playbook -i inventory audit.yml Ansible will connect to the target systems and automatically apply the CIS Benchmark hardening rules based on the roles and variables specified in the playbook.
- Post-Deployment Verification
After the playbook execution, it is crucial to perform thorough testing and verification to ensure that the hardening measures have been successfully applied without any adverse effects on the system’s functionality.
``bash ssh [email protected] cat /opt/-RHEL9-CIS_post_scan.json
output
```bash
[...]
{
"duration": 19501,
"err": null,
"expected": [
"/^7(0|5)0\\s/"
],
"found": [
"/^7(0|5)0\\s/"
],
"human": "",
"meta": {
"CIS_ID": [
"6.2.12"
],
"CISv8": 3.3,
"CISv8_IG1": true,
"CISv8_IG2": true,
"CISv8_IG3": true,
"server": 1,
"workstation": 1
},
"property": "stdout",
"resource-id": "home_dirs_restrict",
"resource-type": "Command",
"result": 0,
"skipped": false,
"successful": true,
"summary-line": "Command: home_dirs_restrict: stdout: matches expectation: [/^7(0|5)0\\s/]",
"test-type": 2,
"title": "6.2.12 | Ensure local interactive user home directories are mode 750 or more restrictive"
}
],
"summary": {
"failed-count": 78,
"skipped-count": 6,
"summary-line": "Count: 615, Failed: 78, Skipped: 6, Duration: 31.756s",
"test-count": 615,
"total-duration": 31755642383
}
}
Conclusion
In a constantly evolving threat landscape, ensuring the security and compliance of RHEL 9 systems is a critical task for organizations. The CIS Benchmarks provide valuable guidelines, but manual implementation can be challenging and time-consuming. By leveraging the power of Ansible and the “ansible-lockdown” project, organizations can automate applying CIS Benchmark hardening for RHEL 9. This saves time and effort and ensures a more consistent and secure environment, better protecting against potential cyber threats. Organizations can significantly enhance their security posture and foster a robust cybersecurity culture by staying proactive and adhering to security best practices.
Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.Academy
Learn the Ansible automation technology with some real-life examples in my
Udemy 300+ Lessons Video Course.
My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Donate
Want to keep this project going? Please donate