CIS Benchmark

In today’s cybersecurity landscape, hardening your systems is crucial to protect against evolving threats. Compliance with industry standards, such as the Center for Internet Security (CIS) benchmarks, helps organizations establish a secure foundation for their IT infrastructure. Red Hat Enterprise Linux (RHEL) 9 is a widely adopted operating system known for its stability and security features. By combining the power of RHEL 9 with Ansible automation, you can automate the implementation of CIS Benchmark guidelines, ensuring a robust and hardened system. This article will explore how to automate the hardening process using Ansible and the CIS Benchmark for RHEL 9.

Automating the implementation of CIS benchmarks with Ansible provides several key benefits:

  1. Standardization and Consistency: Implementing CIS benchmarks manually across multiple systems can be a complex and time-consuming task. Organizations can ensure standardized security configurations across their infrastructure by automating this process with Ansible. Ansible’s declarative language allows for consistently applying security controls, minimizing human errors, and ensuring adherence to the CIS benchmark guidelines.

  2. Time and Resource Efficiency: Manually implementing CIS benchmarks on each system can be a labor-intensive process. Ansible automation significantly reduces the time and effort required to apply security configurations. With a single playbook, organizations can automate the hardening process across numerous systems simultaneously, saving valuable time and freeing up resources for other critical tasks.

  3. Scalability and Manageability: Ansible’s ability to scale automation tasks makes it ideal for applying CIS benchmarks across large and distributed environments. Whether managing a handful of systems or hundreds of servers, Ansible allows for efficient and centralized management of security configurations. Updates and changes to the benchmark can be easily implemented across the infrastructure, ensuring ongoing compliance.

  4. Consistent Auditability and Compliance: Compliance with CIS benchmarks often requires periodic audits and assessments. Ansible provides built-in capabilities to track and document changes made during the automation process, ensuring a clear audit trail. Organizations can generate reports Playbooknstrating compliance with the CIS benchmarks, simplifying the compliance and audit processes.

  5. Rapid Response to Security Threats: Automating CIS benchmark configurations with Ansible enables organizations to respond to emerging security threats quickly. Ansible playbooks can be updated and re-executed in real-time to enforce new security controls or remediate vulnerabilities identified in the CIS benchmark. This agility ensures systems remain protected and aligned with the latest security best practices.

  6. Continuous Monitoring and Enforcement: Ansible allows for continuous monitoring and enforcement of CIS benchmark configurations. Playbooks can be scheduled to run periodically or triggered by events, ensuring that systems remain hardened. If any deviations from the benchmark are detected, Ansible can automatically remediate the issues, restoring systems to a secure state.

In summary, automating CIS benchmark implementation with Ansible streamlines the process, saves time and resources, ensures consistency and compliance, and enhances the organization’s ability to respond to security threats. By leveraging Ansible’s automation capabilities, organizations can strengthen their security posture, improve operational efficiency, and maintain ongoing adherence to industry-recognized security standards.

Join 50+ hours of courses in our exclusive community

Demo

How to comply with CIS Benchmark using Ansible Lockdown roles.

Step 1: Familiarize Yourself with the CIS Benchmark: Start by obtaining the latest CIS Benchmark for RHEL 9. The CIS Benchmark provides comprehensive guidelines and recommendations for securing your RHEL 9 systems. Review the Benchmark document to gain a deep understanding of the hardening steps required.

Step 2: Install and Configure Ansible: Ensure that Ansible is installed on your system. Ansible is an open-source automation tool that simplifies the process of configuration management and orchestration. Install Ansible on a control machine that will execute the hardening tasks on the target RHEL 9 systems.

Step 3: Downdload the Ansible Lockdown Roles: Using your knowledge of the CIS Benchmark, the Ansible Lockdown created a series of Ansible roles that incorporates the necessary tasks for hardening RHEL 9. Each role should correspond to a specific CIS Benchmark recommendation. Ansible’s declarative language allows us to declare the desired state of our system, making it easier to enforce security configurations consistently across multiple machines.

$ ansible-galaxy install git+https://github.com/ansible-lockdown/RHEL9-CIS.git

execution:

Starting galaxy role install process
- extracting RHEL9-CIS to /Users/lberton/.ansible/roles/RHEL9-CIS
- RHEL9-CIS was installed successfully

Step 4: Create an Ansible Playbook that uses the “RHEL9-CIS” role: To enhance the flexibility and reusability of your playbook, define variables and use Jinja2 templates where appropriate. The Ansible role already includes an example site.yml playbook that we can use to execute the code:

---
- hosts: all
  become: true
  roles:
      - role: "RHEL9-CIS"

Step 5: Create our Ansible inventory: Our Ansible inventory defines the list of target hosts and how to connect to them. For example, I would like to target the execution against rhel.example.com connecting with SSH username luca:

rhel.example.com

[all:vars]
ansible_connection=ssh
ansible_user=luca

Step 5: Execute our Ansible playbook:

Within our Ansible playbook, we execute the Ansible RHEL9-CIS role that implements tasks that align with the CIS Benchmark recommendations. Examples of tasks may include restricting root access, configuring network parameters, enabling auditing, and securing system services. Ansible provides a rich set of modules that simplify the execution of these tasks, allowing you to enforce security configurations efficiently.

ansible-playbook -i inventory site.yml

the output of the execution:

[...]
TASK [RHEL9-CIS : Show Audit Summary] ********************************************************
skipping: [rhel.example.com]

TASK [RHEL9-CIS : If Warnings found Output count and control IDs affected] *******************
ok: [rhel.example.com] => {
    "msg": "You have 16 Warning(s) that require investigating that are related to the following benchmark ID(s)  [1.1.2.1] [1.1.3.1] [1.1.4.1] [1.1.5.1] [1.1.6.1] [1.1.7.1] [1.1.8.1] [1.2.3] [1.6.1.6] [2.4] [4.3] [6.1.10] [6.1.11] [6.1.13] [6.1.14] [6.1.15]"
}

PLAY RECAP ***********************************************************************************
rhel.example.com           : ok=343  changed=4    unreachable=0    failed=0    skipped=173  rescued=0    ignored=0 

Step 6: Test and Verify: Thoroughly testing our playbook, we receive the list of Warning that we need to focus on verifying our system. It is always necessary to test our code in a test environment before deploying it in production. Use Ansible’s dry-run mode to preview changes without making actual modifications to your systems. Additionally, develop a verification process to ensure that the desired hardening configurations have been successfully applied to your RHEL 9 systems.

Step 7: Schedule and Monitor: Schedule the execution of your Ansible playbook periodically to enforce continuous hardening and compliance with the CIS Benchmark. Implement monitoring mechanisms to alert you in case of any deviations from the desired security configurations. Ansible provides various reporting and logging options to facilitate this monitoring process.

Conclusion

Automating the hardening process for RHEL 9 using Ansible and the CIS Benchmark allows organizations to establish a robust security posture efficiently. By following the steps outlined in this article, you can leverage the power of Ansible’s automation capabilities to enforce security configurations consistently across your RHEL 9 systems. Remember to keep your playbook up to date with the latest CIS Benchmark recommendations to stay ahead of emerging security threats. Implementing CIS Benchmark hardening with Ansible not only strengthens the security of your RHEL 9 infrastructure but also saves valuable time and resources by automating repetitive manual tasks.

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my Udemy 300+ Lessons Video Course.

BUY the Complete Udemy 300+ Lessons Video Course

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 250+ Ansible code

Want to keep this project going? Please donate

Patreon Buy me a Pizza