Automating OS Hardening

🎵With a little help from my friends🎵
CIS Benchmarks 🎫 and Ansible ⚙

A talk by Jon “The Nice Guy” Spriggs

Well, just who are you then?

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

  • Jon “The Nice Guy” Spriggs
    • Automation & Orchestration + Cloud Security Specialist, Distinguished Engineer
    • Technical Account Manager
    • Podcaster, Blogger, Twitch/Youtube creator, Conference speaker

Topics

  • CIS Benchmark
  • Ansible

CIS Benchmarks

CIS Benchmarks – Ubuntu 20.04

CIS Benchmarks – Ubuntu 20.04 – A Check!

Ansible

A simple Ansible playbook

Execution

ansible-playbook \
  playbook.yml \
  -i inventory

playbook.yml

---
- name: Confirm Comms
  hosts: all_linux_servers
  tasks:
  - name: Confirm we can connect
    ping:
    register: comms_check

  - name: Debug results
    debug:
      var: comms_check
    when: comms_check is not failed

inventory

localhost ansible_connection=local

[all_servers:children]
all_linux_servers
all_windows_servers

[all_linux_servers]
localhost
web_lb     ansible_host=deadbeef.example.org
web_be[1:3].example.org

[all_windows_servers]
ad01                 ansible_host=192.0.2.10
ad02                 ansible_host=198.51.100.10
rds[a:f].example.org

[all_windows_servers:vars]
ansible_connection=winrm
ansible_user=ansible_service_account
# ansible_password is kept in group_vars/all_windows_servers/vault

Running the Playbook

Using templating

Used in YAML files

---
var: "{{ somevar | default('a default value') }}"
conditional_var: |-
  {%- if somevar | length > 1 -%}
    long string
  {%- elif somevar | length == 1 -%}
    letter
  {%- else -%}
    empty
  {%- endif -%}
ternary_var: "{{ a_bool | ternary('true', 'false') }}"

Used in template files


#!/bin/bash
key="default value"
{% if template_dict | default({}) | length > 0 -%}
{% for template_item in template_dict | dict2items %}
{{ template_item.key }}="{{ template_item.value }}"
{% endfor %}
{%- endif %}
echo "${key}"

Used in tasks

---
- name: Some Task
  debug:
    msg: "{{ item }}"
  loop: "{{ some_list }}"   # loop assumed here; `item` is each list entry
  when: item | length > 0
  # Note that `when:` is evaluated as a Jinja expression,
  #   as if inside a {% %} block, so it takes no {{ }}

Ansible and CIS Together

Simple example:

setup.yml

---
- name: Run Setup
  hosts: all
  become: true   # the hardening tasks write under /etc and unload modules
  tasks:
  - name: Run CISHardenOS
    include_role:
      name: jontheniceguy.CISHardenOS

roles/jontheniceguy.CISHardenOS/defaults/main.yml

---
execute_cishardenos_1_1_1_1: true

roles/jontheniceguy.CISHardenOS/tasks/main.yml

---
- name: 1.1.1.1 Disable cramfs kernel module
  copy:
    dest: /etc/modprobe.d/cramfs.conf
    content: install cramfs /bin/true
    owner: root
    group: root
    mode: "0644"
  when: execute_cishardenos_1_1_1_1
- name: 1.1.1.1 Remove cramfs kernel module
  community.general.modprobe:
    name: cramfs
    state: absent
  when: execute_cishardenos_1_1_1_1
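An added example (not from the talk or the CISHardenOS role) that extends the 1.1.1.1 tasks above into an audit-then-remediate pattern, so the same role can report compliance before changing anything; the `cishardenos_remediate` variable and the `cramfs_compliant` fact are assumed names, and the audit mirrors the benchmark's own check (modprobe -n -v and lsmod):

```yaml
---
# Added example: audit-then-remediate for CIS 1.1.1.1 (cramfs).
# cishardenos_remediate and cramfs_compliant are assumed names.
- name: 1.1.1.1 Audit whether cramfs is disabled and not loaded
  block:
    - name: 1.1.1.1 Check how modprobe would handle cramfs
      command: modprobe -n -v cramfs
      register: cramfs_modprobe
      changed_when: false
      failed_when: false   # non-zero if the module is unknown; that is fine
      check_mode: false    # still run the read-only check under --check

    - name: 1.1.1.1 Check whether cramfs is currently loaded
      command: lsmod
      register: cramfs_lsmod
      changed_when: false
      check_mode: false

    - name: 1.1.1.1 Record audit result
      set_fact:
        cramfs_compliant: >-
          {{ ('install /bin/true' in cramfs_modprobe.stdout
              or 'install /bin/false' in cramfs_modprobe.stdout)
             and cramfs_lsmod.stdout_lines
                 | select('match', '^cramfs\s') | list | length == 0 }}

    - name: 1.1.1.1 Report audit result
      debug:
        msg: "1.1.1.1 cramfs: {{ cramfs_compliant | bool | ternary('PASS', 'FAIL') }}"
  when: execute_cishardenos_1_1_1_1

- name: 1.1.1.1 Remediate only when non-compliant and remediation is enabled
  block:
    - name: 1.1.1.1 Disable cramfs kernel module
      copy:
        dest: /etc/modprobe.d/cramfs.conf
        content: "install cramfs /bin/true\n"
        owner: root
        group: root
        mode: "0644"

    - name: 1.1.1.1 Unload cramfs kernel module
      community.general.modprobe:
        name: cramfs
        state: absent
  when:
    - execute_cishardenos_1_1_1_1
    - cishardenos_remediate | default(false) | bool
    - not (cramfs_compliant | bool)
```

Run with `-e cishardenos_remediate=false` (or leave it unset) to get a PASS/FAIL report per host without changing anything, then set it to true for the enforcing run.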

Common file structures

/
|- a_play_book.yml
|- another_playbook.yml
|- inventory
|- host_vars/
|  |- a_host.yml
|  |- complex_host/
|     |- vars-1.yml
|     |- vars-2.yml
|- group_vars/
|  |- a_group.yml
|  |- complex_group/
|     |- vars-1.yml
|     |- nested/
|        |- more-vars.yml
|- roles/
   |- a_guy.somerole/tasks/main.yml
   |- another.role/
      |- defaults/main.yml
      |- tasks/main.yml
      |- vars/main.yml

Ansible Roles

Want to get involved?

Github: Ansible-System-Hardening-and-Auditing

Thanks for listening!

Automating OS Hardening by
Jon “The Nice Guy” Spriggs
https://jon.sprig.gs | @JonTheNiceGuy