Automating OS Hardening

🎵With a little help from my friends🎵
CIS Benchmarks 🎫 and Ansible ⚙

A talk by Jon “The Nice Guy” Spriggs

Well, just who are you then?

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

Jon “The Nice Guy” Spriggs
- Automation & Orchestration + Cloud Security Specialist, Distinguished Engineer
- …
- Podcaster, Blogger, Twitch/Youtube creator, Conference speaker

Well, just who are you then?

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

Jon “The Nice Guy” Spriggs
- Automation & Orchestration + Cloud Security Specialist, Distinguished Engineer
- Technical Account Manager
- Podcaster, Blogger, Twitch/Youtube creator, Conference speaker

Topics

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

CIS Benchmark
Ansible

CIS Benchmarks

CIS Benchmarks – Ubuntu 20.04

CIS Benchmarks – Ubuntu 20.04 – A Check!

Ansible

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

A simple Ansible playbook

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

Execution

ansible-playbook \
  playbook.yml \
  -i inventory

playbook.yml

---
- name: Confirm Comms
  hosts: all_linux_servers
  tasks:
  - name: Confirm we can connect
    ping:
    register: comms_check

  - name: Debug results
    debug:
      var: comms_check
    when: comms_check is not failed

inventory

localhost ansible_connection=local

[all_servers:children]
all_linux_servers
all_windows_servers

[all_linux_servers]
localhost
web_lb     ansible_host=deadbeef.example.org
web_be[1:3].example.org

[all_windows_servers]
ad01                 ansible_host=192.0.2.10
ad02                 ansible_host=198.51.100.10
rds[a:f].example.org

[all_windows_servers:vars]
ansible_connection=winrm
ansible_user=ansible_service_account
# ansible_password in 
#   group_vars/all_windows_servers/vault

Well, here’s a simple representation of that previous slide.
[ CLICK ]
On our unix-like shell, we execute the command ansible-playbook,
[ CLICK ]
telling it which playbook to read
[ CLICK ]
and which inventory file to read.
[ CLICK ][ CLICK ]
The playbook has a single “Play” which is named
[ CLICK ]
lists which hosts it will target
[ CLICK ]
and the tasks it wants to be performed.
[ CLICK ]
This first task is a connection check, using the module “ping”, which is not the ICMP or UDP ping, but more like the IRC Ping/Pong challenge/response. It is named, and registers the response in the “comms_check” variable.
[ CLICK ]
Next we output our response, using the debug module, which we pass an argument of the variable comms_check. We also say we only want this command to run if it didn’t fail.
[ CLICK ][ CLICK ]
In our inventory file, we first list the localhost. If we run Ansible without any inventory, you get the localhost automatically, but as soon as you add an inventory, you need to manually specify it. Here we see that the host has a variable assigned against it at the outset – ansible connection equals local. By default, ansible talks SSH, so any time we’re not using SSH, we need to tell Ansible that. We’ll see another example in a bit.
[ CLICK ]
Next we’ll jump down to the group All Linux Servers.
[ CLICK ]
We’ve included the localhost in the group, as it’s running WSL.
[ CLICK ]
I’ve also added the web load balancer, and, because that doesn’t resolve to a specific host in either the DNS server, nor in our ssh config file, I’ve specified the real hostname it’ll connect to. This means you can give long complex hostnames short aliases, or give meaningless hostnames or IP addresses descriptive names for your logging purposes.
[ CLICK ]

And lastly in this block, I’ve added a DNS-Resolvable range of three backend servers. Now, naturally, those won’t resolve, as you’ll see in a bit!
[ CLICK ]
I’ve added some Windows Servers, even though they’re not referenced in the playbook, because maybe there’s another playbook which targets all of these boxes, or perhaps we didn’t get to those tasks yet. Either way,
[ CLICK ]
We have two IP addressed hosts – AD 1 and 2. Like with the load balancer, these don’t have DNS names, instead they have an IP address.
[ CLICK ]
And next we have 7 DNS resolvable RDS servers. Excellent.
[ CLICK ]
These windows servers all have some common connection variables
[ CLICK ]
like they use WinRM
[ CLICK ]
And have a common service account to log into them.
[ CLICK ]
If I was being entirely insecure, I’d dump a plaintext service account password into this inventory, but I’m not completely foolish! No, I’ve stored that password in an encrypted file in the “group vars” directory for this group of servers. Ansible has it’s own name for this encryption system, called Vault. It uses standard encryption primatives, so it’s not completely unreasonable.
Actually, this is one of the few serious benefits of Ansible Tower and AWX, which is that AWX can segregate the action of storing access credentials away from the users who are executing ansible playbooks, so they’re in one central location, and you can harden and protect that host accordingly.
Anyway, let’s move on!
[ CLICK ]
The last thing in this inventory is that we have a final group, called “all servers” which has two child-groups associated to it – all linux and all windows servers. In theory, we could target both platforms with a standard set of configuration steps… but we don’t here.
So, what does this actually look like when it runs?

Running the Playbook

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

Using templating

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

Used in YAML files

---
var: "{{ somevar | default('a default value') }}"
conditional_var: |-
  {%- if somevar | length > 1 -%}
    long string
  {%- elif somevar | length == 1 -%}
    letter
  {%- else -%}
    empty
  {%- endif -%}
ternary_var: "{{ a_bool | ternary('true', 'false') }}"

Used in template files


#!/bin/bash
key="default value"
{% if template_list | default([]) | length > 0 -%}
{% for template_item in template_dict | dict2items %}
{{ template_item.key }}="{{ template_item.value }}"
{% endfor %}
{%- endif %}
echo "${key}"

Used in tasks

---
- name: Some Task
  debug:
    msg: "{{ item }}"
  when: item | length > 0
  # Note that this is treated like a 
  #   {% %} block

Ansible and CIS Together

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

Simple example:

setup.yml

---
- name: Run Setup
  hosts: all
  tasks:
  - name: Run CISHardenOS
    include_role: 
      name: jontheniceguy.CISHardenOS

roles/
jontheniceguy.CISHardenOS/
defaults/main.yml

---
execute_cishardenos_1_1_1_1: true

roles/
jontheniceguy.CISHardenOS/
tasks/main.yml

---
- name: 1.1.1.1 Disable cramfs kernel module
  copy:
    dest: /etc/modprobe.d/cramfs.conf
    content: install cramfs /bin/true
    owner: root
    group: root
    mode: "0644"
  when: execute_cishardenos_1_1_1_1
- name: 1.1.1.1 Remove cramfs kernel module
  community.general.modprobe:
    name: cramfs
    state: absent
  when: execute_cishardenos_1_1_1_1

Common file structures

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

/
|- a_play_book.yml
|- another_playbook.yml
|- inventory
|- host_vars/
|           |- a_host.yml
|           |- complex_host/
|                          |- vars-1.yml
|                          |- vars-2.yml
|- group_vars/
|            |- a_group.yml
|            |- complex_group/
|                            |- vars-1.yml
|                            |- nested/
|                                     |- more-vars.yml
|- roles/
        |- a_guy.somerole/tasks/main.yml
        |- another.role/
                       |- defaults/main.yml
                       |- tasks/main.yml
                       |- vars/main.yml

Ansible Roles

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

Thanks for listening

https://jon.sprig.gs/blog/post/slideshow/automating-os-hardening

Want to get involved?

Github: Ansible-System-Hardening-and-Auditing

Thanks for listening!