Audit RHEL/CentOS 6 security benchmarks with ansible

Securing critical systems isn’t easy and that’s why security benchmarks exist. Many groups and communities distribute recommendations for securing servers, including NIST, the US Department of Defense (DoD), and the Center for Internet Security (CIS).

Although NIST and DoD are catching up quickly with newer OS releases, I’ve found that the CIS benchmarks are updated very regularly. CIS distributes auditing tools (with paid memberships) that require Java and they’re cumbersome to use, especially on servers where Java isn’t normally installed.

A better way to audit security benchmarks

I set out to create an Ansible playbook that would allow users to audit and (carefully!) remediate servers. The result is on GitHub. Before we go any further, I’d just like to state that I’m not affiliated with CIS in any way and this repository hasn’t been endorsed by CIS. Use it at your own risk.

Getting the playbook onto a machine is easy:

git clone https://github.com/major/cis-rhel-ansible.git

PLEASE review the README and NOTES files in the GitHub repository prior to running the playbook.


Seriously. I mean it. This playbook could knock production environments offline.

The tasks are split into sections (just like the CIS benchmarks themselves) and each section is split into Level 1 and 2 requirements.

Benchmark levels

Level 1 requirements provide good security improvements without a tremendous amount of intrusion into production workloads. With that said, they can still cause issues.

Level 2 requirements provide stronger security improvements but they can adversely affect production server environments. This is where you find things like SELinux, AIDE (including disabling prelinking), and some kernel tweaks for IPv6.

How to use it

I strongly recommend some dry runs with Ansible’s check mode before trying to modify a production system. Also, you can run the playbook against a freshly-installed system and then deploy your applications on top of it. Find out what breaks and disable certain benchmarks that get in the way.

The entire playbook takes less than a minute to run locally on a Rackspace Performance Cloud Server. Your results may vary over remote ssh connections, but I was seeing the playbooks complete over ssh within three to four minutes.

You can also review the variables file to find all the knobs you need to get more aggressive in your audits. If you spot something potentially destructive that needs a variable added, let me know (or submit a pull request).
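To make the section/level split and the "dry run first" advice concrete, here is an added illustration of how such audit and remediation tasks can be laid out. It is not code from the cis-rhel-ansible repository: the playbook name, the variable names and the specific checks are assumptions chosen for the example, and the task names do not follow the repository's numbering. Each task carries a section tag and a level tag, read-only checks are marked so they still run under check mode, and the intrusive Level 2 remediation is gated behind a variable that defaults to off.

```yaml
# Added example, not from the cis-rhel-ansible repository. File name
# "cis-audit.yml" and all variable names are assumptions for illustration.
#
# Dry run of Level 1 only, showing what would change (nothing is modified):
#   ansible-playbook -i inventory cis-audit.yml --check --diff --tags level1
# Run everything but skip a benchmark section that broke an application:
#   ansible-playbook -i inventory cis-audit.yml --tags level1 --skip-tags section6
---
- hosts: all
  become: yes
  vars:
    # Knobs of the kind the post's variables file exposes (names assumed).
    cis_level1: true
    cis_level2: false          # Level 2 is off unless explicitly enabled
    cis_disable_prelink: false # extra guard for a known-disruptive change
  tasks:
    # Audit-only check: it never changes the host, so it is safe under
    # --check; a failed assertion is the finding.
    - name: "Verify /tmp is mounted on its own partition"
      shell: mount | grep -E '[[:space:]]/tmp[[:space:]]'
      register: tmp_mount
      changed_when: false
      failed_when: tmp_mount.rc != 0
      check_mode: no
      tags: [section1, level1]

    # Level 1 remediation: idempotent, low risk to running workloads.
    - name: "Restrict permissions on /etc/shadow"
      file:
        path: /etc/shadow
        owner: root
        group: root
        mode: "0000"
      when: cis_level1
      tags: [section9, level1]

    # Level 2 remediation the post warns about: disabling prelinking can
    # upset tooling that expects prelinked binaries, so two variables
    # must both be true before it runs.
    - name: "Disable prelinking (Level 2)"
      lineinfile:
        path: /etc/sysconfig/prelink
        regexp: '^PRELINKING='
        line: 'PRELINKING=no'
        create: yes
      when: cis_level2 and cis_disable_prelink
      tags: [section1, level2]
```

Running with `--check --diff` first lets you read the would-be changes per task; disabling a troublesome benchmark is then a matter of `--skip-tags` or flipping its variable rather than editing the tasks.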

It’s open source

The entire repository is licensed under Apache License 2.0, so please feel free to submit issues, pull requests, or patches.

Comments

  1. says

    Hey Martin, I’m aware of OpenSCAP and it’s a great tool. However, one of my main goals for this project was to make something that could be integrated into existing deployments that are already using Ansible. I’ll send you an email so we can talk more about it. :)

  2. says

    Either a submodule in your current repo, or I usually add an instruction in the readme for the user to run “ansible-galaxy install [rolename]” prior to running the playbook (that will install the role in the default location on the user’s system… for me, I manage roles in a few different places, and prefer not to include them in playbooks unless I’m managing a system for someone else, and I don’t have time to track the latest versions of all the roles I’m using).

  3. Steven Wells says

    This is a great setup. I’ve been incredibly impressed with Ansible as of late.
    A fantastic job.

  4. says

    Got several questions for you, major :)

    1. If I try to run section6 (level1), I can’t log in using root access from another putty screen, nor using sudo (using another username that is already inserted in visudo and allowed in sshd). Is that something wrong or just my misunderstanding of this script?

    2. I found that this script is not working properly in an OpenVZ container; some providers have disabled audit in the container (so the benchmark fails at that auditd stuff). What can I do to fix it, or could you please make the updates?

    This script is awesome… so freakin’ awesome…. congrats :)
