
Hi, I'm John Spriggs, and I'm giving a talk today called Automating OS Hardening with a Little Help from My Friends: CIS Benchmarks and Ansible. So, as is fairly customary in talks like this, I should introduce myself. I'm John Spriggs, sometimes called John the Nice Guy. I'm an automation and orchestration specialist, focusing mostly on cloud security. I'm also a distinguished engineer at the company who employs me; well, actually, that was last week. As of this week, or next Monday rather, I'll be a technical account manager for a very, very large company. Don't know what that all entails yet, but anyway. I also podcast, blog, do Twitch and YouTube streams, and, well, stuff like what we're about to go through, just a little bit less polished. And I like to talk. My wife said I should just leave it there, but, well, I should follow that up by saying I like to talk at conferences, so this is exactly the sort of stuff that I like to talk about.

And what am I going to be talking about? Well, this is a talk for the blue teamers out there. I'm talking about hardening your operating systems and server applications with a framework called the CIS Benchmark. I'm also talking about an automation tool called Ansible. Now, this may already be in use in many of your organizations, or if not Ansible then something similar. The main alternatives that I know about are Puppet, Chef and Salt, but I really know Ansible, so that's what I'm going to be talking about.

So let's get on with this show. Here is a mildly tweaked version of the CIS Benchmark website. This lists all of the benchmarks they offer, covering operating systems like Amazon Linux, Debian, Ubuntu, Red Hat Enterprise Linux and Windows. They also cover browsers, virtualization platforms, office applications, and even server services like Apache httpd, the BIND DNS service, FreeRADIUS, IOS, SharePoint, MySQL. I did remove the list of mobile operating systems whilst I was shuffling the list around, and by mistake I forgot to add it back in, but it is supposed to be there too. Now, this page is the one that you get to from whichever benchmark you click on from the main site. So if you go and search for anything in the CIS benchmark site, you get to this page eventually. They email you a URL which takes you to another list which gives you the actual download. They don't really care which benchmark you're actually clicking on, just that your email address is valid. Because it's an email address, I'm not really sure whether you get put on a spam list at that point, because the company that I used to work for had actually signed up for a corporate membership at this site, so I get to go in a different way. But I don't recall getting any extra spam when I signed up for it with my personal address, so your mileage may vary, I don't know.
Sorry, just got lost there for a second. It's also worth mentioning the terms and conditions here as well. You're not allowed to use this as a commercial offering, so you can use it to harden your own servers, but you best not offer a CIS hardening service if you want to go with the free account. I think even the paid corporate service prevents that too, so just check what you're planning to do with those benchmarks before you use them. OK, that's all the legal disclaimers out of the way.

Let's take a look at the Ubuntu benchmark. Well, actually, it's just the table of contents for right now. You see each of those numbered points there, 1.1.1.1 and so on and so forth; these are checks to perform. Now, on my screen I can see file system configuration, which covers preventing certain kernel modules being loaded, setting volume mount configuration values. Next is software updates, file system integrity checking, and so on. Just on this one page of the table of contents there's over 40 checks. So let's look at the next page. Oh look, more checks: setting up access control, banners, disabling GUI logins, removing server services, network protocols. You see, this is blanket guidance: turn off what you're not using on the box, justify what you are. It's just like a checklist. Hmm, strange that. Anyway, next page, more content, more networking stuff: enable a firewall, configure it, turn on auditd, use it. Then you get more auditing, more logging, authentication, sudo, SSH, PAM, users, permissions, etc. Goodness, this is just the table of contents. Well, here we are, last page. All in all, over 250 checks in here, spanning 11 pages just of contents, and nearly 500 pages of actual content.

So should we have a look at one of the actual checks? So this is a simple check. I've skipped past the kernel-module-loaded checks and gone straight for the installer package for AIDE, to integrate file system integrity checking. Basically you've got six sections here: what sort of profile of machine this check is relevant to, which CIS controls it supports, why you would want to run this check, how you run this check, and then how to remediate a failure of that check. This one also lists a few other bits and pieces, like the details about the problems you might run into when you're using this. So this is looking for a particular software package, in this case AIDE, and it's telling you how to install it and then how to perform basic configuration on it. Even without the automation side of things, these are actually really useful documents.

So what's next? Well, let's look at Ansible. Now, I thought you might have had a bit too much text on the previous few pages, so I drew a pretty diagram. Well, I say pretty. Ansible is an open source project from Red Hat. You can run the command line tool on any Unix-like shell, including Linux and OS X. It doesn't natively run on Windows, but if you're running Windows Subsystem for Linux, WSL, it'll run quite nicely, albeit slowly, on there. If your environment doesn't use WSL or let you run it on a bastion host, you can install the Ansible Automation Platform, which is a charged product from Red Hat, or their open source upstream project AWX. AWX is basically an unbranded version of the Ansible Automation Platform and in theory runs on any system that runs Docker. Personally, I've only tried AWX on Ubuntu and Ansible Automation Platform on RHEL. AWX and the Ansible Automation Platform have engines that run the same playbooks that the command line tool ansible runs, so from this point I'll refer to everything as though we're just using the command line version, which is good, otherwise you'd have even more pointless screenshots in the forthcoming pages.

So Ansible will use an inventory file or an inventory script to determine which hosts it needs to talk to. It also reads a YAML file which details what plays it's going to execute, and a play is a combination of a host selection and a collection of tasks which will be performed sequentially across all those hosts. Each task is executed against one of the following: a server, connected over SSH or WinRM; a network device, over HTTPS or SSH; or a cloud or SaaS API, over HTTPS. So what might that look like? So here's a simple representation of that previous slide. So on our Unix-like shell we execute the command ansible-playbook, telling it which playbook to read and which inventory file to read. Then here's our playbook. The playbook has a single, in this case, play, which is named "confirm comms", that lists which hosts to target and the tasks it wants to be performed. Now, in this case, the first task is going to be a connection check using the module ping. That's not the ICMP or UDP
ping, but more like the IRC ping-pong challenge-response. It's named "confirm we can connect", and it registers the response in the comms check variable. Next we output our response using the debug module, to which we pass our argument of the variable comms check that we previously defined. We also say we only want this command to run if the previous command didn't fail. So that's our playbook done.

In our inventory file we first list the localhost. Now, if we run Ansible without any inventory you get the localhost added automatically, but as soon as you add an inventory file you need to manually specify the localhost, and here we can see that the localhost has a variable assigned against it from the outset: ansible_connection equals local. So by default Ansible talks SSH; any time we're not using SSH we need to tell Ansible that. We'll see another example of that in a bit. So next we jump down to the group "all linux servers". Now, again, we've included the localhost in this group, as it's actually running WSL, so therefore it's kind of a Linux environment. I've also added a web load balancer, and because that doesn't resolve to a specific host in either the DNS server nor in our SSH config file, I've specified the real hostname it will connect to. So this means you can give a long, complex hostname a short alias, or it can give a meaningless hostname or IP address descriptive names for your logging purposes. Lastly in this block I've added a DNS-resolvable range of three back end servers. Now, naturally those won't actually resolve; well, you'll see that in a bit.

I've also added some Windows servers, even though they're not referenced in the playbook, because, well, maybe there's another playbook which targets Windows servers, or perhaps we didn't get to those tasks yet when we were writing the playbook. Either way, we have two IP-addressed node hosts, 81 and 82, and, like with the load balancer, they don't have DNS names; instead they have an IP address. We also have seven DNS-resolvable RDS servers. Excellent. We're not going to connect to those, but you'll see what happens anyway. These Windows servers all have some common connection variables, like they use WinRM, for example; they have a common service account against them, and if I were being completely and entirely insecure I'd dump a plain text password for this service account into the inventory. But I'm not completely foolish, no. Instead, I've stored that password in an encrypted file in the group_vars directory for this group of servers. Now, Ansible has its own name for this encryption system, called Vault. It uses standard encryption primitives; offhand I don't know what they were, but I think it's AES-256, something like that, so it's not completely unreasonable. And actually this is one of the few serious benefits of Ansible Tower and AWX, which is that AWX or Ansible Tower can segregate the action of storing access credentials away from users who are actually executing the Ansible playbooks. So they're still in one central location, and you can harden and protect that host accordingly, but they're not completely accessible to everyone. Anyway, let's move on.

So the last thing we have in this inventory is a final group called "all servers", which has two child groups associated to it, "all linux" and "all windows servers". So in theory we could target both platforms with a standard set of configuration steps. We don't do that here, but you can see how you might extend this out to other things as well. So what does this actually look like when it runs? Skipped too far. So let's run this video; it's stored off elsewhere, so, sorry about that, it's not gonna look very pretty for a second. Let's run this. So that's ansible-playbook -i inventory playbook. You see it's confirming the comms, running the play "confirm comms", and the first thing it does is run this "gathering facts" task. Now, you see there it's failed to connect to some hosts, because it couldn't resolve the hostnames. After that it ran the test, it then output the debug results we asked it to, and then you get this recap at the end, where you see here the fact that localhost ran OK; it was able to run three tasks. The three back end servers were unreachable, unreachable because it couldn't resolve the DNS names, and then the load balancer, it connected to fine. So that's good. So let's close that screen and come back to our slides.
So how else can we use Ansible? So that previous slide, and in fact all the rest of these slides as well, actually don't do really any templating, but this is quite a large part of why I like Ansible. Almost anywhere you see a defined variable in an Ansible playbook or a config file, it can be templated, and by that I mean Ansible will, on demand, render that templated string to build a new value. Like in the YAML file here, at the top we provide a default value when something's missing: so some_var might be defined somewhere else, and if it's not there we use a default value. You can run if / else if / else / end if script, and you can even do ternary, you know, if value is true then return true, and so if value is x then return y, and if it's not x then return z. You can also create template files as well, so like in the bottom block there you can see a for loop stepping over items to build up a more complicated configuration file or documentation file. You can also see that you can use these strings in tasks.

So let's put Ansible and the CIS benchmark together. So here we have our setup importing a role which currently has two files in it: the defaults file, which stores some overrideable values, and the tasks, which will be executed as part of that role. Now, I'm not going to go too far into what this role does right now, but basically it does the remediation steps we documented in the benchmark, but only if that overrideable value down here, execute CIS harden OS 1.1.1.1, is true.
Now, when we put that role into your playbook, it becomes a reusable block of code anywhere that you want to use it. This screen shows two roles as part of a test playbook, embedded into the environment using a GitHub module pack. Now you can see where you might put those files to test things. You can also store this role elsewhere in your environment and ask your developers to edit their requirements; there's loads of documentation about this on the Ansible website. Now, if your team is already using Ansible, then perhaps they'll contribute fixes, tweaks, improvements to your playbook, you never know. Now, if you're interested in how a role gets put together, this slide shows you what files go where. Feel free to screen grab this or take a picture, or even, as this is going up as a video, you may want to play it all back and, you know, catch a specific part of it. Even better, if you want to get involved in the project that I'm writing, to write these 240 checks for Ubuntu and later some of the other CIS benchmark checks, then click on the QR code that's there. If not, come back to look at the URL that's in the top of all of these slides, click through to that link at the bottom there to the GitHub repo, and on the other side there you'll see that I've already written some of those tests; in fact, I've written the first eight of them, so that's good.

Anyway, thank you very much for listening to my presentation. I wish you lots of luck getting yourself started on using Ansible or the CIS benchmarks, or even better maybe use both, and if you want to talk to me about any of this lot then please feel free to give me a shout. Thanks very much.
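The inventory the talk walks through, reconstructed as an added example (this is not the speaker's file and not taken from the GitHub repo the slides point at). Group names, host aliases, the `192.0.2.x` addresses (a documentation range), the service account name and the `ntlm` WinRM transport are all constructed placeholders; what it demonstrates is the layout the talk describes: `localhost` with a local connection, a short alias for a long load-balancer name via `ansible_host`, range syntax for the back end and RDS servers, group-level WinRM variables, a parent group with two children, and the service account password kept out of the inventory.

```ini
# Added example inventory (constructed, not the speaker's file).
# Hostnames and addresses are placeholders; 192.0.2.0/24 is a documentation range.
localhost ansible_connection=local

[all_linux_servers]
localhost
# Short, descriptive alias for a long name that neither DNS nor ~/.ssh/config knows
webloadbalancer ansible_host=lb-edge-01.longdomain.internal.example.com
# Range syntax expands to backend01, backend02, backend03
backend[01:03].example.com

[all_windows_servers]
# IP-addressed hosts with no DNS name get a meaningful alias for the logs
winnode81 ansible_host=192.0.2.81
winnode82 ansible_host=192.0.2.82
rds[01:07].example.com

[all_windows_servers:vars]
# Anything that is not SSH has to be declared explicitly
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=ntlm
ansible_user=svc_ansible
# ansible_password is deliberately NOT here: it lives in
# group_vars/all_windows_servers/vault.yml, encrypted with ansible-vault.

[all_servers:children]
all_linux_servers
all_windows_servers
```

The encrypted file is created with `ansible-vault create group_vars/all_windows_servers/vault.yml` and contains a single line, `ansible_password: <the service account password>`; Ansible's Vault encrypts it with AES-256 under a passphrase. A run then looks like `ansible-playbook -i inventory playbook.yml --ask-vault-pass`, and the playbook sees `ansible_password` for every host in `all_windows_servers` without the secret ever appearing in plain text in version control.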
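An added example playbook, not the speaker's code, reconstructing the two things the talk describes: the "confirm comms" play (ping registered into a variable, then debug only if the ping succeeded) and a CIS-style remediation gated on an overrideable switch, using the `default` filter and a ternary the way the templating slide describes. The role from the talk is shown inline as tasks here. Assumptions: the group name `all_linux_servers`, the variable names `execute_cis_harden_os_1_1_1_1` and `execute_cis_harden_os_aide`, that check 1.1.1.1 is the kernel-module block for `cramfs` (the talk only says the section covers preventing modules from loading), and the `aideinit -y -f` invocation producing `/var/lib/aide/aide.db` on Debian-family systems.

```yaml
---
# Added example: reconstructs the talk's "confirm comms" play and a gated
# CIS-style remediation. Group and variable names are assumptions.
- name: Confirm comms
  hosts: all_linux_servers
  tasks:
    - name: Confirm we can connect
      ansible.builtin.ping:
      register: comms_check

    - name: Show the ping result
      ansible.builtin.debug:
        var: comms_check
      # Only report if the previous task did not fail
      when: comms_check is succeeded

- name: Harden OS (CIS benchmark subset)
  hosts: all_linux_servers
  become: true
  vars:
    # Overrideable switches, as the role's defaults file does in the talk.
    # 'default' supplies a value when nothing defines cis_enable_all elsewhere
    # (group_vars, host_vars, or -e on the command line).
    execute_cis_harden_os_1_1_1_1: "{{ cis_enable_all | default(true) }}"
    execute_cis_harden_os_aide: "{{ cis_enable_all | default(true) }}"
    # Assumption: 1.1.1.1 is the "disable the cramfs filesystem module" check.
    cis_1_1_1_1_module: cramfs
    # Ternary: Debian-family systems ship aide-common alongside aide; others do not.
    aide_packages: "{{ (ansible_facts['os_family'] == 'Debian') | ternary(['aide', 'aide-common'], ['aide']) }}"
  tasks:
    - name: 1.1.1.1 Ensure the filesystem module cannot be loaded
      ansible.builtin.copy:
        dest: "/etc/modprobe.d/{{ cis_1_1_1_1_module }}.conf"
        content: "install {{ cis_1_1_1_1_module }} /bin/true\n"
        owner: root
        group: root
        mode: "0644"
      when: execute_cis_harden_os_1_1_1_1 | bool

    - name: 1.1.1.1 Verify modprobe now substitutes /bin/true for the module
      ansible.builtin.command: "modprobe -n -v {{ cis_1_1_1_1_module }}"
      register: modprobe_check
      changed_when: false
      failed_when: "'install /bin/true' not in modprobe_check.stdout"
      when: execute_cis_harden_os_1_1_1_1 | bool

    - name: Ensure AIDE is installed (file system integrity checking)
      ansible.builtin.package:
        name: "{{ aide_packages }}"
        state: present
      when: execute_cis_harden_os_aide | bool

    - name: Initialise the AIDE database once (assumption: aideinit -y -f writes aide.db)
      ansible.builtin.command: aideinit -y -f
      args:
        creates: /var/lib/aide/aide.db
      when: execute_cis_harden_os_aide | bool
```

Running it with `ansible-playbook -i inventory playbook.yml -e cis_enable_all=false` skips every remediation task and leaves only the connectivity check, which is the same override pattern the talk's role uses: the defaults say "do it", and a caller who has justified an exception turns the individual switch off rather than editing the role.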