The Ansible Hardening role from the OpenStack project is a great way to secure Linux boxes in a reliable, repeatable and customisable manner.
It was created by former colleague of mine Major Hayden and while it was spun out of OpenStack, it can be applied generally to a number of the major Linux distros (including Fedora, RHEL, CentOS, Debian, SUSE).
The role is based on the Secure Technical Implementation Guide (STIG) out of the Unites States for RHEL, which provides recommendations on how best to secure a host and the services it runs (category one for highly sensitive systems, two for medium and three for low). This is similar to the Information Security Manual (ISM) we have in Australia, although the STIG is more explicit.
Rules and customisation
There is deviation from the STIG recommendations and it is probably a good idea to read the documentation about what is offered and how it’s implemented. To avoid unwanted breakages, many of the controls are opt-in with variables to enable and disable particular features (see defaults/main.yml).
You probably do not want to blindly enable everything without understanding the consequences. For example, Kerberos support in SSH will be disabled by default (via “security_sshd_disable_kerberos_auth: yes” variable) as per V-72261, so this might break access if you rely on it.
Other features also require values to be enabled. For example, V-71925 of the STIG recommends passwords for new users be restricted to a minimum lifetime of 24 hours. This is not enabled by default in the Hardening role (central systems like LDAP are recommended), but can be enabled be setting the following variable for any hosts you want it set on.
security_password_min_lifetime_days: 1
In addition, not all controls are available for all distributions.
For example, V-71995 of the STIG requires umask to be set to 077, however the role does not currently implement this for RHEL based distros.
Run a playbook
To use this role you need to get the code itself, using either Ansible Galaxy or Git directly. Ansible will look in the ~/.ansible/roles/ location by default and find the role, so that makes a convenient spot to clone the repo to.
mkdir -p ~/.ansible/roles git clone https://github.com/openstack/ansible-hardening \ ~/.ansible/roles/ansible-hardening
Next, create an Ansible play which will make use of the role. This is where we will set variables to enable or disable specific control for hosts which are run using the play. For example, if you’re using a graphical desktop, then you will want to make sure X.Org is not removed (see below). Include any other variables you want to set from the defaults/main.yml file.
cat > play.yml << EOF
---
- name: Harden all systems
hosts: all
become: yes
vars:
security_rhel7_remove_xorg: no
security_ntp_servers:
- ntp.internode.on.net
roles:
- ansible-hardening
EOF
Now we can run our play! Ansible uses an inventory of hosts, but we’ll just run this against localhost directly (with the options -i localhost, -c local). It’s probably a good idea to run it with the –check option first, which will not actually make any changes.
If you’re running in Fedora, make sure you also set Python3 as the interpreter.
ansible-playbook -i localhost, -c local \ -e ansible_python_interpreter=/usr/bin/python3 \ --ask-become-pass \ --check \ ./play.yml
This will run through the role, executing all of the default tasks while including or excluding others based on the variables in your play.
Running specific sets of controls
If you only want to run a limited set of controls, you can do so by running the play with the relevant –tags option. You can also exclude specific tasks with –skip-tags option. Note that there are a number of required tasks with the always tag which will be run regardless.
To see all the available tags, run your playbook with the –list-tags option.
ansible-playbook --list-tags ./play.yml
For example, if you want to only run the dozen or so Category III controls you can do so with the low tag (don’t forget that some tasks may still need enabling if you want to run them and that the always tagged tasks will still be run). Combine tags by comma separating them, so to also run a specific control like V-72057, or controls related to SSH, just add it them with low.
ansible-playbook -i localhost, -c local \ -e ansible_python_interpreter=/usr/bin/python3 \ --ask-become-pass \ --check \ --tags low,sshd,V-72057 \ ./play.yml
Or if you prefer, you can just run everything except a specific set. For example, to exclude Category I controls, skip the high tag. You can also add both options.
ansible-playbook -i localhost, -c local \ -e ansible_python_interpreter=/usr/bin/python3 \ --ask-become-pass \ --check \ --tags sshd,V-72057 \ --skip-tags high \ ./play.yml
Once you’re happy, don’t forget to remove the –check option to apply the changes.
