Ansible Lockdown is a security baseline project, sponsored by MindPoint Group, that provides Ansible playbooks aimed at taking the pain out of implementing STIG and CIS baselines.

Getting Started

This writeup uses the Ubuntu 20 CIS playbook as an example and has three parts:

  1. Installation requirements
  2. Understanding actions taken by plays
  3. Executing plays

Requirements

The requirements are pretty slim, since Ansible is designed to be as compatible as possible without depending on many additional tools. Note that the two deployment approaches covered below (single host and fleet) differ in their setup, although the requirements for both are broadly just Ansible and, optionally, Git to clone the repository onto the machine.

  • Ansible
  • Git (optional)
  • Repository of plays corresponding with your host(s)

Understanding the playbook

The Ubuntu CIS playbook is divided into various sections which include such actions as service configuration, network configuration,

Executing plays on host(s)

Depending on whether you want to execute the playbook on a fleet or on an individual system, you will configure the playbook differently.

Installing on a single host

This is the easier of the two to configure; however, it is less convenient and may result in configuration drift.

  1. Install Ansible using your package manager of choice. In our case this is done by issuing the command sudo apt-get install ansible.

  2. Git clone or download the ZIP of the repository corresponding to the system you intend to run the plays on. In our case this is the Ubuntu 20 CIS playbook.

  3. By default, localhost is the only host configured and it is ignored, so running the playbook with no hosts added will actually result in an error. Since we do want to run this on localhost, edit the hosts: field in site.yml from all to localhost.

  4. You are ready to run the playbook. Before you do, make sure you fully understand what is happening to your system; by default, the playbook is designed not to break it. While in the directory containing site.yml, run the command ansible-playbook site.yml.

  5. The plays should now be executing. Notice the color indicators: green for configurations that are already in place and yellow for settings being reconfigured.
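The single-host procedure above, plus a way to inspect what the plays will do before they touch the system, as an added example script (not part of the Ansible Lockdown project). It assumes the repository clones to ./UBUNTU20-CIS from the URL shown, that its site.yml targets hosts: all as described in step 3, and it rehearses the site.yml edit on a constructed sample file before the real run.

```shell
#!/bin/sh
# Added example, not code from the Ansible Lockdown project. Assumes the
# Ubuntu 20 CIS repository is cloned to ./UBUNTU20-CIS (URL assumed) and
# that its site.yml targets "hosts: all", as the writeup describes.
set -eu

# Constructed stand-in for the play header of site.yml, so the edit can be
# rehearsed on a scratch copy before touching the real file.
write_sample_site() {
  cat > "$1" <<'EOF'
---
- hosts: all
  become: true
  roles:
    - role: "{{ playbook_dir }}"
EOF
}

# Step 3: retarget the play at localhost. Only a play-level "hosts: all"
# line is rewritten; a backup is kept as site.yml.bak. Prints the result.
set_hosts_localhost() {
  sed -i.bak -E 's/^([[:space:]]*-?[[:space:]]*hosts:[[:space:]]*)all[[:space:]]*$/\1localhost/' "$1"
  grep -E '^[[:space:]]*-?[[:space:]]*hosts:' "$1"
}

# Step 4, before applying: list every task the play would run, then do a
# dry run. --check changes nothing and --diff shows each file or setting
# that would be altered, so the "yellow" changes can be reviewed first.
review_plays() {
  ansible-playbook "$1" --list-tasks
  ansible-playbook "$1" --check --diff
}

apply_plays() {
  ansible-playbook "$1"
}

# Real run only when invoked as: sh harden.sh run
if [ "${1:-}" = run ]; then
  command -v ansible-playbook >/dev/null || { echo "install ansible first (step 1)" >&2; exit 1; }
  [ -d UBUNTU20-CIS ] || git clone https://github.com/ansible-lockdown/UBUNTU20-CIS.git
  cd UBUNTU20-CIS
  set_hosts_localhost site.yml
  review_plays site.yml
  apply_plays site.yml
fi
```

Check mode cannot evaluate tasks that depend on the registered output of earlier command or shell tasks, so treat the dry-run diff as a preview of the changes, not an exhaustive list.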

Installing on Ansible Tower to deploy on a fleet

Coming soon.