Automating security configuration with Ansible Lockdown
Ansible Lockdown is a security baseline project, sponsored by Mindpoint Group, that provides Ansible playbooks aimed at taking the pain out of implementing STIG and CIS baselines.
Getting Started
This writeup uses the Ubuntu 20 CIS playbook as an example and has three parts:
- Installation requirements
- Understanding actions taken by plays
- Executing plays
Requirements
The requirements are slim, since Ansible is designed to be as compatible as possible without needing many additional tools on the control machine. Whether you run the plays on a single host or push them to a fleet, the requirements are broadly just Ansible and, optionally, Git to clone the repository onto the machine.
- Ansible
- Git (optional)
- Repository of plays corresponding with your host(s)
Understanding the playbook
The Ubuntu CIS playbook is divided into various sections which include such actions as service configuration, network configuration,
Executing plays on host(s)
Depending on whether you want to execute the playbook against a fleet or an individual system, you will configure it differently.
Installing on a single host
This is the easier of the two to configure, but it is less convenient at scale and, with no central source of truth re-applying the baseline, the host may drift from it over time.
- Install Ansible using your package manager of choice; in our case this is done with `sudo apt-get install ansible`.
- Git clone, or download the ZIP of, the repository corresponding to the system you intend to run the plays on. In our case this is the Ubuntu 20 CIS playbook.
- By default the play targets `hosts: all`, and Ansible's implicit localhost is not a member of `all`, so with no inventory the play matches no hosts and nothing runs. Since we do want to run this on localhost, edit the `hosts:` field in `site.yml` from `all` to `localhost`.
- You are now ready to run the playbook, but first make sure you fully understand what it will do to your system. The playbook is written not to break your system by default, but it is still a hardening baseline that reconfigures a large number of settings, so a dry run with `ansible-playbook site.yml --check --diff` to review the proposed changes is worth the minute it takes. While in the directory containing `site.yml`, run the command `ansible-playbook site.yml`.
- The plays should now be executing. Notice the colour indicators: green (`ok`) for configurations that already match the baseline, yellow (`changed`) for tasks that reconfigured something, and red (`failed`) for tasks that could not be applied.
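The single-host procedure above, together with the `--list-tasks`/`--list-tags` view of the playbook's sections described under "Understanding the playbook", as one script. This is an added example, not code from the page or from the Ansible Lockdown project. It assumes the repository URL shown (verify it against the project's GitHub organisation) and that the plays escalate with `become`, so `-K` is passed for the sudo password. It prefers a throwaway one-line inventory over editing `site.yml`, which keeps the upstream file clean for later `git pull`s, and keeps the page's edit of the `hosts:` field as an alternative function.

```shell
#!/bin/sh
# Added example (not from the page or the Ansible Lockdown project): the
# single-host procedure as a script. Assumptions are marked below.
set -eu

# Assumed repository URL for the Ubuntu 20 CIS playbook; confirm it against
# the project's GitHub organisation before relying on it.
REPO_URL="${REPO_URL:-https://github.com/ansible-lockdown/UBUNTU20-CIS.git}"
WORKDIR="${WORKDIR:-$HOME/UBUNTU20-CIS}"

install_requirements() {
  sudo apt-get update
  sudo apt-get install -y ansible git
}

fetch_playbook() {
  [ -d "$WORKDIR/.git" ] || git clone "$REPO_URL" "$WORKDIR"
}

# Preferred: leave site.yml untouched and supply a one-line inventory instead.
# Ansible's implicit localhost is not a member of "all", so without an inventory
# the play matches nothing; with this file "hosts: all" resolves to exactly this
# machine and the local connection plugin is used instead of SSH.
# Prints the inventory path.
write_local_inventory() {
  path="$1"
  printf 'localhost ansible_connection=local\n' > "$path"
  printf '%s\n' "$path"
}

# Alternative matching the page: rewrite every "hosts:" key in a playbook
# (e.g. from "all" to "localhost") and print the value now set, so it can be
# checked before running anything.
set_play_hosts() {
  playbook="$1"; target="$2"
  sed -i -E "s/^([[:space:]]*hosts:[[:space:]]*).*$/\1${target}/" "$playbook"
  grep -E '^[[:space:]]*hosts:' "$playbook" | head -n 1 \
    | sed -E 's/^[[:space:]]*hosts:[[:space:]]*//'
}

# Dry run first. --list-tasks and --list-tags show what the playbook contains
# and which tags you can select with --tags/--skip-tags; --check makes no
# changes and --diff shows what each task would alter. -K prompts for the sudo
# password needed for "become". Caveat: tasks that depend on the result of an
# earlier change cannot always be evaluated in check mode and may show as skipped.
preview() {
  inv="$1"
  cd "$WORKDIR"
  ansible-playbook -i "$inv" site.yml --list-tasks
  ansible-playbook -i "$inv" site.yml --list-tags
  ansible-playbook -i "$inv" site.yml --check --diff -K
}

# Apply for real. In the recap, ok=green (already compliant), changed=yellow,
# failed=red; a non-zero exit status means at least one task failed.
apply() {
  inv="$1"
  cd "$WORKDIR"
  ansible-playbook -i "$inv" site.yml --diff -K
}

main() {
  install_requirements
  fetch_playbook
  inv=$(write_local_inventory "$WORKDIR/local.ini")
  preview "$inv"
  apply "$inv"
}

# Guarded so the functions can be sourced and exercised without touching the
# system; set RUN_CIS_BASELINE=1 to execute the whole procedure.
if [ "${RUN_CIS_BASELINE:-0}" = "1" ]; then
  main
fi
```

Run it as `RUN_CIS_BASELINE=1 sh harden.sh` and read the `--check --diff` output before the real run starts; if you would rather follow the page and edit `site.yml` directly, call `set_play_hosts "$WORKDIR/site.yml" localhost` and drop the `-i` inventory argument.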
Installing on Ansible Tower to deploy on a fleet
Coming soon..