
Ansible CIS Hardening Debian | Setup Tutorial

by | Oct 4, 2022

Let’s explore CIS and system hardening with Ansible on Debian in this article. Bobcares, as a part of our Server Management Services, offers solutions to every query that comes our way.

Ansible CIS Hardening On Debian

CIS (Center for Internet Security) Benchmarks help defend systems, software, and networks against modern, growing cyber threats. They are widely recognized security standards for protecting IT systems and data from cyberattacks: they provide prescriptive advice for creating a secure baseline configuration, and thousands of businesses use them.


For industries like banking, telecommunications, and healthcare that must comply with PCI-DSS and HIPAA, auditors frequently suggest CIS benchmarks as a system hardening option.

In this article, we’ll look at how to use Ansible to work towards CIS Benchmark compliance by running a straightforward playbook on Debian. We will configure a Debian 10 machine to be CIS compliant.

How to set up Ansible CIS Hardening on Debian?

The Debian CIS benchmarks are divided into two distinct profiles called “Level 1” and “Level 2,” which are designed for server and workstation environments, respectively. The goal of a Level 1 profile is to secure a system in an efficient and responsible manner with a minimal performance impact. A Level 2 profile is used for systems where security is a high priority, even though it can negatively affect system performance.

We can automate system hardening in a variety of ways by using the CIS Benchmarks as a guide. Here, we are going to use an Ansible playbook. Playbooks may outline a set of steps in a general IT process or a policy that users want the remote systems to follow. They can assign tasks to other hosts, delegate multi-tier rollouts with rolling updates, and interact with load balancers and monitoring servers as they go.

The main steps include:

  • Firstly, install Ansible.
  • Then create an Ansible playbook.
  • Lastly, run the Ansible playbook.

Let’s see each step in detail.

Ansible Installation
  1. Firstly, log into the Ubuntu instance.
  2. Then type the below command on the command line.
    sudo apt install software-properties-common
  3. Now install Ansible by typing the command:
    sudo apt install ansible
  4. After the installation completes, upgrade Ansible using the command:
    sudo apt upgrade ansible
  5. Now go to the installation directory of Ansible using the following command:
    cd /etc/ansible
  6. Create a directory in which we can keep our playbooks using the command:
    sudo mkdir playbooks
  7. Here we implement the 2.3.4 CIS Benchmark item, which requires that the telnet client is not installed. Because this item is part of a larger section, 2.3 Service Clients, we design the playbook so that we can add multiple plays for that section in a single file.

    To do this, confirm we are in the playbooks directory under /etc/ansible and type the command below. This creates a .yaml file called 2.3_service_clients.yaml:

    sudo touch 2.3_service_clients.yaml
Playbook Creation
  1. Every playbook starts with three dashes to indicate the beginning of a .yaml file. So put “---” at the beginning of the playbook.
  2. Now configure the host. Here, we are running it locally. So set “hosts” to 127.0.0.1 and “connection” to local in the playbook.
  3. Then define a task or list of tasks that we want to run in the playbook. “- name: 2.3.4 Ubuntu and Debian Ensure telnet client is not installed (Scored)” is the logical name of the task that is going to run.
  4. Now define the Ansible module that we will be using. Using the parameter “state,” we specify that the desired package state is “absent.” Because the playbook has to know whether to run apt or yum depending on the OS, we write one task per package manager. This guarantees that the telnet client is not present or has been removed from our local machine:
    - name: 2.3.4 Ubuntu & Debian Ensure telnet client is not installed (Scored)
      apt:
        name: telnet
        state: absent

    - name: 2.3.4 CentOS & RHEL Ensure telnet client is not installed (Scored)
      yum:
        name: telnet
        state: absent

  5. And add a conditional statement to each task so we can run the playbook across multiple OSs. Note that the ansible_distribution fact reports Red Hat Enterprise Linux as “RedHat”, so that is the string to compare against:
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

      when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat'

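Putting the five steps above together, here is the complete 2.3_service_clients.yaml as an added example (it is not the article’s own file). It goes slightly beyond the steps: it also includes the 2.3.3 talk client plays, so it matches what the playbook does by the end of the execution section, and it sets “become: true” (an assumption added here) so the package removal still has root privileges when the playbook is run without sudo. Everything else (the host, the connection type, the module names, the task names and the conditionals) follows the article.

```yaml
---
# Added example, not the original article's file.
# Location assumed: /etc/ansible/playbooks/2.3_service_clients.yaml
# Implements CIS Debian Benchmark section 2.3 "Service Clients":
#   2.3.3 Ensure talk client is not installed
#   2.3.4 Ensure telnet client is not installed
# Each item gets one task per package manager; the "when" conditional on the
# ansible_distribution fact decides which task actually runs on a given host.
- name: CIS 2.3 Service Clients
  hosts: 127.0.0.1          # run against the local machine
  connection: local
  become: true              # assumption: escalate so apt/yum may remove packages

  tasks:
    - name: 2.3.4 Ubuntu & Debian Ensure telnet client is not installed (Scored)
      apt:
        name: telnet
        state: absent
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

    - name: 2.3.4 CentOS & RHEL Ensure telnet client is not installed (Scored)
      yum:
        name: telnet
        state: absent
      # RHEL reports itself as "RedHat" in the ansible_distribution fact
      when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat'

    - name: 2.3.3 Ubuntu & Debian Ensure talk client is not installed (Scored)
      apt:
        name: talk
        state: absent
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

    - name: 2.3.3 CentOS & RHEL Ensure talk client is not installed (Scored)
      yum:
        name: talk
        state: absent
      when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat'
```

Because every task declares the desired end state (“absent”) rather than an action, running the playbook a second time reports no changes, which is the idempotent behaviour the execution section relies on. Running it with “--check --diff” reports what would change without removing anything, which is a convenient way to audit a host against this section before enforcing it.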

Playbook Execution
  1. Firstly, use the below command to ensure the telnet client is installed so that we can see the changes all the way through and make sure the playbook is working.
    dpkg -s telnet
  2. Then confirm we are in the directory /etc/ansible/playbooks and run the Ansible playbook.
    sudo ansible-playbook 2.3_service_clients.yaml
  3. We will see in the output that the first task ran successfully with a change in the “2.3.4 Ubuntu & Debian Ensure telnet client is not installed (Scored)” play, and that the “2.3.4 CentOS & RHEL Ensure telnet client is not installed (Scored)” play was skipped. To verify the change was successful, we can run the command below:
    dpkg -s telnet
  4. We can also run the Ansible playbook again to confirm that no changes were made, because Ansible skips over a defined task if no modifications are necessary. To see a change on the second run, we can include a second play in the playbook that removes the talk client.
  5. The result then shows that the task for the “2.3.3 Ubuntu & Debian Ensure talk client is not installed (Scored)” play reported a change, and that the playbook ran successfully.


Conclusion

Many playbooks become very complex depending on their purpose, for example implementing all Level 1 CIS Benchmarks. The one we explained in this article is a simple Ansible playbook for CIS hardening on Debian.
