Automatic CIS controls check with Ansible

Andrea Dainese
July 15, 2022

Security assessments are part of my daily job, and automation is part of my mindset. CIS Controls provides a set of standard controls that should be checked on… anything. To be specific, CIS also provides a benchmark (a sort of step-by-step guide) for many environments. Moreover, Lockdown Enterprise delivers a set of Ansible playbooks ready to be used.

In this post, we’ll see how to check CIS controls on Ubuntu 20.04 servers and remediate them.

Audit phase

We know that Ansible playbooks are good for remediation, but their reporting is sometimes not as good. Lockdown Enterprise uses goss to provide good audit reports.

Let’s install goss and clone the Git repository into an Ubuntu Linux 20.04 system:

sudo curl -fsSL https://goss.rocks/install | sh
git clone https://github.com/ansible-lockdown/UBUNTU20-CIS-Audit /var/tmp/UBUNTU20-CIS-Audit
cd /var/tmp/UBUNTU20-CIS-Audit

We can audit the entire system using the provided script:

$ sudo ./run_audit.sh

## Pre-Checks Start

OK Audit binary /usr/local/bin/goss is available
OK /var/tmp/UBUNTU20-CIS-Audit/goss.yml is available

## Pre-checks Successful

#############
Audit Started
#############


    "summary": {
        "failed-count": 154,
        "summary-line": "Count: 372, Failed: 154, Duration: 91.345s",
        "test-count": 372,
        "total-duration": 91344507858
    }
}

Completed file can be found at /var/tmp/audit_linux-station_1657459563.json
###############
Audit Completed
###############

We can also run goss manually on a subset of controls:

sudo goss --vars /var/tmp/UBUNTU20-CIS-Audit/vars/CIS.yml -g /var/tmp/UBUNTU20-CIS-Audit/section_1/cis_1.1/cis_1.1.1.1_7.yml validate
sudo goss --vars /var/tmp/UBUNTU20-CIS-Audit/vars/CIS.yml -g /var/tmp/UBUNTU20-CIS-Audit/section_1/cis_1.1/cis_1.1.1.1_7.yml validate -f documentation

Remember that by default the server profile is used. To audit with the workstation profile, run:

sudo ./run_audit.sh -w

Remediation phase

Once we have completed the audit, we can analyze the non-compliant items, evaluate the risk and decide if we want to remediate them.

From our Ansible server, clone the Ansible repository:

git clone https://github.com/ansible-lockdown/UBUNTU20-CIS
cd UBUNTU20-CIS

The following Ansible commands may vary depending on your Ansible infrastructure. We can remediate all controls with:

ansible-playbook -i inventory.ini -u andrea -b -k -K site.yml

All controls should be remediated right after the OS installation. For production environments, we probably want to remediate single controls with:

ansible-playbook -i inventory.ini -u andrea -b -k -K --tags rule_1.1.1.1 site.yml

Be sure to use the -C (check mode) flag during the first run, so that Ansible only reports what it would change without applying anything.
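To connect the two phases, here is an added helper (not part of the post, nor of the Lockdown Enterprise projects) that reads the goss JSON report written by run_audit.sh, lists the failed checks, counts them per top-level CIS section and builds the --tags value for a targeted ansible-playbook run. It assumes the goss report layout (a "results" list whose entries carry "successful", "title" and "summary-line"), that each title starts with the CIS control number, and that the remediation tags follow the rule_<id> naming seen in the --tags rule_1.1.1.1 command above; the embedded report is constructed sample data.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample in the shape of a goss JSON report (assumed layout:
# a "results" list with "successful", "title" and "summary-line" keys).
SAMPLE_REPORT = json.dumps({
    "results": [
        {"successful": True, "title": "1.1.1.1 | Ensure mounting of cramfs is disabled",
         "summary-line": "Kernel Module: cramfs: loaded: matches expectation: [false]"},
        {"successful": False, "title": "1.1.1.2 | Ensure mounting of freevxfs is disabled",
         "summary-line": "Kernel Module: freevxfs: loaded: doesn't match, expect: [false] found: [true]"},
        {"successful": False, "title": "5.2.2 | Ensure SSH root login is disabled",
         "summary-line": "Command: sshd_root: stdout: doesn't match, expect: [no] found: [yes]"},
        {"successful": True, "title": "5.2.3 | Ensure SSH PAM is enabled",
         "summary-line": "Command: sshd_pam: stdout: matches expectation: [yes]"},
    ],
    "summary": {"test-count": 4, "failed-count": 2},
})

# CIS control numbers look like 1.1.1.2 or 5.2.2 (assumed to lead each title).
CONTROL_ID = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def failed_checks(report_json):
    """Return (control_id, title, summary_line) for every failed test; skipped tests are ignored."""
    failed = []
    for result in json.loads(report_json)["results"]:
        if result.get("successful") or result.get("skipped"):
            continue
        match = CONTROL_ID.search(result.get("title", ""))
        control_id = match.group(1) if match else None
        failed.append((control_id, result.get("title", ""), result.get("summary-line", "")))
    return failed


def failures_by_section(failed):
    """Count failures per top-level CIS section (the number before the first dot)."""
    return Counter(cid.split(".")[0] for cid, _, _ in failed if cid)


def remediation_tags(failed):
    """Build the --tags value for ansible-playbook (rule_<id> naming is assumed)."""
    return ",".join(f"rule_{cid}" for cid, _, _ in failed if cid)


if __name__ == "__main__":
    # Pass the real report path (e.g. /var/tmp/audit_<host>_<ts>.json) to use it instead of the sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    failed = failed_checks(report)
    for cid, title, line in failed:
        print(f"FAIL {cid}: {title}\n     {line}")
    print("failures per section:", dict(failures_by_section(failed)))
    print("ansible-playbook -i inventory.ini -b -C --tags", remediation_tags(failed), "site.yml")
```

Review the listed failures against your risk evaluation before running the generated command; the -C flag keeps the first pass read-only.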
