Ansible battle tested hardening for Linux, SSH, Nginx, MySQL

75 points by walterbell 6 days ago

About ansible: I really like the idea and popularity of ansible but find it so painful to use. YAML sucks, and testing is not straightforward (I use molecule in docker containers with geerlingguy’s spécial images)

What’s your workflow for writing tested playbooks?

tuananh - 2 hours ago

I would much prefer to use RHEL/Fedora image mode for this. Use Dockerfile syntax. Immutable. Easy to update/rollback. CIS hardening baked in.

```

[customizations.openscap]

datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml"

profile_id = "xccdf_org.ssgproject.content_profile_cis"

custom_remediate_script_path = "/your/custom/script.sh"

```

yjftsjthsd-h - 13 hours ago

"battle tested" how? Widely deployed? Red teamed and shown to actually help?

observationist - 10 hours ago

They've got a red-team type process they apply repeatedly, you have to piece things together from the changelogs to get a grasp on what they're doing. They've built a positive feedback loop on which to iterate improvements in security, and bundled it in a way to be used effectively with Ansible.
They're following CIS guidelines, so if you're in a situation where that matters, it's probably a solid starting point for building things you need to have compliant and predictable. Could probably save weeks of effort, depending on the size of the team.

TacticalCoder - 10 hours ago

The Linux hardening list lists quite some modifications but what hardening is made to SSH compared to a stock config? For Linux they summarize the list of hardened changes but for SSH I couldn't find it.

For SSH it's basically a list of default values with a comment saying "change this if you must". Some summary as to what is hardened compared to a stock SSH install would be nice.

observationist - 10 hours ago

https://github.com/dev-sec/ansible-collection-hardening/blob...
The changelogs contain a summary of actions and changes, and full changelogs go into detail.
- imcritic - 2 hours ago
  
  That's a poor answer. Changelogs are logs of changes between versions of a project.

Spivak - 12 hours ago

These playbooks apply the CIS benchmarks, very very useful for compliance. I use them at $dayjob to build our base AMIs.

As for whether they actually harden your servers, that's up for you to decide if you think that CIS actually helps. It certainly does reduce attack surface.

viraptor - 2 hours ago

> decide if you think that CIS actually helps. It certainly does reduce attack surface.
Official Ubuntu cis docker images in AWS:
- change the sysctls which do not apply to containers
- install a file consistency checker, which likely makes no sense in a dedicated container
- install tcpwrappers which you'll probably never use... for compliance reasons
- adjust system user password policies which you're probably not using at all
Unless you need to tick some compliance boxes in the quickest and most silly way, go for CIS. If you don't, schedule some time with a security person at your company to create a real threat model and change the things that will make an impact.
hackernudes - 11 hours ago

Context: https://www.cisecurity.org/cis-benchmarks, https://www.cisecurity.org/about-us
"""The CIS Benchmarks® are prescriptive configuration recommendations for more than 25+ vendor product families. They represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently."""
- infocollector - 7 hours ago
  
  https://learn.cisecurity.org/benchmarks - this seems broken at least right now. Are these benchmarks on github so that I can download and run it on a linux box?
  - firesteelrain - 4 hours ago
    
    You used to have to make an account to download them.
wingmanjd - 12 hours ago

At my $DAYJOB, we have a bunch in-house saltstack states for applying the CIS benchmarks for Ubuntu, Debian, and CentOS. I never looked into it, but I always wondered if I'd be allowed to publish them publicly.
- bhattisatish - 10 hours ago
  
  Well there is one available for oscap at https://github.com/ComplianceAsCode/content

mhb - 13 hours ago

What does this mean?

ggm - 10 hours ago

If you have compliance for contractual reasons (e/g you are the supply chain for an entity which has been declared to be a national-strategic service delivery) then this would probably help get you over the line to meet minimum proofs you have tried to comply with the obligations.
So, "what does this mean" is "it means you can tender to sell services to people who put CIS obligations in the contract"