Security workflow with ansible
- 2. $Whoami • Devansh Dubey • Final Year student from UIT RGPV • Infosec enthusiast • Volunteer at NULL Bhopal • RHCSA • https://github.com/devanshdubey • https://twitter.com/devanshdubey97
- 3. Table of Content • Introduction • Architecture • Playbooks • Security with ansible • Examples • Luks with ansible • Webserver with ansible
- 4. INTRODUCTION TO ANSIBLE Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates. Ansible is an open source automation platform. It is very, very simple to setup and yet powerful. Ansible can help you with configuration management, application deployment, task automation. It can also do IT orchestration
- 5. SETTING UP ENVIRONMENT 1. Python 2.7,3.x 2. Ansible 2.8 (latest) 3. SSH FEATURES :- • Agentless • Open Source • Simple • Powerfull
- 6. ARCHITECTURE
- 8. Configuration Management Orchestration Application Deployment Infrastructure Provisioning Security Automation Continuous Integration/Delivery Common Ansible Use Cases
- 9. IMPORTANT FILES • /etc/ansible/ansible.cfg (conf file) • ./inventory (list of managed hosts) • /etc/sudoers.d/ansible
- 10. PLAYBOOKS • A playbook is like a recipe or an instructions manual which tells Ansible what to do when it connects to each machine. • Playbooks are written in YAML, which simplistically could be viewed as XML but human readable.
- 11. Example
- 12. Why ansible for Security Automation • Agentless • SSH/WinRM • Desired State • Extensible and modular • Push-based architecture • Easy targeting based on facts
- 13. Why Ansible Developers Security Team Operations APPLICATION
- 14. Information security with Ansible • Application Security • Network Security • Forensics • Incident Response • Penetration Testing • Fraud Detection and Prevention • Governance, Risk, Compliance
- 15. EXAMPLES • Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendorsupplied security patches. Install critical security patches within one month of release. - name: RHEL | Install updates yum: name: "*" state: latest exclude: "mysql* httpd* nginx*" when: “ansible_os_family == ‘RedHat’” - name: DEBIAN | Install updates apt: update_cache: yes cache_valid_time: 7200 name: "*" state: latest when: “ansible_os_family == ‘Debian’”
- 16. REMEDIATION - name: Protect against CVE-2016-5696 hosts: all become: yes become_user: root tasks: - name: CVE-2016-5696 | Limit TCP challenge ACK limit sysctl: name: net.ipv4.tcp_challenge_ack_limit value: 999999999 sysctl_set: yes
- 17. INCIDENT RESPONSE LOGS - name: Gather log files from remote systems hosts: lab become: yes tasks: - name: Find logs find: paths: /var/log/ patterns: '*.log’ recurse: yes register: _logs - name: Fetch logs fetch: src: "{{ item.path }}" dest: logs with_items: "{{ _logs.files }}"
- 18. Change root password every 60 days - name: Change root password hosts: all become: yes vars: root_password: "{{ vault_root_password }}" root_password_salt: "{{ vault_root_password_salt }}" tasks: - name: Change root password user: name: root password: "{{ root_password | password_hash(salt=root_password_salt) }}"
- 19. LUKS And NBDE • Linux Unified Key Setup-on-disk-format (or LUKS) allows you to encrypt partitions on your Linux computer. This is particularly important when it comes to mobile computers and removable media. LUKS allows multiple user keys to decrypt a master key, which is used for the bulk encryption of the partition. Ansible playbook : https://github.com/devanshdubey • The Network-Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of hard drives on physical and virtual machines without requiring to manually enter a password when systems are restarted.
- 21. REFERENCES • https://docs.ansible.com • https://github.com/samdoran/demo-playbooks • https://www.ansible.com/hubfs/2018_Content/AA%20NYC%202018%20Slides/Security%20Automation%20with%20Ansible_MichellePerz-NYCAutomates.pdf • https://www.ansible.com/overview/how-ansible-works • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Network-Bound_Disk_Encryption.html • https://www.google.com/url?sa=i&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwjp0NmUrqblAhVLnY8KHTdBD4QQMwiaASgUMBQ&url=https%3A%2F%2Fwww.riskgro upllc.com%2Finformation-security-risks%2F&psig=AOvVaw26pQCGJDKMyEoUa5l_MKhD&ust=1571507066500358&ictx=3&uact=3 • https://www.google.com/url?sa=i&source=images&cd=&ved=2ahUKEwjr17-IkajlAhULbo8KHX25BasQjRx6BAgBEAQ&url=https%3A%2F%2Fwww.edureka.co%2Fblog%2Fwhat- is-ansible%2F&psig=AOvVaw2vlVuhe23b28xWk0tQwjem&ust=1571567951915575 • https://a.wattpad.com/cover/147035011-352-k202749.jpg • https://media.licdn.com/dms/image/C560BAQHxkF3dudpvEQ/company-logo_200_200/0?e=2159024400&v=beta&t=cNaLAqnnv3gVvkUY3KIeKo5j_hXMSyYt7N4qg1HcJxg • https://www.google.com/imgres?imgurl=https%3A%2F%2Fwww.riskgroupllc.com%2Fwp-content%2Fuploads%2Finformation-Security- 1.jpg&imgrefurl=https%3A%2F%2Fwww.riskgroupllc.com%2Finformation-security- risks%2F&docid=K7PzfgbIaDq3PM&tbnid=opNfbkYnxph8QM%3A&vet=10ahUKEwjRle_9harlAhUJKo8KHaedDZEQMwiMASgRMBE..i&w=750&h=500&bih=657&biw=1396&q= information%20security&ved=0ahUKEwjRle_9harlAhUJKo8KHaedDZEQMwiMASgRMBE&iact=mrc&uact=8