ansible getting started
This commit is contained in:
Whisker Jones
66
tech_docs/automation/ansible/ansible_step0.md
Normal file
66
tech_docs/automation/ansible/ansible_step0.md
Normal file
@@ -0,0 +1,66 @@
|
||||
tarting with gathering facts and conducting audits on APT-based systems (like Ubuntu) is a great way to begin your compliance process. Here's a step-by-step guide to set up your initial Ansible playbook stages focusing on these tasks:
|
||||
|
||||
### Stage 1: Gathering Facts
|
||||
|
||||
1. **Create a Playbook for Gathering Facts:**
|
||||
This playbook will collect detailed system information which is crucial for auditing against STIGs.
|
||||
|
||||
```yaml
|
||||
---
|
||||
- name: Gather System Facts
|
||||
hosts: all
|
||||
become: yes
|
||||
|
||||
tasks:
|
||||
- name: Collect system facts
|
||||
ansible.builtin.setup:
|
||||
|
||||
- name: Save facts to a file
|
||||
ansible.builtin.copy:
|
||||
content: "{{ ansible_facts | to_nice_json }}"
|
||||
dest: "/tmp/{{ inventory_hostname }}_facts.json"
|
||||
mode: '0644'
|
||||
```
|
||||
|
||||
- This playbook uses the `ansible.builtin.setup` module to gather all facts about the system.
|
||||
- The facts are then saved as a JSON file under `/tmp/`, which can be used for audits.
|
||||
|
||||
### Stage 2: Basic Security Audits
|
||||
|
||||
2. **Create a Basic Audit Playbook:**
|
||||
Begin with some simple checks that are common in STIGs, such as ensuring no unauthorized accounts exist and verifying correct permissions on important directories.
|
||||
|
||||
```yaml
|
||||
---
|
||||
- name: Basic Security Audits
|
||||
hosts: all
|
||||
become: yes
|
||||
|
||||
tasks:
|
||||
- name: Ensure no unauthorized accounts exist
|
||||
ansible.builtin.command:
|
||||
cmd: "awk -F':' '$3 < 1000 {print $1}' /etc/passwd"
|
||||
register: system_accounts
|
||||
failed_when: "'daemon' not in system_accounts.stdout_lines"
|
||||
|
||||
- name: Check permissions for /etc/shadow
|
||||
ansible.builtin.stat:
|
||||
path: /etc/shadow
|
||||
register: shadow_file
|
||||
|
||||
- name: Fail if /etc/shadow permissions are not 0640
|
||||
ansible.builtin.fail:
|
||||
msg: "/etc/shadow permissions are not correctly set"
|
||||
when: shadow_file.stat.mode != '0640'
|
||||
```
|
||||
|
||||
- The first task uses `awk` to check for system accounts typically not needed for users.
|
||||
- The second task verifies the permissions of `/etc/shadow`.
|
||||
|
||||
### Notes on Implementation:
|
||||
|
||||
- **Modularity:** These playbooks are designed to be modular, allowing you to expand or modify audits as needed.
|
||||
- **Scheduling:** Consider scheduling these playbooks via Ansible Tower or a cron job to ensure periodic compliance checks.
|
||||
- **Integration:** Integrate the results with a reporting tool or dashboard for better visibility of compliance status.
|
||||
|
||||
This staged approach lets you build on your compliance framework iteratively, starting with fundamental audits and expanding to more detailed checks as you align your systems more closely with STIG requirements. If you need further assistance or specific checks, feel free to ask!
|
||||
Reference in New Issue
Block a user