Starting with gathering facts and conducting audits on APT-based systems (like Ubuntu) is a great way to begin your compliance process. Here's a step-by-step guide to setting up your initial Ansible playbook stages, focusing on these tasks:
Stage 1: Gathering Facts
- Create a Playbook for Gathering Facts: This playbook will collect detailed system information, which is crucial for auditing against STIGs.
```yaml
---
- name: Gather System Facts
  hosts: all
  become: yes
  tasks:
    # setup is what Ansible runs implicitly for fact gathering; calling it
    # explicitly makes the full fact set available under ansible_facts.
    - name: Collect system facts
      ansible.builtin.setup:

    # Persist the facts as pretty-printed JSON for later offline auditing.
    # 0644 leaves the file readable by every local user; tighten it if the
    # facts are considered sensitive.
    - name: Save facts to a file
      ansible.builtin.copy:
        content: "{{ ansible_facts | to_nice_json }}"
        dest: "/tmp/{{ inventory_hostname }}_facts.json"
        mode: '0644'
```
- This playbook uses the ansible.builtin.setup module to gather all facts about the system.
- The facts are then saved as a JSON file under /tmp/, which can be used for audits.
Stage 2: Basic Security Audits
- Create a Basic Audit Playbook: Begin with some simple checks that are common in STIGs, such as ensuring no unauthorized accounts exist and verifying correct permissions on important directories.
```yaml
---
- name: Basic Security Audits
  hosts: all
  become: yes
  tasks:
    # List accounts with UID below 1000 (system accounts on Ubuntu).
    # The command only reads, so it is never reported as a change;
    # the task fails if the expected 'daemon' account is absent.
    - name: Ensure no unauthorized accounts exist
      ansible.builtin.command:
        cmd: "awk -F':' '$3 < 1000 {print $1}' /etc/passwd"
      register: system_accounts
      changed_when: false
      failed_when: "'daemon' not in system_accounts.stdout_lines"

    # stat returns the mode as an octal string, e.g. '0640'.
    - name: Check permissions for /etc/shadow
      ansible.builtin.stat:
        path: /etc/shadow
      register: shadow_file

    - name: Fail if /etc/shadow permissions are not 0640
      ansible.builtin.fail:
        msg: "/etc/shadow permissions are not correctly set"
      when: shadow_file.stat.mode != '0640'
```
- The first task uses awk to list system accounts (UID below 1000), which are typically not needed for users.
- The second task verifies the permissions of /etc/shadow.
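As an added example that is not part of the original answer, here is a small Python checker that consumes the facts file the Stage 1 playbook writes and applies a few STIG-style checks to it offline, the same kind of audit Stage 2 performs with ad-hoc tasks. The sample facts, the REQUIRED_MOUNT_OPTIONS table and the function names are constructed for this illustration.

```python
import json

# Constructed sample in the shape ansible.builtin.setup returns (keys of
# ansible_facts carry no "ansible_" prefix), trimmed to what this audit reads.
SAMPLE_FACTS = {
    "distribution": "Ubuntu",
    "apparmor": {"status": "enabled"},
    "mounts": [
        {"mount": "/", "fstype": "ext4", "options": "rw,relatime"},
        {"mount": "/tmp", "fstype": "ext4", "options": "rw,nosuid,nodev"},
        {"mount": "/home", "fstype": "ext4", "options": "rw,relatime"},
    ],
}

# Hardening options each separate filesystem is expected to carry
# (the /tmp entry reflects the usual nodev/nosuid/noexec requirement).
REQUIRED_MOUNT_OPTIONS = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev", "nosuid"},
}


def audit_facts(facts):
    """Return a list of human-readable findings; empty means all checks passed."""
    findings = []
    if facts.get("distribution") != "Ubuntu":
        findings.append(f"unexpected distribution: {facts.get('distribution')}")
    if facts.get("apparmor", {}).get("status") != "enabled":
        findings.append("AppArmor is not enabled")
    # Map mount point -> set of active mount options.
    mounts = {m["mount"]: set(m.get("options", "").split(","))
              for m in facts.get("mounts", [])}
    for path, required in REQUIRED_MOUNT_OPTIONS.items():
        if path not in mounts:
            findings.append(f"{path} is not a separate mount point")
            continue
        missing = sorted(required - mounts[path])
        if missing:
            findings.append(f"{path} missing mount options: {','.join(missing)}")
    return findings


def audit_facts_file(path):
    # Audit a facts file written by the Stage 1 playbook (/tmp/<host>_facts.json).
    with open(path) as fh:
        return audit_facts(json.load(fh))


if __name__ == "__main__":
    for finding in audit_facts(SAMPLE_FACTS) or ["all checks passed"]:
        print(finding)
```

Run against the sample, it reports that /tmp lacks noexec and /home lacks nodev,nosuid; point audit_facts_file at a real facts file to audit a host.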
Notes on Implementation:
- Modularity: These playbooks are designed to be modular, allowing you to expand or modify audits as needed.
- Scheduling: Consider scheduling these playbooks via Ansible Tower or a cron job to ensure periodic compliance checks.
- Integration: Integrate the results with a reporting tool or dashboard for better visibility of compliance status.
This staged approach lets you build on your compliance framework iteratively, starting with fundamental audits and expanding to more detailed checks as you align your systems more closely with STIG requirements. If you need further assistance or specific checks, feel free to ask!