048 Security

Automate RHCSA Security Tasks Using Ansible on RHEL #

picture sketch of a guy fending off a boar

Introduction #

Security automation is a critical aspect of managing enterprise environments effectively, ensuring consistent application of security policies across a wide range of systems. In this tutorial, we will explore how to automate various RHCSA security tasks using Ansible, specifically focusing on Red Hat Enterprise Linux (RHEL) systems. This approach not only enhances security but also reduces the possibility of human error and saves time for system administrators.

Prerequisites #

Before proceeding, ensure you have the following setup:

  • A control node with Ansible installed. This can be any system where Ansible is installed and from which it will orchestrate the configuration tasks.
  • One or more RHEL 8 systems as managed nodes.
  • SSH access and appropriate privileges on all managed nodes.

Step-by-Step Guide #

1. Setting Up Ansible on RHEL #

First, ensure Ansible is installed on your control node, which could also be a RHEL system:

sudo dnf install ansible -y

Create an inventory file /etc/ansible/hosts and add your RHEL managed nodes:

[rhel-nodes]
192.168.1.101
192.168.1.102

2. Configuring SSH Key-Based Authentication #

To facilitate Ansible’s communication with managed nodes, set up SSH key-based authentication:

ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.1.101
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.1.102

3. Ansible Playbook for Security Tasks #

Create a YAML file named security.yml for the Ansible playbook which will include tasks related to security configurations.

Task 1: Ensuring SELinux is Enabled and Enforcing #

SELinux is a security module that provides a mechanism for supporting access control security policies. Here’s how to ensure it is enabled and set to enforcing mode:

---
- name: Ensure SELinux is enforcing
  hosts: rhel-nodes
  become: true

  tasks:
    - name: Ensure SELinux is not disabled
      selinux:
        state: enforcing

Task 2: Managing User Accounts and Password Policies #

Ensuring that password policies and user account security are compliant with organizational standards is crucial.

  tasks:
    - name: Ensure password expiration is 90 days
      pamd:
        name: system-auth
        type: password
        control: sufficient
        module_path: pam_unix.so
        module_arguments: remember=5 minlen=12
        state: updated

    - name: Create a secure user account
      user:
        name: secureuser
        password: "{{ 'securepassword' | password_hash('sha512') }}"
        comment: Secure User Account

Task 3: Configuring Firewall Settings #

Firewalls are essential for defining which services are visible on your network. In RHEL, firewalld is the default firewall management tool.

  tasks:
    - name: Ensure firewalld is running
      service:
        name: firewalld
        state: started
        enabled: yes

    - name: Open default secure SSH port
      firewalld:
        service: ssh
        permanent: true
        state: enabled

4. Running the Playbook #

Execute the playbook to apply these security settings across all specified RHEL nodes:

ansible-playbook security.yml

Conclusion #

In this tutorial, we’ve automated several key security tasks for RHEL systems using Ansible. By leveraging Ansible, system administrators can ensure that all RHEL systems in their environment adhere to the same security standards, efficiently and consistently. This not only improves security but also simplifies management and enhances compliance across the infrastructure.

Remember, the examples provided here should be tailored as per your organizational security policies and requirements. Automation is a powerful tool, and with great power comes great responsibility—always test in a controlled environment before deploying into production.