Ansible Cheatsheet

1. Install Ansible
  • Download and install Ansible on the control node.
2. Configure Ansible Hosts
  • Define hosts and groups in the Ansible inventory.
3. Write Playbooks
  • Create Ansible playbooks to define the desired state of systems.
4. Use Ansible Roles
  • Utilize roles for organizing and reusing playbooks.
5. Run Ansible Playbooks
  • Execute playbooks to apply configurations to hosts.
6. Use Ansible Galaxy
  • Leverage Ansible Galaxy to use pre-built roles.
7. Secure Ansible Vault
  • Use Ansible Vault to secure sensitive data.
8. Optimize Ansible Configurations
  • Tweak ansible.cfg for performance and behavior.
9. Utilize Ansible Modules
  • Use modules to define the desired state in playbooks.
10. Implement Ansible Facts
  • Use gathered facts for making informed decisions in playbooks.

Examples for Hardening with Ansible

1. Install Ansible
sudo apt update
sudo apt install ansible
2. Add Hosts to Ansible Inventory
[webservers]
192.168.1.10
192.168.1.11
3. Simple Ansible Playbook to Update Systems
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure all packages are updated
      apt:
        update_cache: yes
        upgrade: safe
4. Run Ansible Playbook
ansible-playbook -i hosts update_system.yml
5. Use Ansible Role from Galaxy
ansible-galaxy install dev-sec.os-hardening
6. Use Ansible Vault to Encrypt Data
ansible-vault create secret.yml
7. Use Encrypted Data in Playbook
---
- hosts: webservers
  become: yes
  vars_files:
    - secret.yml        # the vault-encrypted file created in step 6
  tasks:
    - name: Add user
      user:
        name: "{{ username }}"
        # The user module expects an already hashed password; passing the
        # plaintext from the vault would be written verbatim into the shadow
        # field, so hash it first.
        password: "{{ password | password_hash('sha512') }}"
8. Run Playbook with Vault Password
ansible-playbook --ask-vault-pass -i hosts add_user.yml
9. Use Ansible Facts in Playbook
---
- hosts: webservers
  tasks:
    - name: Display OS
      debug:
        var: ansible_distribution
10. Install and Start Apache using Ansible
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure Apache is installed
      apt:
        name: apache2
        state: present
    - name: Ensure Apache is running
      service:
        name: apache2
        state: started
11. Create a User with Ansible
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure user 'john' exists
      user:
        name: john
        state: present
12. Disable Unused Service
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure telnet is stopped and disabled
      service:
        name: telnet
        state: stopped
        enabled: no
13. Configure SSH Hardening
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure only SSH protocol 2 is used
      # OpenSSH 7.4 and later only speak protocol 2 and treat this
      # directive as deprecated; it is harmless there but only matters
      # on old hosts.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
14. Set Up a Firewall Rule
---
- hosts: webservers
  become: yes
  tasks:
    - name: Allow only SSH and HTTP through the firewall
      ufw:
        rule: allow
        name: "{{ item }}"
      loop:
        - ssh
        - http
15. Ensure a Package is Removed
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure 'telnet' is removed
      apt:
        name: telnet
        state: absent
16. Configure Password Authentication
---
- hosts: webservers
  become: yes
  tasks:
    - name: Disable password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
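The sshd_config edits in items 13 and 16 share two pitfalls: a typo in the file can lock every operator out, and the change does nothing until sshd is restarted. The following playbook is an added example (not part of the original cheatsheet) that validates the file before it is written and restarts the service only on change; it assumes a Debian/Ubuntu host where the service is called "ssh" and the inventory group "webservers" from above.

```yaml
---
# Added example: hardened sshd_config edits with validation and a restart
# handler. Assumes Debian/Ubuntu (service name "ssh", sshd at /usr/sbin/sshd).
- hosts: webservers
  become: yes
  vars:
    # Settings to enforce; each is written by the same task below.
    sshd_settings:
      - { key: PasswordAuthentication, value: "no" }
      - { key: PermitRootLogin, value: "no" }
      - { key: PubkeyAuthentication, value: "yes" }
  tasks:
    - name: Ensure sshd hardening directives are set
      lineinfile:
        path: /etc/ssh/sshd_config
        # Match a commented or uncommented existing line so the stock
        # "#PasswordAuthentication yes" is replaced rather than duplicated.
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        # If no line matches, insert at the top so the directive never lands
        # inside a trailing "Match" block, where it would apply conditionally.
        insertbefore: BOF
        # sshd -t parses the temporary copy first; a syntax error aborts the
        # change before the live file is touched.
        validate: '/usr/sbin/sshd -t -f %s'
      loop: "{{ sshd_settings }}"
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      service:
        name: ssh
        state: restarted
```

Run it first with `ansible-playbook -i hosts --check --diff harden_ssh.yml` to see which lines would change without touching the hosts.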
17. Ensure NTP is Configured
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure NTP is installed
      apt:
        name: ntp
        state: present
18. Configure Kernel Parameters
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure IP forwarding is disabled
      # Writes the key to /etc/sysctl.conf and reloads it, so the setting
      # is applied now and persists across reboots.
      sysctl:
        name: net.ipv4.ip_forward
        value: '0'
        state: present
19. Ensure a Service is Running
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure Apache is running
      service:
        name: apache2
        state: started
20. Apply Security Patches
---
- hosts: webservers
  become: yes
  tasks:
    - name: Ensure all packages are updated
      apt:
        # Refresh the package lists first; otherwise the upgrade runs
        # against whatever index the host last fetched.
        update_cache: yes
        upgrade: dist