Essential Ansible Security Playbooks
April 17, 2024
ansible security automation
As cyber threats evolve, organizations need reliable ways to automate security hardening across their infrastructure. Here are essential Ansible playbooks that help standardize and enforce security configurations across your systems.
SSH Hardening Playbook
This playbook implements SSH security best practices to reduce unauthorized access risks. Because the template below disables password authentication, make sure a working key-based login exists on every host before applying it:

---
- name: Secure SSH Configuration
  hosts: all
  become: yes
  vars:
    ssh_port: 22
    allowed_users: []      # leave empty to skip the AllowUsers directive
    max_auth_tries: 3
  tasks:
    - name: Ensure SSH configuration is secure
      template:
        src: sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0600'
        # sshd -t rejects a syntactically broken config before it is installed
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    - name: Set SSH banner
      copy:
        content: |
          ******************************************
          * Unauthorized access prohibited         *
          * All actions are monitored              *
          ******************************************
        dest: /etc/ssh/banner
        owner: root
        group: root
        mode: '0644'
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
SSH Configuration Template
Create templates/sshd_config.j2:
# Security hardened SSH configuration
Port {{ ssh_port }}
Protocol 2

# Authentication
PermitRootLogin no
MaxAuthTries {{ max_auth_tries }}
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
{% if allowed_users %}
# Restrict logins to the accounts listed in the playbook's allowed_users
AllowUsers {{ allowed_users | join(' ') }}
{% endif %}

# Security
X11Forwarding no
AllowTcpForwarding no
Banner /etc/ssh/banner

# Logging
LogLevel VERBOSE
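A useful check after the template has been applied is to read back the installed sshd_config and confirm that the hardening directives are actually in force. The script below is an added example (not code from the original post) that does this with the standard library only. It mirrors two sshd parsing rules that matter for such a check: keyword names are case-insensitive, and when a keyword appears more than once the first occurrence wins, so a leftover distro default near the top of the file silently overrides a hardened value further down. Directives after a Match line are conditional and are ignored for the global check. The sample configs are constructed for the example; EXPECTED and MAX_AUTH_TRIES are assumed to mirror the template and the playbook's max_auth_tries default.

```python
"""Check a rendered sshd_config against the hardening directives in the template."""
import re

# Expected global values, mirroring sshd_config.j2 above (keys lower-cased).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
    "loglevel": "verbose",
}
MAX_AUTH_TRIES = 3  # same value as the playbook's max_auth_tries default


def parse_sshd_config(text):
    """Return {keyword_lower: value} for global directives; first occurrence wins.

    Include directives are not followed here: files pulled in that way must be
    checked separately (or passed in as concatenated text).
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both 'Keyword value' and 'Keyword=value'
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything below applies only to the Match criteria
        config.setdefault(key, value)  # first wins, as in sshd
    return config


def check_hardening(text):
    """Return a sorted list of findings; an empty list means the config is compliant."""
    config = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = config.get(key)
        if got is None:
            findings.append(f"{key}: not set (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    tries = config.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries: is {tries!r}, expected <= {MAX_AUTH_TRIES}")
    return sorted(findings)


# Constructed sample: the rendered template with the playbook defaults.
SAMPLE_GOOD = """\
Port 22
Protocol 2
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
Banner /etc/ssh/banner
LogLevel VERBOSE
"""

# Constructed sample: looks hardened at the bottom, but a distro default
# left at the top of the file wins, and MaxAuthTries was never lowered.
SAMPLE_WEAK = """\
# distro defaults left in place
PasswordAuthentication yes

Port 22
PermitRootLogin no
MaxAuthTries 6
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in check_hardening(SAMPLE_WEAK):
        print("FINDING:", finding)
```

Point the script at the real file with `check_hardening(open("/etc/ssh/sshd_config").read())` on each host; on distributions that ship an `Include /etc/ssh/sshd_config.d/*.conf` line, concatenate those files first, since their values take precedence over anything later in the main file.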
Firewall Configuration
This playbook sets up a basic firewall using UFW:
---
- name: Configure Basic Firewall
  hosts: all
  become: yes
  vars:
    allowed_ports:
      - 22    # SSH (keep in sync with ssh_port in the SSH playbook)
      - 80    # HTTP
      - 443   # HTTPS
  tasks:
    - name: Install UFW
      apt:
        name: ufw
        state: present
        update_cache: yes
      when: ansible_os_family == "Debian"
    # The ufw module ships in the community.general collection
    - name: Set default UFW policies
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }
    - name: Configure allowed ports
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: "{{ allowed_ports }}"
    # Enable only after the SSH allow rule exists, or the session is cut off
    - name: Enable UFW
      community.general.ufw:
        state: enabled
System Auditing Playbook
This playbook sets up basic system auditing:
---
- name: Configure System Auditing
  hosts: all
  become: yes
  tasks:
    - name: Install audit packages
      apt:
        name:
          - auditd
          - audispd-plugins
        state: present
        update_cache: yes
      when: ansible_os_family == "Debian"
    - name: Enable auditd service
      service:
        name: auditd
        state: started
        enabled: yes
    - name: Configure basic audit rules
      copy:
        dest: /etc/audit/rules.d/security.rules
        content: |
          # Watch identity files for writes and attribute changes
          -w /etc/passwd -p wa -k identity
          -w /etc/group -p wa -k identity
          # Monitor SSH configuration
          -w /etc/ssh/sshd_config -p wa -k sshd_config
          # Monitor sudo configuration
          -w /etc/sudoers -p wa -k sudoers
          -w /etc/sudoers.d/ -p wa -k sudoers
      notify: restart auditd
  handlers:
    # On systemd hosts the auditd unit may refuse a manual restart; if this
    # handler fails, load the rules with 'augenrules --load' instead
    - name: restart auditd
      service:
        name: auditd
        state: restarted
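The rules above tag events with the keys identity, sshd_config and sudoers, which is what makes them searchable in /var/log/audit/audit.log. auditd writes one event as several records that share the same `msg=audit(TIMESTAMP:SERIAL)` identifier: the SYSCALL record carries who acted (auid is the login user, uid the effective one, exe the program) and the rule key, while the PATH records carry which file was touched. The added example below, which is not code from the original post, joins those records on the serial so each hit can be read as "key: auid N via exe touched path", and lists denied attempts separately. The log lines are constructed for the example and carry fewer fields than real ones; the field names used (type, msg, auid, uid, exe, success, key, name) are the standard auditd ones.

```python
"""Summarise auditd events produced by the watch rules (-k identity, sshd_config, sudoers)."""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_audit_record(line):
    """Return the record's key=value fields as a dict, plus 'ts' and 'serial'."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["ts"], fields["serial"] = m.group(1), m.group(2)
    return fields


def summarize(lines, watched_keys=("identity", "sshd_config", "sudoers")):
    """Group records by serial, then emit one summary per event that hit a watched key."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_audit_record(line)
        if "serial" in rec:
            events[rec["serial"]].append(rec)
    hits = defaultdict(list)
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") not in watched_keys:
            continue
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        hits[syscall["key"]].append({
            "serial": serial,
            "auid": syscall.get("auid"),   # 4294967295 means no login session (e.g. cron)
            "uid": syscall.get("uid"),
            "exe": syscall.get("exe"),
            "success": syscall.get("success"),
            "paths": paths,
        })
    return dict(hits)


def failed_attempts(summary):
    """Denied accesses to watched files as (key, auid, paths) tuples."""
    return [(key, h["auid"], tuple(h["paths"]))
            for key, hits in summary.items() for h in hits if h["success"] == "no"]


# Constructed sample records: a sudoers.d drop-in created by auid 1001, a denied
# attempt by an unprivileged user to open sshd_config, and an unrelated cron event.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1713340800.101:901): arch=c000003e syscall=257 success=yes exit=3 '
    'items=2 ppid=4321 pid=4322 auid=1001 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="sudoers"',
    'type=CWD msg=audit(1713340800.101:901): cwd="/root"',
    'type=PATH msg=audit(1713340800.101:901): item=0 name="/etc/sudoers.d/" mode=040750 ouid=0 ogid=0 nametype=PARENT',
    'type=PATH msg=audit(1713340800.101:901): item=1 name="/etc/sudoers.d/ops" mode=0100440 ouid=0 ogid=0 nametype=CREATE',
    'type=SYSCALL msg=audit(1713340805.222:902): arch=c000003e syscall=257 success=no exit=-13 '
    'items=1 ppid=5000 pid=5001 auid=1002 uid=1002 gid=1002 euid=1002 comm="sh" exe="/usr/bin/dash" key="sshd_config"',
    'type=PATH msg=audit(1713340805.222:902): item=0 name="/etc/ssh/sshd_config" mode=0100600 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1713340810.333:903): arch=c000003e syscall=257 success=yes exit=4 '
    'items=1 ppid=1 pid=77 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="cron_jobs"',
    'type=PATH msg=audit(1713340810.333:903): item=0 name="/etc/crontab" nametype=NORMAL',
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, events in summary.items():
        for ev in events:
            print(f"{key}: auid={ev['auid']} uid={ev['uid']} exe={ev['exe']} "
                  f"success={ev['success']} paths={ev['paths']}")
    for key, auid, paths in failed_attempts(summary):
        print(f"DENIED: auid={auid} tried to modify {paths} (key {key})")
```

On a real host `ausearch -k sudoers` gives the same records already filtered by key; the value of parsing them yourself is the join on serial, which turns a SYSCALL record and its PATH records into one line that a log pipeline or alert rule can act on.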
Best Practices
- Testing
  - Always test playbooks in a staging environment first
  - Verify that services remain accessible after applying changes
  - Use --check mode to preview changes
- Security
  - Use vault for sensitive variables
  - Regularly update allowed ports and users
  - Monitor logs for unauthorized access attempts
- Maintenance
  - Keep playbooks in version control
  - Document all customizations
  - Regularly review and update security configurations
Using These Playbooks
- Save each playbook in a separate YAML file
- Customize variables for your environment
- Run the playbooks:

  # Run SSH hardening
  ansible-playbook ssh-hardening.yml
  # Configure firewall
  ansible-playbook firewall.yml
  # Set up auditing
  ansible-playbook system-audit.yml
Remember to verify access after applying security changes and maintain backups of your configurations.