Configuration Management Integration

Configuration Management Integration

Modern configuration management tools like Ansible, Puppet, and Chef provide powerful security automation capabilities at scale. These tools ensure consistent security configurations across hundreds or thousands of systems while maintaining audit trails and enabling rapid remediation. Understanding configuration management principles helps implement enterprise-grade security automation.

Ansible security playbook implementation:

```yaml

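---
# Comprehensive Security Hardening Playbook
#
# Applies a baseline hardening set to every inventory host: package
# updates, security tooling, kernel sysctl settings, sshd hardening,
# fail2ban/auditd configuration, a nightly scan job and log rotation.
# Handlers restart a service only when its configuration changed.
#
# Lockout risk: the sshd task disables password logins and restricts
# logins to allowed_ssh_users. `validate` only checks sshd syntax, so make
# sure those accounts exist and have authorized keys before running this
# against a host you cannot reach another way.
- name: Security Hardening for Linux Systems
  hosts: all
  become: true
  vars:
    security_updates_enabled: true
    # NOTE(review): declared but read by no task below; firewalld is
    # installed but never enabled or started — confirm the intent.
    firewall_enabled: true
    # Changing this away from 22 also requires the firewall (and, on
    # SELinux hosts, the ssh_port_t label) to admit the new port.
    ssh_port: 22
    allowed_ssh_users:
      - admin
      - ansible

  tasks:
    - name: Update all packages
      package:
        name: "*"
        state: latest
      when: security_updates_enabled

    - name: Ensure necessary security packages are installed
      package:
        name:
          - fail2ban
          - aide
          - rkhunter
          - auditd
          - firewalld
        state: present

    # Values are quoted so YAML keeps them as strings; the sysctl module
    # compares them textually against /proc/sys.
    - name: Configure kernel security parameters
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      loop:
        - { name: 'net.ipv4.ip_forward', value: '0' }
        - { name: 'net.ipv4.conf.all.send_redirects', value: '0' }
        - { name: 'net.ipv4.conf.default.send_redirects', value: '0' }
        - { name: 'net.ipv4.tcp_syncookies', value: '1' }
        - { name: 'net.ipv4.conf.all.accept_source_route', value: '0' }
        - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
        - { name: 'net.ipv4.conf.all.accept_redirects', value: '0' }
        - { name: 'net.ipv4.conf.default.accept_redirects', value: '0' }
        - { name: 'net.ipv4.conf.all.secure_redirects', value: '0' }
        - { name: 'net.ipv4.conf.default.secure_redirects', value: '0' }
        - { name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
        - { name: 'net.ipv4.icmp_ignore_bogus_error_responses', value: '1' }
        - { name: 'net.ipv4.conf.all.rp_filter', value: '1' }
        - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
        - { name: 'kernel.randomize_va_space', value: '2' }
        - { name: 'fs.suid_dumpable', value: '0' }
        # kernel.exec-shield exists only on legacy Red Hat kernels; the
        # sysctl module fails on a key that is absent from /proc/sys, which
        # would abort the whole play on current kernels. Left out here —
        # NX/ASLR is covered by the kernel itself and randomize_va_space.
        # - { name: 'kernel.exec-shield', value: '1' }
        - { name: 'kernel.dmesg_restrict', value: '1' }

    # Each item's regexp already carries its own "^" anchor, so it is used
    # as-is (the original prefixed a second "^", which was redundant).
    - name: Configure SSH hardening
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        validate: 'sshd -t -f %s'
      loop:
        - { regexp: '^#?Port', line: 'Port {{ ssh_port }}' }
        - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
        - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
        - { regexp: '^#?PermitEmptyPasswords', line: 'PermitEmptyPasswords no' }
        - { regexp: '^#?X11Forwarding', line: 'X11Forwarding no' }
        - { regexp: '^#?MaxAuthTries', line: 'MaxAuthTries 3' }
        - { regexp: '^#?ClientAliveInterval', line: 'ClientAliveInterval 300' }
        - { regexp: '^#?ClientAliveCountMax', line: 'ClientAliveCountMax 2' }
        - { regexp: '^#?UsePAM', line: 'UsePAM yes' }
        - { regexp: '^#?AllowUsers', line: 'AllowUsers {{ allowed_ssh_users | join(" ") }}' }
      notify: restart sshd

    - name: Configure fail2ban
      template:
        src: fail2ban.jail.local.j2
        dest: /etc/fail2ban/jail.local
        owner: root
        group: root
        mode: '0644'
      notify: restart fail2ban

    # Audit rules are root-readable only; they reveal what is monitored.
    - name: Configure auditd rules
      template:
        src: audit.rules.j2
        dest: /etc/audit/rules.d/hardening.rules
        owner: root
        group: root
        mode: '0640'
      notify: restart auditd

    # NOTE(review): nothing in this play deploys security_scan.sh — it is
    # assumed to be installed by another role; the cron entry runs nightly
    # at 02:00 regardless.
    - name: Set up automated security scanning
      cron:
        name: "Security scan"
        job: "/usr/local/bin/security_scan.sh > /var/log/security_scan.log 2>&1"
        hour: "2"
        minute: "0"
        state: present

    - name: Configure log rotation for security logs
      template:
        src: security-logs.j2
        dest: /etc/logrotate.d/security
        owner: root
        group: root
        mode: '0644'

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted

    - name: restart fail2ban
      service:
        name: fail2ban
        state: restarted

    - name: restart auditd
      service:
        name: auditd
        state: restarted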

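# Compliance validation playbook
#
# Read-only checks: every command is marked changed_when: false so the
# play never reports changes. A grep exit status of 1 means "no matching
# line" — a finding to report, not a task error — so only rc > 1 (a real
# grep/sshd failure) fails those tasks. The per-host report is rendered
# on the controller from the registered results.
- name: Security Compliance Validation
  hosts: all
  become: true
  tasks:
    - name: Check password policy
      command: grep -E '^PASS_MAX_DAYS|^PASS_MIN_DAYS|^PASS_MIN_LEN|^PASS_WARN_AGE' /etc/login.defs
      register: password_policy
      changed_when: false
      failed_when: password_policy.rc > 1

    # `sshd -T` prints the effective config and needs root (hence become).
    # pipefail makes an sshd failure surface instead of being masked by grep.
    - name: Verify SSH configuration
      shell: set -o pipefail && sshd -T | grep -E 'permitrootlogin|passwordauthentication|permitemptypasswords'
      args:
        executable: /bin/bash
      register: ssh_config
      changed_when: false
      failed_when: ssh_config.rc > 1

    # Any account with an empty second field in /etc/shadow has no password
    # at all; that is treated as a hard failure, not just a report line.
    - name: Check for users with empty passwords
      command: awk -F: '($2 == "") {print $1}' /etc/shadow
      register: empty_passwords
      changed_when: false
      failed_when: empty_passwords.stdout != ""

    # Rendered on the controller, so no privilege escalation is needed
    # there. The report lists security findings: keep it owner-readable
    # only. NOTE(review): a predictable path under the shared /tmp is still
    # weak on a multi-user controller — a private report directory would be
    # better; kept here to match the template's expected location.
    - name: Generate compliance report
      template:
        src: compliance_report.j2
        dest: /tmp/compliance_report_{{ ansible_hostname }}.html
        mode: '0600'
      delegate_to: localhost
      become: false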