System Hardening

Maturity Level 1-4

System Hardening is the process of securing a system's configuration and settings to reduce IT vulnerability and the possibility of being compromised. This can be done by reducing the attack surface and attack vectors which attackers continuously try to exploit for purpose of malicious activity.

ansible

Ansible is a tool for automation of configurations and deployments. Scripts are written in yaml files as playbooks. As a Security tool we can use ansible to apply OS updates, service packs, and patches automatically; remove unnecessary drivers, file sharing, libraries, software, services, and functionality. These tasks are part of system hardening.

Installation

pip3 install ansible==2.10.4 ansible-lint==4.3.7

create an inventory file

cat > inventory.ini <<EOL

# Our Company App Inventory
[staging]
staging-ourcompany-app

[prod]
prod-ourcompany-app

EOL

In order to run ansible on these machinesvia SSH, we need to put them in our know-hosts list

ssh-keyscan -t rsa  staging-ourcompany-app prod-ourcompany-app >> ~/.ssh/known_hosts

Check the uptime of the production system with ansible

ansible -i inventory.ini prod -m shell -a "uptime"

Install a service called "ntp" with ansible on the production machine:

ansible -i inventory.ini prod -m apt -a "name=ntp state=present"

Ad-hoc commands

Which version of bash is running on my machines?

ansible -i inventory.ini all -m command -a "bash --version"

Get all parameters and vars of your inventory

ansible -i inventory.ini all -m setup

copy a file from executing machine to remote hosts

ansible -i inventory.ini machinename -m copy -a "src=notes.txt dest=notes.txt"

Playbooks

Check if nginx is installed

If nginx is installed, print nginx version to the terminal by using the msg module

---
- name: Get the version of nginx
  hosts: all
  remote_user: root
  gather_facts: no

  tasks:
  - name: Check if nginx is installed
    command: which nginx
    register: nginx_version

  - name: Print nginx version
    command: nginx -v | echo
    when: nginx_version != -1

  - debug:
      msg: "Nginx is not installed"
      when: nginx_version == -1

Register an output

On the machines, using cat /etc/os-release outputs the following data:

PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2021.1"
VERSION_ID="2021.1"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"

We can use this information and store it into a variable with register: os_release

---
- name: Simple playbook
  hosts: all
  remote_user: root
  gather_facts: no     # what does it mean?

  tasks:
  - name: Show the content of /etc/os-release
    command: cat /etc/os-release
    register: os_release

  - debug:
      msg: "This system uses Ubuntu-based distro"
    when: os_release.stdout.find('Ubuntu') != -1

Conditionals

PreviousDynamic Application Security Testing (DAST)NextSystem Compliance Analysis

Last updated 4 years ago