Hi Ben. I'm currently working on hardening RHEL 9 using the CIS Benchmarks playbook. However, I've noticed that some tasks are being skipped, even though the settings are relevant. I see the message "skipping: [localhost]" in the output. How can I troubleshoot why these tasks are being skipped? Any help would be greatly appreciated. Thanks!
Thanks a lot Ben!
Cheers! Hope you find it useful.
I want to scan multiple servers running RHEL and CentOS. So far every bit of research I did came to the conclusion that I have to use OpenSCAP for scanning and then Ansible for hardening. My concerns are: if SWIFT wants an organization A to be compliant with CIS benchmarks and I use Ansible for the hardening, wouldn't it be considered a third-party source? And second, how would we be able to customize the benchmark if it is already present in the Ansible package? For example, if the organization doesn't want particular areas to be hardened, how will we do that?
Hi Abdul,
Sorry for not replying to you sooner!
1. Ansible is included with RHEL for the purposes of automating select tasks on RHEL, so in this instance I would not consider it to be a third party source. You can read more here: www.redhat.com/en/blog/center-internet-security-cis-compliance-red-hat-enterprise-linux-using-openscap
2. You can customise the reporting and remediation via the Red Hat Insights Console at console.redhat.com; using the "tags" inside the ansible playbook to exclude specific checks; or customise a profile using the SCAP workbench: access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#customizing-a-security-profile-with-scap-workbench_scanning-the-system-with-a-customized-profile-using-scap-workbench
How can I approach this on an air-gapped machine with no access to the Red Hat repos?
Is there one for Oracle Linux?
Hi Ben,
Very helpful video, I need to clarify a couple of things.
==> You installed Ansible and performed the hardening task on the same machine. If I want to use Ansible on a separate machine and do the hardening on multiple VMs, where do I need to perform the things below?
1. subscription-manager enable (Ansible host, or the host where I need to perform hardening?)
2. install ansible and scap-security-guide (Ansible host, or the host where I need to perform hardening?)
3. Ansible playbook: I know it will be executed from the Ansible VM.
Appreciate your response,
Khaled Syed.
Hi! Thanks for the feedback. Here are my responses:
1. You will install Ansible on a host (which we will refer to as the control node) that can reach all of the hosts you want to harden.
2. Install scap-security-guide on the control node so you can take a copy of the relevant playbook to customise.
3. Correct. You need to ensure the control node has the relevant credentials to log in to each host and escalate to root. Here's how to get started
It's very important to test all of your automation against a non-production environment before making any changes in production. Security hardening can often break the functionality of running applications and cause problems with "brownfield" environments that have been deployed some time ago and are serving workloads before they have been hardened, so you will need to take a lot of care here. You will need to review the contents of any playbook you want to run, and potentially exclude specific tasks using the tags that can be found in the playbook. This is relatively advanced Ansible, so please take care with your automation, and good luck!
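To make the control-node workflow in the reply above concrete, here is an added shell example (my own, not code from the video or from the scap-security-guide package). It writes a small constructed playbook in the SSG layout, lists the tags you can hand to --tags/--skip-tags, and composes a dry-run invocation against a made-up inventory file hosts.ini; the tag names, paths and inventory file are illustrative.

```shell
#!/usr/bin/env bash
# Added example for this thread; not code from the video or from scap-security-guide.
# Assumptions: the playbook uses the scap-security-guide layout, where every task
# carries a "tags:" block list, and the inventory file name (hosts.ini) is made up.
set -eu

# Write a constructed two-task playbook in that layout to $1 (sample data only,
# modelled on the SSG style; the tag names and paths are illustrative).
write_sample_playbook() {
  cat > "$1" <<'EOF'
- hosts: all
  tasks:
  - name: Ensure sshd PermitRootLogin is set to no
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^PermitRootLogin'
      line: PermitRootLogin no
    when: '"openssh-server" in ansible_facts.packages'
    tags:
    - sshd_disable_root_login
    - low_complexity
    - medium_severity
  - name: Disable the GNOME3 Login User List
    ini_file:
      path: /etc/dconf/db/gdm.d/00-security-settings
      section: org/gnome/login-screen
      option: disable-user-list
      value: 'true'
    when: '"gdm" in ansible_facts.packages'
    tags:
    - dconf_gnome_disable_user_list
    - low_complexity
    - medium_severity
EOF
}

# Print the unique tag names in a playbook, one per line. Entries are the "- x"
# lines that follow a "tags:" line at the same or deeper indentation; a line
# indented less than "tags:" (the next "- name:") ends the block.
list_playbook_tags() {
  awk '
    /^[ \t]*tags:[ \t]*$/ {
      match($0, /^[ \t]*/); tagind = RLENGTH; intags = 1; next
    }
    intags {
      match($0, /^[ \t]*/)
      if (RLENGTH >= tagind && $0 ~ /^[ \t]*-[ \t]/) {
        sub(/^[ \t]*-[ \t]*/, ""); print; next
      }
      intags = 0
    }
  ' "$1" | sort -u
}

# Compose the control-node run: -b escalates to root on each host, --skip-tags
# leaves out the checks you have decided not to apply, and mode "check" adds
# --check --diff so nothing is changed and every would-be change is shown.
build_hardening_cmd() {
  playbook=$1; inventory=$2; skip=$3; mode=${4:-check}
  cmd="ansible-playbook -i $inventory -b $playbook"
  if [ -n "$skip" ]; then cmd="$cmd --skip-tags $skip"; fi
  if [ "$mode" = check ]; then cmd="$cmd --check --diff"; fi
  printf '%s\n' "$cmd"
}

demo() {
  pb=$(mktemp /tmp/sample-playbook.XXXXXX)
  write_sample_playbook "$pb"
  echo "Tags available for --tags/--skip-tags:"
  list_playbook_tags "$pb"
  echo "Dry run, leaving out the GDM change on a headless host:"
  build_hardening_cmd "$pb" hosts.ini dconf_gnome_disable_user_list check
  rm -f "$pb"
}
demo
```

Once Ansible is installed, ansible-playbook --list-tags playbook.yml lists the tags natively; the awk helper is only there so the block runs offline. Run with --check --diff first, keep the output, and drop --check only after the diff on a non-production host looks right. Tasks in these playbooks are also guarded by when: conditions (for example on whether a package is installed), so a "skipping" line means the condition evaluated false for that host; ansible-playbook -vv shows the skip reason alongside it.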
What if you have to make a live node compliant?
@swetasingh0907 That is something you want to do with extreme care, and taking a backup first. Please always test in a non-production environment first!
Hi Ben, when I perform this process for RHEL 9 I get the following error:
ERROR! couldn't resolve module/action 'ini_file'. This often indicates a misspelling, missing collection, or incorrect module path.
The error appears to be in '/usr/share/scap-security-guide/ansible/rhel9-playbook-cis_server_l1.yml': line 525, column 7, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: Disable the GNOME3 Login User List
^ here
What do you recommend for this situation?
@mehmeteminkozankurt3298 You have to install the community.general collection for Ansible, as that has the ini_file module the error message is referring to.
Nice video, but in any production environment you wouldn't want to do this given you have no idea if the changes made will have an impact. This is fine if you just want a vanilla CIS build.
Absolutely. I'd advise incorporating this into your SOE build and customising the execution of the playbook using the tags embedded within it to explicitly include or exclude certain checks. Running a playbook like this in a brownfield/running environment is almost guaranteed to break functionality.
Can this work on CentOS 7?
I can't comment on the specific content in CentOS 7, but can tell you that the CIS benchmark has been officially supported since RHEL 7.8 from memory. If the content is provided by CentOS then I imagine it would work. Let us know how your testing goes!
Hi Ben,
I tried to harden but a lot of tasks were skipped. What can cause that?
Additionally I get an error which stops remediation:
TASK [Get all world-writable directories with no sticky bits set] **************************************************************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": "set -o pipefail
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null
", "delta": "0:00:01.901746", "end": "2023-06-30 13:33:22.232866", "msg": "non-zero return code", "rc": 123, "start": "2023-06-30 13:33:20.331120", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
Do you have any ideas what happened here?
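The failure above ends in rc 123 from xargs, which with GNU xargs means at least one of the find commands it launched exited non-zero; because the task sends find's stderr to /dev/null, whatever find complained about is lost. As an added example (mine, not from the video or from the playbook), this script runs the same search one mount point at a time and keeps each find's exit status and first error line, and builds a constructed directory tree to show what a genuine hit looks like. It assumes GNU df for --local, as the original task does.

```shell
#!/usr/bin/env bash
# Added example for this thread; not code from the video or the scap-security-guide
# playbook. It re-runs the task's search per mount point and keeps find's stderr and
# exit status, which the pasted pipeline discards (2>/dev/null) and folds into the
# xargs summary status 123 (GNU xargs: some command exited with status 1 to 125).
set -eu

# Directories under $1 that are world-writable but lack the sticky bit, without
# crossing into other filesystems. Returns find's own exit status.
find_ww_nosticky() {
  find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# Same check over every local mount point (GNU df --local, as in the task), reporting
# each non-zero find status with the first stderr line so the failure can be attributed.
check_all_local_mounts() {
  err=$(mktemp)
  df --local -P | awk 'NR != 1 {print $6}' | {
    worst=0
    while read -r mp; do
      if find_ww_nosticky "$mp" 2>"$err"; then :; else
        rc=$?
        worst=$rc
        printf '[%s] find exited %d: %s\n' "$mp" "$rc" "$(head -n 1 "$err")" >&2
      fi
    done
    rm -f "$err"
    exit "$worst"   # becomes the function's return status
  }
}

# Constructed sample tree: one offending directory, one sticky /tmp-like directory,
# one ordinary directory. Prints the root path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir "$root/open" "$root/sticky" "$root/private"
  chmod 0777 "$root/open"      # world-writable, no sticky bit: should be reported
  chmod 1777 "$root/sticky"    # world-writable with sticky bit: fine
  chmod 0755 "$root/private"   # not world-writable: fine
  printf '%s\n' "$root"
}

demo() {
  root=$(make_sample_tree)
  echo "Sample tree, expected hit is $root/open:"
  find_ww_nosticky "$root"
  rm -rf "$root"
  # Pass --all to run the real per-mount check on this host.
  if [ "${1:-}" = --all ]; then
    check_all_local_mounts && echo "all local mounts searched without find errors"
  fi
}
demo "$@"
```

Run it with --all on the host where the task failed; a mount that prints "[/path] find exited 1: ..." is the one that made xargs return 123, and the message tells you whether it is a permission problem, a filesystem that went away mid-scan, or something else worth fixing before re-running remediation.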
Nice, how do I practice this, the before and after... I see HIPAA up there too.
Hi Dewayne, what do you mean by practice? There are many different hardening profiles available and more get added. You can always run playbooks in --check mode to see what they would change.
@benblascotech OK, I will try it out.
@dewaynebranch776 Let me know how you go! You can also try out a heap of other RHEL features at lab.redhat.com
Is there any other method available instead of using playbooks?
The scap-security-guide package also includes shell scripts. I far prefer the Ansible approach, however.
Hi. Performed this on RHEL 8.2 but after rebooting I am unable to log in. After keying in the password, it goes back to the login screen. Any advice?
Do you have a log of the Ansible playbook run? You may need to comb through the output of that to investigate and understand the changes that were made. You will also want to update from RHEL 8.2 to something fully supported like 8.6 or 8.7 when you have recovered your system. Another troubleshooting step is that you may also need to log in to the system via the console as root and check the logs to investigate login failures. Finally... Create a support case with Red Hat if you're still stuck!
Please create more videos on Red Hat Satellite.
Thanks for the feedback. I am working on it!
@benblascotech It would be great if you could make videos on Red Hat Satellite in detail, including all its features and setup. Thanks in advance, looking forward to it ☺️⏩
How do I do it in Oracle Linux?
I have not done any testing on Oracle Linux. If you figure it out please share your results!
Please confirm if this works for RHEL 9 with ansible-core.
Hi Gagandeep there's an open bug for this: bugzilla.redhat.com/show_bug.cgi?id=2105162
I'd suggest hardening from a central location anyway, so that you can address many hosts at once.
Hi Gagandeep, it's a known bug at the moment:
bugzilla.redhat.com/show_bug.cgi?id=2105162
Your alternative is to use a system with a full Ansible install (such as Ansible Automation Platform), or use Red Hat Connector as per this video:
ruclips.net/video/j36NEMhf-2w/видео.html
Hi again, the release notes for 9 have been updated here: access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/9.0_release_notes/index
Look for the Bugzilla ID in the previous reply and you will find the instructions.