Cody Bunch Some Random IT Guy - OpenStack, DevOps, Cloud, Things

Ansible, CIS, and Ubuntu

Following on from my RHEL and CIS with Ansible post, comes qutie a bit of work to proceed down the Ubuntu path in applying CIS benchmarks with Ansible. Before we get too deep, however, it is important to call out that this Ansible role is still based on the RHEL benchmarks, just applied to the applicable systems in Ubuntu. This is because the benchmarks for RHEL have been further developed and harden many parts of the system the Ubuntu benchmarks didn’t touch.

To begin with, we’ll use the adapted Ansible role from here. Like so:

git clone https://github.com/bunchc/ansible-role-cis /etc/ansible/roles/cis-ubuntu

From there, create a playbook.yaml that contains the following:

- hosts: all
  user: root
  tasks:
    - group_by: key=os_

- hosts: os_CentOS
  user: root
  roles:
    - cis-centos

- hosts: os_Ubuntu
  user: root
  roles:
    - cis-ubuntu

Your playbook file contains three sections. The first uses a ‘group_by’ task to separate hosts out by operating system. The last two sections then apply the right CIS role according to the OS reported back in.

Finally, apply the playbooks as follows:

ansbile-playbook -i /etc/ansible/hosts ./playbook.yaml