Automate security-related tasks in a structured, modular fashion using the best open source automation tool available
If you are a system administrator or a DevOps engineer with responsibility for finding loopholes in your system or application, then this book is for you. It's also useful for security consultants looking to automate their infrastructure's security model.
Security automation is one of the most interesting skills to have nowadays. Ansible allows you to write automation procedures once and use them across your entire infrastructure. This book will teach you the best way to use Ansible for seemingly complex tasks by using the various building blocks available and creating solutions that are easy to teach others, store for later, perform version control on, and repeat.
We'll start by covering various popular modules and writing simple playbooks to showcase those modules. You'll see how this can be applied over a variety of platforms and operating systems, whether they are Windows/Linux bare metal servers or containers on a cloud platform. Once the bare bones automation is in place, you'll learn how to leverage tools such as Ansible Tower or even Jenkins to create scheduled repeatable processes around security patching, security hardening, compliance reports, monitoring of systems, and so on.
Moving on, you'll delve into useful security automation techniques and approaches, and learn how to extend Ansible for enhanced security. Along the way, we will tackle topics such as how to manage secrets, how to manage all the playbooks that we will create, and how to enable collaboration using Ansible Galaxy. In the final stretch, we'll tackle how to extend the modules of Ansible for our use, and do all the previous tasks in a programmatic manner to get even more powerful automation frameworks and rigs.
This comprehensive guide will teach you to manage Linux and Windows hosts remotely in a repeatable and predictable manner. The book takes an in-depth approach and helps you understand how to set up complicated stacks of software with codified and easy-to-share best practices.
Page count: 237
Year of publication: 2017
BIRMINGHAM - MUMBAI
Copyright © 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: December 2017
Production reference: 1121217
ISBN 978-1-78839-451-2
www.packtpub.com
Authors
Madhu Akula
Akash Mahajan
Copy Editor
Safis Editing
Reviewer
Samuel P Doran
Project Coordinator
Virginia Dias
Commissioning Editor
Vijin Boricha
Proofreader
Safis Editing
Acquisition Editor
Rahul Nair
Indexer
Tejal Daruwale Soni
Content Development Editor
Nithin Varghese
Graphics
Tania Dutta
Technical Editor
Komal Karne
Production Coordinator
Shantanu Zagade
Madhu Akula is a security Ninja and a security and DevOps researcher with extensive experience in the industry, ranging from client-facing assignments, building scalable and secure infrastructure, to publishing industry-leading research, to running training sessions for companies and governments alike.
Madhu's research papers are frequently selected for major security industry conferences including DEF CON 24, All Day DevOps (2016, 2017), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n, Serverless Summit, ToorCon, DefCamp, SkyDogCon, NolaCon, and null. Madhu was also a keynote speaker for the National Cyber Security conference at Dayananda Sagar College, Bangalore in February 2016.
When he's not working with Appsecco's clients or speaking at events, Madhu is actively involved in researching vulnerabilities in open source products/platforms such as WordPress, ntop, and OpenDocMan. He is also a contributing bug hunter at Code Vigilant (a project to secure open source software).
Madhu's research has identified many vulnerabilities in over 200 organizations including the U.S. Department of Homeland Security, Google, Microsoft, Yahoo, Adobe, LinkedIn, eBay, AT&T, Blackberry, Cisco, and Barracuda. He is also an active member of Bugcrowd, Hackerone, Synack, and more. Madhu has trained over 5000 people in information security for companies and organizations including the Indian Navy and the Ministry of e-services in a leading Gulf state.
Akash Mahajan is an accomplished security professional with over a decade's experience in providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world. He has lots of experience in working with clients to provide innovative security insights that truly reflect the commercial and operational needs of the organization, from strategic advice to testing and analysis, to incident response and recovery.
Akash is an active participant in the international security community and a conference speaker, both individually, as the chapter lead of the Bangalore chapter of OWASP (the global organization responsible for defining the standards for web application security), and as a cofounder of null, India's largest open security community.
Akash runs Appsecco, a company focused on application security. He authored the book, Burp Suite Essentials, published by Packt Publishing in November 2014, which is listed as a reference by the creators of Burp Suite.
Sam Doran is a senior software engineer at Red Hat, where he works on Ansible Engine. Sam served in the U.S. Air Force as an aircraft mechanic and is a proud alumnus of the Virginia Tech Corps of Cadets. He has worked for the US government as well as in private industry, in jobs ranging from professional photography and graphic design to site reliability engineering, network engineering, and information security. He has used Ansible since 2013 to automate security monitoring infrastructure, cloud provisioning, application installation, and configuration. He has also helped Fortune 500 companies implement large-scale deployments of Red Hat Ansible Tower. Sam loves automating anything and everything using Ansible.
For support files and downloads related to your book, please visit www.PacktPub.com. Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1788394518.
If you'd like to join our team of regular reviewers, you can email us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
Introduction to Ansible Playbooks and Roles
Ansible terms to keep in mind
Playbooks
Ansible modules
YAML syntax for writing Ansible playbooks
Ansible roles
Templates with Jinja2
Jinja templating examples
Conditional example
Loops example
LAMP stack playbook example – combining all the concepts
Summary
Ansible Tower, Jenkins, and Other Automation Tools
Scheduling tools to enable the next abstraction of automation
Getting up and running
Setting up Ansible Tower
Setting up Jenkins
Setting up Rundeck
Security automation use cases
Adding playbooks
Ansible Tower configuration
Jenkins Ansible integration configuration
Rundeck configuration
Authentication and data security
RBAC for Ansible Tower
TLS/SSL for Ansible Tower
Encryption and data security for Ansible Tower
RBAC for Jenkins
TLS/SSL for Jenkins
Encryption and data security for Jenkins
RBAC for Rundeck
HTTP/TLS for Rundeck
Encryption and data security for Rundeck
Output of the playbooks
Report management for Ansible Tower
Report management for Jenkins
Report management for Rundeck
Scheduling of jobs
Alerting, notifications, and webhooks
Summary
Setting Up a Hardened WordPress with Encrypted Automated Backups
CLI for WordPress
Why Ansible for this setup?
A complete WordPress installation step-by-step
Setting up nginx web server
Setting up prerequisites
Setting up MySQL database
Installing PHP for WordPress setup
Installing WordPress using WP-CLI
Hardening SSH service
Hardening a database service
Hardening nginx
Hardening WordPress
Hardening a host firewall service
Setting up automated encrypted backups in AWS S3
Executing playbook against an Ubuntu 16.04 server using Ansible Tower
Secure automated the WordPress updates
Scheduling via Ansible Tower for daily updates
Setting up Apache2 web server
Enabling TLS/SSL with Let's Encrypt
What if you don't want to roll your own? The Trellis stack
Why would we use Trellis, and when is it a good idea to use it?
WordPress on Windows
How to enable WinRM in Windows
Running Ansible against a Windows server
Installing IIS server using playbook
Summary
Log Monitoring and Serverless Automated Defense (Elastic Stack in AWS)
Introduction to Elastic Stack
Elasticsearch
Logstash
Kibana
Beats
Why should we use Elastic Stack for security monitoring and alerting?
Prerequisites for setting up Elastic Stack
Setting up the Elastic Stack
Logstash integrations
Kibana
ElastAlert
Installing Elasticsearch
Installing Logstash
Logstash configuration
Installing Kibana
Setting up nginx reverse proxy
Installing Beats to send logs to Elastic Stack
ElastAlert for alerting
Configuring the Let's Encrypt service
ElastAlert rule configuration
Kibana dashboards
Automated defense?
AWS services used in setup
DynamoDB
Blacklist lambda function
HandleExpiry lambda function
Cloudwatch
VPC Network ACL
Setup
Configuration
Usage - block an IP address
Request
Response
Automated defense lambda in action
Summary
Automating Web Application Security Testing Using OWASP ZAP
Installing OWASP ZAP
Installing Docker runtime
OWASP ZAP Docker container setup
A specialized tool for working with Containers - Ansible Container
Configuring ZAP Baseline scan
Running a vulnerable application container
Running an OWASP ZAP Baseline scan
Security testing against web applications and websites
Running ZAP full scan against DVWS
Testing web APIs
Continuous scanning workflow using ZAP and Jenkins
Setting up Jenkins
Setting up the OWASP ZAP Jenkins plugin
Some assembly required
Triggering the build (ZAP scan)
Playbook to do this with automation
ZAP Docker and Jenkins
Summary
Vulnerability Scanning with Nessus
Introduction to Nessus
Installing Nessus for vulnerability assessments
Configuring Nessus for vulnerability scanning
Executing scans against a network
Basic network scanning
Running a scan using AutoNessus
Setting up AutoNessus
Running scans using AutoNessus
Listing current available scans and IDs
Starting a specified scan using scan ID
Storing results
Installing the Nessus REST API Python client
Downloading reports using the Nessus REST API
Nessus configuration
Summary
Security Hardening for Applications and Networks
Security hardening with benchmarks such as CIS, STIGs, and NIST
Operating system hardening for baseline using an Ansible playbook
STIGs Ansible role for automated security hardening for Linux hosts
Continuous security scans and reports for OpenSCAP using Ansible Tower
CIS Benchmarks
Ubuntu CIS Benchmarks (server level)
AWS benchmarks (cloud provider level)
Lynis – open source security auditing tool for Unix/Linux systems
Lynis commands and advanced options
Windows server audit using Ansible playbooks
Windows security updates playbook
Windows workstation and server audit
Automating security audit checks for networking devices using Ansible
Nmap scanning and NSE
Nmap NSE scanning playbook
AWS security audit using Scout2
Automation security audit checks for applications using Ansible
Source code analysis scanners
Brakeman scanner – Rails security scanner
Dependency-checking scanners
OWASP Dependency-Check
Running web application security scanners
Nikto – web server scanner
Framework-specific security scanners
WordPress vulnerability scanner – WPScan
Automated patching approaches using Ansible
Rolling updates
BlueGreen deployments
BlueGreen deployment setup playbook
BlueGreen deployment update playbook
Summary
Continuous Security Scanning for Docker Containers
Understanding continuous security concepts
Automating vulnerability assessments of Docker containers using Ansible
Docker Bench for Security
Clair
Scheduled scans using Ansible Tower for Docker security
Anchore – open container compliance platform
Anchore Engine service setup
Anchore CLI scanner
Scheduled scans using Ansible Tower for operating systems and kernel security
Vuls – vulnerability scanner
Vuls setup playbook
Vuls scanning playbook
Scheduled scans for file integrity checks, host-level monitoring using Ansible for various compliance initiatives
osquery
Summary
Automating Lab Setups for Forensics Collection and Malware Analysis
Creating Ansible playbooks for labs for isolated environments
Collecting file and domain malware identification and classification
VirusTotal API tool set up
VirusTotal API scan for malware samples
Setting up the Cuckoo Sandbox environment
Setting up the Cuckoo host
Setting up Cuckoo guest
Submitting samples and reporting using Ansible playbook
Setting up Cuckoo using Docker containers
Setting up MISP and Threat Sharing
Setting up MISP using Ansible playbook
MISP web user interface
Setting up Viper - binary management and analysis framework
Creating Ansible playbooks for collection and storage with secure backup of forensic artifacts
Collecting log artifacts for incident response
Secure backups for data collection
Summary
Writing an Ansible Module for Security Testing
Getting started with a hello world Ansible module
Code
Setting up the development environment
Planning and what to keep in mind
OWASP ZAP module
Create ZAP using Docker
Creating a vulnerable application
Ansible module template
Metadata
Documenting the module
Source code template
OWASP ZAP Python API sample script
Complete code listing
Running the module
Playbook for the module
Adding an API key as an argument
Adding scan type as an argument
Using Ansible as a Python module
Summary
Ansible Security Best Practices, References, and Further Reading
Working with Ansible Vault
How to use Ansible Vault with variables and files
Ansible Vault single encrypted variable
Ansible Vault usage in Ansible Tower
Setting up and using Ansible Galaxy
Using Ansible Galaxy roles
Publishing our role to Ansible Galaxy
Ansible Galaxy local setup
Ansible controller machine security
Explanation of Ansible OS hardening playbook
Best practices and reference playbook projects
DebOps – your Debian-based data center in a box
Setting up the DebOps controller
Algo – set up a personal IPSEC VPN in the cloud
OpenStack-Ansible
Additional references
Streisand – automated installation and configuration of anti-censorship software
Sovereign – maintain your own private cloud using Ansible playbooks
AWX – open source version of Ansible Tower
Coming soon to Ansible 2.5
Summary
IT is undergoing a massive paradigm shift. From a time where uptime was a measure of IT success, we are moving to the idea of immutable infrastructure, where, based on the requirements, we can spin up and trash a server on demand automatically. Ansible is playing a lead role in this transformation. It has become the tool of choice for companies big and small for tasks that are meant for one server to entire clusters.
This book is about security automation. We apply our knowledge of Ansible to different scenarios and workloads that revolve around security, hence the title. When boring and mundane tasks are automated, the people doing those tasks can focus on solving the security problems they are dealing with. This enables a whole new way of looking at how we learn about security (training), how much log data we can store, process, and analyze (DFIR), how we can keep applying security updates without any interruptions (security operations), and more.
In this book, we will share our experience of the types of automation we can enable using Ansible. You may be familiar with some of these, or they may be entirely new to you. Regardless, rather than trying to prescribe how Ansible should be used, we hope that you will read and understand how you can take each of these playbooks/workflows, and make your security work faster, better, and more reliable, or simply have fun creating complex infrastructure scenarios for yourself or others.
This book would not have been possible without the excellent documentation provided by the folks at Red Hat Ansible and countless other blogs and projects already creating secure, resilient playbooks that we can all learn from and use.
The book is divided into three main sections:
Essential Ansible you should be familiar with, for building useful playbooks
Security automation techniques and approaches
Extending and programming Ansible for even more security
The idea is to get you to quickly refresh your knowledge of Ansible and move on to becoming productive with it, and toward the end, you'll see how you can do even more by extending Ansible or creating your own security modules.
Chapter 1, Introduction to Ansible Playbooks and Roles, covers the Ansible terms that you are probably already familiar with. They are explained with sample playbooks and the Ansible commands required to run those playbooks. If you feel your Ansible concepts and skills are a bit rusty, start here.
Chapter 2, Ansible Tower, Jenkins, and Other Automation Tools, is all about automation of automation. We cover the use of scheduling automation tools commonly used with Ansible, such as Ansible Tower, Jenkins, and Rundeck. Once you start using these tools, the mundane and boring tasks of remembering when to schedule and execute playbooks, and of getting notifications about their output, can be delegated to the tools rather than kept in your head. If you haven't used any tools like these, you should read this chapter.
Chapter 3, Setting up a Hardened WordPress with Encrypted Automated Backups, begins the exploration of various security automation techniques and approaches. As with any technique or approach, it is possible that some of what we say doesn't apply to your use case. However, by taking an opinionated approach, we show you one way of doing this, which we think works well in most cases. WordPress is the most popular website creation software currently. By tackling how to secure it using playbooks (and running them in an IT automation tool), we start talking about the IT/ops requirement of keeping running servers safe and making sure we can recover from failure. If you are responsible for managing websites (even if it is just your own), this chapter should be useful. If you don't use WordPress, there is enough in this chapter to get you thinking about how to apply it to your use case.
Chapter 4, Log Monitoring and Serverless Automated Defense (Elastic Stack in AWS), covers log monitoring and security automation, which go together like peanut butter and jelly. In this chapter, using Ansible, we set up a log monitoring server infrastructure on a server in AWS. Based on attack notifications, we create a near real-time dynamic firewall service using AWS services such as AWS Lambda, DynamoDB, and AWS CloudWatch.
Chapter 5, Automating Web Application Security Testing Using OWASP ZAP, covers one of the most common security workflows of testing the security of a website using one of the most popular open source tools, that is, OWASP ZAP. Once we have figured out the basic workflow, we supercharge it for continuous scanning of your websites using Ansible and Jenkins. Read this chapter to see how we can work with Docker containers using Ansible, while doing continuous security scanning. A sure win-win!
Chapter 6, Vulnerability Scanning with Nessus, explains the use of Nessus with Ansible for vulnerability scanning. This chapter covers the approach of doing basic network scans, conducting security patch audits, and enumerating vulnerabilities.
Chapter 7, Security Hardening for Applications and Networks, shows that Ansible has enabled us to assert our security thinking declaratively. By utilizing the idea of what the system state should be, we can create security hardening playbooks based on standards, such as CIS and NIST, and guidance provided by the US Department of Defense's STIGs. Familiarize yourself with approaches to hardening applications and servers using existing security documentation, but most importantly, in a repeatable self-documenting way, which is under version control. If you were like us, doing all of this manually for many years, you will appreciate what a game changer this is for security automation.
Chapter 8, Continuous Security Scanning for Docker Containers, covers how to run security scanning tools against Docker containers. A lot of modern applications are deployed using containers, and this chapter will quickly help you understand whether you have any vulnerable containers and, as always, coupled with Ansible Tower, how to make this a continuous process.
Chapter 9, Automating Lab Setups for Forensics Collection and Malware Analysis, is especially for malware researchers. If you have always wanted to use Cuckoo Sandbox and MISP, and have shied away because of the complicated steps involved in setting these up, this chapter has got you covered.
Chapter 10, Writing an Ansible Module for Security Testing, covers how we can extend the functionality offered by Ansible and learn from other projects that are using Ansible to deliver great software solutions. This chapter and the next bring us to the third section of our book.
Sometimes, even with all the amazing modules that come with Ansible, they are still not enough for us to do what we want to do. This chapter delves into creating an Ansible module and, if we may say so ourselves, it doesn't try to be very formal about the approach. Remembering that what we want to focus on is security automation, we create a module for running website security scans using a ZAP proxy. With a complete module provided, this will help you write and use your own modules in no time.
Chapter 11, Ansible Security Best Practices, References, and Further Reading, covers how to manage secrets and credentials using Ansible Vault. It will help you in setting up your own instance of Ansible Galaxy. We also highlight other projects using Ansible playbooks for security solutions, such as DebOps and Algo. We also cover AWX, which is the free and open source version of Ansible Tower, and show you how to set it up and use it. We conclude with a short discussion on Ansible 2.5, which is expected to be released in the first or second quarter of 2018.
Ansible is a tool written in Python 2. For control machines, if Python 2 is installed with a minimum version of 2.6, you are good to go. From Ansible 2.2 onwards, Python 3 is supported as a tech preview.
This book is ideally for anyone who understands that automation is key to repeatable, error-free deployment and provisioning of infrastructure, applications, and networks. However, we would like to be more specific.
If you are a system administrator who also takes care of the security of websites, servers, and networks, this book is for you.
Security consultants and analysts would gain by focusing on Chapter 3, Setting up a Hardened WordPress with Encrypted Automated Backups, to Chapter 10, Writing an Ansible Module for Security Testing. Even if some of the workloads don't apply to you, you will gain insights into how to use Ansible to provide security as a service to your teams. All DevOps teams would love to work with someone who considers automation to be as important as the security part itself.
Application developers who would like an easy way to deploy secure servers especially should look at Chapter 3, Setting up a Hardened WordPress with Encrypted Automated Backups, to Chapter 7, Security Hardening for Applications and Networks.
You will get the most out of this book if you are one of these:
Someone who has used Ansible with basic commands before
Someone who is familiar with Linux and Windows operating systems
Someone who has a basic idea about IP addressing, networking, and working with software installers
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning. Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The harden.yml performs hardening of the MySQL server configuration." A block of code is set as follows:
- name: deletes anonymous mysql user
  mysql_user:
    user: ""
    state: absent
    login_password: "{{ mysql_root_password }}"
    login_user: root
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
- name: deletes anonymous mysql user
  mysql_user:
    user: ""
    state: absent
    login_password: "{{ mysql_root_password }}"
    login_user: root
Any command-line input or output is written as follows:
ansible-playbook -i inventory playbook.yml
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Click on Confirm Security Exception and continue to proceed with the installation steps."
Feedback from our readers is always welcome. Let us know what you think about this book: what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply email [email protected], and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files emailed directly to you. You can download the code files by following these steps:
Log in or register to our website using your email address and password.
Hover the mouse pointer on the SUPPORT tab at the top.
Click on Code Downloads & Errata.
Enter the name of the book in the Search box.
Select the book for which you're looking to download the code files.
Choose from the drop-down menu where you purchased this book from.
Click on Code Download.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR / 7-Zip for Windows
Zipeg / iZip / UnRarX for Mac
7-Zip / PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Security-Automation-with-Ansible-2. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
