Introduction to security automationwith ansible

- name: configure interface settingsios_config:lines:- description test interface- ip address 172.XX.XX.1 255.255.255.0

parents: interface Ethernet1

- name: load new acl into deviceios_config:lines:- 10 permit ip host 1.X.X.1 any log- 20 permit ip host 2.Y.Y.2 any log

parents: ip access-list extended testbefore: no ip access-list extended testmatch: exact

2

:(){ :|:& };:

3

alias go_home=”rm –rf /opt"

>devops ?

4

>devops !=

5

DevOps integrates developers and operations teamsIn order to improve collaboration and productivity byautomating infrastructure, automating workflows andcontinuously measuring application performance

Dev + Ops = DevOps6

Manual way

Using template (copy/paste)

Automation

Orchestration

Configuring servers/devices

7

Configuring servers/devices, the manual way

Username:Password:Passphrase:TOTP:

terminal emulators

line vty 0 4access-class 10 inipv6 access-class v6_list inlogin localtransport input ssh

-A INPUT –p tcp –m tcp –-dport 22 –j ACCEPT-A OUTPUT –p tcp –m tcp –-dport 80 –j ACCEPT

8

Username:Password:Passphrase:TOTP:

terminalNotepad Notepad++ Excel…..

Configuring servers/ devices, Using template (copy/paste)

line vty 0 4access-class 10 inipv6 access-class v6_list inlogin localtransport input ssh

-A INPUT –p tcp –m tcp –-dport 22 –j ACCEPT-A OUTPUT –p tcp –m tcp –-dport 80 –j ACCEPT

Ctrl+VCtrl+C

9

Configuring servers/ devices, Automation

CMToolsAdmin

10

Configuring servers/ devices, Orchestration

INFRACI

TeamMember

TeamMember

TeamMember

11

Automation Orchestration12

Automation vs Orchestration

Identical configuration

Faster deployment

Why automation ?

Avoid repeated task

Avoid typographical error (Typos)

13

Desired State (no unnecessary changes)

14

Tools for automation

15

16

• Open source IT automation tool

• Red hat Enterprise Linux, CentOS, Debian, OS X, Ubuntu etc.

• Need python

What is ANSIBLE?

17

Why ANSIBLE?

• Simple

• SSH/WinRM

• Push model

• Agentless18

How it works

Laptop/Desktop/Server

Copy python module

Run Moduleon device

Delete Modulefrom device

Run playbook SSH SSH

1 2 3 4

Return result

519

What can be done??

• Configuration Management

• Provisioning VMs or IaaS instances

• Continuous Integration/ Continuous Development/Deployment (CI/CD)

• Configure Servers, hardware switches, routers, firewall etc.

• Security Automation

• Other (Ansible can do all of that and much more)20

Security Automation

• Application Security

• Network Security

• Device hardening

• Incident Response21

YAMLJinja

2 Playbooks

Facts

Inventory

RolesTask

YAML

Jinja

2

HostsPlaybooks

Facts

Inventory

RolesTask

YAML PlaybooksFacts

Inventory

RolesTaskYAML

Hosts

Playbooks

Facts

Inventory

RolesTask

YAML Jinja

2Hosts

Playbooks

Facts

Inventory

RolesTask

ANSIBLE terms

22

ANSIBLE Introduction

Build a house Master Plan(small plan) work tools

Real world

Ansible world

Configure a device playbook(play, play) tasks modules

---

- hosts: ios-routers gather_facts: no connection: local

name: load new aclios_config:lines:

name: Add bannerios_config:lines:

ios_configios_commandiptables/ufwyum/apt

23

• Start with - - -

• File extention .yml/.yaml

• Easy for a human to read

ANSIBLE Introduction

YAML

---

- name: PLAY-STARThosts: app_servergather_facts: nobecome: yesbecome_user: root

tasks:- name: Allow port 22/SSH trafficiptables:chain: INPUTdestination_port: 22jump: ACCEPTprotocol: tcp

24

Playbook

ANSIBLE Introduction

• Tell Ansible what to do

• Send commands to remote devices

• Plain text YAML file

• Each playbook contains one or more plays

25

ANSIBLE Introduction playbook sample---

- name: PLAY STARThosts: ios-routersgather_facts: noconnection: local

tasks:

- name: LOGIN INFORMATIONinclude_vars: secrets.yml

- name: ADD BANNERios_config:provider: "{{ provider }}"lines:- banner motd ^Welcom to APNIC 48^ 26

Module

ANSIBLE Introduction

• Modules control system resources, packages, files.

• Can be executed directly on remote hosts or through Playbooks

• Over 450 ships with Ansible

• User can also write their own modules

27

ANSIBLE Introduction (modules)

https://docs.ansible.com/ansible/latest/modules/modules_by_category.html

28

Task

ANSIBLE Introduction

• At a basic level, a task is nothing more than a call to an ansible module

• Task run sequentially

29

ANSIBLE Introduction task sample- name: Allow ssh access from admins IP

ufw:rule: allowsrc: '{{ item }}'proto: tcpport: 22

loop:- 192.XX.XX.10/32- 192.XX.XX.11/32

- name: Allow mysql accessufw:rule: allowsrc: '{{ item }}'proto: tcpport: 3306

loop:- 172.XX.XX.ZZ/32 30

Task Task Task

ModuleModule Module

Play Play Play

123

123

123

Playbook

ANSIBLE Introduction

31

- name: PLAY-FOR-IOS-ROUTER- hosts: all-ios

gather_facts: noconnection: local

tasks:

- name: OBTAIN LOGIN INFORMATIONinclude_vars: secrets.yml

- name: DEFINE PROVIDERset_fact:

provider:host: "{{ ansible_host }}"username: "{{ creds['username'] }}"password: "{{ creds['password'] }}"auth_pass: "{{ creds['auth_pass'] }}"

- name: ADD BANNERios_config:

provider: "{{ provider }}"authorize: yeslines:

- banner motd ^Welcom to APNIC48^

Play

taskModule

taskModule

taskModule

1

2

3

Playbook

ANSIBLE Introduction

32

---

- name: PLAY for creating dropltes in DOhosts: do_serverconnection: localgather_facts: false

vars:ansible_python_interpreter: /usr/bin/pythondo_token: YOUR_SECRET_TOKEN

tasks:- name: create droplets on region SGP1digital_ocean_droplet:oauth_token: "{{ do_token }}"unique_name: yesregion: sgp1image: ubuntu-18-04-x64wait_timeout: 500name: "{{ item }}"size_id: s-1vcpu-1gbstate: presentssh_keys: [ ‘YOUR_DO_SSH_KEY_ID' ]

register: created_dropletswith_items:- sensor1- sensor2

Play

taskModulePlaybook

ANSIBLE Introduction

33

Hosts

ANSIBLE Introduction

• List of devices or group of devices where ansible push configuration

• Name and variable assign

• Default location /etc/ansible/hosts

• Can make your own

34

ANSIBLE Introduction Hosts file sample

[ios-routers]R_2691 ansible_host=192.168.45.3R_3745 ansible_host=192.168.45.4

[v6-router]R_7200 ansible_host=2001:db8::1001::1

[db-servers]db1 ansible_host=10.XX.XX.1

[web-servers]Web1 ansible_host=172.XX.XX.10

INI-like (one of Ansible defaults)

35

ANSIBLE Introduction Hosts file sample

[ubuntu_srv]server1 ansible_host=10.XX.XX.228

[centos_srv]server2 ansible_host=10.XX.XX.140

[ubuntu_srv:vars]ansible_python_interpreter=/usr/bin/python3

[centos_srv:vars]ansible_python_interpreter=/usr/bin/python

[servers:children]ubuntu_srvcentos_srv

INI-like (one of Ansible defaults)

36

Inventory

ANSIBLE Introduction

• Collections of files or directories inside a directory

• ansible-playbook -i <directory-name> playbook.yml

• Can have (not mandetory)

• hosts (file)• host_vars (dir)• group_vars (dir)

• Can be accessed across multiple roles 37

Ansible encryption decryption

38

ANSIBLE Security

Ansible Vault• It keeps sensitive data such as password, keys, variable

name in encrypted format

• Need a password while encrypting, decrypting and running

• ansible-vault is the keyword along withencrypt, decrypt, view, etc. parameter

39

ANSIBLE Security

Ansible Vault---

---creds: username: "imtiaz" password: ”password" auth_pass: ”password”

$ANSIBLE_VAULT;1.1;AES25664336464316462326639336536656161356630336230393334366230653866373635386261643432

ansible-vault encrypt secretfile.yml40

Installing Ansible

yum, rpm, apt-get, emerge, pkg, brew, github

Python 2.6 or above for the control machine and python 2.X or later for managed node

http://docs.ansible.com/ansible/latest/intro_installation.html

41

How to run

• ansible <inventory> -m <module>

• ansible-playbook

• Ansible tower ($$)

• Ansible AWX project (it’s free)

42

communitytrainers@apnic.net

43

Hands on LAB

44

Inside the VM

ubuntu

Ubuntu 18.04

server1 server2

LXD container

45

LAB 1: SSH Tuning(disallow password authentication,

disallow root access,auto logout inactive user)

46

LAB 2: iptables(Open/block ports,

define policy for chain)

47

LAB 3: ufw(enable ufw,

Open/block ports, define customize port )

48

LAB 4: kernel tweaks(ip forwarding, ddos mitigation,

reverse path filtering)

49

Thank Youwriteimtiaz@gmail.comhttps://imtiazrahman.com

? ? ?

50