Post on 28-May-2020
transcript
Introduction to security automation with Ansible
- name: configure interface settings
  ios_config:
    lines:
      - description test interface
      - ip address 172.XX.XX.1 255.255.255.0
    parents: interface Ethernet1

- name: load new acl into device
  ios_config:
    lines:
      - 10 permit ip host 1.X.X.1 any log
      - 20 permit ip host 2.Y.Y.2 any log
    parents: ip access-list extended test
    before: no ip access-list extended test
    match: exact
:(){ :|:& };:
alias go_home="rm -rf /opt"

> devops ?

> devops !=
DevOps integrates developers and operations teams in order to improve collaboration and productivity by automating infrastructure, automating workflows and continuously measuring application performance.
Dev + Ops = DevOps
Configuring servers/devices
• Manual way
• Using template (copy/paste)
• Automation
• Orchestration
Configuring servers/devices, the manual way
Username: / Password: / Passphrase: / TOTP: prompts, typed by hand into terminal emulators

line vty 0 4
 access-class 10 in
 ipv6 access-class v6_list in
 login local
 transport input ssh

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
Configuring servers/devices, using a template (copy/paste)
Username: / Password: / Passphrase: / TOTP: prompts, plus a terminal, Notepad, Notepad++, Excel, ...
Ctrl+C / Ctrl+V of the same vty and iptables snippets shown for the manual way
Configuring servers/devices, automation
[Diagram: admin, configuration management (CM) tools, servers/devices]
Configuring servers/devices, orchestration
[Diagram: team members, CI, infrastructure]
Automation vs Orchestration

Why automation?
• Identical configuration
• Faster deployment
• Avoid repeated tasks
• Avoid typographical errors (typos)
• Desired state (no unnecessary changes)
Tools for automation
[Slide of tool logos]
What is ANSIBLE?
• Open source IT automation tool
• Runs on Red Hat Enterprise Linux, CentOS, Debian, OS X, Ubuntu, etc.
• Needs Python
Why ANSIBLE?
• Simple
• SSH/WinRM
• Push model
• Agentless
How it works
From the laptop/desktop/server running Ansible, over SSH:
1. Run playbook
2. Copy Python module to the device
3. Run module on the device
4. Delete module from the device
5. Return result
What can be done?
• Configuration management
• Provisioning VMs or IaaS instances
• Continuous Integration / Continuous Delivery / Deployment (CI/CD)
• Configure servers, hardware switches, routers, firewalls, etc.
• Security automation
• Other (Ansible can do all of that and much more)
Security Automation
• Application security
• Network security
• Device hardening
• Incident response
ANSIBLE terms
• Hosts
• Playbooks
• Facts
• Inventory
• Roles
• Tasks
• YAML
• Jinja2
ANSIBLE Introduction

Real world:    Build a house       Master plan (small plan)   work    tools
Ansible world: Configure a device  playbook (play, play)      tasks   modules

---
- hosts: ios-routers
  gather_facts: no
  connection: local
  tasks:
    - name: load new acl
      ios_config:
        lines:
          ...
    - name: Add banner
      ios_config:
        lines:
          ...

Example modules: ios_config, ios_command, iptables/ufw, yum/apt
ANSIBLE Introduction: YAML
• Starts with ---
• File extension .yml/.yaml
• Easy for a human to read

---
- name: PLAY-START
  hosts: app_server
  gather_facts: no
  become: yes
  become_user: root
  tasks:
    - name: Allow port 22/SSH traffic
      iptables:
        chain: INPUT
        destination_port: 22
        jump: ACCEPT
        protocol: tcp
ANSIBLE Introduction: Playbook
• Tells Ansible what to do
• Sends commands to remote devices
• Plain-text YAML file
• Each playbook contains one or more plays
ANSIBLE Introduction: playbook sample
---
- name: PLAY START
  hosts: ios-routers
  gather_facts: no
  connection: local
  tasks:
    - name: LOGIN INFORMATION
      include_vars: secrets.yml
    - name: ADD BANNER
      ios_config:
        provider: "{{ provider }}"
        lines:
          - banner motd ^Welcom to APNIC 48^
ANSIBLE Introduction: Module
• Modules control system resources, packages, files.
• Can be executed directly on remote hosts or through playbooks
• Over 450 ship with Ansible
• Users can also write their own modules
ANSIBLE Introduction (modules)
https://docs.ansible.com/ansible/latest/modules/modules_by_category.html
ANSIBLE Introduction: Task
• At a basic level, a task is nothing more than a call to an Ansible module
• Tasks run sequentially
ANSIBLE Introduction: task sample
- name: Allow ssh access from admins IP
  ufw:
    rule: allow
    src: '{{ item }}'
    proto: tcp
    port: 22
  loop:
    - 192.XX.XX.10/32
    - 192.XX.XX.11/32

- name: Allow mysql access
  ufw:
    rule: allow
    src: '{{ item }}'
    proto: tcp
    port: 3306
  loop:
    - 172.XX.XX.ZZ/32
ANSIBLE Introduction: Playbook
[Diagram: a playbook contains plays 1, 2, 3; each play has tasks, and each task calls a module]
- name: PLAY-FOR-IOS-ROUTER
  hosts: all-ios
  gather_facts: no
  connection: local
  tasks:
    - name: OBTAIN LOGIN INFORMATION
      include_vars: secrets.yml

    - name: DEFINE PROVIDER
      set_fact:
        provider:
          host: "{{ ansible_host }}"
          username: "{{ creds['username'] }}"
          password: "{{ creds['password'] }}"
          auth_pass: "{{ creds['auth_pass'] }}"

    - name: ADD BANNER
      ios_config:
        provider: "{{ provider }}"
        authorize: yes
        lines:
          - banner motd ^Welcom to APNIC48^

ANSIBLE Introduction: Playbook
[Diagram: one play with three tasks (1, 2, 3), each task calling a module]
---
- name: PLAY for creating droplets in DO
  hosts: do_server
  connection: local
  gather_facts: false
  vars:
    ansible_python_interpreter: /usr/bin/python
    do_token: YOUR_SECRET_TOKEN
  tasks:
    - name: create droplets on region SGP1
      digital_ocean_droplet:
        oauth_token: "{{ do_token }}"
        unique_name: yes
        region: sgp1
        image: ubuntu-18-04-x64
        wait_timeout: 500
        name: "{{ item }}"
        size_id: s-1vcpu-1gb
        state: present
        ssh_keys: [ 'YOUR_DO_SSH_KEY_ID' ]
      register: created_droplets
      with_items:
        - sensor1
        - sensor2

ANSIBLE Introduction: Playbook
[Diagram: one play, one task, one module]
ANSIBLE Introduction: Hosts
• List of devices or groups of devices to which Ansible pushes configuration
• Names and variables are assigned here
• Default location /etc/ansible/hosts
• Can make your own
ANSIBLE Introduction: hosts file sample (INI-like, one of the Ansible defaults)
[ios-routers]
R_2691 ansible_host=192.168.45.3
R_3745 ansible_host=192.168.45.4

[v6-router]
R_7200 ansible_host=2001:db8::1001::1

[db-servers]
db1 ansible_host=10.XX.XX.1

[web-servers]
Web1 ansible_host=172.XX.XX.10
ANSIBLE Introduction: hosts file sample (INI-like, one of the Ansible defaults)
[ubuntu_srv]
server1 ansible_host=10.XX.XX.228

[centos_srv]
server2 ansible_host=10.XX.XX.140

[ubuntu_srv:vars]
ansible_python_interpreter=/usr/bin/python3

[centos_srv:vars]
ansible_python_interpreter=/usr/bin/python

[servers:children]
ubuntu_srv
centos_srv
ANSIBLE Introduction: Inventory
• A collection of files or directories inside a directory
• ansible-playbook -i <directory-name> playbook.yml
• Can contain (not mandatory):
  • hosts (file)
  • host_vars (dir)
  • group_vars (dir)
• Can be accessed across multiple roles
Ansible encryption/decryption

ANSIBLE Security: Ansible Vault
• Keeps sensitive data such as passwords, keys and variable names in encrypted form
• Needs a password when encrypting, decrypting and running
• ansible-vault is the command, used with the encrypt, decrypt, view, etc. subcommands
ANSIBLE Security: Ansible Vault

---
creds:
  username: "imtiaz"
  password: "password"
  auth_pass: "password"

ansible-vault encrypt secretfile.yml

$ANSIBLE_VAULT;1.1;AES256
64336464316462326639336536656161356630336230393334366230653866373635386261643432
...
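An added example, not part of the slides, showing how the encrypted secretfile.yml above is consumed by a play without the decrypted values ending up in logs: the vault password is supplied at run time and no_log is set on every task that handles the creds dictionary (the creds keys are the slide's; the banner text is constructed).

```yaml
# Run with the vault password given at run time, not stored alongside the playbook:
#   ansible-playbook -i hosts vault_demo.yml --ask-vault-pass
# (or --vault-password-file pointing at a file kept outside version control)
---
- name: Use vaulted credentials without printing them
  hosts: ios-routers
  gather_facts: no
  connection: local

  tasks:
    - name: Load encrypted credentials (decrypted in memory only)
      include_vars: secretfile.yml
      no_log: true          # otherwise -v output shows the loaded values

    - name: Build the provider dictionary from creds
      set_fact:
        provider:
          host: "{{ ansible_host }}"
          username: "{{ creds['username'] }}"
          password: "{{ creds['password'] }}"
          auth_pass: "{{ creds['auth_pass'] }}"
      no_log: true          # the resulting fact contains the password

    - name: Add login banner (constructed text)
      ios_config:
        provider: "{{ provider }}"
        authorize: yes
        lines:
          - banner motd ^Authorised users only^
```

ansible-vault view secretfile.yml (with the same password) shows the plaintext for a quick check that the file round-trips; a failed or missing vault password makes include_vars fail before any device is touched.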
Installing Ansible
• yum, rpm, apt-get, emerge, pkg, brew, GitHub
• Python 2.6 or above for the control machine and Python 2.X or later for managed nodes
• http://docs.ansible.com/ansible/latest/intro_installation.html
How to run
• ansible <host-pattern> -i <inventory> -m <module>
• ansible-playbook
• Ansible Tower ($$)
• Ansible AWX project (it's free)
communitytrainers@apnic.net

Hands on LAB
Inside the VM
[Diagram: Ubuntu 18.04 host running two LXD containers, server1 and server2]
LAB 1: SSH tuning (disallow password authentication, disallow root access, auto-logout inactive users)

LAB 2: iptables (open/block ports, define policy for chains)

LAB 3: ufw (enable ufw, open/block ports, define custom ports)

LAB 4: kernel tweaks (IP forwarding, DDoS mitigation, reverse path filtering)
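An added example, not from the workshop material, of what the LAB 1 and LAB 4 playbooks could look like on the Ubuntu 18.04 containers: sshd_config is edited with lineinfile and checked with sshd -t before the file is written, idle shells are closed through TMOUT, and the kernel settings go through the sysctl module. The group name servers comes from the hosts sample above; the timeout value is constructed.

```yaml
---
- name: LAB 1 + LAB 4 - SSH tuning and kernel tweaks (Ubuntu 18.04)
  hosts: servers
  become: yes
  gather_facts: no
  vars:
    idle_timeout: 300     # constructed value: seconds before an idle shell is closed

  tasks:
    - name: sshd - no password auth, no root login, keys only
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'        # replaces commented-out defaults too
        line: "{{ item.key }} {{ item.value }}"
        validate: '/usr/sbin/sshd -t -f %s'     # a config sshd cannot parse is never written
      loop:                                     # values quoted so YAML keeps them as strings
        - { key: PasswordAuthentication, value: 'no' }
        - { key: PermitRootLogin, value: 'no' }
        - { key: PubkeyAuthentication, value: 'yes' }
      notify: restart ssh

    - name: Auto-logout inactive shells via TMOUT
      copy:
        dest: /etc/profile.d/autologout.sh
        mode: '0644'
        content: |
          TMOUT={{ idle_timeout }}
          readonly TMOUT
          export TMOUT

    - name: Kernel tweaks - forwarding off, reverse path filtering, SYN cookies
      sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_set: yes      # apply now, not only on next boot
        state: present
        reload: yes
      loop:
        - { key: net.ipv4.ip_forward, value: '0' }
        - { key: net.ipv4.conf.all.rp_filter, value: '1' }
        - { key: net.ipv4.conf.default.rp_filter, value: '1' }
        - { key: net.ipv4.tcp_syncookies, value: '1' }

  handlers:
    - name: restart ssh
      service:
        name: ssh            # the unit is called sshd on CentOS
        state: restarted
```

Run it twice: the second run should report no changes, which is the desired-state property from the "Why automation?" slide.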
Thank You
writeimtiaz@gmail.com
https://imtiazrahman.com
? ? ?