CIS Hardening with Ansible

In Chapter 13, Using CIS Benchmarks, we explored in detail the concept of CIS Benchmarks, how they benefit Linux security in the enterprise, and how to apply them. We examined in some detail one example of the CIS hardening benchmarks, the one for Red Hat Enterprise Linux (and CentOS) 7. Although we concluded that the benchmark document provided a great deal of detail regarding the validation checks, and even how to implement the benchmarks, we also saw that the whole process was incredibly manual. Further, with almost 400 pages of detail in a single operating-system benchmark, we established that the potential workload for an engineer to implement it on just one server would be huge.

In this chapter, we will once again bring Ansible into consideration. We have already established that Ansible lends itself extremely well to automation at enterprise scale, and implementation of the CIS Benchmarks is no exception. As we proceed through this chapter, we will learn how to rewrite the CIS Benchmarks as Ansible code, how to apply them at enterprise scale, and how to maintain oversight of the ongoing compliance of your Linux servers against these benchmarks going forward. In doing this, we will develop a highly scalable approach to implementing security benchmarks in the enterprise in a manner that is manageable, repeatable, reliable, and secure – all the hallmarks of effective automation in the enterprise.

The following topics will be covered in this chapter:

  • Writing Ansible security policies
  • Application of enterprise-wide policies with Ansible
  • Testing security policies with Ansible