Scripted deployment of server hardening

We have spent some time exploring the CIS Benchmarks and how they are meant to be used. Now, let us turn our attention to more practical matters: how to audit a system against them and how to implement them. In this book, we have focused on Ansible as our chosen tool for automating such tasks, and Ansible is indeed an excellent fit for this purpose. With that said, you will have noticed that the examples in the CIS Benchmark document itself are usually shell commands or, in some cases, simply statements about configuration lines that should (or should not) exist in a given file.

In order to explain clearly how to audit and implement the CIS Benchmark on a Linux system, I have split the examples into two parts. In this part of the chapter, we will develop traditional shell scripts that first check for CIS Benchmark compliance and then implement the recommendation if the check fails. These scripts will closely mirror the audit and remediation steps in the CIS Benchmark document itself, which makes it easier to understand how each recommendation is implemented. Then, in the next chapter, we will turn these shell script-based examples into Ansible roles so that we can use our favorite automation tool to manage our CIS Benchmark compliance.

Let's work through some examples to demonstrate how to develop such scripts, starting with our root login over SSH example.
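The following is an added example, not the book's own script, of the audit-then-remediate pattern for the root login over SSH recommendation (`PermitRootLogin no`). It works on whatever file path it is given, so it can be exercised on a constructed sample configuration without touching `/etc/ssh`; the sample config, the function names and the `enforce_permit_root_login` wrapper are all assumptions made for this example. Two sshd behaviours shape the logic: sshd honours the first value it reads for a directive, and a directive that appears inside a `Match` block applies only to that block.

```shell
#!/bin/sh
# Added example, not the book's own script: audit and remediate the CIS
# recommendation that root login over SSH be disabled (PermitRootLogin no)
# in an sshd_config-style file. The file path is an argument so the script
# can be exercised on a constructed sample without touching /etc/ssh.

# Audit: print the effective global PermitRootLogin value. sshd honours the
# first value it reads for a directive, so only the first uncommented line
# before any Match block counts; Match sections scope the lines after them.
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Returns 0 when compliant, 1 otherwise. A missing directive means sshd's
# built-in default applies, which the benchmark does not accept.
audit_permit_root_login() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Remediate: drop every global PermitRootLogin line and prepend a compliant
# one. Putting it on line 1 also wins over Include'd drop-in files, which
# sshd processes at the point of the Include directive. Directives inside
# Match blocks are left untouched, since they apply only to that block.
remediate_permit_root_login() {
    cfg="$1"
    tmp=$(mktemp) || return 1
    {
        printf 'PermitRootLogin no\n'
        awk 'tolower($1) == "match" { in_match = 1 }
             !(in_match != 1 && tolower($1) == "permitrootlogin")' "$cfg"
    } > "$tmp"
    cat "$tmp" > "$cfg"   # write in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Audit-then-fix wrapper in the spirit of the benchmark's two-step layout.
# Prints the status before and after so a run is easy to read.
enforce_permit_root_login() {
    cfg="${1:-/etc/ssh/sshd_config}"
    if audit_permit_root_login "$cfg"; then
        echo "compliant"
        return 0
    fi
    echo "non-compliant: remediating"
    remediate_permit_root_login "$cfg" || return 1
    audit_permit_root_login "$cfg" && echo "compliant" && return 0
    echo "remediation failed"
    return 1
}

# Constructed sample config (not taken from any real host) for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Constructed sshd_config sample
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF
enforce_permit_root_login "$sample"
rm -f "$sample"
```

Run against the real file, the script needs root and must be followed by a restart of sshd for the change to take effect. On a live host, `sshd -T` prints the configuration sshd will actually use, including values pulled in from `Include`'d drop-in files, so checking its output is a more reliable audit than reading any single file; the file-based check above is what makes the example testable without a running daemon.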
