Implementing more complex security benchmarks in Ansible

One of the examples we considered in detail in Chapter 13, Using CIS Benchmarks, was recommendation 3.1.2, which is concerned with packet redirect sending being disabled. This is considered important on any machine that is not supposed to be acting as a router (though it should not be implemented on a router as it would stop the router from functioning correctly).

On the face of it, this recommendation looks quite straightforward – we simply need to set these two kernel parameters, as follows:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

In spite of this apparent simplicity, we ended up developing almost 60 lines of shell script to implement this check because we had to check both the currently active kernel parameters and persistent configuration file values, and then perform the appropriate changes if the values were not set as desired.

Here, once again, Ansible comes to our rescue. The sysctl module within Ansible wraps up many of the tests and configuration steps that we constructed in our shell script. Further, we can use a loop so that the same task code can be run twice – once against each of the aforementioned kernel parameters.

When developing a role for this, we could define a single task that looks something like this:

---
- name: 3.1.2 Ensure packet redirect sending is disabled (Scored - L1S L1W)
  sysctl:
    name: "{{ item.paramname }}"
    value: "{{ item.paramvalue }}"
    reload: yes
    ignoreerrors: yes
    sysctl_set: yes
    state: present
  loop:
    - { paramname: net.ipv4.conf.all.send_redirects, paramvalue: 0 }
    - { paramname: net.ipv4.conf.default.send_redirects, paramvalue: 0 }
  notify:
    - Flush IPv4 routes

The recommendation also says that if we implement these changes, we should also flush out the IPv4 routes on the system. This is also achieved through a sysctl parameter, and so we simply use the sysctl module again, only this time in a handler:

- name: Flush IPv4 routes
  sysctl:
    name: net.ipv4.route.flush
    value: "1"
    sysctl_set: yes

Running this against a test system might yield output similar to that shown in the following screenshot:

As we can see from the preceding screenshot, this code has run successfully and applied the setting recommended by the benchmark, and as a direct result of the change, the handler has fired and flushed the IPv4 routes. The overall result of this is that what took 57 lines of fairly unreadable shell script can now be achieved in 14 lines of far more readable YAML.
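To show the task and handler above in context, here is a complete playbook that audits the two kernel parameters before touching them and skips the change on hosts that are deliberately routing traffic (the caveat the recommendation itself raises). This is an added example, not code from the book or from the CIS benchmark. It assumes Ansible 2.10 or later with the ansible.posix collection installed (the sysctl module moved there from core), an inventory group named linux_servers (hypothetical) and a host or group variable is_router (hypothetical, defaulting to false).

```yaml
---
# Added example, not from the book: full playbook for CIS 3.1.2.
# Assumptions: ansible.posix collection installed; inventory group
# "linux_servers" exists; "is_router" is set to true in host_vars or
# group_vars for any machine that legitimately forwards packets.
- name: CIS 3.1.2 - Ensure packet redirect sending is disabled
  hosts: linux_servers
  become: true
  vars:
    is_router: false
    send_redirect_params:
      - net.ipv4.conf.all.send_redirects
      - net.ipv4.conf.default.send_redirects

  tasks:
    # Audit step: read the live kernel values without changing anything.
    # check_mode: false lets this run even under --check, so the audit
    # output is available in a dry run.
    - name: Read current runtime values of the send_redirects parameters
      ansible.builtin.command: "sysctl -n {{ item }}"
      loop: "{{ send_redirect_params }}"
      register: current_values
      changed_when: false
      check_mode: false

    # Report any parameter that is not already 0 so drift is visible in
    # the play output, not only in the "changed" counters.
    - name: Report parameters that are not yet compliant
      ansible.builtin.debug:
        msg: "{{ item.item }} is currently {{ item.stdout }} (expected 0)"
      loop: "{{ current_values.results }}"
      loop_control:
        label: "{{ item.item }}"
      when: item.stdout != '0'

    # Remediation step: same module and options as the book's task, but
    # guarded so that a router keeps its ability to send redirects.
    - name: 3.1.2 Ensure packet redirect sending is disabled (Scored - L1S L1W)
      ansible.posix.sysctl:
        name: "{{ item }}"
        value: "0"
        reload: true
        ignoreerrors: true
        sysctl_set: true
        state: present
      loop: "{{ send_redirect_params }}"
      when: not is_router
      notify: Flush IPv4 routes

  handlers:
    # Fires only when at least one parameter actually changed.
    - name: Flush IPv4 routes
      ansible.posix.sysctl:
        name: net.ipv4.route.flush
        value: "1"
        sysctl_set: true
```

Running the playbook with --check --diff gives a pure audit: the first two tasks still execute and print the non-compliant parameters, while the sysctl task only reports what it would change. The when: not is_router guard is the playbook author's decision that the module cannot make for you; without it, applying the role across a mixed inventory would break any host that is supposed to forward traffic.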

So far, we have built up a clear picture of how Ansible can make the design and implementation of CIS recommendations straightforward, especially when compared to alternatives such as shell scripting. We have noted that native Ansible modules such as sysctl and lineinfile can gracefully wrap up a multitude of steps that would have been performed by a shell script. However, there are times when you, as the playbook author, must make some important decisions for your playbooks, and we will look at this in more detail in the following section.
