Security compliance is no longer optional—especially in regulated industries like BFSI. Organizations are expected to adhere to well-defined benchmarks such as the Center for Internet Security (CIS) standards to ensure hardened and secure systems.
In this blog, we’ll explore how to automate CIS Benchmark enforcement on RHEL 9 using Ansible, making compliance repeatable, auditable, and scalable.
Why CIS Benchmarking Matters
CIS benchmarks provide:
-
Industry-recognized security standards
-
Hardened configurations for OS and applications
-
Reduced attack surface
-
Compliance alignment (PCI-DSS, ISO 27001, etc.)
Manual implementation is complex and error-prone—automation solves that.
Playbook Overview
This playbook performs:
-
GRUB password hardening
-
User account preparation
-
CIS role execution (Level 1 Server profile)
-
Audit and compliance validation
Key Components Explained
1. Secure Bootloader Configuration (GRUB Hardening)
One of the critical CIS controls is protecting bootloader settings to prevent unauthorized changes.
This playbook:
-
Uses
expect to automate interactive password setup
-
Sets a GRUB2 password securely
-
Updates GRUB configuration
🔐 Why it matters:
Prevents attackers from modifying boot parameters (e.g., entering single-user mode).
2. Secure Password Handling
The playbook uses:
This ensures:
-
Passwords are not exposed in logs
-
Sensitive data remains protected
⚠️ Best Practice:
Use Ansible Vault instead of plain text passwords.
3. User Management
The playbook:
-
Gathers existing users
-
Sets password for the automation user
🔐 This aligns with secure password storage practices.
4. CIS Role Execution
The core of the automation is the RHEL9-CIS role, which enforces multiple controls:
-
File permissions
-
SSH hardening
-
Audit configuration
-
Kernel parameters
-
Logging and monitoring
Key configurations:
-
setup_audit: true → Enables auditd setup
-
run_audit: true → Runs compliance checks
-
skip_reboot: false → Allows required reboots
5. Compliance Validation with Goss
The playbook integrates Goss for validation:
-
Lightweight validation tool
-
Ensures system state matches expectations
-
Provides quick compliance feedback
Execution Flow
Security Considerations
✅ Handled Well
-
Sensitive data masked (
no_log)
-
Idempotent execution
-
Automated audit validation
⚠️ Needs Improvement
-
Avoid hardcoded passwords (
primod123)
-
Use Ansible Vault for secrets
-
Validate impact before enabling reboot
Best Practices for Production
Use Cases in Enterprise Environments
-
BFSI compliance enforcement
-
Cloud VM hardening (AWS, Azure, etc.)
-
Regulatory audits
-
Secure baseline creation
Benefits of This Approach
🚀 Automation at Scale
Apply CIS policies across hundreds of servers consistently.
🔁 Repeatability
Same configuration every time—no drift.
📊 Audit-Ready
Reports and validation built-in.
🔒 Improved Security Posture
Reduced vulnerabilities and misconfigurations.
Potential Enhancements
-
Integrate with **Red Hat Ansible Automation Platform workflows
-
Add approval gates (ServiceNow/Jira)
-
Enable Event-Driven Automation (EDA)
-
Centralized reporting dashboards
-
Role-based execution (Level 1 vs Level 2 CIS)
Conclusion
Automating CIS benchmark enforcement transforms security from a manual task into a continuous, reliable process. With Ansible, organizations can ensure systems remain compliant, secure, and audit-ready at all times.
This playbook is a strong foundation for building a compliance-as-code strategy, enabling proactive security management across your infrastructure.
This is a playbook which i have use to benchmark my server its score is around 91.00%
---
- name: CIS Benchmark mapping
hosts: all
become: true
vars:
# It is strongly recommended to store this in an Ansible Vault
grub_password: "YourSecurePasswordHere"
pre_tasks:
- name: Ensure the expect package is installed
ansible.builtin.package:
name: expect
state: present
- name: Set GRUB2 password for the root user
ansible.builtin.expect:
command: grub2-setpassword
responses:
'Enter password:': "{{ grub_password }}"
'Confirm password:': "{{ grub_password }}"
# Only run if the user configuration doesn't already exist
creates: /boot/grub2/user.cfg
register: grub_pw_set
no_log: true # Prevents the password from appearing in logs
- name: Update GRUB2 configuration
ansible.builtin.command:
cmd: grub2-mkconfig -o /boot/grub2/grub.cfg
when: grub_pw_set.changed
- name: Gather available local users
ansible.builtin.getent:
database: passwd
register: user_facts
# - name: "Setup Password for ec2-user"
# ansible.builtin.user:
# name: ec2-user
# password: "{{ 'primod123' | password_hash('sha512') }}"
# when: "'ec2-user' in user_facts"
# - name: "Setting password"
# ansible.builtin.debug:
# msg: "Password for ec2-user has been set. Please change it after first login."
# when: "'ec2-user' in user_facts"
# - name: "Setup Password for azureuser"
# ansible.builtin.user:
# name: azureuser
# password: "{{ 'primod123' | password_hash('sha512') }}"
# when: "'azureuser' in user_facts"
# - name: "Setting password"
# ansible.builtin.debug:
# msg: "Password for azureuser has been set. Please change it after first login."
# when: "'azureuser' in user_facts"
- name: "Setup password for ansible_user"
ansible.builtin.user:
name: "{{ ansible_user }}"
password: "{{ 'primod123' | password_hash('sha512') }}"
#when: "'{{ ansible_user }}' in user_facts"
roles:
- name: "RHEL9-CIS"
vars:
setup_audit: true
run_audit: true
# audit_only: true
rhel9cis_allow_authselect_updates: false
rhel9cis_crypto_policy_ansiblemanaged: false
skip_reboot: false
rhel9cis_warning_banner: |
'This Policy is Applied on RHEL9-CIS Benchmark.
Unauthorized access to this system is prohibited.
All activities on this system are logged and monitored.
By accessing this system, you consent to such monitoring and logging.
By Anible Automation Platform Team
Automation Engineering Team
for any new changes please reach out to us.'
rhel9cis_sudoers_exclude_nopasswd_list:
- "{{ ansible_user }}"
goss_url: https://github.com/goss-org/goss/releases/download/v0.4.9/goss-linux-arm64
goss_version:
release: v0.4.9
checksum: "sha256:87dd36cfa1b8b50554e6e2ca29168272e26755b19ba5438341f7c66b36decc19"
tags:
- level1-server
