Recently, I was tasked to apply CIS Benchmarks to some of my systems. Fortunately, Red Hat has some Ansible roles that make this process almost trivial.
[ Download now: A system administrator's guide to IT automation. ]
One challenge I encountered was with firewalld. One of the controls in the official CIS Ansible roles ensures that firewalld is enabled and running. However, some of my systems didn't have firewalld enabled, by design. This would mean proceeding to deploy the playbooks, which would cause applications to be inaccessible. That would be a huge cost to the organization.
After some research, I found the community.general.listen_ports_facts Ansible module, which made it possible to find all listening TCP and UDP ports. This module is based on the traditional netstat command, which is part of the net-tools package, and the newer ss command. Because I wasn't sure which systems did not have net-tools, I made sure net-tools was installed as part of the process.
My solution
My solution, which is in my Git repository, contains four tasks:
- Install or upgrade the
net-toolspackage. - Gather facts on listening ports by loading the
listen_ports_factsmodule. - Add TCP ports listed by the
listen_ports_factsto firewalld. - Display the ports added to the server.
Also, the comunity.general collection needs to be installed. If it is not installed, you can install it with:
ansible-galaxy collection install community.general
Here's the playbook:
---
- name: Add Listening TCP port to Firewalld
hosts: localhost
gather_facts: true
become: true
tasks:
- name: Install or upgrade the net-tools package
yum:
name: net-tools
state: latest
- name: tcp ports facts
listen_ports_facts:
- name: Add ports to firewall
firewalld:
port: "{{ item }}/tcp"
state: enabled
immediate: true
permanent: true
loop: "{{ ansible_facts.tcp_listen | map(attribute='port') | sort | list }}"
register: ports_added_to_firewalld
- name: print Ports Added
debug:
var: ports_added_to_firewalld
I added this playbook to the role, and it solved my issue.
Future improvements
One issue I've discovered is the inability to filter specific ports on each server. Any ideas are welcome as either issues or pull requests to my Git repository. I did have to remove unwanted ports from a few specific servers but, all in all, this made my process much easier!
Sobre el autor
I work as Unix/Linux Administrator with a passion for high availability systems and clusters. I am a student of performance and optimization of systems and DevOps. I have passion for anything IT related and most importantly automation, high availability, and security.
Más como éste
Data-driven automation with Red Hat Ansible Automation Platform
Accelerating NetOps transformation with Ansible Automation Platform
Technically Speaking | Taming AI agents with observability
How Should We Handle Failure? | Compiler
Navegar por canal
Automatización
Las últimas novedades en la automatización de la TI para los equipos, la tecnología y los entornos
Inteligencia artificial
Descubra las actualizaciones en las plataformas que permiten a los clientes ejecutar cargas de trabajo de inteligecia artificial en cualquier lugar
Nube híbrida abierta
Vea como construimos un futuro flexible con la nube híbrida
Seguridad
Vea las últimas novedades sobre cómo reducimos los riesgos en entornos y tecnologías
Edge computing
Conozca las actualizaciones en las plataformas que simplifican las operaciones en el edge
Infraestructura
Vea las últimas novedades sobre la plataforma Linux empresarial líder en el mundo
Aplicaciones
Conozca nuestras soluciones para abordar los desafíos más complejos de las aplicaciones
Virtualización
El futuro de la virtualización empresarial para tus cargas de trabajo locales o en la nube
