OS Security Patch Management Automation with Ansible

My mission is to empower organizations and professionals to build secure, resilient, and compliant digital ecosystems. Through thought leadership in security operations, architecture, compliance, and advisory, this blog serves as a trusted platform to illuminate best practices, share strategic insights, and advance the maturity of modern information systems!
Ansible playbook that automates security audits using Lynis on one or multiple Ubuntu hosts. The playbook scans for vulnerabilities and generates actionable remediation steps, which can then be automated using another playbook.
Patch Management with Ansible
In enterprise environments, vulnerability management typically follows this workflow:
A vulnerability scanner (Tenable, Qualys, Rapid7, OpenVAS) performs scans on infrastructure.
The results are collected in an Excel format (usually a template proposed by the CISO) where findings are organized by severity level, CVSS score, plugin, and other relevant factors.
Prioritization is then carried out from critical to less critical vulnerabilities, enabling teams to apply patches accordingly using tools like Microsoft WSUS or other enterprise-level solutions.
To streamline this process, I have implemented an Ansible playbook that automates security audits using Lynis on one or multiple Ubuntu hosts. The playbook scans for vulnerabilities at the OS mainly at the kernel level and generates actionable remediation steps, which can then be automated using another playbook.
SCRIPTS/PLAYBOOKS I have written for the demonstration
vul_scan_automation.yml : the playbook written to automate the discovery of security weaknesses at the OS level; you can access it here —> PATCH-MANAGEMENT-AUTOMATION-WITH-ANSIBLE/automatelynis.yml at main · yvesstan/PATCH-MANAGEMENT-AUTOMATION-WITH-ANSIBLE
Scan results: the results obtained from the scan performed by the discovery playbook; you can access them here —> PATCH-MANAGEMENT-AUTOMATION-WITH-ANSIBLE/scan_results.txt at main · yvesstan/PATCH-MANAGEMENT-AUTOMATION-WITH-ANSIBLE
ossec.yml —> You have to install OSSEC to fix the error encountered in the “Install Ossec“ section of the discovery playbook; you can access it here —> PATCH-MANAGEMENT-AUTOMATION-WITH-ANSIBLE/ossec.yml at main · yvesstan/PATCH-MANAGEMENT-AUTOMATION-WITH-ANSIBLE
automatelynis.yml —> the final playbook, whose main goal is to patch all the security weaknesses discovered at the OS level; you can access it here —> PATCH-MANAGEMENT-AUTOMATION-WITH-ANSIBLE/automatelynis.yml at main · yvesstan/PATCH-MANAGEMENT-AUTOMATION-WITH-ANSIBLE
Step 1: Security Audit Scan Playbook
The first step is an Ansible playbook that automates CVE discovery on a Linux system using the Lynis tool. It is written for enterprise environments, where the audit has to run unattended and give the same result on every host.
📜 Playbook: vul_scan_automation.yml
🔄 Workflow:
Update the package list: Ensures all repositories and packages are up to date.
Install required packages: Installs Lynis and other necessary tools for CVE scanning.
Run vulnerabilities scan using Lynis: Executes a system scan with Lynis and captures the results.
Save vulnerabilities scan results to a file: Logs scan results for later review.
Notify the administrator: Sends an email notification with scan completion details and log file location (not yet implemented).
Clean up unused packages: Removes unnecessary packages and dependencies.
Reboot the system if required: Applies updates and reboots the system if necessary.
This playbook automates the discovery of security weaknesses at the OS kernel level and logs the results so that administrators can review them and take the appropriate actions.
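As an added example (not the repository's vul_scan_automation.yml), here is a playbook that implements the workflow above on a group of Ubuntu hosts. The inventory group name ubuntu_hosts and the use of Lynis's own machine-readable report at /var/log/lynis-report.dat to pull out the warning and suggestion entries are my assumptions; the log path is the one used in this post.

```yaml
---
# Added example, not the repository's playbook: implements the workflow above.
# Assumptions: inventory group "ubuntu_hosts"; Lynis writes its report to
# /var/log/lynis-report.dat (its default). Log path is the one from this post.
- name: Lynis security audit on Ubuntu hosts
  hosts: ubuntu_hosts
  become: true
  vars:
    lynis_log: /home/master/lynis_cve_scan.log
    lynis_report: /var/log/lynis-report.dat
  tasks:
    - name: Update the package list
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600
    - name: Install required packages
      ansible.builtin.apt:
        name: [lynis, aha]
        state: present
    - name: Run vulnerabilities scan using Lynis
      ansible.builtin.command:
        cmd: lynis audit system --quick --no-colors
      register: lynis_scan
      changed_when: false
    - name: Extract warning and suggestion entries as remediation items
      ansible.builtin.shell:
        cmd: grep -E '^(warning|suggestion)\[\]=' {{ lynis_report }} || true
      register: lynis_findings
      changed_when: false
    - name: Save vulnerabilities scan results to a file
      ansible.builtin.copy:
        content: |
          {{ lynis_scan.stdout }}
          ===== Remediation items (warning/suggestion entries) =====
          {{ lynis_findings.stdout }}
        dest: "{{ lynis_log }}"
        mode: "0640"   # the report describes the host's weaknesses; keep it private
    - name: Clean up unused packages
      ansible.builtin.apt:
        autoremove: true
    - name: Check whether a reboot is required
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required
    - name: Reboot the system if required
      ansible.builtin.reboot:
      when: reboot_required.stat.exists
```

Each warning[] and suggestion[] line carries the Lynis test ID (for example KRNL-xxxx) followed by the finding text, which is what the remediation playbook can key on.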
📂 Log File Location
In my setup, scan results are stored at:
/home/master/lynis_cve_scan.log
on both the Ansible master and slave nodes.
Viewing Scan Results
To review the CVE scan results, you can use various methods:
Terminal Commands:
Using cat:
cat /home/master/lynis_cve_scan.log
Using less:
less /home/master/lynis_cve_scan.log
(Use the arrow keys to navigate, press q to quit.)
Using a text editor:
nano /home/master/lynis_cve_scan.log
or
vim /home/master/lynis_cve_scan.log
Remote Access:
- Using scp to transfer the file to your local machine:
scp user@remote_host:/home/master/lynis_cve_scan.log /path/to/local/directory
- Viewing in a web browser:
sudo mv /home/master/lynis_cve_scan.log /var/www/html/
Then access: http://your_server_ip/lynis_cve_scan.log
Note that anything placed under /var/www/html/ is served to every client that can reach the web server, and this log lists the host's weaknesses; keep this option for a lab setup, or restrict access to the file and remove it once reviewed.
Converting Scan Results to HTML
If you prefer an HTML format, install aha (ANSI-to-HTML converter):
sudo apt-get install aha
Convert the scan results:
cat /home/master/lynis_cve_scan.log | aha > /home/master/lynis_cve_scan.html

Step 2: Automating Security Remediation
Once vulnerabilities are identified, we can automate the remediation process by writing another playbook.
📜 Playbook: automatelynis.yml
Check the contents of this file in the repository for the remediation steps implemented.

Possible Errors & Fixes
If you encounter an error in the task Install OSSEC, you will find a separate playbook named ossec.yml that resolves this issue.

Conclusion
This project demonstrates how Ansible can be leveraged to automate security audits and vulnerability remediation in an enterprise environment. By integrating these playbooks into your security workflow, you can enhance efficiency, consistency, and response time in patch management.
Feel free to contribute, suggest improvements, or reach out for discussions!