# Security Audit Playbook Cheatsheet

Quick reference for using the security audit playbook.

## Quick Start

```bash
# Run full security audit on all hosts
ansible-playbook playbooks/security_audit.yml

# Audit specific environment
ansible-playbook -i inventories/production playbooks/security_audit.yml

# Audit specific host
ansible-playbook playbooks/security_audit.yml --limit hostname
```

## Common Usage

### Full Audit

```bash
# Complete security audit with all checks
ansible-playbook playbooks/security_audit.yml

# Production environment only
ansible-playbook -i inventories/production playbooks/security_audit.yml
```

### Selective Audits

```bash
# SELinux and AppArmor only
ansible-playbook playbooks/security_audit.yml --tags selinux,apparmor

# Firewall configuration audit
ansible-playbook playbooks/security_audit.yml --tags firewall

# SSH security audit
ansible-playbook playbooks/security_audit.yml --tags ssh

# User and permission audit
ansible-playbook playbooks/security_audit.yml --tags users

# Network security audit
ansible-playbook playbooks/security_audit.yml --tags network

# Compliance checks only
ansible-playbook playbooks/security_audit.yml --tags compliance
```

## Available Tags

| Tag | Description |
|-----|-------------|
| `audit` | All audit tasks |
| `selinux` | SELinux status and configuration |
| `apparmor` | AppArmor status and profiles |
| `firewall` | Firewall configuration |
| `ssh` | SSH hardening checks |
| `packages` | Package and update audits |
| `users` | User and permission audits |
| `network` | Network security checks |
| `compliance` | Compliance verification |
| `report` | Generate audit reports |

## What Gets Audited

### Security Modules

- ✅ SELinux status (RHEL family)
- ✅ AppArmor status (Debian family)
- ✅ SELinux denials count
- ✅ AppArmor violations

### Firewall

- ✅ Firewalld status (RHEL)
- ✅ UFW status (Debian)
- ✅ Firewall rules configuration
- ✅ Default policies

### SSH Configuration

- ✅ Root login disabled
- ✅ Password authentication disabled
- ✅ GSSAPI authentication disabled
- ✅ Maximum authentication attempts

### Package Management

- ✅ Available security updates
- ✅ Automatic updates enabled
- ✅ Update schedule

### Users and Permissions

- ✅ Users with UID 0 (should be root only)
- ✅ Users with empty passwords
- ✅ Sudoers configuration
- ✅ World-writable files

### Network Security

- ✅ Listening ports
- ✅ Promiscuous interfaces
- ✅ IP forwarding status

### Audit and Monitoring

- ✅ Auditd service status
- ✅ Audit log size
- ✅ AIDE installation and database

### Compliance

- ✅ Timezone configuration (UTC)
- ✅ NTP synchronization
- ✅ Kernel security parameters

## Output and Reports

Reports saved to: `./reports/security_audit//_audit_report.txt`

## Example Output

```
=========================================
Security Audit Summary
=========================================
Host: webserver01
Environment: production

=== Security Modules ===
SELinux: Enforcing

=== Firewall ===
Firewalld: Active

=== SSH Security ===
Root Login: Disabled
Password Auth: Disabled

=== Updates ===
Critical/Important updates: 0

=== Users ===
UID 0 users: root

=== Audit Logging ===
Auditd: Active
AIDE: Installed
=========================================
```

## Troubleshooting

### No audit reports generated

Check that the report directory exists:

```bash
ls -la ./reports/security_audit/
```

### Failed checks

Review the specific failed checks with verbose output:

```bash
ansible-playbook playbooks/security_audit.yml -vv
```

### Permission denied

Ensure privilege escalation (become) is enabled:

```bash
ansible-playbook playbooks/security_audit.yml --become
```

## Integration with CI/CD

```yaml
# GitLab CI example
security_audit:
  stage: compliance
  script:
    - ansible-playbook playbooks/security_audit.yml
  only:
    - schedules
```

## Best Practices

1. **Schedule regular audits** - Run weekly or after changes
2. **Review reports** - Don't just run audits, act on findings
3. **Track trends** - Compare audit results over time
4. **Document exceptions** - Note why certain checks fail
5. **Remediate findings** - Create tasks to fix issues

## Quick Reference Commands

```bash
# Dry-run audit
ansible-playbook playbooks/security_audit.yml --check

# Verbose output
ansible-playbook playbooks/security_audit.yml -vvv

# Specific environment
ansible-playbook -i inventories/production playbooks/security_audit.yml

# Multiple tags
ansible-playbook playbooks/security_audit.yml --tags "selinux,firewall,ssh"

# Skip specific checks
ansible-playbook playbooks/security_audit.yml --skip-tags packages
```

## See Also

- [Security Audit Playbook](../../playbooks/security_audit.yml)
- [CLAUDE.md Security Guidelines](../../CLAUDE.md)
- [Vault Management Guide](../../docs/security/vault-management.md)
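## Worked Example: Flagging Findings in a Report

The "Review reports" and "Track trends" practices above need the summary reports turned into a list of findings you can act on and diff over time. The script below is an added example, not part of the playbook or this repository: it parses the `Key: Value` lines of the summary format shown under Example Output and reports every check that deviates from its expected value. The sample report, the expected values and the threshold rules are assumptions chosen for illustration.

```python
import re

# Constructed sample in the playbook's summary format; not output from a real host.
SAMPLE_REPORT = """\
Host: webserver01
Environment: production
=== Security Modules ===
SELinux: Permissive
=== Firewall ===
Firewalld: Inactive
=== SSH Security ===
Root Login: Enabled
Password Auth: Disabled
=== Updates ===
Critical/Important updates: 3
=== Users ===
UID 0 users: root, backup
=== Audit Logging ===
Auditd: Active
AIDE: Not Installed
"""

# Expected value for each status-style check (assumed); any other value is a finding.
EXPECTED = {"SELinux": "Enforcing", "Firewalld": "Active", "Root Login": "Disabled",
            "Password Auth": "Disabled", "Auditd": "Active", "AIDE": "Installed"}

def parse_report(text):
    """Map every 'Key: Value' line of a summary report to a dict, ignoring banners."""
    fields = {}
    for line in text.splitlines():
        if m := re.match(r"^([A-Za-z0-9 /]+): (.+)$", line.strip()):
            fields[m.group(1)] = m.group(2).strip()
    return fields

def findings(text):
    """Return the list of findings for one report; an empty list means the host passed."""
    fields = parse_report(text)
    host = fields.get("Host", "unknown")
    out = []
    for check, want in EXPECTED.items():
        got = fields.get(check)
        if got != want:  # also fires when the check is missing from the report
            out.append(f"{host}: {check} is {got!r}, expected {want!r}")
    updates = int(fields.get("Critical/Important updates", "0"))
    if updates > 0:
        out.append(f"{host}: {updates} critical/important updates pending")
    uid0 = [u.strip() for u in fields.get("UID 0 users", "root").split(",")]
    if extra := [u for u in uid0 if u != "root"]:
        out.append(f"{host}: extra UID 0 accounts {extra}")
    return out
```

Running `findings()` over each file under `./reports/security_audit/` after every scheduled audit and storing the output gives a per-host findings list that can be compared between runs.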