-
Linux system hardening based on
CIS Distribution Independent Linux
Benchmarkv2.0.0 - 07-16-2019
- AlmaLinux 8 and 9
- Ubuntu 20.04
- openSUSE Leap 15.3
-
Compliance Scanning and Report with OpenSCAP
- AlmaLinux 8 and 9
- Ubuntu 20.04
-
Security tools installation: Wazuh agent
- AlmaLinux 8 and 9
- Ubuntu 20.04
- openSUSE Leap 15.3
User Interface for:
- Creating Ansible inventory file
- Enabling and disabling tasks from above roles
- Overriding default variables from above roles
- Generating Ansible playbook and executing the playbook
Additional features:
- Tab completion
- Input validation
- Sensitive data encryption with Ansible Vault, for instance, password variables in above roles
- Unsaved changes reminder
- Python >= 3.9.0
- GNU/Linux
- Windows with Docker
- SSH service running
- Python3 installed
Choose either one:
-
Pull from docker hub registry
docker pull d0ublew/shaa
-
Build from source
# Clone the repository git clone https://github.com/d0UBleW/shaa cd shaa docker build -t d0ublew/shaa .
After the docker image is ready, use this command to interact
docker run -it \
--rm \
-v ~/.shaa:/home/shaa/.shaa \
d0ublew/shaa-shell
# Clone the repository
git clone https://github.com/d0UBleW/shaa
cd shaa
# Copy roles to ansible default role search path
mkdir -p ~/.ansible/roles
cp -r ./ansible/roles ~/.ansible/roles
# Install Ansible vault password file
sudo mkdir -p /opt/shaa
sudo chown -R $USER:$USER /opt/shaa
cp ./ansible/vault-password.py /opt/shaa
chmod +x /opt/shaa/vault-password.py
##########
# Install the interactive shell
##########
# Create virtual environment (optional, but recommended)
python3 -m venv venv
. ./venv/bin/activate
pip install ./ui
-
Set an environment variable called
VAULT_PASSWORD
to encrypt sensitive data-
shaa
using Docker (~/.shaa
is mounted to/home/shaa/.shaa
)$ cat ~/.shaa/.env VAULT_PASSWORD=password
-
shaa
without Docker: Use.env
file as above orexport VAULT_PASSWORD=password
-
-
View help page
$ shaa-shell -h
-
Run a
shaa-shell
script. Read more aboutshaa-shell
script$ shaa-shell /path/to/shaa-shell-script
-
Run a
shaa-shell
script and go into interactive mode$ shaa-shell -i /path/to/shaa-shell-script
-
Start the interactive shell
$ shaa-shell shaa>
-
Use
help -v
to display the help menushaa> help -v
-
To create an inventory
shaa> inventory create my/local [inv: my/local] shaa>
-
To list out existing inventories
shaa> inventory list
Notice that even though we have created an inventory, it is not listed because it only lists inventories which have been saved.
-
To unload current inventory
[inv: my/local] shaa> inventory unload shaa>
-
To load an existing inventory
shaa> inventory load my/local [inv: my/local] shaa>
-
To save current inventory
[inv: my/local] shaa> inventory save
-
To save current inventory as another name
[inv: my/local] shaa> inventory save my/local-dup
-
To rename current inventory (saves changes internally)
[inv: my/local] shaa> inventory rename my/new-local [inv: my/new-local] shaa> inventory rename my/local [inv: my/local] shaa> inventory rename my/local
-
To delete an inventory
-
If an inventory is currently loaded
[inv: my/local] shaa> inventory delete shaa>
-
Otherwise
[inv: my/local] shaa> inventory delete my/local-dup
-
-
To add a machine, it is necessary to have an inventory loaded.
shaa> inventory load my/local
-
View help page
[inv: my/local] shaa> help node create [inv: my/local] shaa> node create --help
-
Create a node with password authentication
[inv: my/local] shaa> node create ubuntu-01 192.168.10.11 root -p P@ssw0rd
-
Create a node with SSH private key authentication. The keys should be located under
~/.shaa/data/ssh/
[inv: my/local] shaa> node create ubuntu-02 192.168.10.12 root -k ubuntu.key
-
Create a node and put it under a group named
webserver
. The group would be created if does not exist yet.[inv: my/local] shaa> node create rhel-01 192.168.10.13 root -k rhel.key -g webserver
-
To list available inventory nodes
[inv: my/local] shaa> node list
-
To view detailed information on nodes with name that match given regex pattern
[inv: my/local] shaa> node info -g webserver rhel-01 [inv: my/local] shaa> node info ubuntu.*
-
To edit data other than the node name.
-
Edit
ubuntu-02
node's IP address[inv: my/local] shaa> node edit ubuntu-02 -i 192.168.10.22
-
Edit
ubuntu-01
node's IP address, username, and switch password authentication to SSH private key[inv: my/local] shaa> node edit ubuntu-01 -i 192.168.10.21 -p '' -k ubuntu.key
-
-
To rename a node
[inv: my/local] shaa> node rename ubuntu-01 ubuntu-focal-01
-
To remove an inventory node
[inv: my/local] shaa> node delete ubuntu-02 [inv: my/local] shaa> node delete -g webserver rhel-01
-
To unset host variables
[inv: my/local] shaa> node unset ubuntu-focal-01 var_name
-
To create a group
[inv:my/local] shaa> group create prod
-
To list out existing groups
[inv:my/local] shaa> group list
-
To view detailed information on groups with name that match the given regex pattern
[inv: my/local] shaa> group info .
-
To rename a group
[inv: my/local] shaa> group rename prod production
-
To unset group variables
[inv: my/local] shaa> group unset production var_name
-
To create a preset, specify the preset type:
cis
,oscap
,sec_tools
,util
shaa> preset cis create part-1 [cis: part-1] shaa>
-
To list out available presets
shaa> preset cis list
-
To unload current preset
[cis: part-1] shaa> preset cis unload shaa>
-
To load an existing preset
shaa> preset cis load part-1 [cis: part-1] shaa>
-
To list out available tasks on a preset
-
CIS preset
[cis: part-1] shaa> cis section list [cis: part-1] shaa> cis section list 3.2
-
Other preset, e.g.,
oscap
[oscap: pre_hardened] shaa> oscap action list
-
-
To enable or disable tasks
-
CIS preset
[cis: part-1] shaa> cis section enable 3.5 5.2.5 [cis: part-1] shaa> cis section disable 3.5.1 3.5.2.2
-
Other preset, e.g.,
sec_tools
[sec_tools: example] shaa> sec_tools action enable all [sec_tools: example] shaa> sec_tools action disable all
-
-
To list out enabled or disabled sections
-
CIS preset
[cis: part-1] shaa> cis section list --status enabled [cis: part-1] shaa> cis section list --status disabled
-
Other preset, e.g.,
util
[util: example] shaa> util action list --status enabled [util: example] shaa> util action list --status disabled
-
-
To search sections with matching title
[cis: part-1] shaa> cis search ssh [cis: part-1] shaa> cis search --ignore-case ssh
-
To view a section information on settable variables
-
CIS preset
[cis: part-1] shaa> cis section info 5.2.15
-
Other preset, e.g.,
oscap
[oscap: pre_hardened] shaa> oscap action info scan
-
-
To set or unset a variable value globally
-
CIS preset
[cis: part-1] shaa> cis set -s 5.2.15 sshd_kex_algs ecdh-sha2-nistp521 [cis: part-1] shaa> cis unset -s 5.2.5 sshd_log_level
-
Other preset
[oscap: pre_hardened] shaa> oscap set -a scan scan_profiles level_1_server level_1_workstation [oscap: pre_hardened] shaa> oscap unset -a scan report_output_prefix
-
-
To set or unset a variable value on a node under a certain group
[inv: my/local] [cis: part-1] shaa> cis set -s 5.2.15 sshd_kex_algs ecdh-sha2-nistp256 -n ubuntu-focal-01 [inv: my/local] [cis: part-1] shaa> cis set -s 5.2.15 sshd_kex_algs ecdh-sha2-nistp256 -n ubuntu-03 -g production [inv: my/local] [cis: part-1] shaa> cis unset -s 5.2.15 sshd_kex_algs -n ubuntu-focal-01 [inv: my/local] [cis: part-1] shaa> cis unset -s 5.2.15 sshd_kex_algs -n ubuntu-03 -g production
-
To set or unset a variable value on a certain group
[inv: my/local] [cis: part-1] shaa> cis set -s 5.2.5 sshd_log_level INFO -g production [inv: my/local] [cis: part-1] shaa> cis unset -s 5.2.5 sshd_log_level -g production
-
To save the current CIS preset
[inv: my/local] [cis: part-1] shaa> preset cis save
-
To save the current CIS preset as another name
[inv: my/local] [cis: part-1] shaa> preset cis save dup-part-1
-
To rename the current CIS preset (saves changes internally)
[inv: my/local] [cis: part-1] shaa> preset cis rename new-part-1 [inv: my/local] [cis: new-part-1] shaa> preset cis rename part-1 [inv: my/local] [cis: part-1] shaa>
-
To delete a CIS preset
-
If a CIS preset is currently loaded
[cis: part-1] shaa> preset cis delete shaa>
-
Otherwise
[cis: part-1] shaa> preset cis dup-part-1
-
-
To list out existing profiles
shaa> profile list
-
To create a profile
-
No inventory and presets loaded
shaa> profile create empty [pro: empty] shaa> profile info profile name : empty inventory : cis : oscap : sec_tools : util :
-
With inventory or preset loaded
[inv: my/local] [cis: part-1] shaa> profile create example-1 [pro: example-1] [inv: my/local] [cis: part-1] shaa> profile info profile name : example-1 inventory : my/local cis : part-1 oscap : sec_tools : util :
-
-
To unload current profile
[pro: example-1] [inv: my/local] [cis: part-1] shaa> profile unload [inv: my/local] [cis: part-1] shaa>
-
To load an existing profile
[inv: idk] [cis: idk] [oscap: idk] shaa> profile load example-1 [pro: example-1] [inv: my/local] [cis: part-1] shaa>
-
To configure profile
[pro: example-1] [inv: my/local] [cis: part-1] shaa> profile set inventory idk [pro: example-1] [inv: idk] [cis: part-1] shaa> profile set oscap pre_hardened [pro: example-1] [inv: idk] [cis: part-1] [oscap: pre_hardened] shaa> profile unset cis [pro: example-1] [inv: idk] [*cis: part-1] [oscap: pre_hardened] shaa>
Notice the asterisk
*
in[*cis: part-1]
. This is to indicate that the loaded object differs from the loaded profile configuration -
To save current profile
[pro: example-1] [inv: my/local] [oscap: pre_hardened] shaa> profile save
-
To save current profile as another name
[pro: example-1] [inv: my/local] [oscap: pre_hardened] shaa> profile save example-1-dup
-
To rename current profile (saves changes internally)
[pro: example-1] [inv: my/local] [oscap: pre_hardened] shaa> profile rename example-2 [pro: example-2] [inv: my/local] [oscap: pre_hardened] shaa> inventory rename example-1 [pro: example-1] [inv: my/local] [oscap: pre_hardened] shaa>
-
To delete a profile
-
If a profile is currently loaded
[pro: example-1] [inv: my/local] [oscap: pre_hardened] shaa> profile delete [inv: my/local] [oscap: pre_hardened] shaa>
-
Otherwise
[pro: example-1] [inv: my/local] [oscap: pre_hardened] shaa> profile delete example-1-dup
-
Result of playbook is logged into a file under ~/.shaa/log
with file name in this format: <profile name>-<timestamp>
-
Run according to currently loaded inventory and presets (
-c
to enable colorized output)[inv: my/local] [cis: part-1] shaa> play -c
-
Run on specific target
[inv: my/local] [cis: part-1] shaa> play -c --target production ubuntu-focal-01
-
Run specific presets
[inv: my/local] [cis: part-1] [oscap: pre_hardened] [sec_tools: idk] shaa> play -c -p oscap sec_tools
-
Unload everything, i.e., profile, inventory, and presets
[pro: example-1] [inv: my/local] [oscap: pre_hardened] [sec_tools: idk] shaa> unload shaa>
-
Clear screen
shaa> clear
-
Create alias
shaa> alias create c clear shaa> alias create inv inventory shaa> alias create pre preset shaa> alias create pro profile
-
Edit startup script
shaa> config
Alternative: edit the file directly on
~/.shaa/shaashrc
-
Suppress output that starts with
[*]
or[+]
shaa> set quiet true
-
Disable error message red highlight
shaa> set allow_style never
-
Run script
shaa> run_script /path/to/script
-
Example script to initialize inventory
# file: /tmp/init-inv.shaa set quiet true inventory delete -f abcdef inventory create abcdef node create ubuntu-01 192.168.10.101 vagrant -p vagrant node create rhel-01 192.168.11.101 vagrant -k rhel.key -g prod inventory save
-
Example script to run automation
# file: /tmp/run-example.shaa profile load example play -c
If shaa-shell
is installed locally
$ shaa-shell /tmp/init-inv.shaa
If shaa-shell
is run via docker, copy the script to the directory which is mounted to the docker container
# Prepare the directory
mkdir -p ~/.shaa/scripts
# Copy the scripts
cp /tmp/init-inv.shaa ~/.shaa/scripts
# Run the docker container
docker run -it \
--rm \
-v ~/.shaa:/home/shaa/.shaa \
d0ublew/shaa-shell \
shaa-shell /home/shaa/.shaa/scripts/init-inv.shaa
-
AlmaLinux 8 box from Vagrant pre-hardening with compliance score of 77.4%
-
AlmaLinux 8 box from Vagrant post-hardening with compliance score of 92.2%
-
Ubuntu 20.04 box from Vagrant pre-hardening with compliance score of 66.5%
-
Ubuntu 20.04 box from Vagrant post-hardening with compliance score of 89.4%
This project is licensed under the terms of the MIT license. For more information, see LICENSE file in this repository.
If you have any feedback or run into issues, feel free to open an issue on this repository.