AutomA Playbooks
Introduction
This chapter documents the playbooks and the questions for all the recommendations made available to users. The AutomA-Playbooks project is on GitHub, and the procedure for contributing to it is described in the Contribute section.
Tree structure
The GitHub repository is organized as the following tree:
└── KERNEL
    └── OS
        └── VERSION
            ├── CATEGORY
            │   ├── REFERENCE
            │   │   └── LEVEL
            │   │       └── RXX_ACTION_NAME
            │   │           ├── playbook.yml.j2
            │   │           └── questions.yml
            │   └── REFERENCE2
            │       └── LEVEL2
            │           └── CXX_ACTION_NAME2
            │               ├── playbook.yml.j2
            │               └── questions.yml
            ├── CATEGORY2
            │   └── REFERENCE
            │       └── LEVEL
            │           └── RXX_ACTION_NAME3
            │               ├── playbook.yml.j2
            │               └── questions.yml
            └── CATEGORY3
                └── REFERENCE2
                    └── LEVEL
                        └── RXX_ACTION_NAME4
                            ├── playbook.yml.j2
                            └── questions.yml
As of November 30, 2023, the project looked like the following tree:
└── LINUX
    └── DEBIAN
        └── 12
            ├── KERNEL
            │   └── ANSSI
            │       └── 1_INTERMEDIATE
            │           └── R11_CONFIGURE_YAMA_LSM
            │               ├── playbook.yml.j2
            │               └── questions.yml
            ├── NETWORK_STACK
            │   └── ANSSI
            │       └── 1_INTERMEDIATE
            │           └── R13_DISABLE_IPV6
            │               ├── playbook.yml.j2
            │               └── questions.yml
            ├── PACKAGE_MANAGEMENT
            │   └── ANSSI
            │       └── 0_MINIMAL
            │           └── R61_PERFORM_REGULAR_UPDATES
            │               ├── playbook.yml.j2
            │               └── questions.yml
            ├── PERMISSIONS
            │   └── ANSSI
            │       ├── 0_MINIMAL
            │       │   └── R54_ACTIVATE_STICKY_BIT
            │       │       ├── playbook.yml.j2
            │       │       └── questions.yml
            │       └── 3_REINFORCED
            │           └── R36_CHANGE_UMASK_VALUE
            │               ├── playbook.yml.j2
            │               └── questions.yml
            └── USERS
                └── ANSSI
                    └── 0_MINIMAL
                        └── R30_DISABLE_UNUSED_USER_ACCOUNTS
                            ├── playbook.yml.j2
                            └── questions.yml
We chose this folder structure to make it easier to integrate future hardening rules and environments. The structure is somewhat deep, but it keeps the project modular.
Do you want to contribute to the project by adding hardening rules for Windows Server 2022?
You must create the tree (if it does not exist), here /WINDOWS/SERVER/2022/. Then you need to create the following structure according to the hardening actions you want to add. Generically, here are the folders to create (in order):
- CATEGORY: The name of the category that the hardening rule fits into. A hardening action may fit into several categories. In that case, choose the most logical one. If you have questions, you can open an issue on the GitHub project or send an email to automa.project@proton.me.
- REFERENCE: The reference framework from which the hardening action is taken. We base all of our actions on the recommendations of ANSSI, but it is possible to use other reference frameworks such as the CIS.
- LEVEL: This folder is taken from the ANSSI level system in its guide to Security Recommendations relating to a GNU/Linux system. That guide offers a grid of hardening levels, which lets you place each hardening action at a level. Choose the level of each hardening rule carefully, because it determines how rules are segmented and shapes the user experience. The possible levels are as follows:
  - 0_MINIMAL
  - 1_INTERMEDIATE
  - 2_REINFORCED
  - 3_HIGH
- HARDENING_ACTION: The name of the hardening action, preceded by an identifier that is not necessarily unique. In the case of Security Recommendations relating to a GNU/Linux system, the identifier consists of an R followed by a number, for example R30. The goal is to keep the same nomenclature for the same reference framework.
Once your folders are created, only the two files playbook.yml.j2 and questions.yml remain to be added. The contents of these files are described in the playbook.yml.j2 and questions.yml sections.
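A contribution can be checked against this layout before it is submitted. The following linter is an added example, not part of the AutomA project: it takes repo-relative file paths and reports folders that break the structure described above. The identifier pattern (capital letters, digits, then an underscore and the name) is an assumption drawn from the R30 and CXX examples, and the Windows paths in the sample are constructed.

```python
import re
from pathlib import PurePosixPath

LEVELS = {"0_MINIMAL", "1_INTERMEDIATE", "2_REINFORCED", "3_HIGH"}  # list above
REQUIRED = {"playbook.yml.j2", "questions.yml"}
# Assumption: identifier is capital letters plus digits (R30, C01), then _NAME.
ACTION_RE = re.compile(r"^[A-Z]+\d+_[A-Z0-9_]+$")
DEPTH = 8  # KERNEL/OS/VERSION/CATEGORY/REFERENCE/LEVEL/ACTION/file


def lint_layout(file_paths):
    """Return sorted (path, problem) pairs for repo-relative file paths."""
    problems, actions = set(), {}
    for raw in file_paths:
        parts = PurePosixPath(raw.strip("/")).parts
        if len(parts) != DEPTH:
            problems.add((raw, f"expected {DEPTH} components, got {len(parts)}"))
            continue
        action_dir = "/".join(parts[:-1])
        actions.setdefault(action_dir, set()).add(parts[-1])
        level, action = parts[5], parts[6]
        if level not in LEVELS:
            problems.add((action_dir, f"unknown level {level}"))
        if not ACTION_RE.match(action):
            problems.add((action_dir, f"bad action folder name {action}"))
    # Every action folder needs both files, whatever else is wrong with it.
    for action_dir, names in actions.items():
        for missing in REQUIRED - names:
            problems.add((action_dir, f"missing {missing}"))
    return sorted(problems)


SAMPLE = [
    # Paths taken from the November 30, 2023 tree on this page.
    "LINUX/DEBIAN/12/USERS/ANSSI/0_MINIMAL/R30_DISABLE_UNUSED_USER_ACCOUNTS/playbook.yml.j2",
    "LINUX/DEBIAN/12/USERS/ANSSI/0_MINIMAL/R30_DISABLE_UNUSED_USER_ACCOUNTS/questions.yml",
    "LINUX/DEBIAN/12/PERMISSIONS/ANSSI/3_REINFORCED/R36_CHANGE_UMASK_VALUE/playbook.yml.j2",
    "LINUX/DEBIAN/12/PERMISSIONS/ANSSI/3_REINFORCED/R36_CHANGE_UMASK_VALUE/questions.yml",
    # Constructed paths (hypothetical contribution with mistakes).
    "WINDOWS/SERVER/2022/USERS/CIS/1_INTERMEDIATE/C01_EXAMPLE_ACTION/playbook.yml.j2",
    "WINDOWS/SERVER/2022/USERS/CIS/0_MINIMAL/example/questions.yml",
]

if __name__ == "__main__":
    for path, problem in lint_layout(SAMPLE):
        print(f"{path}: {problem}")
```

On the sample, the linter also reports the 3_REINFORCED folder from the tree above, because that name is not among the four levels listed on this page.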