alivx.cis_ubuntu_20_04_ansible

Ansible CIS Ubuntu 20.04 LTS Hardening V1.1.0

CIS Secured Ubuntu: protecting systems from cyber attacks and malware. CIS benchmarks help secure your systems by:

  1. Removing unsecure applications.
  2. Turning off unnecessary filesystems.
  3. Disabling extra ports or services.
  4. Monitoring important actions.
  5. Limiting admin access.

CIS benchmarks can be used in virtual machines across public and private clouds and also help protect on-site systems. In some industries, meeting publicly known security standards is important for audits. Auditors often recommend CIS benchmarks to help meet compliance needs for standards like PCI-DSS and HIPAA in sectors like banking, telecommunications, and healthcare. If you're aiming for compliance with these standards, you need to show that you followed proper hardening guidelines for all evaluated systems.

The Ubuntu CIS benchmarks are divided into two main profiles: ‘Level 1’ and ‘Level 2’, which are aimed at server and workstation setups.

Level 1 Profile: A practical way to secure systems without major performance loss.

  • Turn off unnecessary filesystems,
  • Limit user permissions,
  • Disable unneeded services,
  • Set up network firewalls.

Level 2 Profile: Designed for high-security environments; these settings may affect performance.

  • Create separate partitions,
  • Monitor important actions.

The Ubuntu CIS hardening tool allows you to choose your hardening level (Level 1 or 2) and the environment (server or workstation).

Usage Example:

ansible-playbook -i inventory cis-ubuntu-20.yaml --tags="level_1_server"

To see all available tags, run:

ansible-playbook -i host run.yaml --list-tags

All roles are built based on:

CIS Ubuntu Linux 20.04 LTS Benchmark
v1.1.0 - 07-21-2020

Check Example Directory


Requirements

Read through the tasks carefully to avoid breaking your systems before running this playbook.

You can download the CIS Benchmark book for free here: Free Benchmark.

To start using this Role, install Ansible first. Installing Ansible.


Role Variables

Review the default settings in defaults/main.yml before running the playbook.

  • If applying this role to servers, have some knowledge of the CIS Benchmark and understand its impacts.
  • Read and adjust any necessary values.

Examples of config items to reconsider:

  • 5.1.8 Ensure cron is restricted to authorized users
  • 5.2.17 Ensure SSH access is limited

Example Configuration:

# Section 5
# 5.1.8 Ensure cron is restricted to authorized users
allowed_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
# 5.2.17 Ensure SSH access is limited
allowed_users: ali saleh baker root  # Enter None, or a space-separated list of users

File templates can be found under files/templates/*.


Dependencies

  • Ansible version > 2.9

Example Playbook

Below is a sample playbook:

---
- hosts: host1
  become: yes
  remote_user: root
  gather_facts: no
  roles:
    - { role: "CIS-Ubuntu-20.04-Ansible", }

Run All

To run all tasks, use this command:

ansible-playbook -i [inventoryfile] [playbook].yaml

Run Specific Section

ansible-playbook -i host run.yaml -t section2

Run Multiple Sections

ansible-playbook -i host run.yaml -t section2 -t 6.1.1

Note: When running a specific task, ensure the task dependencies are met. For example, run 4.1.1.2 Ensure auditd service is enabled after 4.1.1.1 Ensure auditd is installed to avoid errors.

  • Functions marked with a tilde (~) are not yet implemented; improvements are ongoing.

  • Choose one time service (e.g., ntp). The other options available in defaults/main.yaml are systemd-timesyncd, ntp and chrony.

  • Before running, update the user list in defaults/main.yaml for list_of_os_users and allowed_users.

  • Ensure the correct subnet is configured in defaults/main.yaml for allowed_hosts.

Testing Results

  11/1/2020 Tested on AWS EC2 Ubuntu 20.04 LTS [Pass]
  11/1/2020 Tested on local Ubuntu 20.04 LTS server [Pass]
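The following playbook is an added example, not part of this role: it ties together the Example Configuration above and the notes on list_of_os_users, allowed_users and allowed_hosts by overriding those role variables in one play and adding two pre-flight checks for the failures listed under Troubleshooting. The variable names come from this README; the inventory group name, the assumption that list_of_os_users is a YAML list, and the use of fuser (psmisc) to detect the dpkg lock holder are assumptions.

```yaml
# Added example (not the role's own code): apply the role with explicit
# variable overrides and fail early on the two common runtime errors.
---
- hosts: cis_targets          # assumed inventory group name
  become: yes
  gather_facts: yes
  vars:
    # 5.2.17 Ensure SSH access is limited: space-separated users, or None
    allowed_users: "ali saleh baker root"
    # Restrict to the management subnet instead of the ALL: 0.0.0.0/0.0.0.0 default
    allowed_hosts: "ALL: 192.168.2.0/255.255.255.0"
    # Accounts the password-ageing tasks (5.4.1.x) will modify; assumed to be a list
    list_of_os_users:
      - ali
      - saleh
      - baker
  pre_tasks:
    # Avoids "chage: user 'x' does not exist in /etc/passwd" mid-run:
    # getent fails the play if any listed account is missing on the target.
    - name: Verify that every listed OS user exists in /etc/passwd
      ansible.builtin.getent:
        database: passwd
        key: "{{ item }}"
      loop: "{{ list_of_os_users }}"

    # Avoids "Could not get lock /var/lib/dpkg/lock-frontend" when
    # unattended-upgrades or a manual apt is still running on the target.
    - name: Wait for apt/dpkg to release the lock (assumes fuser from psmisc)
      ansible.builtin.shell: >
        while fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do sleep 5; done
      changed_when: false
  roles:
    - role: alivx.cis_ubuntu_20_04_ansible   # Galaxy name; use CIS-Ubuntu-20.04-Ansible for a git checkout
```

Run it first in check mode to review the changes before they are applied: ansible-playbook -i inventory site.yaml --tags level_1_server --check --diff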


Table of Roles

1. Initial Setup

  • 1.1 Filesystem Configuration
  • 1.2 Software Updates
  • 1.3 Filesystem Integrity Checking
  • 1.4 Secure Boot Settings
  • 1.5 Process Hardening
  • 1.6 Access Control
  • 1.7 Warning Banners
  • 1.8 GNOME Display Manager
  • 1.9 Ensuring security updates and software are installed

2. Services

  • 2.1 inetd Services
  • 2.2 Special Purpose Services
  • 2.3 Service Client Management

3. Network Configuration

  • 3.1 Disable unused network protocols
  • 3.2 Host-only network parameters
  • 3.3 Network security measures
  • 3.4 Manage uncommon network protocols
  • 3.5 Firewall settings

4. Logging and Auditing

  • 4.1 System accounting configuration
  • 4.2 Logging configuration

5. Access, Authentication, and Authorization

  • 5.1 Job scheduler configuration
  • 5.2 SSH server configuration
  • 5.3 PAM configuration

6. System Maintenance

  • 6.1 System file permissions
  • 6.2 User and Group settings

Troubleshooting

  • To run the playbook locally, add this to the play:

    - hosts: 127.0.0.1
      connection: local

  • If you run into issues, try executing the playbook from a different path, such as /srv/.

  • If you get an error such as "stderr: chage: user 'ubuntu' does not exist in /etc/passwd", update CIS-Ubuntu-20.04-Ansible/defaults/main.yml.

  • Error:

    TASK [CIS-Ubuntu-20.04-Ansible : 1.4.1 Ensure AIDE is installed]
    fatal: [192.168.80.129]: FAILED! => {"msg": "Could not get lock /var/lib/dpkg/lock-frontend."}

    Fix: make sure no apt process is running in the background, or wait for it to finish.

  • Error:

    TASK [CIS-Ubuntu-20.04-Ansible : 5.4.1.1 Ensure password expiration is 365 days or less]
    fatal: [192.168.80.129]: {"msg": "non-zero return code", "stderr": "chage: user 'ubuntu' does not exist in /etc/passwd."}

    Fix: ensure the correct user is set in defaults/main.yaml.

  • Error:

    TASK [CIS-Ubuntu-20.04-Ansible : Creating users without admin access]
    fatal: [golden]: FAILED! => {"msg": "crypt.crypt not supported on Mac OS X/Darwin."}

    Fix: run pip install passlib.

License

GNU GENERAL PUBLIC LICENSE

Author Information

This role was created by Ali Saleh Baker. For contributions, please discuss your ideas via GitHub issues, email, or other channels with me.

Install
ansible-galaxy install alivx.cis_ubuntu_20_04_ansible
License
gpl-3.0