MindPointGroup.ubuntu18_cis
UBUNTU18 CIS
Set up an Ubuntu 18.04 machine to meet CIS standards
Following the CIS Ubuntu 18.04 Benchmark v2.1.0
Need Help?
Community
Join our Discord Server to ask questions, share ideas, or just chat with other users of Ansible-Lockdown.
Warnings
This role makes changes to the target system, which can have unexpected results. It is a remediation tool, not an auditing tool: use it to fix findings after an audit, not to produce them.
Check Mode is not supported! The role will complete in check mode without errors, but check mode is not officially supported and should be used with caution. To check compliance, use the UBUNTU18-CIS-Audit role or a compliance scanner rather than check mode.
This role is designed for a fresh install of the operating system. If you are applying it to an existing system, review the tasks for any changes that are specific to your environment.
To use a released version, point to the main branch and the relevant release for the CIS benchmark you want to work with.
Security Levels for CIS
You can run only the level 1 or only the level 2 controls for CIS compliance. Use the level tags to manage this (the tag names below are the ones carried by the tasks, so they must be spelled exactly):
- level1-server
- level1-workstation
- level2-server
- level2-workstation
The per-control variables in defaults/main.yml also need to reflect the level you chose, because they determine which tests the audit runs when the audit feature is enabled.
Upgrading from a Previous Version
Every CIS benchmark release changes controls, so check the new rule references and the available variables before upgrading. The role has changed significantly since the first release of ansible-lockdown: it now runs under Python 3 when that is the default interpreter, subject to the prerequisites listed under Requirements.
See the Changelog for more information.
Auditing (New Feature)
You can enable or disable auditing in defaults/main.yml with the run_audit variable; it is set to false by default. See the wiki for details. The defaults file scopes the goss checks to only the controls that are enabled in the Ansible role.
This provides quicker and lighter checks of both configuration compliance and running settings.
The audit uses a small (about 12 MB) Go binary called goss together with the check definitions it needs, so no additional infrastructure or tooling is required. It checks not only that the configuration is correct but that the system is currently running that way, which reduces false positives.
Refer to UBUNTU18-CIS-Audit.
Example Audit Summary
This summary comes from a Vagrant image with particular settings (no GUI, no firewall, and so on). Note that the audit runs more tests than there are controls, because it checks both configuration and running state.
ok: [default] => {
"msg": [
"Pre-remediation results: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5']",
"Post-remediation results: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5']",
"Detailed results are in /var/tmp",
""
]
}
PLAY RECAP *******************************************************************************************************************************************
default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0
Documentation
- Read The Docs
- Getting Started
- Customizing Roles
- Per-Host Configuration
- Getting the Most Out of the Role
Requirements
General:
A basic understanding of Ansible.
Install and set up Ansible and/or Tower with all necessary configuration and packages.
Familiarize yourself with the tasks in this role to understand their impact; some tasks can disrupt a live production system. Also know the variables in defaults/main.yml.
Technical Requirements:
- Access to download or install the goss binary and its check content for auditing (other distribution methods are available).
- Python 3
- Ansible version 2.10.1 or later
- python-def
- libselinux-python
Role Variables
This role is meant for users to modify via the defaults/main.yml file or with extra variables in the project, jobs, workflows, etc., without changing the tasks themselves.
Tags
Numerous tags are available for precise control. Each control carries a set of tags indicating its level, whether it is scored, the OS element it touches, whether it is a patch or audit task, and the rule number.
For example, if a run skips everything tagged "services", every control carrying that tag is skipped; conversely, you can choose to run only the controls tagged "services".
tags:
- level1-server
- level1-workstation
- scored
- avahi
- services
- patch
- rule_2.2.4
Community Contribution
We welcome contributions from the community! Please follow these guidelines:
- Work in your own branch. Ensure all commits intended for merging are Signed-off and GPG signed.
- Community Pull Requests are merged into the devel branch.
- Commits in devel must have a GPG signature, be Signed-off, and undergo functional testing before approval.
- After merging, an authorized member will integrate your changes into the main branch for a new release.
Known Issues
cloud-init: due to a bug, cloud-init stops working if the "noexec" mount option is set on /var. This is applied by rule 1.1.3.3, controlled by the variable ubtu18cis_rule_1_1_3_3; set it to false on hosts that rely on cloud-init.
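The following is an added example, not code from the ansible-lockdown project, that ties together the level tags from Security Levels for CIS, the --skip-tags usage from the Tags section, and the per-host variable override from Known Issues. It writes a constructed inventory, a group_vars file that disables ubtu18cis_rule_1_1_3_3 for cloud-init hosts, and a playbook that enables run_audit, then composes the ansible-playbook command restricted to one level tag. The hostnames, group names, file paths and the CIS_APPLY guard variable are assumptions for the example; the tag names and role variables are the ones documented on this page, and the role is assumed to be installed with ansible-galaxy.

```shell
#!/bin/sh
# Added example (not part of the ansible-lockdown project): drive the
# MindPointGroup.ubuntu18_cis role by CIS level tag with per-host overrides.
# Assumes the role is already installed (ansible-galaxy install MindPointGroup.ubuntu18_cis).
set -eu

# Scratch directory for the generated inventory and playbook (assumed layout).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed inventory: hostnames and group names are made up for the example.
write_inventory() {
  cat > "$WORKDIR/inventory.ini" <<'EOF'
[cis_hosts]
web01.example.internal
cloud01.example.internal

[cloud_init_hosts]
cloud01.example.internal
EOF
}

# Per-group override: ubtu18cis_rule_1_1_3_3 is the role variable for the
# /var noexec control, which the Known Issues section says breaks cloud-init.
# Disable it only for the hosts that use cloud-init.
write_group_vars() {
  mkdir -p "$WORKDIR/group_vars"
  cat > "$WORKDIR/group_vars/cloud_init_hosts.yml" <<'EOF'
---
ubtu18cis_rule_1_1_3_3: false   # /var noexec breaks cloud-init
EOF
}

# Playbook that applies the role with the goss audit enabled (run_audit),
# so the pre- and post-remediation summaries are produced.
write_playbook() {
  cat > "$WORKDIR/cis.yml" <<'EOF'
---
- name: Apply CIS Ubuntu 18.04 baseline
  hosts: cis_hosts
  become: true
  vars:
    run_audit: true
  roles:
    - role: MindPointGroup.ubuntu18_cis
EOF
}

# Compose the command for one level tag (level1-server, level2-workstation, ...).
# An optional second argument goes to --skip-tags, e.g. "services" or a rule
# tag such as "rule_2.2.4", so only the intended controls run. The command is
# returned as text so it can be reviewed before anything is executed.
build_command() {
  level_tag="$1"
  skip_tags="${2:-}"
  cmd="ansible-playbook -i $WORKDIR/inventory.ini $WORKDIR/cis.yml --tags $level_tag"
  if [ -n "$skip_tags" ]; then
    cmd="$cmd --skip-tags $skip_tags"
  fi
  printf '%s\n' "$cmd"
}

write_inventory
write_group_vars
write_playbook

# Level 1 server controls only, skipping everything tagged "services", as the
# Tags section describes. The role changes the target systems, so only execute
# when CIS_APPLY=1 is set (assumed guard for this example).
CMD="$(build_command level1-server services)"
echo "Generated: $CMD"
if [ "${CIS_APPLY:-0}" = "1" ]; then
  eval "$CMD"
fi
```

Note the difference between the two mechanisms: --skip-tags leaves the control enabled in defaults/main.yml, so the goss audit still checks it and reports it as failed; setting the rule variable to false, as the group_vars file does, both skips the task and removes the control from the audit's scope.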
Pipeline Testing
Uses:
- ansible-core 2.16
- Ansible collections - brings in the latest version according to the requirements file.
- Runs audits using the devel branch.
- This is an automatic test for pull requests into the devel branch.
Additional Tools
- pre-commit hooks can be run locally from the repository directory:
pre-commit run
Apply the Ubuntu 18 CIS
ansible-galaxy install MindPointGroup.ubuntu18_cis