ansible-lockdown.ubuntu20_cis

Ubuntu 20 CIS

Setting Up Ubuntu 20 to Meet CIS Standards

Based on the CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.1 Release


Need Help?

Lockdown Enterprise

Ansible Support

Community

Join our Discord Server to ask questions, discuss features, or chat with other Ansible-Lockdown users.

Important Notes

This role will change the system and might cause issues. It is not for auditing, but rather for fixing settings after an audit.

This role was built for a fresh Operating System install. If applying it to an existing system, please check for any needed adjustments.

Documentation

Requirements

General:

Technical Dependencies:

  • Running Ansible/Tower setup (tested with Ansible version 2.9.1 and newer)
  • Python3 for the Ansible run environment

New Auditing Feature

Auditing can be turned on or off in the defaults/main.yml file with the run_audit variable, which is false by default. More details can be found in the wiki.

This new auditing is quick and light, checking configurations and current settings when possible.

We've developed a new audit method using a small Go binary called goss with relevant configurations. This works without needing any infrastructure or extra tools. It checks both configuration settings and whether they are currently applied to avoid false positives.

Check UBUNTU20-CIS-Audit for more information.

Further audit documentation can be found at Read The Docs.

Role Variables

Users should not need to edit the tasks directly. Customizations should be made via the defaults/main.yml file or using extra vars within the project, job, or workflow.

Branches

  • devel - Default branch for development; community contributions go here.
  • main - Release branch for stable versions.
  • reports - A protected branch for scoring reports; no code should be placed here.
  • gh-pages - Branch for GitHub Pages.
  • other branches - Individual branches for community members.

Community Contributions

We welcome community contributions to this role. Here are some guidelines:

  • Work in your own branch, signing off and GPG signing all commits you intend to merge.
  • Community Pull Requests go into the devel branch.
  • Pull Requests into devel must have GPG signatures and pass functional tests before approval.
  • Once reviewed, authorized members will merge changes into the main branch for release.

Pipeline Testing

Uses:

  • ansible-core 2.12
  • Upgrades Ansible collections to the latest version based on requirements.
  • Runs audits using the devel branch.
  • Automated tests occur on pull requests into the devel branch.

Additional Features

You can test and run pre-commit from within the directory:

pre-commit run
Install
ansible-galaxy install ansible-lockdown.ubuntu20_cis
License
MIT
Downloads
115
Owner
Lockdown is a security baseline automation project sponsored by Tyto Athene.