ansible-lockdown.ubuntu22_cis

Ubuntu 22 CIS

Setting Up an Ubuntu 22 Machine to Meet CIS Standards

Based on the CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0

Need Help?

Lockdown Enterprise

Ansible Support

Community

Join our Discord Server to ask questions, discuss features, or chat with other users.

Important Notes

This tool will change your system and might cause some issues. It is not just for checking compliance; it's meant to fix issues found after an audit.

This tool was created for a fresh install of the operating system. If you're using it on an existing system, please check for any specific changes required.

Documentation

Requirements

General:

Technical Requirements:

  • Ansible/Tower environment (this is tested with Ansible version 2.12.1 and later)
  • Python3 environment for Ansible
  • goss >= 0.4.4 (needed for auditing)

Auditing (New)

You can enable or disable auditing in the defaults/main.yml file by changing the run_audit variable. It is set to false by default. Check the wiki for more details.

This new audit method is faster and lightweight, checking for configuration compliance and current settings.

It uses a small tool called goss to perform checks without needing extra infrastructure or tools. This audit will verify not only the correct settings but also if they are actively running, aiming to reduce false positives.

Check out UBUNTU22-CIS-Audit for more information.

More audit documentation can be found at Read The Docs.

Role Variables

This role is built so that users don’t need to edit tasks directly. Customization should be done through the defaults/main.yml file or with extra variables in the project, job, workflow, etc.
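As an added example (not code from the role's own repository), a minimal playbook that overrides the role's defaults in the play rather than by editing defaults/main.yml, as recommended above; the inventory group name cis_targets and the playbook file name cis.yml are assumptions, while run_audit is the variable named on this page.

```yaml
# Added example playbook (not part of ansible-lockdown.ubuntu22_cis).
# Overrides a role default in the play instead of editing defaults/main.yml.
- name: Apply the CIS Ubuntu 22.04 baseline and run the goss audit
  hosts: cis_targets      # assumed inventory group name
  become: true            # the role changes system configuration, so it needs root
  vars:
    # Enable the goss-based audit; the role's default is false.
    run_audit: true
  roles:
    - role: ansible-lockdown.ubuntu22_cis

# Typical run order (assumed file names):
#   1. ansible-galaxy install ansible-lockdown.ubuntu22_cis
#   2. ansible-playbook -i inventory.ini cis.yml --check --diff   # preview where tasks support check mode
#   3. ansible-playbook -i inventory.ini cis.yml                  # apply the baseline
# Extra vars on the command line take precedence over the play's vars, so a one-off
# override such as -e run_audit=false needs no edit to the file.
```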

Branches

  • devel - Default and development branch. Community pull requests go here.
  • main - Release branch.
  • reports - Protected branch for scoring reports; no code should be added here.
  • gh-pages - GitHub Pages branch.
  • other branches - Individual community member branches.

Community Contribution

We welcome community contributions to this role. Please follow these guidelines:

  • Work in your own branch. Make sure to sign off and GPG sign all commits meant for merging.
  • Community pull requests will go into the devel branch.
  • Pull requests to devel must have a GPG signature and pass a functional test before approval.
  • After merging your changes and reviewing them, an authorized member will merge into the main branch for a new release.

Pipeline Testing

Uses:

  • ansible-core 2.12
  • Ansible collections, installed at the latest version listed in the requirements file.
  • Runs audits using the devel branch.
  • This is an automated test performed on pull requests to devel.

Additional Features

  • You can test and run pre-commit from within the directory using:

    pre-commit run

Install

ansible-galaxy install ansible-lockdown.ubuntu22_cis

License

MIT

Downloads

2.1k

Owner

Ansible Lockdown is a security baseline automation project sponsored by Mindpoint Group.