florianutz.Ubuntu1604-CIS

Ubuntu 16.04 CIS STIG


This guide helps you set up an Ubuntu 16.04 machine to follow CIS security standards. By default, the tool will address Level 1 and 2 issues.

Warning: This tool will change your system settings and could cause issues. It is for fixing problems found in audits, not for auditing.

Important Installation Step

To install this tool with the ansible-galaxy command, run:

ansible-galaxy install -p roles -r requirements.yml

Make sure your requirements.yml file contains:

- src: https://github.com/florianutz/Ubuntu1604-CIS.git

This tool is based on the CIS Ubuntu Benchmark v1.1.0 - 12-28-2017. It was created from work by MindPointGroup.

Requirements

Please review the tasks carefully to ensure they won't disrupt your systems before running this playbook.

Role Variables

The default settings are listed in defaults/main.yml. Here are important variables:

  • ubuntu1604cis_notauto: If true, skip automated checks that might break your system (Default: false)
  • ubuntu1604cis_section1 through ubuntu1604cis_section6: Enable or disable each of the six CIS benchmark sections individually (Default: true for all)

SELinux:

  • ubuntu1604cis_selinux_disable: Controls whether the role disables SELinux; the documented setting is false

Service Control Variables

Control whether to keep certain services running:

ubuntu1604cis_avahi_server: false
ubuntu1604cis_cups_server: false
ubuntu1604cis_dhcp_server: false
...

Mail Server Designation

  • ubuntu1604cis_is_mail_server: Set to false if not a mail server.

Network Settings

  • ubuntu1604cis_is_router: Set to false if not a router.

IPv6 Requirement

  • ubuntu1604cis_ipv6_required: Must be true.

AIDE Configuration

AIDE (Advanced Intrusion Detection Environment) settings:

ubuntu1604cis_config_aide: true
ubuntu1604cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/sbin/aide --check'
  aide_minute: 0
  aide_hour: 5

SELinux Policy

  • ubuntu1604cis_selinux_pol: Set to targeted.

X Windows Requirement

  • ubuntu1604cis_xwindows_required: Set to no if not needed.

Client Application Requirements

ubuntu1604cis_openldap_clients_required: false
ubuntu1604cis_telnet_required: false

Time Synchronization

Set up time synchronization servers:

ubuntu1604cis_time_synchronization: chrony
ubuntu1604cis_time_synchronization_servers:
  - 0.pool.ntp.org
...

Host Allow Configuration

Ensure /etc/hosts.allow is set up:

ubuntu1604cis_host_allow:
  - "10.0.0.0/255.0.0.0"
  - "172.16.0.0/255.240.0.0"
  - "192.168.0.0/255.255.0.0"

Firewall

Specify which firewall to use:

ubuntu1604cis_firewall: firewalld

Dependencies

Requires Ansible version greater than 2.2.

Example Playbook

Here's a quick example of how to use it:

- name: Harden Server
  hosts: servers
  become: yes

  roles:
    - Ubuntu1604-CIS
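A fuller playbook that combines the variables documented above into one host profile, added here as an example and not taken from the role's own files. The group name webservers, the NTP host names and the hosts.allow range are assumptions for illustration; every variable name and default comes from the sections above.

```yaml
# Added example (not part of the role): apply the CIS baseline to a web
# tier with explicit overrides for the documented role variables.
- name: Harden web servers to the CIS Ubuntu 16.04 baseline
  hosts: webservers          # assumed inventory group
  become: yes

  vars:
    # First run: skip the checks the role flags as potentially disruptive,
    # review the result, then flip this to false for full coverage.
    ubuntu1604cis_notauto: true

    # Machine profile: no mail, routing, X or legacy client tools needed
    ubuntu1604cis_is_mail_server: false
    ubuntu1604cis_is_router: false
    ubuntu1604cis_ipv6_required: true
    ubuntu1604cis_xwindows_required: no
    ubuntu1604cis_openldap_clients_required: false
    ubuntu1604cis_telnet_required: false

    # Unneeded network services stay disabled on a web tier
    ubuntu1604cis_avahi_server: false
    ubuntu1604cis_cups_server: false
    ubuntu1604cis_dhcp_server: false

    # File-integrity check every day at 05:00 from root's crontab
    ubuntu1604cis_config_aide: true
    ubuntu1604cis_aide_cron:
      cron_user: root
      cron_file: /etc/crontab
      aide_job: '/usr/sbin/aide --check'
      aide_minute: 0
      aide_hour: 5

    # Time sync against internal NTP servers (assumed host names)
    ubuntu1604cis_time_synchronization: chrony
    ubuntu1604cis_time_synchronization_servers:
      - ntp1.example.internal
      - ntp2.example.internal

    # Limit TCP-wrapper access to the management network (assumed range)
    ubuntu1604cis_host_allow:
      - "10.20.0.0/255.255.0.0"

    ubuntu1604cis_firewall: firewalld

  roles:
    - Ubuntu1604-CIS
```

Run it first with --check (and --tags to narrow the scope) against a disposable host before applying it to production, since the role changes system settings rather than only reporting on them.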

Tags

Use tags for precise control over what changes. For example:

# Audit and patch the site
ansible-playbook site.yml --tags="patch"

License

MIT

About the project

Ansible role to apply Ubuntu 16.04 CIS Baseline

Install
ansible-galaxy install florianutz.Ubuntu1604-CIS
License
mit