florianutz.ubuntu1804_cis

Ubuntu 18.04 CIS STIG

This Ansible role configures an Ubuntu 18.04 machine to meet CIS compliance standards. It automatically fixes Level 1 and Level 2 issues.

Warning

This role makes changes to your system. It is not an audit-only compliance checker: it is a remediation tool that actually fixes issues, intended to be run after an audit.

Important Installation Step

To install this role with ansible-galaxy, run the following command:

ansible-galaxy install -p roles -r requirements.yml

Make sure your requirements.yml file contains:

- src: https://github.com/florianutz/Ubuntu1804-CIS.git

This guide is based on the CIS Ubuntu Benchmark v2.0.1 - 01-03-2020.

The repository is based on work by MindPointGroup.

Requirements

Before running this setup, read the tasks carefully to avoid breaking your system.

Role Variables

The main configurations are found in defaults/main.yml. Here are some important ones:

  • CIS Settings: Set various sections to true or false, depending on what you need.
  • Service Control: Decide which services should be disabled (e.g., Avahi, DHCP).
  • Mail Server Configuration: Indicate if the server should be designated as a mail server.
  • Network Settings: Configure if the server is a router or if IPv6 is needed.
  • Time Synchronization: Choose between chrony and ntp for time syncing.
  • Security Settings: Adjust password and authentication requirements.

Example Playbook

To apply these settings, create a playbook file as shown below:

- name: Harden Server
  hosts: servers
  become: yes

  roles:
    - Ubuntu1804-CIS

To run your playbook (assuming you named it site.yml), use:

ansible-playbook site.yml
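
As an added example (not part of the role's own documentation), the playbook above can carry overrides for the settings listed under Role Variables and roll out one host at a time. The variable names are assumptions based on the role's ubuntu1804cis_ naming convention; confirm each one, and its meaning, in defaults/main.yml.

```yaml
# Added example. Variable names are assumed from the role's ubuntu1804cis_
# prefix convention; verify every key against defaults/main.yml before use.
- name: Harden Server (staged rollout with explicit overrides)
  hosts: servers
  become: yes
  # Process one host per batch: if that host fails, the play stops before
  # the remaining hosts are touched.
  serial: 1

  vars:
    # CIS Settings: turn whole benchmark sections on or off.
    ubuntu1804cis_section1: true
    ubuntu1804cis_section2: true
    ubuntu1804cis_section3: true
    ubuntu1804cis_section4: true
    ubuntu1804cis_section5: true
    ubuntu1804cis_section6: true

    # Service Control (assumed semantics: true means the host needs the
    # service and it is kept; false lets the role disable it).
    ubuntu1804cis_avahi_server: false
    ubuntu1804cis_dhcp_server: false

    # Mail Server Configuration: true only on a host that relays mail.
    ubuntu1804cis_is_mail_server: false

    # Network Settings: a router must keep IP forwarding enabled.
    ubuntu1804cis_is_router: false
    ubuntu1804cis_ipv6_required: true

    # Time Synchronization: chrony or ntp.
    ubuntu1804cis_time_synchronization: chrony

    # Security Settings (password and authentication requirements) are left
    # at the role defaults here; take their names from defaults/main.yml.

  roles:
    - Ubuntu1804-CIS
```

Running this first with ansible-playbook's --check and --diff options reports most pending changes without applying them; tasks that run shell commands are skipped in check mode, so the report is not exhaustive.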

Tags

Tags allow you to control what changes happen when you run the playbook. For example:

ansible-playbook site.yml --tags="patch"

License

This project is licensed under the MIT License.

About the project

Ansible role to apply Ubuntu 18.04 CIS Baseline

Install
ansible-galaxy install florianutz.ubuntu1804_cis
License
mit
Downloads
121.1k