florianutz.ubuntu2004_cis

Ubuntu 20.04 CIS STIG


This role was migrated from the Ubuntu 18.04 role. The content is correct, but the tasks still need to be reorganized to match the structure of the 20.04 Benchmark. Contributions are welcome!

This role configures an Ubuntu 20.04 system to comply with CIS benchmarks. By default, it addresses Level 1 and Level 2 issues.

Please note: this role changes your system and can break things. It is a remediation tool to run after an audit, not an auditing tool.

The guidelines are based on the CIS Ubuntu Linux 20.04 LTS Benchmark - v1.0.0 - 07-21-2020.

Feedback

  • If you appreciate our work but cannot contribute code, please rate the role on Ansible Galaxy (Galaxy Community Score). Positive feedback helps the developers.
  • If you discover a bug but cannot fix it, please open a ticket on the Issues Page with as many details as possible. The developers work on this project in their spare time, so a response may take a while.

IMPORTANT INSTALL STEP

To install the role with the ansible-galaxy command, first create a requirements.yml file containing:

- src: https://github.com/florianutz/ubuntu2004_cis.git

then run:

ansible-galaxy install -p roles -r requirements.yml
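A fuller requirements.yml, added here as an example and not taken from the project, pins the role to a reviewed revision so that a later push to the repository cannot silently change what is applied to your hosts. The name key makes the installed role directory ubuntu2004_cis, matching the role name used in the playbook below; the version value is a placeholder you must replace with a tag or commit you have reviewed.

```yaml
# requirements.yml (added example, not the project's own file)
- name: ubuntu2004_cis
  src: https://github.com/florianutz/ubuntu2004_cis.git
  scm: git
  # Placeholder (assumption): pin to a git tag or commit sha you have reviewed
  # instead of following the default branch.
  version: "<reviewed tag or commit sha>"
```

Install it exactly as above with ansible-galaxy install -p roles -r requirements.yml; the -p roles option places the role next to your playbook, which is the layout the next section expects.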

Example Playbook

Here's an example playbook. Please read the documentation and check the settings for your case. With the default settings the role uninstalls the X server (ubuntu2004cis_xwindows_required: no)!

- name: Harden Server
  hosts: servers
  become: yes

  roles:
    - ubuntu2004_cis

To run the tasks from this repository, create the playbook one directory level above the role, so that the playbook .yml file and the ubuntu2004_cis directory sit side by side. Then review defaults/main.yml and disable any rules or sections you do not want to execute before running it.

Assuming you named the file site.yml, run it with:

ansible-playbook site.yml

Requirements

Please review the tasks carefully to ensure changes won't disrupt your systems before running the playbook.

Role Variables

Several role variables are outlined in defaults/main.yml. Below are some key ones:

  • ubuntu2004cis_notauto: Run CIS checks that should not be automated. (Default: false)
  • ubuntu2004cis_section1: General settings (Default: true)
  • ubuntu2004cis_section2: Services settings (Default: true)
  • ubuntu2004cis_section3: Network settings (Default: true)
  • ubuntu2004cis_section4: Logging and auditing settings (Default: true)
  • ubuntu2004cis_section5: Access, authentication, and authorization settings (Default: true)
  • ubuntu2004cis_section6: System maintenance settings (Default: true)

Other Settings

  • Disable all SELinux functions: ubuntu2004cis_selinux_disable: false
  • Indicate whether X Windows is needed: ubuntu2004cis_xwindows_required: no
  • Time synchronization method: ubuntu2004cis_time_synchronization: chrony
  • Time synchronization confirmation: ubuntu2004cis_time_confirmation: ntp
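The following playbook is an added example, not the project's own, showing how the variables listed above are overridden from the playbook rather than by editing defaults/main.yml. The values are assumptions for a headless server: section 6 is switched off to illustrate skipping a section while its file-permission changes are reviewed, and the X server is left removable.

```yaml
# site.yml (added example, not the project's own playbook)
- name: Harden Server
  hosts: servers
  become: yes

  vars:
    # Keep the tasks the benchmark marks as not safe to automate disabled.
    ubuntu2004cis_notauto: false
    # Benchmark sections to apply; any set to false is skipped entirely.
    ubuntu2004cis_section1: true
    ubuntu2004cis_section2: true
    ubuntu2004cis_section3: true
    ubuntu2004cis_section4: true
    ubuntu2004cis_section5: true
    # Assumption for this example: skip system maintenance on the first run
    # while its file-permission and account changes are reviewed.
    ubuntu2004cis_section6: false
    # Headless host: allow the role to remove the X server (the default).
    ubuntu2004cis_xwindows_required: no
    # Use chrony for time synchronization.
    ubuntu2004cis_time_synchronization: chrony

  roles:
    - ubuntu2004_cis
```

Before applying it, run ansible-playbook site.yml --check --diff to see which tasks would change and what they would write; these are standard ansible-playbook options. Once the dry run looks right, run ansible-playbook site.yml as described above.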

Dependencies

Developed and tested with Ansible 2.10.

Tags

Many tags allow precise control of what is changed.

Example: run only the tasks that carry the patch tag:

ansible-playbook site.yml --tags="patch"

Recommendations

1. Initial Setup

Configure file systems, user permissions, and security enhancing features.

2. Services

Ensure only necessary services are enabled.

3. Network Configuration

Disable unused protocols and secure network settings.

4. Logging and Auditing

Set up audit systems and ensure logs are properly recorded.

5. Access, Authentication, and Authorization

Properly configure SSH and user account policies.

6. System Maintenance

Maintain updated system file permissions and manage user accounts.

License

MIT

Note

This repository is based on earlier work by MindPointGroup.

Project information

Ansible role to apply Ubuntu 20.04 CIS Baseline

Install
ansible-galaxy install florianutz.ubuntu2004_cis
License
MIT
Downloads
7.9k
Owner
florianutz