ryezone_labs.ansible_cis_ubuntu_2004

Ansible CIS Ubuntu 20.04 LTS Hardening

CIS Hardened Ubuntu: This role is for protecting mission-critical systems from cyber attacks and malware. CIS benchmarks help secure your systems by removing insecure programs, disabling unused filesystems and unnecessary ports or services, auditing privileged operations, and limiting administrative privileges.

Why Use CIS Benchmarks?

CIS benchmarks are useful for both public/private cloud virtual machines and on-premises deployments. In certain industries—like banking, telecommunications, and healthcare—they form a common standard that auditors look for to ensure compliance with security frameworks like PCI-DSS and HIPAA. To meet these standards, you must show that you’ve used documented hardening practices for all systems being evaluated.

Profiles:

CIS benchmarks for Ubuntu are divided into two profiles:

  • Level 1: Aimed at basic security with minimal performance impact.
  • Level 2: Focused on strong security, potentially affecting system performance.

Example for Level 1:

  • Disable unnecessary filesystems
  • Limit user permissions
  • Turn off unneeded services
  • Set up network firewalls

Example for Level 2:

  • Create separate disk partitions
  • Keep tabs on privileged operations

How to use:

You can choose your desired level of hardening (Level 1 or Level 2) and work environment (server or workstation) using Ansible. For instance:

ansible-playbook -i inventory cis-ubuntu-20.yaml --tags="level_1_server"

You can see all available tags by running:

ansible-playbook -i host run.yaml --list-tags

Requirements:

  1. Go through the tasks first to ensure the changes won’t break your systems.
  2. Download the CIS Benchmark book for free here.
  3. Install Ansible before getting started (see the Ansible Installation Guide).

Role Variables:

Review all default settings in defaults/main.yml before running the playbook. Make sure you understand how implementing these roles might impact your servers.

Examples to consider for exclusion:

  • Tasks that restrict cron jobs and SSH access can cut off your own access to the host.

To modify template files, check files/templates/*.

Dependencies:

  • You need Ansible version 2.9 or higher.

Example Playbook:

Here’s a simple example:

---
- hosts: host1
  become: yes
  remote_user: root
  gather_facts: no
  roles:
    - role: CIS-Ubuntu-20.04-Ansible

Commands:

To run all tasks:

ansible-playbook -i [inventoryfile] [playbook].yaml

To run specific sections:

ansible-playbook -i host run.yaml -t section2

To run multiple sections:

ansible-playbook -i host run.yaml -t section2 -t 6.1.1

Note: Always check task dependencies before running individual tasks to avoid errors.
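As an added example (not part of the role itself), a small POSIX shell wrapper around the commands above: it dry-runs a single tag with --check --diff, optionally on one canary host via --limit, and applies the tag for real only if the dry run exits cleanly. ANSIBLE_BIN, cis_run and cis_check_then_apply are the wrapper's own names, not anything the role defines; the inventory, playbook and tag names are the placeholders used in this README.

```shell
#!/bin/sh
# Added example, not part of the ryezone_labs role: dry-run one CIS tag
# with --check --diff (optionally on a single canary host via --limit)
# and apply it for real only if the dry run exits cleanly.
# ANSIBLE_BIN is this wrapper's own knob (assumption): it defaults to the
# real ansible-playbook and can be pointed at a stub for testing.
set -eu

ANSIBLE_BIN=${ANSIBLE_BIN:-ansible-playbook}

# cis_run MODE INVENTORY PLAYBOOK TAG [LIMIT]
#   MODE is "check" (report changes and diffs, change nothing) or "apply".
cis_run() {
    mode=$1; inventory=$2; playbook=$3; tag=$4; limit=${5:-}
    set -- -i "$inventory" "$playbook" --tags "$tag"
    if [ "$mode" = check ]; then
        set -- "$@" --check --diff
    fi
    if [ -n "$limit" ]; then
        set -- "$@" --limit "$limit"
    fi
    "$ANSIBLE_BIN" "$@"
}

# cis_check_then_apply INVENTORY PLAYBOOK TAG [LIMIT]
#   Runs the dry run first and refuses to apply if it fails, so errors
#   surface before anything is changed on the target hosts.
cis_check_then_apply() {
    if cis_run check "$@"; then
        cis_run apply "$@"
    else
        echo "dry run of tag '$3' failed; nothing applied" >&2
        return 1
    fi
}

# Stand-alone usage, e.g.:
#   sh cis_apply.sh inventory cis-ubuntu-20.yaml level_1_server canary01
if [ $# -ge 3 ]; then
    cis_check_then_apply "$@"
fi
```

A clean check-mode run is a sanity check, not proof: tasks that depend on changes made by earlier tasks in the same run cannot be evaluated in check mode, so still review the task list and its dependencies as the README advises.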

Troubleshooting:

  1. If running the playbook locally, target the local host directly in the play:

     - hosts: 127.0.0.1
       connection: local

  2. If encountering issues, try running the playbook from a different directory like /srv/.
  3. For user-related errors, ensure the settings in defaults/main.yml are updated correctly.

License:

This project is licensed under the GNU General Public License.

Author:

The role was developed by Ali Saleh Baker. If you want to contribute or suggest changes, please reach out via a GitHub issue or email.

Install:

ansible-galaxy install ryezone_labs.ansible_cis_ubuntu_2004

License: gpl-3.0