smith193_cruk.cis_ubuntu_20_04_ansible
Ansible CIS Ubuntu 20.04 LTS
============================
CIS (Center for Internet Security) publishes guidelines for securing Ubuntu, helping to prevent cyber attacks and malware on critical systems.
CIS Recommendations Include:
These benchmarks secure your systems by:
- Removing insecure programs.
- Disabling unused file systems.
- Disabling unnecessary ports or services.
- Auditing operations that require special privileges.
- Limiting administrative permissions.
CIS recommendations can be applied in both virtual machines and physical servers, whether in public/private clouds or on-premises. In some industries, showing compliance with these standards is important for audits. For example, organizations in banking, telecommunications, and healthcare often need to comply with regulations like PCI-DSS and HIPAA.
If you seek compliance with accepted security standards (such as PCI DSS, APRA, or ISO 27001), you must show that you've applied these standards to all relevant systems.
Profiles:
The Ubuntu CIS benchmarks are split into two profiles:
Level 1: Aimed at securing systems with minimal performance impact:
- Disable unnecessary file systems.
- Limit user access to files and directories.
- Turn off unneeded services.
- Configure firewalls.
Level 2: Used for high-security needs, possibly affecting performance:
- Create separate partitions.
- Perform audits of privileged operations.
The Ubuntu CIS hardening tool lets you choose between Level 1 or Level 2, based on your system type (server or workstation).
Example Command:
To run a playbook with Level 1 for a server:
ansible-playbook -i inventory cis-ubuntu-20.yaml --tags="level_1_server"
To see all available tags, use:
ansible-playbook -i host run.yaml --list-tags
Important Notes:
- Review all tasks in the playbook carefully to ensure they won’t disrupt your systems.
- You can download the free CIS Benchmark guide here.
- Install Ansible before starting with this role; follow the guide here.
Role Variables:
Check the default configurations in defaults/main.yml:
- If applying this role to servers, ensure you're familiar with the CIS Benchmark.
- Adjust any default settings based on your needs.
Important Settings to Check: For example, settings that may restrict access:
allowed_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
allowed_users: root # List users or None
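Because these two variables restrict who can reach the host, it is worth checking before a run that the operator's own source address and login name are still permitted, so the hardening does not lock the administrator out. The following pre-flight check is an added example and not part of the role; it parses the TCP Wrappers style "daemon : client, client" value shown above (the sample values are constructed) and assumes allowed_users is a whitespace or comma separated list, or the literal None.

```python
"""Pre-flight lockout check for the role's allowed_hosts / allowed_users.

Added example, not the role's own code. The client-list syntax follows the
hosts.allow convention of the value shown in defaults/main.yml.
"""
import ipaddress

# Constructed sample values mirroring the README, not the role defaults.
ALLOWED_HOSTS = "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
ALLOWED_USERS = "root"


def parse_client_list(allowed_hosts: str) -> list:
    """Split 'daemon_list : client, client' into its client patterns."""
    _, _, clients = allowed_hosts.partition(":")
    return [c.strip() for c in clients.split(",") if c.strip()]


def host_permitted(src_ip: str, allowed_hosts: str) -> bool:
    """True if src_ip matches ALL, a net/mask or CIDR entry, or a literal."""
    addr = ipaddress.ip_address(src_ip)
    for pattern in parse_client_list(allowed_hosts):
        if pattern.upper() == "ALL":
            return True
        if pattern.upper() == "NONE":
            continue  # 'None' matches no client at all
        try:
            # ipaddress accepts both prefix (/24) and dotted-netmask forms.
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            if pattern == src_ip:  # literal host entry
                return True
            continue
        if addr in net:
            return True
    return False


def user_permitted(user: str, allowed_users: str) -> bool:
    """allowed_users: whitespace/comma separated names, or 'None'."""
    if allowed_users.strip().lower() == "none":
        return False
    return user in allowed_users.replace(",", " ").split()


def preflight(src_ip, user, allowed_hosts=ALLOWED_HOSTS, allowed_users=ALLOWED_USERS):
    """Return the list of lockout problems; empty means access is retained."""
    problems = []
    if not host_permitted(src_ip, allowed_hosts):
        problems.append(f"{src_ip} is not in allowed_hosts")
    if not user_permitted(user, allowed_users):
        problems.append(f"{user} is not in allowed_users")
    return problems
```

Run preflight() with the address and account you administer from before applying the role; any returned problem means the defaults need adjusting first.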
If you need to modify file templates, they're located in files/templates/*.
Dependencies:
- Ansible version > 2.9
Example Playbook:
Here's a simple playbook example:
---
- hosts: host1
  become: yes
  remote_user: root
  gather_facts: no
  roles:
    - { role: "CIS-Ubuntu-20.04-Ansible" }
Running the Playbook:
- To run everything, use:
ansible-playbook -i [inventoryfile] [playbook].yaml
- To run a specific section:
ansible-playbook -i host run.yaml -t section2
- To run multiple sections:
ansible-playbook -i host run.yaml -t section2 -t 6.1.1
Note: Be aware of task dependencies. Running a task out of order may lead to errors.
Table of Roles:
1. Initial Setup
- Configuration for filesystems and software updates
- Configure sudo
- Check filesystem integrity
2. Services
- Management of network services and time synchronization
3. Network Configuration
- Disable unused protocols
- Configure firewalls
4. Logging and Auditing
- Ensure auditing settings are in place
5. Access, Authentication and Authorization
- Configure SSH and user accounts
- Security for sudo and password policies
6. System Maintenance
- Permissions and integrity settings
License:
- BSD
Author Information:
For contributions or questions, please discuss via GitHub issues, email, or other channels before making changes.
ansible-galaxy install smith193_cruk.cis_ubuntu_20_04_ansible