CIS Ubuntu 18.04 Desktop Hardening

One of the most popular posts on my blog has been the Ubuntu 18.04 hardening post that uses Florian Utz's ansible playbook (original post here). I wanted to use this playbook for Ubuntu 18.04 desktop hardening.

I tried to run the CIS hardening on Ubuntu 18.04 desktop, but there were a few issues. It crashed gnome and failed to perform a few tasks like setting the login banner.

I have created a fork of Florian’s project to make a usable playbook on an Ubuntu desktop with gnome. You can see the github project here.

Install ansible

In order for our playbook to run, we need to install ansible as a pre-requisite. You can easily remove ansible after the hardening is completed, if you’d like.


sudo apt install -y ansible

Create a requirements file

This file will tell ansible where our playbook will be stored. We can point to GitHub and run our playbook directly from there. In order to do that, we will use an echo command to create or append to /etc/ansible/requirements.yml

sudo sh -c "echo '- src: https://github.com/joelradon/ubuntu1804-desktop-cis.git' >> /etc/ansible/requirements.yml"

Build hardening role

Now we must install the role so we can run our playbook. We are going to use the requirements.yml we just created to point ansible to GitHub.

cd /etc/ansible/
sudo ansible-galaxy install -p roles -r /etc/ansible/requirements.yml

Set configuration for playbook

Now we need to create the playbook file that will fire off our Ubuntu 18.04 desktop hardening process. This tells ansible to use the role we just installed and to run our playbook on the local host.


sudo sh -c "cat > /etc/ansible/harden.yml <<EOF
- name: Harden Server
  hosts: localhost
  connection: local
  become: yes
  roles:
    # ansible-galaxy names the role after the repository in requirements.yml
    - ubuntu1804-desktop-cis
EOF
"

Run hardening playbook

sudo ansible-playbook /etc/ansible/harden.yml

This playbook generally takes 20-30 minutes to run. Sit back and relax. This has been tested on Ubuntu 18.04 desktops with gnome desktop environments.
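
The steps above fetch the role from the head of a GitHub repository and run it as root, and the ">>" append adds a duplicate entry each time it is repeated. As an added example (not from the original post or the role's repository), this script writes a single entry pinned to a commit you have reviewed and previews the run in check mode. ROLE_VERSION is a placeholder, ROLE_NAME is an assumption that must match harden.yml, and the function and script names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post or the role's repository.
ROLE_SRC="https://github.com/joelradon/ubuntu1804-desktop-cis.git"
# Placeholder: replace with the commit hash (or tag) you actually reviewed.
ROLE_VERSION="REVIEWED_COMMIT_PLACEHOLDER"
# Assumption: must equal the role listed under "roles:" in harden.yml.
ROLE_NAME="ubuntu1804-desktop-cis"

# Write exactly one pinned entry for ROLE_SRC into the requirements file $1.
# An earlier entry for the same src is dropped first, so re-running does not
# stack duplicates the way a plain ">>" append does.
write_pinned_requirement() {
    req="$1"
    tmp="$(mktemp)" || return 1
    if [ -f "$req" ]; then
        # A line starting with "- " opens a list item; skip ours and its keys.
        awk -v src="$ROLE_SRC" '
            /^- / { skip = ($0 == "- src: " src) }
            !skip { print }
        ' "$req" > "$tmp"
    fi
    printf '%s\n' "- src: $ROLE_SRC" "  version: $ROLE_VERSION" \
        "  name: $ROLE_NAME" >> "$tmp"
    cat "$tmp" > "$req" && rm -f "$tmp"
}

# Number of entries in $1 that point at ROLE_SRC (1 after a correct write).
count_role_entries() {
    grep -c -F -- "- src: $ROLE_SRC" "$1"
}

# Install the pinned role, then report what would change without applying it.
# Check mode cannot predict tasks that run raw commands, so treat the output
# as a preview, not a guarantee.
preview_hardening() {
    cd /etc/ansible || return 1
    ansible-galaxy install --force -p roles -r /etc/ansible/requirements.yml
    ansible-playbook --check --diff /etc/ansible/harden.yml
}

# Run as root: sudo sh pin-and-preview.sh --run
if [ "${1:-}" = "--run" ]; then
    write_pinned_requirement /etc/ansible/requirements.yml && preview_hardening
fi
```

Once the preview looks right, run the playbook again without --check to apply the changes.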

Automate Ubuntu 18.04 Desktop Hardening

One-click script for those interested. Just run vi hardening.sh to create a new file called hardening.sh, then copy and paste the text below into the file. Then all you need to do is run sudo sh hardening.sh and all the steps above will be automated. Enjoy!

#***********************************************************
# Install ansible
#***********************************************************

sudo apt install -y ansible


#***********************************************************
# Create or append ansible requirements file
#***********************************************************

sudo sh -c "echo '- src: https://github.com/joelradon/ubuntu1804-desktop-cis.git' >> /etc/ansible/requirements.yml"


#***********************************************************
# Install the role for CIS Ubuntu script from Github
#***********************************************************

cd /etc/ansible/
sudo ansible-galaxy install -p roles -r /etc/ansible/requirements.yml

#***********************************************************
# Create Ansible Playbook for CIS Ubuntu script
#***********************************************************

sudo sh -c "cat > /etc/ansible/harden.yml <<EOF
- name: Harden Server
  hosts: localhost
  connection: local
  become: yes
  roles:
    # ansible-galaxy names the role after the repository in requirements.yml
    - ubuntu1804-desktop-cis
EOF
"


#***********************************************************
# Run ansible playbook file
# DO NOT RUN ON PRODUCTION!!!!
#***********************************************************

sudo ansible-playbook /etc/ansible/harden.yml