CIS Ubuntu Script to Automate Server Hardening
Today we will leverage an awesome Ansible playbook (the CIS Ubuntu script) created by Florian Utz. The playbook runs on Ansible, a free, open-source tool for automating tasks on Linux servers. Big shout out to Florian for making this playbook 🙂. I recommend that you view the project on GitHub (https://github.com/florianutz/Ubuntu1804-CIS) for additional information.
I wrote this blog article because I think this is an awesome thing to run against any images you want to be CIS compliant. I would highly recommend against running this CIS Ubuntu script on production systems, because it makes changes to the running configuration.
You don't need any Ansible experience to run this script if you follow this blog entry.
Install Ansible
sudo apt install -y ansible
Create or append the Ansible requirements file
This step adds the GitHub repository to your requirements.yml file, or creates the file if you don't have one yet.
sudo sh -c "echo '- src: https://github.com/florianutz/Ubuntu1804-CIS.git' >> /etc/ansible/requirements.yml"
Install the role for the CIS Ubuntu script from GitHub
This points to the requirements.yml file you made in the last step. The -p roles option is relative to the current working directory, so run it from /etc/ansible so that the role lands in /etc/ansible/roles, which is where the playbook below (and Ansible's default roles_path) will look for it.
Note: I have had issues on some servers when I do not run this from the /etc/ansible directory. Use cd to switch to /etc/ansible/ before installing the role.
cd /etc/ansible/
sudo ansible-galaxy install -p roles -r /etc/ansible/requirements.yml
Create Ansible Playbook for CIS Ubuntu script
Add a playbook file so we can run the role.
sudo sh -c "cat > /etc/ansible/harden.yml <<EOF
- name: Harden Server
  hosts: localhost
  connection: local
  become: yes
  roles:
    - Ubuntu1804-CIS
EOF"
Run the Ansible playbook
DO NOT RUN ON PRODUCTION!!!!
This playbook can break many services. To see which services and rules it will touch, read /etc/ansible/roles/Ubuntu1804-CIS/defaults/main.yml. The variables defined there are role defaults, so any of them can be overridden in the playbook's vars: block to skip a rule or keep a service you depend on.
If you are doing this for testing or baselining, please continue below.
sudo ansible-playbook /etc/ansible/harden.yml
You will now see the playbook running. It will look something like this:
[screenshot] Changes are shown as they are being made.
[screenshot] Some areas of the playbook report the changes in more detail.
[screenshot] Once completed, a final status (the PLAY RECAP) shows the number of changes made.
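The steps above collected into one script, as an added example that is not code from the original post or from the Ubuntu1804-CIS role. It adds two things the post does not show: a --check --diff dry run before the real run, and a parse of Ansible's PLAY RECAP line so that an image build fails when any task failed or the host was unreachable. The HARDEN_APPLY switch, the log paths, and the sample recap lines are assumptions of this example, not taken from the page.

```shell
# Added example, not code from the original post or from the Ubuntu1804-CIS
# role: the steps above as one script for baking a test or baseline image.
# Assumptions of this example (not from the page): the HARDEN_APPLY switch, the
# log paths, and Ansible's standard "PLAY RECAP" line format.
set -u

ANSIBLE_DIR="${ANSIBLE_DIR:-/etc/ansible}"
ROLE_SRC="https://github.com/florianutz/Ubuntu1804-CIS.git"

# Write the playbook from the post to the path given in $1, properly indented.
write_playbook() {
    cat > "$1" <<'EOF'
- name: Harden Server
  hosts: localhost
  connection: local
  become: yes
  roles:
    - Ubuntu1804-CIS
EOF
}

# Append the role to the requirements file in $1 only if it is not already
# listed, so re-running the script does not duplicate the entry the way a
# plain echo >> would.
add_requirement() {
    grep -qF -- "- src: $ROLE_SRC" "$1" 2>/dev/null \
        || printf '%s %s\n' '- src:' "$ROLE_SRC" >> "$1"
}

# Return 0 when a PLAY RECAP host line reports failed=0 and unreachable=0.
# Example line (constructed):
#   localhost : ok=210 changed=85 unreachable=0 failed=0 skipped=30
recap_ok() {
    failed=$(printf '%s\n' "$1" | sed -n 's/.*failed=\([0-9]*\).*/\1/p')
    unreachable=$(printf '%s\n' "$1" | sed -n 's/.*unreachable=\([0-9]*\).*/\1/p')
    [ "${failed:-1}" -eq 0 ] && [ "${unreachable:-1}" -eq 0 ]
}

# Number of tasks that changed something, from the same line. Run the playbook
# twice: the second run should report changed=0 if the role is idempotent,
# which is what you want before baking it into an image.
recap_changed() {
    printf '%s\n' "$1" | sed -n 's/.*changed=\([0-9]*\).*/\1/p'
}

main() {
    # Run as root (sudo sh harden.sh); the role needs become anyway.
    apt install -y ansible
    mkdir -p "$ANSIBLE_DIR/roles"
    add_requirement "$ANSIBLE_DIR/requirements.yml"
    write_playbook "$ANSIBLE_DIR/harden.yml"
    # -p is relative to the working directory, hence the cd into $ANSIBLE_DIR.
    (cd "$ANSIBLE_DIR" && ansible-galaxy install -p roles -r requirements.yml)
    # Dry run first: --check changes nothing, --diff prints what would change.
    ansible-playbook --check --diff "$ANSIBLE_DIR/harden.yml" | tee /var/log/harden-check.log
    # Real run; keep the log and fail the build if any task failed.
    ansible-playbook "$ANSIBLE_DIR/harden.yml" | tee /var/log/harden.log
    recap=$(grep -A1 'PLAY RECAP' /var/log/harden.log | tail -n 1)
    recap_ok "$recap" || { echo "hardening run had failures: $recap" >&2; return 1; }
    echo "tasks changed: $(recap_changed "$recap")"
}

# Only touch the system when asked explicitly, so the helpers can be sourced
# and tested without installing anything.
if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    main
fi
```

Run it as root with HARDEN_APPLY=1 set. Tasks in the role that depend on the output of earlier shell commands may not behave identically under --check, so treat the dry-run log as a preview of the file and service changes, not as a guarantee that the real run is free of failures.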
(Optional) Install the OpenSCAP scanner to check compliance
OpenSCAP is a free tool that scans a system against compliance baselines and known vulnerabilities. In this tutorial we will scan against the SCAP Security Guide (SSG) content for Ubuntu 18.04, using the release from March 2019 (0.1.43).
See more about OpenSCAP and Wazuh integration here.
sudo apt install -y libopenscap8 xsltproc
Grab version 0.1.43 of the SSG content (the build for OVAL schema 5.10, hence the "510" in the file name)
sudo wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip
Install Unzip
sudo apt install -y unzip
Unzip the archive, move the content into place, and clean up
sudo unzip scap-security-guide-0.1.43-oval-510.zip
sudo mkdir -p /etc/oscap/content
sudo cp -r scap-security-guide-0.1.43-oval-5.10/* /etc/oscap/content/
sudo rm -r scap-security-guide-0.1.43-oval-5.10/
sudo rm scap-security-guide-0.1.43-oval-510.zip
Run the OpenSCAP scan
sudo oscap oval eval --report /etc/oscap/report.html /etc/oscap/content/ssg-ubuntu1804-ds.xml
Note that oval eval evaluates every OVAL definition in the datastream rather than a particular profile, so the report tells you which individual checks pass or fail but is not a profile-level compliance result. For that, list the profiles in the datastream with oscap info and evaluate one with oscap xccdf eval --profile.
Send out report.html via scp
sudo scp /etc/oscap/report.html user@server:report.html
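An added example that is not code from the original post or from the ComplianceAsCode project: it evaluates a named XCCDF profile from the same datastream instead of the raw OVAL definitions, keeps machine-readable results next to the HTML report, and maps the oscap exit code onto a pass/fail outcome that a pipeline can act on. The default profile id, the SCAN_RUN switch, and the rule ids in the sample results are assumptions of this example; confirm the real profile ids with oscap info before using one.

```shell
# Added example, not code from the original post or from the ComplianceAsCode
# project: profile-based evaluation of the SSG datastream unpacked above.
# Assumptions (not from the page): the content path, the default profile id
# (confirm with `oscap info` on the datastream), and the SCAN_RUN switch.
set -u

CONTENT="${CONTENT:-/etc/oscap/content/ssg-ubuntu1804-ds.xml}"
OUTDIR="${OUTDIR:-/etc/oscap}"

# Count rule results with status $2 (pass, fail, notapplicable, error, ...) in
# the XCCDF results file $1. grep -c exits 1 when the count is 0 but still
# prints the count, so swallow that exit status.
count_results() {
    grep -c "<result>$2</result>" "$1" || true
}

# Print the idref of every rule whose result is "fail", one per line. Each
# <rule-result idref="..."> precedes its <result>, so remember the last idref
# seen and emit it when a fail result follows.
failed_rules() {
    awk '/<rule-result /{ if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8) }
         /<result>fail<\/result>/{ print id }' "$1"
}

# Scan against one profile. oscap xccdf eval exits 0 when every rule passed,
# 2 when at least one rule failed (or was unknown), and 1 on an error such as
# an unknown profile id.
scan() {
    profile="${1:-xccdf_org.ssgproject.content_profile_standard}"   # assumed id
    if oscap xccdf eval --profile "$profile" \
            --results "$OUTDIR/results.xml" --report "$OUTDIR/report.html" "$CONTENT"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "all rules in $profile passed" ;;
        2) echo "$(count_results "$OUTDIR/results.xml" fail) rule(s) failed:"
           failed_rules "$OUTDIR/results.xml" ;;
        *) echo "oscap error (exit $rc); check the profile id with: oscap info $CONTENT" >&2 ;;
    esac
    return $rc
}

# Only run the scanner when asked explicitly, so the helpers can be sourced
# and tested on a saved results file without oscap installed.
if [ "${SCAN_RUN:-0}" = "1" ]; then
    scan "${1:-}"
fi
```

Run it as root (sudo SCAN_RUN=1 sh scan.sh PROFILE_ID), since many checks read root-only files. Which profile ids exist depends on the SSG release; oscap info on the datastream prints them. Keep results.xml together with report.html: the HTML is for people, the XML is what a later diff or a Wazuh-style collector can consume.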

Hi Joel,
There are multiple CIS rules that are not implemented in this GitHub source, which results in it not being compatible with the CIS standard (see task 6.1.12, for example; I have counted ~50 not implemented rules). This should not be recommended as a CIS-standard-compatible Ansible script.
You the man, bro. The script from GitHub is here: https://github.com/florianutz/Ubuntu1804-CIS