CIS Ubuntu Script to Automate Server Hardening

Today we will leverage an awesome ansible playbook (CIS Ubuntu script) created by Florian Utz . This script leverages an free, open-source tool called ansible. Ansible allows you to automate tasks on linux servers. Big shout out for making this playbook 🙂 . I recommend that you view this project here for additional information.

I wrote this blog article because I think this is an awesome thing to run against any images you want to be CIS compliant. I would highly recommend against running this CIS Ubuntu script in production as it does make changes.

You dont need any ansible experience to run this script if you follow this blog entry.

Install Ansible

sudo apt install -y ansible

Create or append ansible requirements file

This step add the github repository to your reqirements.yml file or creates a new one if you don’t have one.

sudo sh -c "echo '- src: https://github.com/florianutz/Ubuntu1804-CIS.git' >> /etc/ansible/requirements.yml"

Install the role for CIS Ubuntu script from Github

This points to your requirements.yml file you made in the last step.

note: having issues on some servers when I do not run from /etc/ansible directory. Use the command cd to switch to /etc/ansible/ before installing the role.

cd /etc/ansible/
sudo ansible-galaxy install -p roles -r /etc/ansible/requirements.yml

Create Ansible Playbook for CIS Ubuntu script

Add a playbook file so we can run the playbook.

sudo sh -c "cat > /etc/ansible/harden.yml <<EOF
- name: Harden Server
  hosts: localhost
  connection: local
  become: yes

  roles:
    - Ubuntu1804-CIS
    
EOF
"

Run ansible playbook file

DO NOT RUN ON PRODUCTION!!!!
This script can break many services . To see a list of services that will be affected, you can check `/etc/ansible/roles/Ubuntu1804-CIS/defaults/main.yml`

If you are doing this for testing or baselining, please continue below.

sudo ansible-playbook /etc/ansible/harden.yml

You wil now see the script running. It will look something like this:

Changes will be shown as they are being made

Some areas of the playbook will report the changes in more detail

Once completed we will get another status showing the number of changes made.

(Optional) Install Openscap scanner to check compliance

Openscap is a free tool which can help scan against compliance and vulnerabilities. We will scan against SSG Ubuntu 18.04 in this turorial using an update from March, 2019

See more about openscap and wazuh integration here.

sudo apt install -y libopenscap8 xsltproc

Grab version 0.1.43 of OVAL Openscap scan files

sudo wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip

Install Unzip

sudo apt install -y unzip

Unzip, move, and cleanup OVAL Openscap XML files

sudo unzip scap-security-guide-0.1.43-oval-510.zip 
sudo mkdir /etc/oscap
sudo mkdir /etc/oscap/content
sudo cp -r scap-security-guide-0.1.43-oval-5.10/* /etc/oscap/content/
sudo rm -r scap-security-guide-0.1.43-oval-5.10/
sudo rm scap-security-guide-0.1.43-oval-510.zip 

Run Openscap scan

sudo oscap oval eval --report /etc/oscap/report.html /etc/oscap/content/ssg-ubuntu1804-ds.xml 

Send out report.html via scp

sudo scp /etc/oscap/report.html user@server:report.html