Today we will leverage an awesome Ansible playbook (CIS Ubuntu script) created by Florian Utz. This script uses a free, open-source tool called Ansible, which lets you automate tasks on Linux servers. Big shout out for making this playbook 🙂. I recommend that you view this project here for additional information.
I wrote this blog article because I think this is an awesome thing to run against any image you want to be CIS compliant. I would highly recommend against running this CIS Ubuntu script in production, as it does make changes.
You don't need any Ansible experience to run this script if you follow this blog entry.
sudo apt install -y ansible
Create or append Ansible requirements file
This step adds the GitHub repository to your requirements.yml file, or creates a new one if you don't have one.
sudo sh -c "echo '- src: https://github.com/florianutz/Ubuntu1804-CIS.git' >> /etc/ansible/requirements.yml"
Install the role for CIS Ubuntu script from GitHub
This points to the requirements.yml file you made in the last step. The -p roles option installs the role into a roles directory relative to your current directory, so it ends up in /etc/ansible/roles only when the command is run from /etc/ansible.
Note: I have been having issues on some servers when I do not run from the /etc/ansible directory. Use the cd command to switch to /etc/ansible/ before installing the role.
cd /etc/ansible/
sudo ansible-galaxy install -p roles -r /etc/ansible/requirements.yml
Create Ansible Playbook for CIS Ubuntu script
Add a playbook file so we can run the playbook.
sudo sh -c "cat > /etc/ansible/harden.yml <<EOF
- name: Harden Server
  hosts: localhost
  connection: local
  become: yes
  roles:
    - Ubuntu1804-CIS
EOF
"
Run ansible playbook file
DO NOT RUN ON PRODUCTION!!!!
This script can break many services. To see a list of the areas that will be affected, you can check `/etc/ansible/roles/Ubuntu1804-CIS/defaults/main.yml`.
If you are doing this for testing or baselining, please continue below.
sudo ansible-playbook /etc/ansible/harden.yml
You will now see the script running. It will look something like this:
Changes will be shown as they are being made
Some areas of the playbook will report the changes in more detail
Once completed we will get another status showing the number of changes made.
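Because the role makes changes, it is worth previewing them before the real run. As an added example (not part of the original post or the Ubuntu1804-CIS role), the POSIX shell wrapper below runs the playbook in Ansible's check mode and reads the PLAY RECAP counters, so an image can be tested for drift from the CIS baseline; the log path and the sample recap are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Ubuntu1804-CIS role.
# Runs the hardening playbook in Ansible check mode (no changes made) and
# reads the PLAY RECAP counters, so an image can be tested for drift from
# the CIS baseline before the real run. LOG path and sample recap are assumed.

PLAYBOOK=/etc/ansible/harden.yml     # playbook path used in this post
LOG=${LOG:-/tmp/harden-check.log}    # assumed location for the saved output

# Print one PLAY RECAP counter (ok, changed, failed, unreachable, skipped)
# from a saved ansible-playbook log; prints 0 when the counter is absent.
recap_count() {
  field=$1
  logfile=$2
  awk -v f="$field" '
    /^PLAY RECAP/ { in_recap = 1; next }
    in_recap && $0 ~ (f "=") {
      for (i = 1; i <= NF; i++)
        if (index($i, f "=") == 1) { split($i, kv, "="); print kv[2]; found = 1; exit }
    }
    END { if (!found) print 0 }' "$logfile"
}

# Dry run: --check reports what the role would change, --diff shows the
# file edits. Returns 0 only when nothing would change and nothing failed.
check_drift() {
  ansible-playbook --check --diff "$PLAYBOOK" > "$LOG" 2>&1
  changed=$(recap_count changed "$LOG")
  failed=$(recap_count failed "$LOG")
  echo "tasks that would change: $changed, failed: $failed (details in $LOG)"
  [ "$changed" -eq 0 ] && [ "$failed" -eq 0 ]
}

# Constructed sample recap in the shape ansible-playbook prints, so the
# parser can be exercised without touching the system.
SAMPLE_RECAP=$(cat <<'EOF'
PLAY RECAP *********************************************************************
localhost                  : ok=212  changed=87   unreachable=0    failed=0    skipped=48   rescued=0    ignored=0
EOF
)

demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_RECAP" > "$tmp"
  echo "sample run: changed=$(recap_count changed "$tmp") failed=$(recap_count failed "$tmp")"
  rm -f "$tmp"
}

demo
```

Tasks that use the command or shell modules are skipped in check mode unless they set check_mode: no, so treat the changed count as a lower bound rather than a complete preview.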
(Optional) Install the OpenSCAP scanner to check compliance
OpenSCAP is a free tool that can scan a system for compliance and known vulnerabilities. In this tutorial we will scan against the SSG (SCAP Security Guide) content for Ubuntu 18.04, using the release from March 2019.
sudo apt install -y libopenscap8 xsltproc
Grab version 0.1.43 of the OVAL OpenSCAP scan files
sudo wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.43/scap-security-guide-0.1.43-oval-510.zip
sudo apt install -y unzip
Unzip, move, and clean up the OVAL OpenSCAP XML files
sudo unzip scap-security-guide-0.1.43-oval-510.zip
sudo mkdir -p /etc/oscap/content
sudo cp -r scap-security-guide-0.1.43-oval-5.10/* /etc/oscap/content/
sudo rm -r scap-security-guide-0.1.43-oval-5.10/
sudo rm scap-security-guide-0.1.43-oval-510.zip
Run the OpenSCAP scan
sudo oscap oval eval --report /etc/oscap/report.html /etc/oscap/content/ssg-ubuntu1804-ds.xml
Send out report.html via scp
sudo scp /etc/oscap/report.html user@server:report.html