Deploy CIS Benchmarks on Ubuntu 14.04 hosts using Ansible
This is an Ansible playbook for deploying CIS Security Benchmarks to system(s) running Ubuntu 14.04.
CIS Security Benchmarks
"The CIS Security Benchmarks program provides well-defined, unbiased & consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications..."read more
CIS benchmarks & recommendations are grouped into two(2) level - Level 1 & Level 2.
Items in this profile intend to:
- be practical and prudent
- provide a clear security benefit
- have minimum effect on production workload
This is an extension of Level 1 but with the following characteristics:
- intended for environments or use cases where security is paramount
- acts as a defense in depth measure
- have great effect on production workload
CIS benchmarks are scored to indicate whether compliance with the given recommendation impacts the assessed target's benchmark score. A benchmark can either be scored or not scored:
- Failure to comply with "Scored" recommendations will decrease the final benchmark score
- Compliance with "Scored" recommendations will increase the final benchmark score
- Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score
- Compliance with "Not Scored" recommendations will not increase the final benchmark score
This playbook will configure your system to meet at most all of the CIS Security benchmarks. Please note that some of the recommendations from CIS Benchmarks can not be automated & deployed via ansible playbooks. Therefore, you'll have to apply such recommendations manually.
Before, deploying CIS Security Benchmarks & recommendations to your server(s), please have a look at the documentation
Don't run this playbook blindly on an active production system! It will make modifications your systems that you may or may not intend to have.
clone this repo:
$ git clone https://github.com/oguya/cis-ubuntu-14-ansible.git $ cd cis-ubuntu-14-ansible
add your target host in the inventory
hostsfile, for example:
ubuntu01host as the target host belonging to the
create a host variable file in the
host_vars/directory for your target host. e.g.
host_vars/ubuntu01, whereby ansible_ssh_host is the ip address of the target host.
--- ansible_ssh_host: 172.26.23.225
dry run the playbook:
$ ansible-playbook cis.yml --ask-become-pass --check
dry run a particular section, e.g. section 8.1.8
$ ansible-playbook cis.yml --ask-become-pass --tags=section8.1.8 --check
run benchmarks listed in Level 1
$ ansible-playbook cis.yml --ask-become-pass --tags=level-1
run benchmarks listed in Level 2
$ ansible-playbook cis.yml --ask-become-pass --tags=level-2
run all scored benchmarks
$ ansible-playbook cis.yml --ask-become-pass --tags=scored
run all not scored benchmarks
$ ansible-playbook cis.yml --ask-become-pass --tags=notscored
run scored(i.e. ignore not scored) benchmarks listed in Level 1
$ ansible-playbook cis.yml --ask-become-pass --tags=level-1 --skip-tags=notscored
run not scored(i.e. ignore scored) benchmarks listed in Level 2
$ ansible-playbook cis.yml --ask-become-pass --tags=level-2 --skip-tags=scored
if you want to run Section 12, you will probably want to override the default variables
allowed_sgid_binarieswith a whitelist of binary paths that should be allowed.
I took into assumption, a few key items when running this playbook:
- you have a provisioning user account with passwordless SSH access to the target host
- the provisioning user has sudo privileges on the remote host
- Major Hayden's ansible playbooks for applying CIS Security Benchmarks to Red Hat Enterprise Linux 6 or CentOS 6 systems.
Copyright (C) 2015–2016 James Oguya
The contents of this repository are free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.