Center for Internet Security(CIS) provides well-defined, unbiased & consensus-based industry best practices to help organizations assess and improve their security. In this blog post, we’ll talk about these benchmarks & how you can deploy most, if not all, on your Ubuntu 14.04 box.
CIS Security Benchmarks
The CIS(Center for Internet Security) Security Benchmarks program provides well-defined, unbiased & consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications. CIS also provides auditing tools such as CIS-CAT for analyzing & monitoring security benchmarks.
CIS Security benchmarks & recommendations are grouped into two(2) level—Level 1 & Level 2.
Items in this profile intend to:
- be practical and prudent
- provide a clear security benefit
- have minimum effect on production workload
This is an extension of Level 1 but with the following characteristics:
- intended for environments or use cases where security is paramount
- acts as a defense in depth measure
- have great effect on production workload
To indicated compliance with a given recommendation, a benchmark score of either Scored or Not Scored is awarded:
- Failure to comply with Scored recommendations will decrease the final benchmark score
- Compliance with Scored recommendations will increase the final benchmark score
- Failure to comply with Not Scored recommendations will not decrease the final benchmark score
- Compliance with Not Scored recommendations will not increase the final benchmark score
Putting it all together with Ansible
After carefully reading the CIS Ubuntu 14.04 LTS Server Benchmark documentation, I created an Ansible playbook on GitHub & GitLab that would allow users to audit & configure their systems to meet at most all of the CIS Security benchmarks.
Please, please, please have at the CIS Ubuntu 14.04 LTS Server Benchmark documentation before running this playbook & always do a dry run first using Ansible’s Check Mode so as to see what to expect.
As always, Pull requests and Github issues are all welcome!
- About CIS Security Benchmarks
- CIS-CAT Benchmark Assessment Tool
- CIS Ubuntu 14.04 Benchmarks Ansible Playbook on GitHub & GitLab