Deploying CIS Benchmarks on Ubuntu 14.04 hosts using Ansible

The Center for Internet Security (CIS) provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. In this blog post, we’ll talk about these benchmarks and how you can deploy most, if not all, of them on your Ubuntu 14.04 box.

CIS Security Benchmarks

The CIS (Center for Internet Security) [1] Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications. CIS also provides auditing tools such as CIS-CAT [2] for assessing systems against the benchmarks and monitoring compliance over time.

CIS Security benchmarks and recommendations are grouped into two (2) levels: Level 1 and Level 2.

Level 1

Items in this profile are intended to:

  • be practical and prudent
  • provide a clear security benefit
  • have minimum effect on production workload

Level 2

This is an extension of Level 1 with the following characteristics:

  • intended for environments or use cases where security is paramount
  • acts as a defense-in-depth measure
  • can have a significant effect on production workload

Each recommendation is also marked as either Scored or Not Scored, which determines whether compliance with it affects the final benchmark score:

Scored

  • Failure to comply with Scored recommendations will decrease the final benchmark score
  • Compliance with Scored recommendations will increase the final benchmark score

Not Scored

  • Failure to comply with Not Scored recommendations will not decrease the final benchmark score
  • Compliance with Not Scored recommendations will not increase the final benchmark score

Putting it all together with Ansible

After carefully reading the CIS Ubuntu 14.04 LTS Server Benchmark documentation, I created an Ansible playbook, published on GitHub and GitLab [3], that allows users to audit and configure their systems to meet most, if not all, of the CIS Security benchmark recommendations.

Please, please, please read the CIS Ubuntu 14.04 LTS Server Benchmark documentation before running this playbook, and always do a dry run first using Ansible’s Check Mode so you know what to expect.
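To show what such a playbook looks like, here is a small added example in the same spirit; it is not the playbook from the repository linked below. It applies a handful of recommendations from the benchmark and tags each task with the level and score I read it as having, so a check-mode run can be limited to one profile. The host group name `ubuntu1404` and the tag scheme are this example's own assumptions; confirm every setting and its recommendation number against your copy of the benchmark before use.

```yaml
---
# Added example playbook (not the project's own). Tags: level1/level2, scored.
- name: Apply a handful of CIS Ubuntu 14.04 style hardening settings
  hosts: ubuntu1404          # assumed inventory group name
  become: yes
  tasks:
    - name: Ensure permissions on /etc/passwd are configured (Level 1, Scored)
      file:
        path: /etc/passwd
        owner: root
        group: root
        mode: "0644"
      tags: [level1, scored]

    - name: Ensure IP forwarding is disabled (Level 1, Scored)
      sysctl:
        name: net.ipv4.ip_forward
        value: "0"
        sysctl_set: yes        # apply now, not only on next boot
        state: present
        reload: yes
      tags: [level1, scored]

    - name: Ensure SSH root login is disabled (Level 1, Scored)
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: "PermitRootLogin no"
        validate: "/usr/sbin/sshd -t -f %s"   # refuse to write a broken config
      notify: restart sshd
      tags: [level1, scored]

    - name: Ensure auditd is installed (Level 2, Scored)
      apt:
        name: auditd
        state: present
      tags: [level2, scored]

  handlers:
    - name: restart sshd
      service:
        name: ssh
        state: restarted
```

A dry run of only the Level 1 tasks, with the changes Ansible would make shown as diffs, is `ansible-playbook --check --diff --tags level1 site.yml` (assuming the playbook is saved as `site.yml`).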

Contribution

As always, pull requests and GitHub issues are welcome!

Further Reading

  1. About CIS Security Benchmarks
  2. CIS-CAT Benchmark Assessment Tool
  3. CIS Ubuntu 14.04 Benchmarks Ansible Playbook on GitHub & GitLab