Hardening is a process in which one reduces the vulnerability of resources to protect them from cyber attacks like denial of service, unauthorized data access, etc. In OS hardening, we configure the file system and directory structure, update software packages, disable unused filesystems and services, etc., according to the CIS benchmark rules.
CIS Benchmarks are security configuration guidelines created by the Center for Internet Security to improve the security configuration of an organization's systems. They are written by cybersecurity professionals and experts from around the world and updated every year. Each benchmark has two levels: Level 1 covers the basic security guidelines, while Level 2 is for advanced security. Within each level, recommendations are Scored or Not Scored: Scored recommendations are mandatory, while Not Scored ones are optional.
CIS Controls provide a set of standard controls that should be checked on… anything. To be specific, CIS also provides a benchmark (a sort of step-by-step guide) for many environments. Moreover, Lockdown Enterprise (the ansible-lockdown project) delivers a set of Ansible playbooks ready to be used.
In this post, we’ll see how to check CIS controls on Ubuntu 20.04 servers and remediate them.
Remediation Phase
1. From your server, clone the Ansible repository:
git clone https://github.com/ansible-lockdown/UBUNTU20-CIS
cd UBUNTU20-CIS
2. Create an inventory file:
cat <<EOF >> inventory.ini
localhost
EOF
3. Apply the playbook
The following Ansible commands may vary depending on your Ansible infrastructure. We can remediate all controls with:
ansible-playbook -i inventory.ini site.yml
All controls should be remediated right after the OS installation. For production environments, we probably want to remediate single or multiple controls by tag with:
ansible-playbook -i inventory.ini --tags "rule_2.1.5,rule_2.1.8,ssh" site.yml
Audit Phase
We know that Ansible playbooks are good for remediation, but their reporting is not as good. Lockdown Enterprise uses goss to provide good audit reports.
Let's install goss and clone the audit Git repository into an Ubuntu Linux 20.04 system:
sudo curl -fsSL https://goss.rocks/install | sh
git clone https://github.com/ansible-lockdown/UBUNTU20-CIS-Audit /var/tmp/UBUNTU20-CIS-Audit
cd /var/tmp/UBUNTU20-CIS-Audit
We can audit the entire system using the provided script:
./run_audit.sh
## Pre-Checks Start
OK Audit binary /usr/local/bin/goss is available
OK /var/tmp/UBUNTU20-CIS-Audit/goss.yml is available
## Pre-checks Successful
#############
Audit Started
#############
"summary": {
"failed-count": 52,
"summary-line": "Count: 511, Failed: 52, Duration: 10.868s",
"test-count": 511,
"total-duration": 10867918606
Completed file can be found at /var/tmp/audit_rj-cis_1677048163.json
###############
Audit Completed
###############
We can also run goss manually on a subset of controls, optionally with the human-readable documentation formatter:
sudo goss --vars /var/tmp/UBUNTU20-CIS-Audit/vars/CIS.yml -g /var/tmp/UBUNTU20-CIS-Audit/section_1/cis_1.1/cis_1.1.1.1_7.yml validate
sudo goss --vars /var/tmp/UBUNTU20-CIS-Audit/vars/CIS.yml -g /var/tmp/UBUNTU20-CIS-Audit/section_1/cis_1.1/cis_1.1.1.1_7.yml validate -f documentation
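The run_audit.sh script leaves a JSON report in /var/tmp (the summary block shown above is an excerpt of it). The following Python example is added here and is not part of the ansible-lockdown project: it parses such a report, groups the failed tests by CIS benchmark chapter and cross-checks the summary against the per-test results. The report excerpt is constructed, and the assumption that each test title starts with its control number ("5.2.5 | ...") is mine, not documented by the project.

```python
import json
from collections import defaultdict

# Constructed excerpt in the shape goss writes with `-f json`: a "results" list
# with one entry per test and a "summary" block. Not real output of the run above.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"title": "1.1.1.1 | Ensure mounting of cramfs filesystems is disabled",
         "resource-type": "Command", "resource-id": "modprobe -n -v cramfs",
         "successful": True},
        {"title": "1.1.2 | Ensure /tmp is configured",
         "resource-type": "Mount", "resource-id": "/tmp",
         "successful": False},
        {"title": "5.2.5 | Ensure SSH LogLevel is appropriate",
         "resource-type": "Command", "resource-id": "sshd -T",
         "successful": False},
    ],
    "summary": {"failed-count": 2, "test-count": 3,
                "summary-line": "Count: 3, Failed: 2, Duration: 0.5s"},
})


def failed_controls(report_text):
    """Return {chapter: [control, ...]} for every unsuccessful goss test.

    Assumes (hypothetically) that titles look like "5.2.5 | description";
    the control number is keyed by its first component (the CIS chapter).
    """
    report = json.loads(report_text)
    by_chapter = defaultdict(list)
    for result in report["results"]:
        if result.get("successful"):
            continue
        control = result.get("title", "").split("|", 1)[0].strip()
        chapter = control.split(".", 1)[0] or "unknown"
        by_chapter[chapter].append(control)
    # Consistency check: the summary must agree with the per-test results;
    # a mismatch usually means a truncated or hand-edited report file.
    failed = sum(len(v) for v in by_chapter.values())
    if failed != report["summary"]["failed-count"]:
        raise ValueError(f"summary says {report['summary']['failed-count']} "
                         f"failures, but {failed} failed results were found")
    return dict(by_chapter)


def audit_gate(report_text, max_failed=0):
    """Pipeline gate: True when the audit has at most max_failed failures."""
    return sum(len(v) for v in failed_controls(report_text).values()) <= max_failed
```

To use it on a real run, read /var/tmp/audit_rj-cis_<timestamp>.json and pass its contents to failed_controls or audit_gate.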