Advanced Server Hardening
If you want to speed through this guide, check out the TLDR version.
Full-on security compliance with sts_openscap.yml
This method for achieving a high security posture utilizes the OpenSCAP security compliance tool, as opposed to Ansible-Lockdown's purely-Ansible approach or Ubuntu Security Guide, which actually uses OpenSCAP under the hood but requires Ubuntu Pro.
Before performing the remediation step, it's good practice to examine the evaluation report and see if there are any breaking changes to your server's use case.
1. Add host to playbook
Because we moved the host from the [baselines] group to its own group, we'll have to point this playbook to the right group. Edit the sts_openscap.yml file and add the appropriate host group.
- hosts: <add host group here>
  name: Evaluate and apply CIS Benchmarks to Ubuntu Server with OpenSCAP
  become: true
  roles:
    - 7_openscap
Why add host to playbook and not in the command?
If we set hosts to all and selected the target hosts on the command line, there would be a risk of applying the changes to ALL hosts if the limit were omitted from the command. To rule out even the chance of an oversight like that breaking things, we require an edit to the playbook file directly, as it is the safer choice.
2. Choose benchmark profile
You can choose any one of these profiles to evaluate and apply. This variable is stored in roles/6_openscap/vars/main.yml.
- CIS Benchmark Level 1 Server
- CIS Benchmark Level 1 Workstation
- CIS Benchmark Level 2 Server
- CIS Benchmark Level 2 Workstation
- Standard
- Security Technical Implementation Guides (STIG)
The default profile is the one for CIS Benchmark Level 1 Server.
3. Run playbook to prepare machine, run first eval
The playbook first updates the OS and installs the required packages. Because the Ubuntu 24.04 software repositories don't contain the latest version of SCAP Security Guides (SSG), the playbook pulls more recent .deb files from another source and installs what's needed for Ubuntu 24.04.
Once the prerequisites are in place, you can run the command with only the eval tag to get a full report.
4. Run playbook to apply remediations
This command will have OpenSCAP initiate another scan, identify fixes, and perform remediations. Some part of this will take a long time without providing any feedback, about 15 minutes. Have a cup of tea and you should see the playbook finish soon after. Subsequent runs of the remediation will only take a couple of minutes.
How do I find the reports?
This playbook makes use of the fetch module in Ansible to automatically download the reports to your home directory. What's more fetch than that!
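To review the fetched eval report before the remediation step, here is an added Python example (not part of this guide or the 7_openscap role) that summarises an XCCDF results file of the kind oscap xccdf eval --results writes: it counts outcomes and lists the failing rules by severity. The XML inside it is a constructed sample; the profile and rule ids follow SSG naming, but the results are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample of the <TestResult> section oscap writes with --results
# (ids modelled on SSG naming; the outcomes are made up for the demo).
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_24-04">
  <TestResult id="xccdf_org.open-scap_testresult_cis_level1_server">
    <profile idref="xccdf_org.ssgproject.content_profile_cis_level1_server"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_ufw_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def summarise_results(xml_text):
    """Return (profile id, counts per result, failed rule ids keyed by severity)."""
    root = ET.fromstring(xml_text)
    profile = root.find(".//x:TestResult/x:profile", XCCDF_NS).get("idref")
    counts = Counter()
    failed = defaultdict(list)
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[result] += 1
        if result == "fail":  # only these rules will be touched by remediation
            failed[rr.get("severity", "unknown")].append(rr.get("idref"))
    return profile, dict(counts), dict(failed)

def format_report(xml_text):
    """Human-readable summary to read before running the remediation step."""
    profile, counts, failed = summarise_results(xml_text)
    lines = [f"profile: {profile}",
             "results: " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))]
    for sev in ("high", "medium", "low", "unknown"):  # most severe first
        for rule in failed.get(sev, []):
            lines.append(f"  FAIL [{sev}] {rule}")
    return "\n".join(lines)

print(format_report(SAMPLE_RESULTS))
```

Replace SAMPLE_RESULTS with the contents of the results XML fetched to your home directory to review a real run.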
Full-on security compliance with Ansible Lockdown
There is another wonderful set of playbooks called Ansible-Lockdown that will make your server worthy of a security audit.
We recommend running the script from the Audit repository first to see the kinds of changes that would be made when running the Remediate playbook. There is a great guide to the Audit script at https://www.adainese.it/blog/2022/07/15/automatic-cis-controls-check-with-ansible/.
1. Download ansible-lockdown repository
Download the repo for your OS from https://github.com/ansible-lockdown#cis-linux.
2. Copy configuration files
Copy your inventory.ini and ansible.cfg files into the main directory.
3. Run playbook
Run:
ansible-playbook -l baselines site.yml --tags="level1-server" --ask-become-pass
Explanation:
- ansible-playbook - the command
- -l baselines - the group from the inventory we want to apply the playbook to
- site.yml - the main playbook file
- --tags="level1-server" - the security level to apply to the server
- --ask-become-pass - asks for the sudo password for the non-root user account (needed because we're not using the Ansible Vault here)
Other security automation playbooks
Here are some other great playbooks and guides you can use to automate your security remediations with Ansible.
- GitHub Repo: ansible-collection-hardening by https://dev-sec.io
- GitHub Repo: ComplianceAsCode