Advanced Server Hardening (TLDR version)
Full-on security compliance with sts_openscap.yml
Before running the remediation step, examine the evaluation report and check whether any of the failed rules would, once remediated, break your server's use case.
1. Add host to playbook

```yaml
- hosts: <add host group here>
  name: Evaluate and apply CIS Benchmarks to Ubuntu Server with OpenSCAP
  become: true
  roles:
    - 6_openscap
```
2. Choose benchmark profile
Edit roles/6_openscap/vars/main.yml to choose a profile other than the default, CIS Benchmark Level 1 Server.
The available profiles are:
- CIS Benchmark Level 1 Server (default)
- CIS Benchmark Level 1 Workstation
- CIS Benchmark Level 2 Server
- CIS Benchmark Level 2 Workstation
- Standard
- Security Technical Implementation Guides (STIG)
3. Run the playbook to prepare the machine and run the first evaluation
4. Run the playbook again to apply the remediations
The first run takes about 15 minutes. Subsequent runs take only a couple of minutes.
How do I find the reports?
Reports are automatically downloaded to your home directory.
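To make the "examine the report before remediating" step concrete, here is an added example (not part of this page or of the 6_openscap role) that summarises an OpenSCAP XCCDF 1.2 results file, lists the failed rules by severity, and flags the ones whose rule id suggests they touch SSH, the firewall, mounts, sudo or PAM, which are the remediations most likely to lock you out or break a workload. It assumes the role leaves the file `oscap xccdf eval --results` writes (or an ARF file, which embeds the same TestResult element) in your home directory; the embedded sample document and its rule ids are constructed for the example, and the keyword list is a heuristic, not something OpenSCAP defines.

```python
"""Summarise failed rules from an OpenSCAP XCCDF results file.

Added example, not code from the page or from the 6_openscap role.
Assumes an XCCDF 1.2 results document (plain results or ARF); the
sample below is constructed and its rule ids are illustrative only.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Sort order for the severity attribute oscap puts on each rule-result.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Assumption (heuristic): rule ids containing these substrings touch
# access paths or storage and deserve a human look before remediation.
REVIEW_KEYWORDS = ("ssh", "firewall", "ufw", "mount", "partition", "sudo", "pam")

# Constructed sample results document: four rules, two of them failing.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <profile idref="xccdf_org.ssgproject.content_profile_cis_level1_server"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_ufw_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_not_applicable" severity="high">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text: str) -> dict:
    """Return the evaluated profile, a count per outcome, and the failed
    rules as (rule id, severity) tuples sorted high -> low severity."""
    root = ET.fromstring(xml_text)
    # .// finds the TestResult whether the root is Benchmark or an ARF wrapper.
    test_result = root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element: not an XCCDF results file")
    profile = test_result.find("x:profile", NS)
    profile_id = profile.get("idref") if profile is not None else None

    counts = Counter()
    failed = []
    for rr in test_result.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    failed.sort(key=lambda item: (SEVERITY_ORDER.get(item[1], 4), item[0]))
    return {"profile": profile_id, "counts": counts, "failed": failed}


def needs_review(failed, keywords=REVIEW_KEYWORDS) -> list:
    """Subset of failed rule ids matching the (heuristic) review keywords."""
    return [rule for rule, _ in failed if any(k in rule for k in keywords)]


def main(argv) -> int:
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_RESULTS
    summary = summarize(xml_text)
    print(f"profile: {summary['profile']}")
    print("outcomes:", dict(summary["counts"]))
    print("failed rules (severity first):")
    for rule, severity in summary["failed"]:
        print(f"  [{severity}] {rule}")
    flagged = needs_review(summary["failed"])
    if flagged:
        print("review before remediating:")
        for rule in flagged:
            print(f"  {rule}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample, or pass the path of the results file the role downloaded to your home directory. Compare the flagged rules against how the server is actually used (for example, whether anything still depends on root SSH login) before running the playbook a second time to remediate.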
Full-on security compliance with CIS Benchmarks
To make your server worthy of a security audit, there is a wonderful set of playbooks called Ansible-Lockdown.
Run the script from the Audit repository first. Guide at https://www.adainese.it/blog/2022/07/15/automatic-cis-controls-check-with-ansible/.
1. Download ansible-lockdown repository
Download the repo for your OS from here
2. Copy configuration files
Copy your inventory.ini and ansible.cfg files into the main directory.
3. Run playbook
Run:
Other security automation playbooks
Here are some other great playbooks and guides you can use to automate your security remediations with Ansible.
- GitHub Repo: ansible-collection-hardening by https://dev-sec.io
- GitHub Repo: ComplianceAsCode