# Ubuntu 24 CIS
## Configure an Ubuntu 24.04 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
### Based on CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 [Release](https://downloads.cisecurity.org/#/)
---
## Looking for support?

[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_UB24_cis)

[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_UB24_cis)
### Community
Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
## Caution(s)
This role **will make changes to the system** that could break things. It is not an auditing tool but a remediation tool, to be used after an audit has been conducted.

This role was developed against a clean install of the operating system. If you are applying it to an existing system, please review the role for any site-specific changes that are needed before running it.
## Documentation

- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_UB24_cis)
- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_UB24_cis)
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_UB24_cis)
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_UB24_cis)
## Requirements

**General:**

- Basic knowledge of Ansible. If you are unfamiliar with Ansible, the following links to the Ansible documentation will help you get started:
  - [Main Ansible documentation page](https://docs.ansible.com)
  - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- A functioning Ansible and/or Tower installation, configured and running. This includes all of the base Ansible/Tower configuration, the required packages, and the supporting infrastructure.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences on a live production system. Also familiarize yourself with the variables in the `defaults/main.yml` file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/UBUNTU24-CIS/wiki/Main-Variables).
**Technical Dependencies:**

- A running Ansible/Tower setup (this role is tested against Ansible version 2.12.1 and newer)
- A Python 3 Ansible run environment
- goss >= 0.4.4 (only if using the audit)
## Auditing (new)

Auditing can be turned on or off in the `defaults/main.yml` file with the variable `run_audit`. The value is `false` by default; please refer to the wiki for more details.

The audit is a much quicker, very lightweight check of configuration compliance and, where possible, of the live/running settings.

It is a new form of auditing, built on a small (12MB) Go binary called [goss](https://github.com/goss-org/goss) together with the relevant configurations to check, with no need for additional infrastructure or other tooling.

The audit will not only check that the configuration has the correct setting but also aims to capture whether the system is actually running with that configuration, removing [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process.

Refer to [UBUNTU24-CIS-Audit](https://github.com/ansible-lockdown/UBUNTU24-CIS-Audit).

Further audit documentation can be found at [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/).
## Role Variables

This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the `defaults/main.yml` file or with extra vars set in the project, job template, workflow, etc.
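As an added illustration, not part of the UBUNTU24-CIS project, the following playbook applies the role with the `run_audit` switch from the Auditing section overridden as a play-level variable, so that neither the role's tasks nor its `defaults/main.yml` have to be edited. The inventory group `ubuntu24`, the role directory name `UBUNTU24-CIS` (the repository checked out under `roles/`) and the file name `site.yml` are assumptions; `run_audit` is the variable documented above.

```yaml
# site.yml - added example, not code from the UBUNTU24-CIS project.
# Assumptions: the repository is checked out as roles/UBUNTU24-CIS and the
# inventory defines a host group named ubuntu24.
- name: Apply CIS remediation to Ubuntu 24.04 hosts and run the goss audit
  hosts: ubuntu24
  become: true                 # the role rewrites system configuration, so it needs root
  vars:
    # Override of the switch from defaults/main.yml (false by default). Setting it
    # here, or on the command line with -e run_audit=true, leaves the role's own
    # files untouched so upstream updates can be pulled in without conflicts.
    run_audit: true
  roles:
    - role: UBUNTU24-CIS
```

Run it with `ansible-playbook -i inventory site.yml`; the same override can be passed as `-e run_audit=true`, and extra vars take precedence over role defaults. Because the role changes the system (see Caution(s)), a first pass with `ansible-playbook -i inventory site.yml --check --diff` against a non-production host shows most of the intended changes without applying them. By default, tasks built on the `command` and `shell` modules are skipped in check mode, so the dry run is not a complete picture of what the role will do.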
## Branches

- **devel** - This is the default branch and the working development branch. Community pull requests will be pulled into this branch.
- **main** - This is the release branch.
- **all other branches** - Individual community member branches.
## Community Contribution

We encourage you (the community) to contribute to this role. Please read the rules below.

- Do your work in your own individual branch. Make sure every commit you intend to merge is signed off and GPG-signed.
- All community pull requests are pulled into the devel branch.
- Pull requests into devel are checked for a GPG signature and a sign-off on each commit, and must pass a functional test, before being approved.
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release.
## Pipeline Testing

The pipeline uses:

- ansible-core 2.16.6
- Ansible collections, pulling in the latest version based on the requirements file
- the audit from the devel branch

This is an automated test that runs on pull requests into devel.
## Added Extras

- [pre-commit](https://pre-commit.com) hooks are configured and can be run from within the repository directory:

```sh
pre-commit run
```