Here you will find a quick overview of how to harden a Linux OS (in this case, Ubuntu 20.04) using the “DevSec Hardening Framework”, a set of Ansible roles based on CIS benchmark controls.

Take some time to read up on what dev-sec.io and Ansible have to offer before continuing.

Setup & Hardening Steps

Install Dependencies & Ansible Galaxy DevSec Collection

sudo apt update && sudo apt install python3-pip openssh-server
sudo pip3 install ansible==2.9.11
sudo ansible-galaxy collection install devsec.hardening

Create Playbook

We need to create a playbook that uses the Ansible Galaxy collection installed above. Let’s echo the simple playbook contents below into a YAML file; it includes both the “os_hardening” and “ssh_hardening” roles from dev-sec.io.

Now we can run the playbook in “read only” mode using the “--check” option. Once it has run, review the proposed changes/remediations that would “harden” the OS.

echo "
- hosts: localhost
  collections:
    - devsec.hardening
  roles:
    - os_hardening
    - ssh_hardening
" > harden.yml && sudo ansible-playbook harden.yml --check

Run Playbook and Apply Remediations

Now let’s run the playbook without the ‘--check’ option to remediate the configurations that are out of compliance.

sudo ansible-playbook harden.yml
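The check run above is also useful after the initial hardening: run it on a schedule or in CI and treat any host whose PLAY RECAP reports changed, failed or unreachable as having drifted from the hardened state. The script below is an added example, not code from the post or from the devsec.hardening collection. It writes the same two-role playbook, builds the check-mode and apply commands, and parses the PLAY RECAP block (the ok=/changed=/unreachable=/failed= counters are Ansible's own recap format; the sample outputs embedded here are constructed so the parser can be exercised without Ansible installed).

```python
"""Drift gate around the dev-sec hardening playbook (added example)."""
import re
import shutil
import subprocess
from pathlib import Path

# Same playbook as the post; written from a string rather than via echo.
PLAYBOOK = """\
- hosts: localhost
  collections:
    - devsec.hardening
  roles:
    - os_hardening
    - ssh_hardening
"""

# One host line of the PLAY RECAP block, e.g.
# "localhost : ok=42 changed=3 unreachable=0 failed=0 skipped=12 rescued=0 ignored=0"
RECAP_RE = re.compile(
    r"^(?P<host>\S+)\s*:\s*ok=(?P<ok>\d+)\s+changed=(?P<changed>\d+)"
    r"\s+unreachable=(?P<unreachable>\d+)\s+failed=(?P<failed>\d+)"
)


def write_playbook(path="harden.yml"):
    """Write harden.yml and return its path."""
    Path(path).write_text(PLAYBOOK)
    return path


def playbook_command(path="harden.yml", check=True, as_root=True):
    """Build the ansible-playbook invocation. Check mode is the default, so
    the run that actually changes the system has to be asked for explicitly."""
    cmd = ["sudo"] if as_root else []
    cmd += ["ansible-playbook", path]
    if check:
        cmd.append("--check")
    return cmd


def parse_recap(output):
    """Return {host: {ok, changed, unreachable, failed}} from the PLAY RECAP block."""
    results = {}
    in_recap = False
    for line in output.splitlines():
        if line.startswith("PLAY RECAP"):
            in_recap = True
            continue
        if not in_recap:
            continue
        m = RECAP_RE.match(line)
        if m:
            results[m.group("host")] = {
                k: int(m.group(k)) for k in ("ok", "changed", "unreachable", "failed")
            }
    return results


def drifted_hosts(recap):
    """Hosts where check mode would still change something, or that could not
    be assessed at all (unreachable/failed count as drift, not as compliant)."""
    return sorted(
        h for h, r in recap.items() if r["changed"] or r["unreachable"] or r["failed"]
    )


def run_check(path="harden.yml"):
    """Run the playbook in check mode and return the recap, or None when
    ansible-playbook is not on PATH (e.g. when this file is imported for tests)."""
    if shutil.which("ansible-playbook") is None:
        return None
    proc = subprocess.run(playbook_command(path, check=True),
                          capture_output=True, text=True)
    return parse_recap(proc.stdout)


# Constructed sample outputs: a host that still needs three remediations,
# and a host that is fully compliant.
SAMPLE_DRIFTED = """\
PLAY [localhost] ***
TASK [constructed example task] ***
changed: [localhost]
PLAY RECAP ***
localhost                  : ok=42   changed=3    unreachable=0    failed=0    skipped=12   rescued=0    ignored=0
"""
SAMPLE_CLEAN = """\
PLAY RECAP ***
localhost                  : ok=45   changed=0    unreachable=0    failed=0    skipped=12   rescued=0    ignored=0
"""

if __name__ == "__main__":
    write_playbook()
    recap = run_check() or parse_recap(SAMPLE_DRIFTED)
    drift = drifted_hosts(recap)
    print("drifted hosts:", drift or "none")
    raise SystemExit(1 if drift else 0)
```

When ansible-playbook is present the script exits non-zero for any drifted host, which is what a CI job or cron-driven compliance check needs; the apply command is `playbook_command(check=False)`, kept separate on purpose so a review of the check output stays a deliberate step before remediation.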

Conclusion

Hardening your Linux OS and apps doesn’t stop here, but this is a good start to make sure that a predefined set of controls is deployed to your system in a declarative way.

Take this a step further and you can see how it could easily be used to automate base hardening of your Linux OS at deployment time through infrastructure as code.