Automated Security Hardening for Ubuntu Server
Today, I am looking at a set of security scripts, which harden Ubuntu Server (20.04 or 22.04). Hardening is the process to change the system configuration in order to meet the basic set of compliance standards. In this example we will receive our compliance information from lynis, CIS and the DISA STIG. There are several things to discuss before jumping into the video.
WARNING: Never try a new automation script on production servers without first testing it in a controlled lab on test equipment! – you have been warned
First, how do we know what we need to change on our systems in order to bring it into compliance with various agency and regulatory standards. The first is the tool set provided by:
https://github.com/konstruktoid/hardening
Second, Once we have applied the changes to our system, how do we know we have met the standards we are trying to comply with?
Security Content Automation Protocol (SCAP) is a method for using specific standards to help organizations automate vulnerability management and policy compliance evaluation. SCAP comprises numerous open security standards, as well as applications which use these standards to check systems for vulnerabilities and misconfigurations.
One of the compliance files is called a STIG or A Security Technical Implementation Guide is a configuration standard consisting of cybersecurity requirements for a specific product. These are usually crafted for a specific operating system and version such as Ubuntu 20.04, RedHat 8, etc.
One other method of security validation I did not show is CIS Ubuntu Security Benchmark and you can find more information here: https://www.cisecurity.org/benchmark/ubuntu_linux
00:00 – Intro
00:28 – Preparations
01:31 – Setup the Server
06:40 – Change ubuntu.cfg
08:56 – running the ubuntu.sh script
09:38 – validating the changes
11:17 – Running a few tests (768)
14:46 – OpenSCAP Run
16:19 – SCAP Analysis
21:17 – Final Thoughts
22:12 – Outro
Support me on Patreon: https://www.patreon.com/DJWare
Follow me:
Twitter @djware55
Facebook:https://www.facebook.com/don.ware.7758
Discord: https://discord.gg/hQcShnh
Gitlab: https://gitlab.com/djware27
“Tech Live” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0
“Militaire Electronic” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Werq by Kevin MacLeod
Link: https://incompetech.filmmusic.io/song/4616-werq
License: https://filmmusic.io/standard-license
Industrial Cinematic by Kevin MacLeod
Link: https://incompetech.filmmusic.io/song/3909-industrial-cinematic
License: https://filmmusic.io/standard-license
Music Used in this video
“NonStop” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
#Infosec #SCAP #STIG
A score of 92 with Lynis is pretty good (to my limited knowledge that is).
I'm not a system administrator or security expert by any stretch of the imagination. But still quite interesting to see these kind of video's about security.
Thank you for researching / testing and explaining these kind of security scripts / tools.
Even i don't understand a thing here i get an idea how secure it is..
Very good DJ 👍!
Give your thoughts on systemd? Maybe you have mentioned it but I have not come across it. I don't find it to be as evil as many claim but I get where they're coming from .
why is this not on odysee? :/
By the way, the importance of this video simply cannot be overstated
Would you consider doing videos about penetration testing? For example, using Kali?
Recently there was a cyber attack. The FBI is looking for the hacker, they think he ran some ware.
Of course this automation isnt meant for development machines, possibly not test machines (integration test). Possibly could be used on a system test machine and of course a production server.
This looks pretty interesting; I suppose it's a whole different matter doing this on a rolling release like Manjaro, though?