https://github.com/madetech/linux-compliance-playbook
An Ansible Playbook to assist with Cyber Essentials Plus compliance on Linux
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/madetech/linux-compliance-playbook
- Owner: madetech
- Created: 2022-05-31T08:41:18.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2023-04-13T14:19:38.000Z (about 3 years ago)
- Last Synced: 2025-03-20T14:53:25.642Z (about 1 year ago)
- Size: 9.77 KB
- Stars: 0
- Watchers: 22
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Linux Compliance Playbook
This playbook (in development) is intended to set up our Linux workstations
for compliance with Cyber Essentials Plus (as detailed
[here](https://docs.google.com/document/d/13_Je82eCpPU2qZgYINxDYX9OxRrVemdixj8yD4IFH8s)),
as far as possible.
## Requirements
| Requirement | Ubuntu 20.04 | Ubuntu 22.04 | Fedora |
|-|-|-|-|
| Full Disk Encryption | | | |
| Automatic Updates (security) | D | D | D |
| Password Policy | | | |
| Account Lockout | | | |
| Firewall | | | |
| Disable Autorun | | | D |
| VPN | | | |
| Antivirus | | | |
| DriveStrike | | | |

| Level | Description | Code |
|-|-|-|
| Compliant by default | This item just needs you to not turn it off during install | D |
| Verified | This item is verified to be compliant by the Ansible playbook | V |
| Installed/Configured | This item is actually installed or configured by the Ansible playbook | C |
| Planned | We plan to do this | [empty cell] |
| Not Planned | We have decided this is too much trouble for now | NP |
Ideally we should be able to fill the whole table with `VC`.
Practically: we presently have fewer than 20 Linux users. It would be best to
identify the most time-consuming and error-prone aspects of the setup required,
and sort those out first.
Config changes should not be disturbed by package updates (if possible, avoid
touching config files provided as part of the package, e.g. use config.d/ folders
to supplement config, or where softlinks are used, supply new config and relink
to it).
## Priority
- Most of our users are on Ubuntu (Debian), so prioritise that first
- Prioritise things that are important
- Prioritise things that are fiddly to set up (and thus error-prone)
### 1. Full Disk Encryption
Since this is "the most important step", and relatively easy to verify, this
should be done early.
### 2. Password Policy
Another important one that is relatively easy to configure.
### 3. Account Lockout
The instructions as presented in the guide will disable your system if you don't
have the (deprecated) `pam_tally2` module, so anyone upgrading from 20.04 or
following the instructions for 22.04 will find themselves unable to log in.
Fixing this would be nice.
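The lockout described above happens when PAM configuration names a module the host does not have, and that can be checked before any file under `/etc/pam.d` is changed. The play below is an added example, not taken from this repository; the module directories and variable names are assumptions, and `pam_faillock.so` is included because it is the module that replaced `pam_tally2`.

```yaml
# Added example, not part of the madetech playbook.
# Assumption: the directories below cover the Ubuntu and Fedora PAM layouts.
- name: Pre-flight check before changing PAM account lockout
  hosts: all
  become: true
  vars:
    pam_module_dirs:            # assumed locations, adjust per distro/arch
      - /lib/x86_64-linux-gnu/security
      - /usr/lib/x86_64-linux-gnu/security
      - /usr/lib64/security
      - /lib/security
  tasks:
    - name: Look for the lockout modules actually installed
      ansible.builtin.find:
        paths: "{{ pam_module_dirs }}"
        patterns: ["pam_tally2.so", "pam_faillock.so"]
      register: lockout_files

    - name: Record which lockout modules exist on this host
      ansible.builtin.set_fact:
        lockout_modules: "{{ lockout_files.files | map(attribute='path') | map('basename') | unique | list }}"

    - name: Find uncommented PAM lines that reference pam_tally2
      ansible.builtin.find:
        paths: /etc/pam.d
        contains: '^[^#]*pam_tally2\.so'
      register: tally2_refs

    # This is the state that locks users out: config names a missing module.
    - name: Stop if PAM references a module that is not installed
      ansible.builtin.fail:
        msg: >-
          {{ tally2_refs.files | map(attribute='path') | join(', ') }}
          reference pam_tally2.so, which is not installed on this host.
      when:
        - tally2_refs.matched > 0
        - "'pam_tally2.so' not in lockout_modules"

    - name: Refuse to configure lockout when no lockout module is present
      ansible.builtin.assert:
        that: lockout_modules | length > 0
        fail_msg: "No account lockout PAM module found; leave /etc/pam.d untouched."
        success_msg: "Usable lockout modules: {{ lockout_modules | join(', ') }}"
```

Later tasks that write lockout configuration can then be conditioned on the contents of `lockout_modules` rather than on the distribution version.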
### 4. Antivirus
Currently: SentinelOne