How to Automate CIS Level 1 Hardening on Ubuntu 24.04 with OpenSCAP and Ansible

    Securing a fresh Ubuntu 24.04 (Noble Numbat) server to meet CIS (Center for Internet Security) benchmarks is a critical step for production environments. While you can manually edit config files, using Infrastructure as Code (IaC) is faster, repeatable, and less prone to error.

    In this guide, we will use the ComplianceAsCode project (the upstream source for SCAP content) to scan a server against the CIS Level 1 Server profile and automatically generate an Ansible remediation playbook to fix the findings.

    What We Are Building

    • Audit: A scan of your system identifying failures against the CIS Level 1 benchmark.
    • Remediate: A custom Ansible playbook generated dynamically based only on your system’s failures.
    • Verify: A final report proving your system is compliant.

    Prerequisites

    • A server running Ubuntu 24.04 LTS.
    • Root or sudo access.
    • Ansible installed on the control node (or locally if running a self-scan).

    Step 1: Install OpenSCAP and Security Content

    Ubuntu 24.04 includes OpenSCAP in its default repositories. However, because 24.04 is a newer release, the default SCAP Security Guide (SSG) package might not yet contain the finalized CIS profile. We will install the scanner and fetch the latest content directly from the ComplianceAsCode GitHub releases to ensure we have a valid ubuntu2404 datastream.

    1. Install the Scanner

    Update your repositories and install the OpenSCAP scanner and utilities:

    # jq and unzip are needed by the download script in the next step
    sudo apt update && sudo apt install -y openscap-scanner ansible jq unzip

    2. Fetch the Latest Compliance Content

    Download the latest compiled content release from the ComplianceAsCode repository. This ensures you have the latest CIS definitions for Noble Numbat.

    # Resolve the latest ComplianceAsCode release tag and strip the leading "v"
    SSG_VERSION=$(curl -s https://api.github.com/repos/ComplianceAsCode/content/releases/latest | jq -r .tag_name)
    SSG_VERSION=${SSG_VERSION#v}
    
    # Download the pre-built SCAP content bundle for that release
    curl -LO "https://github.com/ComplianceAsCode/content/releases/download/v${SSG_VERSION}/scap-security-guide-${SSG_VERSION}.zip"
    
    # Extract only the Ubuntu 24.04 datastream (-j drops the zip's top-level directory) into the standard SSG content path
    sudo unzip -j "scap-security-guide-${SSG_VERSION}.zip" "*/ssg-ubuntu2404-ds.xml" -d /usr/share/xml/scap/ssg/content/
    
    # Confirm the datastream is in place before moving on
    ls -l /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

    Note: If the ssg-ubuntu2404-ds.xml file is missing from the release zip, you may need to build it from source or wait for the next minor release. For this guide, we assume the datastream file ssg-ubuntu2404-ds.xml is present in the extracted folder.


    Step 2: Identify the CIS Profile

    SCAP datastreams contain multiple profiles (e.g., ANSSI, CIS Level 1, CIS Level 2, STIG). We need to find the exact ID for the CIS Level 1 Server profile.

    Run the oscap info command to list available profiles:

    # Confirm the datastream parses and show its metadata (document type, SCAP version, checklists)
    oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml
    
    # List Available Security Profiles (CIS, STIG, etc.)
    oscap info --profiles /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

    Look for output similar to:

    Title: CIS Ubuntu 24.04 Level 1 Server Benchmark
    Id: xccdf_org.ssgproject.content_profile_cis_level1_server

    Copy the Id string. We will use this for both scanning and remediation.
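    Rather than copying the Id by hand, the profile can be picked out of the oscap info output programmatically, which also catches the case where a loose pattern matches more than one profile (Level 1 Server and Level 1 Workstation, for instance). The script below is an added example, not code from the original post or from the OpenSCAP project; it assumes the two layouts oscap prints (the "Title: / Id:" pairs shown above, and the "id:title" lines that oscap info --profiles emits), and the sample profile list it parses is constructed for the demo.

```shell
#!/bin/sh
# Select the CIS Level 1 Server profile ID from "oscap info" output instead of
# copying it by hand. Added example, not from the original post. It understands
# both layouts oscap prints: the "Title: ... / Id: ..." pairs shown above and
# the "id:title" lines that "oscap info --profiles" emits.

# select_profile_id FILE PATTERN
#   Prints the Id of the one profile whose title matches PATTERN (an awk regex).
#   Returns 1 when no profile or more than one profile matches, so an ambiguous
#   pattern such as "Level 1" (Server and Workstation both match) is caught
#   instead of silently picking the first hit.
select_profile_id() {
    ids=$(awk -v pat="$2" '
        /^[ \t]*Title:/ { title = $0; sub(/^[ \t]*Title:[ \t]*/, "", title); next }
        /^[ \t]*Id:/ {
            id = $0; sub(/^[ \t]*Id:[ \t]*/, "", id)
            if (title ~ pat) print id
            title = ""; next
        }
        /^xccdf_[^:]*:/ {
            id = $0; sub(/:.*/, "", id)
            title = $0; sub(/^[^:]*:/, "", title)
            if (title ~ pat) print id
        }
    ' "$1")
    n=$(printf '%s\n' "$ids" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one profile matching '$2', found $n" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# Constructed sample in the layout shown above. The Workstation and Level 2
# entries are placeholders so the ambiguity check has something to catch.
SAMPLE_INFO=$(mktemp)
cat > "$SAMPLE_INFO" <<'EOF'
Profiles:
    Title: CIS Ubuntu 24.04 Level 1 Server Benchmark
        Id: xccdf_org.ssgproject.content_profile_cis_level1_server
    Title: CIS Ubuntu 24.04 Level 1 Workstation Benchmark
        Id: xccdf_org.ssgproject.content_profile_cis_level1_workstation
    Title: CIS Ubuntu 24.04 Level 2 Server Benchmark
        Id: xccdf_org.ssgproject.content_profile_cis_level2_server
EOF

# On a real host, capture oscap's output and pass that file instead:
#   oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml > info.txt
#   PROFILE=$(select_profile_id info.txt 'Level 1 Server')
PROFILE=$(select_profile_id "$SAMPLE_INFO" 'Level 1 Server')
echo "Using profile: $PROFILE"
```

    The exported PROFILE variable can then be substituted for the literal Id in the scan and remediation commands that follow; if the pattern is ambiguous the function refuses rather than guessing, which is the behaviour you want in a script that decides which benchmark a production host is measured against.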


    Step 3: Run the Initial Scan (Audit)

    Before fixing anything, we need to know what is broken. We will run an evaluation scan that generates an ARF (Asset Reporting Format) XML file. This file contains the raw data needed to generate the fix.

    sudo oscap xccdf eval \
      --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
      --results scan-results.xml \
      --report scan-report.html \
      --fetch-remote-resources \
      /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

    • --profile: The specific CIS benchmark we selected in Step 2.
    • --results: The machine-readable XML output (critical for the next step).
    • --report: A human-readable HTML dashboard you can open in your browser to visualize failures.
    • --fetch-remote-resources: Allows oscap to download any remote OVAL content the datastream references; without it, checks that depend on that content are skipped rather than evaluated.

    Pro Tip: Download scan-report.html to your local machine and open it. You will likely see a low compliance score (often <50% on a fresh install). Don’t panic—this is what we are about to fix!


    Step 4: Generate the Ansible Remediation Playbook

    This is where the magic happens. Instead of writing Ansible tasks manually, we ask OpenSCAP to read our scan-results.xml and generate a playbook that fixes only the rules we failed.

    oscap xccdf generate fix \
      --fix-type ansible \
      --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
      --output cis-remediation.yml \
      scan-results.xml

    Review the Playbook

    It is crucial to review the generated cis-remediation.yml file before running it.

    less cis-remediation.yml

    You will see standard Ansible tasks like “Ensure /tmp is a separate partition” or “Ensure SSH root login is disabled”.

    ⚠️ Critical Warning:
    Some CIS rules can break production systems.

    • Partitioning: Scripts often cannot re-partition a running drive. You may need to ignore partitioning rules or fix them manually during OS installation.
    • Access: Ensure PermitRootLogin no doesn’t lock you out if you rely on root SSH.

    If you find tasks you want to skip, you can simply comment them out in the YAML file or use a Tailoring File (advanced) to permanently exclude them from future scans.
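    Commenting tasks out of the YAML works once, but the exclusion is lost the next time the playbook is regenerated. A tailoring file keeps the decision with the benchmark instead: it defines a custom profile that extends the CIS Level 1 Server profile and unselects specific rules, and both the scan and the fix generator can be pointed at it. The script below is an added example, not code from the original post or from the OpenSCAP project; it assumes the XCCDF 1.2 tailoring layout that SCAP Workbench writes, and the two rule ids it excludes (the /tmp partition rule and the root SSH login rule, matching the warning above) are sample values you should confirm against scan-results.xml.

```shell
#!/bin/sh
# Build an XCCDF 1.2 tailoring file that derives a custom profile from the CIS
# Level 1 Server profile and unselects the rules you have decided to handle
# outside the playbook. Added example, not from the original post; the layout
# follows what SCAP Workbench writes, and the excluded rule ids below are
# sample values chosen to match the warning above.

# write_tailoring OUT_FILE BASE_PROFILE_ID SUFFIX RULE_ID...
#   Writes OUT_FILE defining profile "<BASE_PROFILE_ID>_<SUFFIX>", which extends
#   BASE_PROFILE_ID with selected="false" for every RULE_ID, and prints the new
#   profile id so it can be passed to --profile.
write_tailoring() {
    out=$1; base=$2; custom="${2}_${3}"; shift 3
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_tailoring_cis_custom">'
        echo '  <xccdf-1.2:benchmark href="/usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml"/>'
        echo "  <xccdf-1.2:version time=\"$(date -u +%Y-%m-%dT%H:%M:%S)\">1</xccdf-1.2:version>"
        echo "  <xccdf-1.2:Profile id=\"$custom\" extends=\"$base\">"
        echo '    <xccdf-1.2:title>CIS Level 1 Server, tailored for this host</xccdf-1.2:title>'
        echo '    <xccdf-1.2:description>Rules unselected here are handled manually or at install time.</xccdf-1.2:description>'
        for rule in "$@"; do
            echo "    <xccdf-1.2:select idref=\"$rule\" selected=\"false\"/>"
        done
        echo '  </xccdf-1.2:Profile>'
        echo '</xccdf-1.2:Tailoring>'
    } > "$out"
    echo "$custom"
}

# Unselect the /tmp partition rule and the root-login rule so the automated run
# cannot attempt a re-partition or lock out a root SSH session (sample rule ids;
# confirm the real ones in scan-results.xml or with "oscap info").
CUSTOM=$(write_tailoring cis-tailoring.xml \
    xccdf_org.ssgproject.content_profile_cis_level1_server custom \
    xccdf_org.ssgproject.content_rule_partition_for_tmp \
    xccdf_org.ssgproject.content_rule_sshd_disable_root_login)
echo "Tailored profile: $CUSTOM"

# Point both the scan and the fix generator at the tailoring file, then dry-run
# the playbook before applying it:
#   sudo oscap xccdf eval --tailoring-file cis-tailoring.xml --profile "$CUSTOM" \
#       --results scan-results.xml --report scan-report.html \
#       /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml
#   oscap xccdf generate fix --fix-type ansible --tailoring-file cis-tailoring.xml \
#       --profile "$CUSTOM" --output cis-remediation.yml scan-results.xml
#   ansible-playbook -i "localhost," -c local --check --diff cis-remediation.yml
```

    The --check --diff dry run shows every file Ansible would change without touching the host, which is the cheapest way to spot a task that would cut off your own access. For a one-off skip without touching the tailoring file, ansible-playbook --list-tags shows the tags the generated tasks carry and --skip-tags leaves the named ones out; this assumes, as ComplianceAsCode playbooks do, that each task is tagged with its rule's short name.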


    Step 5: Apply the Remediation

    Run the generated playbook using ansible-playbook. Since we are running this locally on the server itself, we use localhost.

    ansible-playbook -i "localhost," -c local cis-remediation.yml

    • -i "localhost,": Defines the inventory inline (note the comma).
    • -c local: Tells Ansible to execute locally rather than over SSH.

    Watch the output as Ansible turns the red “failed” checks into green “changed” states.


    Step 6: Verify Compliance

    Once the playbook finishes, we must prove the system is compliant. Run the scan command from Step 3 again, saving to a new report file.

    sudo oscap xccdf eval \
      --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
      --report scan-report-post-fix.html \
      /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

    Open scan-report-post-fix.html. You should see your score jump significantly (often into the 90%+ range).

    Why not 100%?

    You likely won’t hit 100% automatically because:

    1. Manual Checks: Some CIS rules require human verification (e.g., “Verify interview with system admin”).
    2. Partitioning: As mentioned, filesystem structure is hard to change post-install.
    3. Kernel Parameters: Some require a reboot to take effect.
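    The HTML reports are convenient to read, but the machine-readable results from Step 3 are what you want for tracking the residue this section describes: which rules still fail after the playbook, so each one can be assigned to manual verification, an install-time fix, or a reboot. The script below is an added example, not code from the original post or from the OpenSCAP project. It assumes the --results XML that oscap xccdf eval writes in Step 3 (and that you also pass --results scan-results-post-fix.xml on the Step 6 scan, whose command above writes only the HTML report); the results files it processes in its demo are constructed, including the rule names.

```shell
#!/bin/sh
# Summarise XCCDF results files and compare two scans. Added example, not from
# the original post. It reads the --results XML that "oscap xccdf eval" writes
# in Step 3; to compare before and after, also pass
# "--results scan-results-post-fix.xml" to the Step 6 scan. Needs only sh, awk,
# grep and comm, so it works on a minimal server without python or xmllint.

# count_results FILE STATE -> number of rule-results in STATE (pass, fail, notapplicable, ...)
count_results() {
    grep -c "<result>$2</result>" "$1" || true
}

# list_rules FILE STATE -> one rule id per line for rule-results in STATE.
# oscap writes each <rule-result idref="..."> on its own line with the <result>
# child below it, so remember the idref and emit it when its <result> arrives.
list_rules() {
    awk -v want="$2" '
        /<rule-result[ >]/ {
            if (match($0, /idref="[^"]*"/)) cur = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<result>[a-z]*<\/result>/ {
            state = $0; sub(/.*<result>/, "", state); sub(/<\/result>.*/, "", state)
            if (cur != "" && state == want) print cur
            cur = ""
        }
    ' "$1"
}

# still_failing BEFORE AFTER -> rule ids that failed in both scans: the residue
# the "Why not 100%?" section describes (manual checks, partitioning,
# reboot-only kernel settings) that needs a decision rather than another run.
still_failing() {
    before=$(mktemp); after=$(mktemp)
    list_rules "$1" fail | sort > "$before"
    list_rules "$2" fail | sort > "$after"
    comm -12 "$before" "$after"
    rm -f "$before" "$after"
}

# summarize FILE -> one line of counts followed by the failed rule ids
summarize() {
    echo "$1: pass=$(count_results "$1" pass) fail=$(count_results "$1" fail) notapplicable=$(count_results "$1" notapplicable)"
    list_rules "$1" fail | sed 's/^/  FAIL /'
}

# sample_results FILE STATE1 STATE2 STATE3 STATE4
#   Writes a constructed, minimal results file with four rule-results in the
#   layout oscap emits. The rule names are sample values for illustration.
sample_results() {
    out=$1; shift
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">'
        for rule in sshd_disable_root_login package_telnet_removed sysctl_kernel_randomize_va_space partition_for_tmp; do
            echo "  <rule-result idref=\"xccdf_org.ssgproject.content_rule_$rule\" weight=\"1.000000\">"
            echo "    <result>$1</result>"
            echo "  </rule-result>"
            shift
        done
        echo '</TestResult>'
    } > "$out"
}

# Demo on constructed data: three failures before the playbook, one (the /tmp
# partition) left afterwards. On a real host:
#   summarize scan-results.xml
#   still_failing scan-results.xml scan-results-post-fix.xml
PRE=$(mktemp); POST=$(mktemp)
sample_results "$PRE"  fail pass fail fail
sample_results "$POST" pass pass pass fail
summarize "$PRE"
summarize "$POST"
echo "Still failing after remediation:"
still_failing "$PRE" "$POST" | sed 's/^/  /'
```

    Keeping the pre- and post-fix results files (rather than just the HTML) also gives you an audit trail: the still_failing list is exactly the set of findings that needs a documented exception or a follow-up change window, and a rule that appears in it after a reboot is one the playbook did not actually fix.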

