Auditing a CIS-Hardened Ubuntu System

Installation and Hardening Process

Ubuntu Advantage provides access to tooling to harden and audit Ubuntu LTS systems. The rest of these instructions assume that the tooling has been installed and the hardening has been applied on the system(s) to be audited.

Auditing

An Ubuntu system is audited against one of the CIS profiles with the cis-audit command, passing the ruleset name as the parameter; for example, the Level 2 Server rules are audited with the “level2_server” ruleset.

$ sudo cis-audit <LEVEL>

where <LEVEL> is one of

  • level1_server
  • level2_server
  • level1_workstation
  • level2_workstation

If no level is specified, the tool will use the level1_server profile as default.

The cis-audit command automatically creates an HTML report at /usr/share/ubuntu-scap-security-guides/cis-<VERSION>-report.html, where <VERSION> is the release version of the audited Ubuntu LTS system (for example 20.04).

Each subsequent run overwrites the previous report at this location, so copy the report elsewhere (for example under a timestamped name) if an audit trail must be maintained.

Auditing with OpenSCAP tool directly

Although the helper script above is sufficient for most users, there are advanced cases where it is appropriate to use the oscap tool directly. The information below assists in doing so.

Ubuntu’s auditing content is Security Content Automation Protocol (SCAP) content that is evaluated by the OpenSCAP tool; both the content and the tool are installed together with Canonical’s CIS hardening tool.

For an Ubuntu Focal system, the profiles available are the following:

  • xccdf_com.ubuntu.focal.cis_profile_Level_1_Workstation (Level 1 Workstation)
  • xccdf_com.ubuntu.focal.cis_profile_Level_1_Server (Level 1 Server)
  • xccdf_com.ubuntu.focal.cis_profile_Level_2_Workstation (Level 2 Workstation)
  • xccdf_com.ubuntu.focal.cis_profile_Level_2_Server (Level 2 Server)

For an Ubuntu Bionic system, these values are the following:

  • xccdf_com.ubuntu.bionic.cis_profile_Level_1_Workstation (Level 1 Workstation)
  • xccdf_com.ubuntu.bionic.cis_profile_Level_1_Server (Level 1 Server)
  • xccdf_com.ubuntu.bionic.cis_profile_Level_2_Workstation (Level 2 Workstation)
  • xccdf_com.ubuntu.bionic.cis_profile_Level_2_Server (Level 2 Server)

For an Ubuntu Xenial system, these values are the following:

  • xccdf_com.ubuntu.xenial.cis_profile_Level_1_Workstation (Level 1 Workstation)
  • xccdf_com.ubuntu.xenial.cis_profile_Level_1_Server (Level 1 Server)
  • xccdf_com.ubuntu.xenial.cis_profile_Level_2_Workstation (Level 2 Workstation)
  • xccdf_com.ubuntu.xenial.cis_profile_Level_2_Server (Level 2 Server)

The Canonical-installed SCAP content is located at /usr/share/ubuntu-scap-security-guides.

The content files for each LTS release are:

20.04 LTS
  • OVAL: Canonical_Ubuntu_20.04_CIS_Benchmark-oval.xml
  • XCCDF: Canonical_Ubuntu_20.04_CIS_Benchmark-xccdf.xml
  • CPE dictionary: Ubuntu_20.04_LTS_Benchmark-cpe-dictionary.xml

18.04 LTS
  • OVAL: Canonical_Ubuntu_18.04_CIS_Benchmark-oval.xml
  • XCCDF: Canonical_Ubuntu_18.04_CIS_Benchmark-xccdf.xml
  • CPE dictionary: Ubuntu_18.04_LTS_Benchmark-cpe-dictionary.xml

16.04 LTS
  • OVAL: Canonical_Ubuntu_16.04_CIS_Benchmark-oval.xml
  • XCCDF: Canonical_Ubuntu_16.04_CIS_Benchmark-xccdf.xml
  • CPE dictionary: Ubuntu_16.04_LTS_Benchmark-cpe-dictionary.xml

By running the OpenSCAP tool with one of the profile identifiers above against the matching XCCDF file, one can run an audit without the cis-audit helper.
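As an added example (not Canonical's cis-audit script or any code from this page), the following POSIX shell script ties together the two points made above: it selects the profile identifier and content files for a release codename and a cis-audit style level name, runs oscap directly, and writes every run into its own timestamped directory so that, unlike the helper's fixed report path, earlier reports are never overwritten. The archive directory /var/log/cis-audit is an assumption chosen here; the use of oscap's --cpe, --results and --report options and its exit codes (0 when every rule passed, 2 when at least one rule failed, 1 on an evaluation error) are taken from the oscap manual page rather than from this page.

```shell
#!/bin/sh
# Added example, not part of Canonical's cis-audit tooling: run the CIS audit
# with oscap directly, choosing the profile id and content files for the
# release, and keep each run in its own timestamped directory.
#
# Assumptions not stated on the page: the archive directory /var/log/cis-audit
# (chosen here), and oscap's exit codes (0 all rules passed, 2 at least one
# rule failed, 1 evaluation error) as documented in the oscap manual page.
set -eu

SCAP_DIR="${SCAP_DIR:-/usr/share/ubuntu-scap-security-guides}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/cis-audit}"

# Release codename -> version string used in the content file names.
cis_release_version() {
    case "$1" in
        focal)  echo 20.04 ;;
        bionic) echo 18.04 ;;
        xenial) echo 16.04 ;;
        *)      echo "unsupported release: $1" >&2; return 1 ;;
    esac
}

# Release codename + cis-audit style level name -> XCCDF profile id.
cis_profile_id() {
    case "$2" in
        level1_server)      suffix=Level_1_Server ;;
        level1_workstation) suffix=Level_1_Workstation ;;
        level2_server)      suffix=Level_2_Server ;;
        level2_workstation) suffix=Level_2_Workstation ;;
        *)                  echo "unknown level: $2" >&2; return 1 ;;
    esac
    echo "xccdf_com.ubuntu.$1.cis_profile_${suffix}"
}

# Paths of the XCCDF benchmark and the CPE dictionary for a release codename.
cis_xccdf_path() {
    echo "${SCAP_DIR}/Canonical_Ubuntu_$(cis_release_version "$1")_CIS_Benchmark-xccdf.xml"
}

cis_cpe_path() {
    echo "${SCAP_DIR}/Ubuntu_$(cis_release_version "$1")_LTS_Benchmark-cpe-dictionary.xml"
}

# The oscap invocation for a release, level and output directory, printed as
# one line so it can be reviewed before anything is run on the system.
cis_oscap_cmdline() {
    printf 'oscap xccdf eval --profile %s --cpe %s --results %s/results.xml --report %s/report.html %s\n' \
        "$(cis_profile_id "$1" "$2")" "$(cis_cpe_path "$1")" "$3" "$3" "$(cis_xccdf_path "$1")"
}

# Run the audit and keep the XCCDF results and HTML report in a fresh
# directory named after the release, level and UTC timestamp.
cis_oscap_audit() {
    release="$1"; level="${2:-level1_server}"
    outdir="${ARCHIVE_DIR}/${release}-${level}-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$outdir"
    set +e
    oscap xccdf eval --profile "$(cis_profile_id "$release" "$level")" \
        --cpe "$(cis_cpe_path "$release")" \
        --results "$outdir/results.xml" --report "$outdir/report.html" \
        "$(cis_xccdf_path "$release")"
    rc=$?
    set -e
    # A non-compliant system is a finding, not a failure of the audit itself.
    case "$rc" in
        0) echo "all rules passed; report: $outdir/report.html" ;;
        2) echo "at least one rule failed; report: $outdir/report.html" ;;
        *) echo "oscap failed (exit $rc); see $outdir" >&2; return 1 ;;
    esac
}

# Usage (as root, with the Canonical SCAP content installed):
#   sh cis-oscap-audit.sh focal level2_server
if [ "$#" -gt 0 ]; then
    cis_oscap_audit "$@"
fi
```

Calling cis_oscap_cmdline first is a convenient way to confirm that the profile id and file names resolve to what the lists above show for the target release before running the evaluation as root; the results.xml kept beside the HTML report is the machine-readable record that later tooling can diff between runs.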

Additional notes

If SELinux is used instead of AppArmor for Mandatory Access Control (MAC), rules 1.6.1.1 to 1.6.1.4 must be audited manually; the automated content does not cover that configuration.