Installation and Hardening Process
Ubuntu Advantage provides access to tooling to harden and audit Ubuntu LTS systems. The rest of the instructions make the assumption that the tooling has been installed and used on the system(s) to be audited.
Auditing
An Ubuntu system can be audited for the Level 2 Server rules using the cis-audit
command with the “level2_server” ruleset as the parameter.
$ sudo cis-audit <LEVEL>
where <LEVEL>
is one of
level1_server
level2_server
level1_workstation
level2_workstation
If no level is specified, the tool will use the level1_server profile as default.
The cis-audit
command will automatically create an HTML report, which will be located at /usr/share/ubuntu-scap-security-guides/cis-<VERSION>-report.html
, where <VERSION>
is the version of the Ubuntu LTS systems.
Subsequent runs will overwrite any previous report at this location; it is best to copy the report to another location if it is necessary to maintain an audit trail.
Auditing with OpenSCAP tool directly
Although using our help script above is sufficient for most users, there are often advanced cases where it is suitable to use the oscap
tool directly. To assist in using oscap
we provide the information below.
Ubuntu’s auditing content is based on Security Content Automation Protocol (SCAP) audit content and the OpenSCAP tool which are installed when installing Canonical’s CIS hardening tool.
For an Ubuntu Focal system, the profiles available are the following:
- xccdf_com.ubuntu.focal.cis_profile_Level_1_Workstation (Level 1 Workstation)
- xccdf_com.ubuntu.focal.cis_profile_Level_1_Server (Level 1 Server)
- xccdf_com.ubuntu.focal.cis_profile_Level_2_Workstation (Level 2 Workstation)
- xccdf_com.ubuntu.focal.cis_profile_Level_2_Server (Level 2 Server)
For an Ubuntu Bionic system, these values are the following:
- xccdf_com.ubuntu.bionic.cis_profile_Level_1_Workstation (Level 1 Workstation)
- xccdf_com.ubuntu.bionic.cis_profile_Level_1_Server (Level 1 Server)
- xccdf_com.ubuntu.bionic.cis_profile_Level_2_Workstation (Level 2 Workstation)
- xccdf_com.ubuntu.bionic.cis_profile_Level_2_Server (Level 2 Server)
For an Ubuntu Xenial system, these values are the following:
- xccdf_com.ubuntu.xenial.cis_profile_Level_1_Workstation (Level 1 Workstation)
- xccdf_com.ubuntu.xenial.cis_profile_Level_1_Server (Level 1 Server)
- xccdf_com.ubuntu.xenial.cis_profile_Level_2_Workstation (Level 2 Workstation)
- xccdf_com.ubuntu.xenial.cis_profile_Level_2_Server (Level 2 Server)
The Canonical-installed SCAP content is located at /usr/share/ubuntu-scap-security-guides
.
Files | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|
OVAL | Canonical_Ubuntu_20.04_CIS_Benchmark-oval.xml |
Canonical_Ubuntu_18.04_CIS_Benchmark-oval.xml |
Canonical_Ubuntu_16.04_CIS_Benchmark-oval.xml |
XCCDF | Canonical_Ubuntu_20.04_CIS_Benchmark-xccdf.xml |
Canonical_Ubuntu_18.04_CIS_Benchmark-xccdf.xml |
Canonical_Ubuntu_16.04_CIS_Benchmark-xccdf.xml |
CPE dictionary | Ubuntu_20.04_LTS_Benchmark-cpe-dictionary.xml |
Ubuntu_18.04_LTS_Benchmark-cpe-dictionary.xml |
Ubuntu_16.04_LTS_Benchmark-cpe-dictionary.xml |
By using the OpenSCAP tool with the above options, one can run an audit.
Additional notes
If using SELinux instead of AppArmor for Mandatory Access Control (MAC), rules 1.6.1.1 - 1.6.1.4 must be audited manually.