Auditing a CIS-Hardened Ubuntu System

Installation and Hardening Process

Canonical offers tooling to harden Ubuntu Xenial (16.04), Ubuntu Bionic (18.04), and Ubuntu Focal (20.04) systems. This article assumes that the tooling has been installed and used on the system(s) to be audited.

Auditing Process Using OpenSCAP

Upon installing Canonical’s CIS hardening tool, Security Content Automation Protocol (SCAP) content is also installed. Before auditing, ensure that the libopenscap8 package is installed. This package was likely installed when installing Canonical’s CIS hardening tool.

sudo apt install libopenscap8

Four different profiles have been certified by CIS. When running the OpenSCAP auditing tool, the appropriate profile value, found below, will need to be passed as an argument.

For an Ubuntu Focal system, these values are the following:

  • xccdf_com.ubuntu.focal.cis_profile_Level_1_Workstation (Level 1 Workstation)
  • xccdf_com.ubuntu.focal.cis_profile_Level_1_Server (Level 1 Server)
  • xccdf_com.ubuntu.focal.cis_profile_Level_2_Workstation (Level 2 Workstation)
  • xccdf_com.ubuntu.focal.cis_profile_Level_2_Server (Level 2 Server)

For an Ubuntu Bionic system, these values are the following:

  • xccdf_com.ubuntu.bionic.cis_profile_Level_1_Workstation (Level 1 Workstation)
  • xccdf_com.ubuntu.bionic.cis_profile_Level_1_Server (Level 1 Server)
  • xccdf_com.ubuntu.bionic.cis_profile_Level_2_Workstation (Level 2 Workstation)
  • xccdf_com.ubuntu.bionic.cis_profile_Level_2_Server (Level 2 Server)

For an Ubuntu Xenial system, these values are the following:

  • xccdf_com.ubuntu.xenial.cis_profile_Level_1_Workstation (Level 1 Workstation)
  • xccdf_com.ubuntu.xenial.cis_profile_Level_1_Server (Level 1 Server)
  • xccdf_com.ubuntu.xenial.cis_profile_Level_2_Workstation (Level 2 Workstation)
  • xccdf_com.ubuntu.xenial.cis_profile_Level_2_Server (Level 2 Server)

The Canonical-installed SCAP content is located at /usr/share/ubuntu-scap-security-guides.

  • On an Ubuntu Focal system, the OVAL, XCCDF, and CPE Dictionary files are named Canonical_Ubuntu_20.04_CIS_Benchmark-oval.xml, Canonical_Ubuntu_20.04_CIS_Benchmark-xccdf.xml, and Ubuntu_20.04_LTS_Benchmark-cpe-dictionary.xml, respectively.
  • On an Ubuntu Bionic system, Canonical_Ubuntu_18.04_CIS_Benchmark-oval.xml, Canonical_Ubuntu_18.04_CIS_Benchmark-xccdf.xml, and Ubuntu_18.04_LTS_Benchmark-cpe-dictionary.xml, respectively.
  • On an Ubuntu Xenial system, Canonical_Ubuntu_16.04_CIS_Benchmark-oval.xml, Canonical_Ubuntu_16.04_CIS_Benchmark-xccdf.xml, and Ubuntu_16.04_LTS_Benchmark-cpe-dictionary.xml, respectively.

Running the OpenSCAP tool with the profile identifier and the content files listed above performs the audit.
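The following script is an added example, not part of this article or Canonical's tooling. It assembles an oscap xccdf eval invocation from the profile identifiers and content file names listed above, writes the results and report into a timestamped directory so that earlier reports are preserved, and interprets the oscap exit status. It assumes the oscap binary is available on the audited system and that the content lives in SCAP_DIR (overridable from the environment); oscap locates the OVAL file from the reference inside the XCCDF, so only the XCCDF and CPE dictionary are passed explicitly.

```sh
#!/bin/sh
# Added example: drive oscap against Canonical's CIS SCAP content.
# Assumption: content is in SCAP_DIR (default is the path given in the article).
SCAP_DIR="${SCAP_DIR:-/usr/share/ubuntu-scap-security-guides}"

# Map an Ubuntu codename to the release number used in the content file names.
cis_release_number() {
  case "$1" in
    focal)  echo 20.04 ;;
    bionic) echo 18.04 ;;
    xenial) echo 16.04 ;;
    *) echo "unsupported release: $1" >&2; return 1 ;;
  esac
}

# Build the XCCDF profile id, e.g. cis_profile_id focal Level_2_Server
cis_profile_id() {
  printf 'xccdf_com.ubuntu.%s.cis_profile_%s\n' "$1" "$2"
}

# Print the full oscap command line; $3 is the directory for results and report.
cis_oscap_cmd() {
  cis_rel=$(cis_release_number "$1") || return 1
  printf 'oscap xccdf eval --profile %s' "$(cis_profile_id "$1" "$2")"
  printf ' --cpe %s/Ubuntu_%s_LTS_Benchmark-cpe-dictionary.xml' "$SCAP_DIR" "$cis_rel"
  printf ' --oval-results --results %s/cis-%s-results.xml' "$3" "$cis_rel"
  printf ' --report %s/cis-%s-report.html' "$3" "$cis_rel"
  printf ' %s/Canonical_Ubuntu_%s_CIS_Benchmark-xccdf.xml\n' "$SCAP_DIR" "$cis_rel"
}

# Run the audit into a timestamped directory so earlier reports are not overwritten.
# oscap exits 0 when every rule passed, 2 when at least one rule failed, 1 on error.
cis_audit() {
  cis_out="${3:-/var/log/cis-audit}/$(date +%Y%m%dT%H%M%S)"
  mkdir -p "$cis_out"
  cis_cmd=$(cis_oscap_cmd "$1" "$2" "$cis_out") || return 1
  if eval "sudo $cis_cmd"; then cis_status=0; else cis_status=$?; fi
  case $cis_status in
    0) echo "all rules passed; report in $cis_out" ;;
    2) echo "some rules failed; report in $cis_out" ;;
    *) echo "oscap error (exit $cis_status)" >&2 ;;
  esac
  return $cis_status
}

# Usage: sh cis-oscap-audit.sh focal Level_2_Server [output-base-dir]
if [ "$#" -ge 2 ]; then cis_audit "$@"; fi
```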

Example Audit Process

An Ubuntu system can be audited for the Level 2 Server rules using the cis-audit command with the “level2_server” ruleset as the parameter.

sudo cis-audit level2_server

The cis-audit command will automatically create an HTML report, which will be located at /usr/share/ubuntu-scap-security-guides/cis-<VERSION>-report.html, where “<VERSION>” is the version of the Ubuntu system (20.04, 18.04, 16.04).

Subsequent runs will overwrite any previous report at this location; it is best to copy the report to another location if it is necessary to maintain an audit trail.

NOTE: If using SELinux instead of AppArmor for Mandatory Access Control (MAC), rules 1.6.1.1 - 1.6.1.4 must be audited manually.