CIS Compliance for Ubuntu: Required Manual Configuration
While the provided CIS hardening scripts configure many CIS rules, some rules must be manually configured into compliance.
Rules addressed below are from the Ubuntu Xenial/16.04 Benchmark v1.1.0, Ubuntu Bionic/18.04 Benchmark v2.0.1, and Ubuntu Focal/20.04 Benchmark v1.0.0. These are the Benchmark versions covered by the present hardening tools.
Rules marked as “N/A” are not necessarily non-existent rules in the Benchmarks, but only that the rules are not marked as needing manual configuration in the hardening tool.
CIS Level 1 (Server and Workstation Profiles)
Root Password Rule
The Bionic and Focal hardening tools include a
root\_hash optional parameter to help with this configuration.
- Xenial 1.4.3; Bionic 1.4.4; Focal 1.5.3: Ensure authentication required for single user mode
This rule requires BIOS a configuration change.
- Xenial N/A; Bionic 1.6.1; Focal 1.6.1: Ensure XD/NX support is enabled
Hosts.allow and Hosts.deny Rules
Rules provided by these scripts only provide a generic version of those files. Configure these specifically for your network.
- Xenial 3.4.2; Bionic N/A; Focal N/A: Ensure /etc/hosts.allow is configured
- Xenial 3.4.3; Bionic N/A; Focal N/A: Ensure /etc/hosts.deny is configured
Configure these specifically for your network.
- Xenial 3.6.2; Bionic 188.8.131.52.1/184.108.40.206.1; Focal 220.127.116.11: Ensure default deny firewall policy
- Xenial 3.6.5; Bionic 18.104.22.168.4/22.214.171.124.4; Focal 126.96.36.199: Ensure firewall rules exist for all open ports
- Xenial N/A; Bionic 188.8.131.52.1; Focal N/A - Ensure default deny firewall policy
- Xenial N/A; Bionic N/A; Focal 184.108.40.206.3 - Ensure outbound and established connections are configured
- Xenial N/A; Bionic 220.127.116.11.4; Focal 18.104.22.168.4 - Ensure firewall rules exist for all open ports
- Xenial N/A; Bionic N/A; Focal 22.214.171.124.3 - Ensure IPv6 outbound and established connections are configured
- Xenial N/A; Bionic 126.96.36.199.1; Focal 188.8.131.52.4 - Ensure IPv6 default deny firewall policy
- Xenial N/A; Bionic 4.2.3; Focal 4.2.3 - Ensure permissions on all logfiles are configured
User Password Creation Time Audit Rule
In order to enforce this rule, one must ensure that a user doesn’t have a password change time in the future.
- Xenial 184.108.40.206; Bionic 220.127.116.11; Focal 18.104.22.168: Ensure all users last password change date is in the past
User and Group Rules
- Xenial 6.2.6; Bionic 6.2.7; Focal 6.2.7: Ensure root PATH Integrity
- Xenial 6.2.16; Bionic 6.2.16; Focal 6.2.13: Ensure no duplicate UIDs exist
- Xenial 6.2.17; Bionic 6.2.17; Focal 6.2.14: Ensure no duplicate GIDs exist
- Xenial 6.2.18; Bionic 6.2.18; Focal 6.2.15: Ensure no duplicate user names exist
- Xenial 6.2.19; Bionic 6.2.19; Focal 6.2.16: Ensure no duplicate group names exist
- Xenial 6.2.20; Bionic 6.2.20; Focal 6.2.17: Ensure shadow group is empty
CIS Level 2 (Server and Workstation Profiles)
In addition to the CIS Level 1 configured rules above.
Separate Partition Rules
- Xenial 1.1.2; Bionic 1.1.2; Focal 1.1.2: Ensure separate partition exists for /tmp; Ensure /tmp is configured
- Xenial N/A; Bionic N/A; Focal 1.1.6: Ensure /dev/shm is configured
- Xenial N/A; Bionic 1.1.15; Focal 1.1.7: Ensure nodev option set on /dev/shm partition
- Xenial 1.1.5; Bionic 1.1.6; Focal 1.1.10: Ensure separate partition exists for /var
- Xenial 1.1.6; Bionic 1.1.7; Focal 1.1.11: Ensure separate partition exists for /var/tmp
- Xenial N/A; Bionic 1.1.8; Focal 1.1.12: Ensure /var/tmp partition includes the nodev option
- Xenial N/A; Bionic 1.1.9; Focal 1.1.13: Ensure /var/tmp partition includes the nosuid option
- Xenial 1.1.10; Bionic 1.1.15; Focal 1.1.15: Ensure separate partition exists for /var/log
- Xenial 1.1.11; Bionic 1.1.16; Focal 1.1.16: Ensure separate partition exists for /var/log/audit
- Xenial 1.1.12; Bionic 1.1.17; Focal 1.1.17: Ensure separate partition exists for /home
Regarding Postfix Configuration
Xenial rule 1.3.1 / Bionic rule 1.3.1 / Focal rule 1.4.1 (“Ensure AIDE is installed”) does a basic PostFix configuration, which is installed as a dependency from AIDE. After the script execution, it’s recommended to properly configure the Postfix server. This includes changing the /etc/mailname file which is set to a default value of