Parameter configuration: ruleset-params.conf

Some rules can be fine-tuned by changing parameters in the ruleset-params.conf file. It’s a simple text file with the following format:

<param_name>=<param_value>

E.g.: unowned_users=root

Comments are allowed in the file. Lines starting with the “#” character are ignored by the script.
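The following is an added example, not part of the tool: a small Python parser for this key=value format, plus a pre-flight check for the parameter constraints described in the sections below (grub_user/grub_hash only work as a pair, root_hash is an "openssl passwd -6" hash, remote_log_server takes <host/ip>:<port>, the sshd lists are space-separated). The sample file and all of its values are constructed placeholders.

```python
SAMPLE_CONF = """\
# Constructed sample ruleset-params.conf; values are placeholders
grub_user=admin
grub_hash=grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
# Remote syslog target in <host/ip>:<port> form
remote_log_server=logs.example.internal:6514
AllowUsers=alice bob
AllowGroups=sshusers,admins
DenyGroups=
"""

SSH_LIST_PARAMS = ("AllowUsers", "AllowGroups", "DenyUsers", "DenyGroups")


def parse_params(text):
    """Parse <param_name>=<param_value> lines; '#' lines and blank lines are ignored."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected <param_name>=<param_value>")
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_params(params):
    """Return findings for values the tool would skip, reject or apply unexpectedly."""
    findings = []
    # grub_user and grub_hash take effect only together; otherwise the rule is skipped
    if bool(params.get("grub_user")) != bool(params.get("grub_hash")):
        findings.append("grub_user/grub_hash: set both, or the bootloader rule is skipped")
    # root_hash should be the SHA-512 crypt string that 'openssl passwd -6' prints
    if params.get("root_hash") and not params["root_hash"].startswith("$6$"):
        findings.append("root_hash: expected a $6$ (SHA-512 crypt) hash")
    # remote_log_server is <host/ip> or <host/ip>:<port>; if a port is given it must be usable
    host, sep, port = params.get("remote_log_server", "").rpartition(":")
    if sep and not (host and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("remote_log_server: expected <host/ip>:<port>, port 1-65535")
    # sshd reads these lists as space-separated; a comma becomes part of one name
    for name in SSH_LIST_PARAMS:
        if "," in params.get(name, ""):
            findings.append(f"{name}: use spaces, not commas, between names")
    return findings


def sshd_lines(params):
    """Render the sshd_config lines; empty or absent parameters add nothing."""
    return [f"{n} {params[n]}" for n in SSH_LIST_PARAMS if params.get(n)]
```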

Below you will find a brief explanation of the parameters for each Ubuntu flavour, what rules they are related to, and how to set them.

Xenial Tool

grub_hash, grub_user

CIS rule 1.4.2 - grub_user sets the user who must authenticate in order to edit bootloader entries at boot time. grub_hash is the password hash generated by the command grub-mkpasswd-pbkdf2. If either parameter is empty, this rule is not applied and a message requiring manual configuration is printed. Note: the impact of this rule has been taken into account: the --restricted option will be set so that the system can boot without authenticating, but editing grub menu items requires authentication.

time_sync_svc, time_sync_addr

CIS rules 2.2.1.1 to 2.2.1.3 - time_sync_svc chooses which service will take care of time synchronization (NTP service). time_sync_addr states the address of the server used for time synchronization.

max_log_file

CIS rule 4.1.1.1 - Sets the maximum size of the audit log file. The log is rotated once the cap is reached. More information about this parameter can be found in the auditd.conf man page.

remote_log_server

CIS rule 4.2.2.4 - sets the host address and port of the remote log server which will receive the log messages generated by the host. Use the format <host/ip>:<port> to set a port number.

AllowUsers, AllowGroups

CIS rule 5.2.15 - The parameters AllowUsers and AllowGroups set, respectively, which users or groups of users may log in to the machine over ssh. This will set the “AllowUsers” and “AllowGroups” options in the /etc/ssh/sshd_config file. The value for these parameters is a space-separated list of user names (for AllowUsers) or group names (for AllowGroups). If a value is not provided for a parameter, the corresponding option is not added to the /etc/ssh/sshd_config file.

DenyUsers, DenyGroups

CIS rule 5.2.15 - The parameters DenyUsers and DenyGroups deny ssh access to users or groups of users. This will set the “DenyUsers” and “DenyGroups” options in the /etc/ssh/sshd_config file. The value for these parameters is a space-separated list of user names (for DenyUsers) or group names (for DenyGroups). If a value is not provided for a parameter, the corresponding option is not added to the /etc/ssh/sshd_config file.

minlen, dcredit, ucredit, ocredit, lcredit

CIS rule 5.3.1 - Password quality parameters. They are passed to the PAM pwquality module to enforce restrictions when changing passwords. Information about them can be found in the pwquality.conf man page.

wheel_member

CIS rule 5.6 - The wheel_member parameter lets you specify a space-separated list of users who are added to the wheel group, allowing them to use su to switch to another user.

unowned_user

CIS rule 6.1.11 - The unowned_user parameter specifies which user files without an owner will be assigned to. The unowned_group parameter does the same for files without a group owner.

delete_user_files

CIS rules 6.2.11, 6.2.12, 6.2.14 - if set to true, the script will delete the offending files (for the list, refer to the aforementioned rules) inside each user's home directory. Otherwise, only a warning message is printed for each file violating the policy.

Bionic Tool

sudo_log

CIS rule 1.3.3 - sudo_log sets the path to the sudo log file. More information about this parameter can be found in the sudoers man page.

grub_hash, grub_user

CIS rule 1.5.2 - grub_user sets the user who must authenticate in order to edit bootloader entries at boot time. grub_hash is the password hash generated by the command grub-mkpasswd-pbkdf2. If either parameter is empty, this rule is not applied and a message requiring manual configuration is printed. Note: the impact of this rule has been taken into account: the --restricted option will be set so that the system can boot without authenticating, but editing grub menu items requires authentication.

root_hash

CIS rule 1.5.3 - root_hash contains the hashed password for the root user, which will be written to the /etc/shadow file. To generate the hash, run the command “openssl passwd -6” and type the password twice. Set the root_hash parameter to the resulting hash. If the root_hash parameter is empty, the root password is not changed.

lvl1_apparmor_enforce

CIS rule 1.7.1.3 - if lvl1_apparmor_enforce contains the value “true”, AppArmor profiles will be set to enforce mode even on CIS level 1 profiles. Otherwise, AppArmor profiles will be set to complain mode on CIS level 1 profiles.

time_sync_svc, time_sync_addr

CIS rules 2.2.1.1 to 2.2.1.4 - time_sync_svc chooses which service will take care of time synchronization (NTP service). time_sync_addr states the address of the server used for time synchronization.

max_log_file

CIS rule 4.1.2.1 - Sets the maximum size of the audit log file. The log is rotated once the cap is reached. More information about this parameter can be found in the auditd.conf man page.

remote_log_server

CIS rule 4.2.1.5 - sets the host address and port of the remote log server which will receive the log messages generated by the host. Use the format <host/ip>:<port> to set a port number.

AllowUsers, AllowGroups

CIS rule 5.2.18 - The parameters AllowUsers and AllowGroups set, respectively, which users or groups of users may log in to the machine over ssh. This will set the “AllowUsers” and “AllowGroups” options in the /etc/ssh/sshd_config file. The value for these parameters is a space-separated list of user names (for AllowUsers) or group names (for AllowGroups). If a value is not provided for a parameter, the corresponding option is not added to the /etc/ssh/sshd_config file.

DenyUsers, DenyGroups

CIS rule 5.2.18 - The parameters DenyUsers and DenyGroups deny ssh access to users or groups of users. This will set the “DenyUsers” and “DenyGroups” options in the /etc/ssh/sshd_config file. The value for these parameters is a space-separated list of user names (for DenyUsers) or group names (for DenyGroups). If a value is not provided for a parameter, the corresponding option is not added to the /etc/ssh/sshd_config file.

minlen, minclass, dcredit, ucredit, ocredit, lcredit

CIS rule 5.3.1 - Password quality parameters. They are passed to the PAM pwquality module to enforce restrictions when changing passwords. Information about them can be found in the pwquality.conf man page.

unowned_user

CIS rule 6.1.11 - The unowned_user parameter specifies which user files without an owner will be assigned to. The unowned_group parameter does the same for files without a group owner.

delete_user_files

CIS rules 6.2.11, 6.2.12, 6.2.14 - if set to true, the script will delete the offending files (for the list, refer to the aforementioned rules) inside each user's home directory. Otherwise, only a warning message is printed for each file violating the policy.

Focal Tool

sudo_log

CIS rule 1.3.3 - sudo_log sets the path to the sudo log file. More information about this parameter can be found in the sudoers man page.

grub_hash, grub_user

CIS rule 1.5.2 - grub_user sets the user who must authenticate in order to edit bootloader entries at boot time. grub_hash is the password hash generated by the command grub-mkpasswd-pbkdf2. If either parameter is empty, this rule is not applied and a message requiring manual configuration is printed. Note: the impact of this rule has been taken into account: the --restricted option will be set so that the system can boot without authenticating, but editing grub menu items requires authentication.

root_hash

CIS rule 1.5.3 - root_hash contains the hashed password for the root user, which will be written to the /etc/shadow file. To generate the hash, run the command “openssl passwd -6” and type the password twice. Set the root_hash parameter to the resulting hash. If the root_hash parameter is empty, the root password is not changed.

lvl1_apparmor_enforce

CIS rule 1.7.1.3 - if lvl1_apparmor_enforce contains the value “true”, AppArmor profiles will be set to enforce mode even on CIS level 1 profiles. Otherwise, AppArmor profiles will be set to complain mode on CIS level 1 profiles.

time_sync_svc, time_sync_addr

CIS rules 2.2.1.1 to 2.2.1.4 - time_sync_svc chooses which service will take care of time synchronization (NTP service). time_sync_addr states the address of the server used for time synchronization.

max_log_file

CIS rule 4.1.2.1 - Sets the maximum size of the audit log file. The log is rotated once the cap is reached. More information about this parameter can be found in the auditd.conf man page.

remote_log_server

CIS rule 4.2.1.5 - sets the host address and port of the remote log server which will receive the log messages generated by the host. Use the format <host/ip>:<port> to set a port number.

AllowUsers, AllowGroups

CIS rule 5.2.18 - The parameters AllowUsers and AllowGroups set, respectively, which users or groups of users may log in to the machine over ssh. This will set the “AllowUsers” and “AllowGroups” options in the /etc/ssh/sshd_config file. The value for these parameters is a space-separated list of user names (for AllowUsers) or group names (for AllowGroups). If a value is not provided for a parameter, the corresponding option is not added to the /etc/ssh/sshd_config file.

DenyUsers, DenyGroups

CIS rule 5.2.18 - The parameters DenyUsers and DenyGroups deny ssh access to users or groups of users. This will set the “DenyUsers” and “DenyGroups” options in the /etc/ssh/sshd_config file. The value for these parameters is a space-separated list of user names (for DenyUsers) or group names (for DenyGroups). If a value is not provided for a parameter, the corresponding option is not added to the /etc/ssh/sshd_config file.

minlen, minclass, dcredit, ucredit, ocredit, lcredit

CIS rule 5.3.1 - Password quality parameters. They are passed to the PAM pwquality module to enforce restrictions when changing passwords. Information about them can be found in the pwquality.conf man page.

unowned_user

CIS rule 6.1.11 - The unowned_user parameter specifies which user files without an owner will be assigned to. The unowned_group parameter does the same for files without a group owner.

delete_user_files

CIS rules 6.2.11, 6.2.12, 6.2.14 - if set to true, the script will delete the offending files (for the list, refer to the aforementioned rules) inside each user's home directory. Otherwise, only a warning message is printed for each file violating the policy.