CIS Compliance for Ubuntu

Compliance information

The Center for Internet Security (CIS) develops the CIS Benchmark documents for Ubuntu 20.04, 18.04 and 16.04.

Ubuntu Advantage provides software that automates both hardening and auditing of Ubuntu 20.04, 18.04 and 16.04 systems, based on the published CIS Benchmarks.

Ubuntu-Advantage Tool Installation

CIS configuration can be enabled automatically via the Ubuntu Advantage Tool (also known as the “UA tool” or “UA client”) on bare-metal, virtual and cloud systems.
Version 27.1 or later of the UA tool is required for this method.
If the UA tool is already installed, it reports its own version:

ua version

If necessary, apt can be used to install the tool or update it to the latest version:

sudo apt update && sudo apt install ubuntu-advantage-tools

Access to the CIS repository is controlled by a token associated with an Ubuntu Advantage subscription.

Obtaining UA Token

Ubuntu Pro instances on AWS, Azure and GCP can skip the steps below, including the ua attach step: these instances come already attached to UA, so no token is needed.

  1. Login at ubuntu.com/advantage using the Ubuntu One account tied to your UA-I subscription.
  2. Under the “Your paid subscriptions” header, click on the down-arrow in the “machines” column for the row of your subscription. This may already be expanded.
  3. Find your token in the provided attach command, which has the form sudo ua attach <TOKEN>. Save this token for the steps below.

Setting up the CIS packages with the UA tool

  1. Attach the system to the Ubuntu Advantage service:

sudo ua attach <TOKEN>

  2. Enable the CIS configuration:

sudo ua enable cis

  3. Verify that the system is attached to UA and that the CIS repository is enabled:

sudo ua status

Configure and run CIS Benchmark rules

Once the Canonical CIS Benchmark compliance tools are installed, review the parameters in /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf and set them according to your technical and organisational policies. The file is divided into sections of variables, with comments indicating which variables affect which CIS rule. For more information about the parameters in ruleset-params.conf, please see this page.

Next, run the hardening script. Note that the hardening scripts, as released, are designed for fresh installations of Ubuntu, before any additional, non-core services have been installed. On an existing system the changes they make (to services, authentication and network settings, among others) can break running workloads, so run them on a disposable test system or snapshot first and review the result before applying them to production.

The installed hardening script is located at:

  • /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh on Ubuntu 20.04 (Focal)
  • /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh on Ubuntu 18.04 (Bionic)
  • /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh on Ubuntu 16.04 (Xenial)

The script applies one of four profiles, selected with one of the following command-line arguments (the Level 1 Workstation, Level 1 Server, Level 2 Workstation and Level 2 Server profiles, respectively):

  • lvl1_workstation
  • lvl1_server
  • lvl2_workstation
  • lvl2_server

The commands below are examples of applying the Level 2 Workstation profile on an Ubuntu 20.04 (Focal) system, and the Level 1 Server profile on Ubuntu 18.04 (Bionic) and 16.04 (Xenial) systems. The script changes system-wide configuration and must be run as root:

Ubuntu 20.04

sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_workstation

Note: By running the tool to configure a Level 2 profile, the appropriate Level 1 profile rules are automatically applied, as well.

Ubuntu 18.04

sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh lvl1_server

Ubuntu 16.04

sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh lvl1_server
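As an added example that ties together the attach/enable/verify steps in “Setting up the CIS packages with the UA tool” and the hardening run above (this is not code from the page or from Canonical): the script below checks the UA tool version against the 27.1 minimum, maps the running release to the hardening script path listed above, validates the profile name, attaches and enables CIS only when `ua status` does not already report it, and then runs the hardening script. It assumes, beyond what the page states, that `ua version` prints a string such as 27.1~20.04.1, that `ua status` prints a row beginning `cis yes enabled` once the repository is enabled, and that /etc/os-release provides VERSION_ID; the sample status lines used to check the parser are constructed.

```shell
#!/bin/sh
# Added example, not code from the page or from Canonical: wrap the UA
# attach/enable/verify steps and the hardening run into one script that
# refuses to proceed on the wrong UA version, release or profile.
# Assumptions not stated on the page: `ua version` prints a string such as
# "27.1~20.04.1"; `ua status` prints a row "cis  yes  enabled ..." when the
# CIS repository is enabled; /etc/os-release carries VERSION_ID.
set -eu

BASE=/usr/share/ubuntu-scap-security-guides/cis-hardening

# version_ge A B: true if dotted version A >= B, compared numerically per
# component, ignoring a packaging suffix (27.1~20.04.1 -> 27.1; 27.10 > 27.9).
version_ge() {
    va=${1%%[!0-9.]*}; vb=${2%%[!0-9.]*}
    oldifs=$IFS; IFS=.
    set -- $va; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $vb; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# Map VERSION_ID from /etc/os-release to the hardening script path given on the page.
harden_script_for() {
    case "$1" in
        20.04) echo "$BASE/Canonical_Ubuntu_20.04_CIS-harden.sh" ;;
        18.04) echo "$BASE/Canonical_Ubuntu_18.04_CIS-harden.sh" ;;
        16.04) echo "$BASE/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh" ;;
        *) echo "no Canonical CIS hardening script for Ubuntu $1" >&2; return 1 ;;
    esac
}

# Accept only the four profile names the hardening script understands.
valid_profile() {
    case "$1" in
        lvl1_workstation|lvl1_server|lvl2_workstation|lvl2_server) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ua status` output on stdin; true if the cis row reads "cis  yes  enabled".
# (Assumed output layout; a constructed sample row is used in testing.)
cis_enabled() {
    grep -Eq '^cis[[:space:]]+yes[[:space:]]+enabled'
}

main() {
    profile=${1:-lvl1_server}; token=${2:-}
    valid_profile "$profile" || { echo "unknown profile: $profile" >&2; return 2; }

    have=$(ua version)
    version_ge "$have" 27.1 || { echo "ua $have is older than 27.1" >&2; return 2; }

    release=$(. /etc/os-release && printf '%s' "$VERSION_ID")
    script=$(harden_script_for "$release")   # set -e aborts on an unsupported release

    # Attach and enable only when cis is not already enabled (Ubuntu Pro cloud
    # images are attached already, so no token is needed there).
    if ! sudo ua status | cis_enabled; then
        [ -n "$token" ] && sudo ua attach "$token"
        sudo ua enable cis
        sudo ua status | cis_enabled || { echo "cis still not enabled" >&2; return 1; }
    fi

    echo "Reminder: review $BASE/ruleset-params.conf before hardening." >&2
    sudo "$script" "$profile"
}

# Run main only when arguments are given (e.g. ./cis-harden.sh lvl1_server <TOKEN>),
# so the functions above can be sourced and exercised without touching the system.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as ./cis-harden.sh lvl1_server <TOKEN> on a test system first. The version check compares each dotted component as a number, so 27.10 is treated as newer than 27.9, which a plain string comparison would get wrong, and the packaging suffix that `ua version` appends is stripped before comparing.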

Necessary manual steps for completion

Some rules must be configured manually to reach compliance. Please refer to this page for the rules that must still be applied after the script has run.

Get the latest updates

A mailing list is used to announce patches and news related to the CIS packages and certifications.
To join the list, send an email with “join” in the body to ubuntu-certs-announce-request@lists.canonical.com.
Announcements are sent to ubuntu-certs-announce@lists.canonical.com from an “@canonical.com” address.