CIS Compliance with Ubuntu 16.04 and 18.04

Upon successful installation of the CIS Benchmark compliance tools, you need to setup certain parameters for the benchmark (according to technical and institutional policies) in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables with comments illustrating which variables affect which CIS rule. For more information about parameters in ruleset-params.conf, please see this page.

The compliance tool is located at the following locations depending on the system:

Ubuntu version Script name
20.04 LTS /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh
18.04 LTS /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh
16.04 LTS /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh

Furthermore, the tool has four different profiles that it can apply using one of the following command line options, relating to a Level 1 Workstation profile, a Level 1 Server profile, a Level 2 Workstation profile, and a Level 2 Server profile, respectively:

Tool profile name Corresponding CIS profile
lvl1_workstation Level 1 Workstation profile
lvl1_server Level 1 Server profile
lvl2_workstation Level 2 Workstation profile
lvl2_server Level 2 Server profile

Example

The following example will configure an Ubuntu 20.04 LTS server to the Level 2 profile.

$ sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server

NOTE

By running the tool to configure a Level 2 profile, the appropriate Level 1 profile rules are automatically applied, as well.


Manual steps for completion

Note that not everything in the CIS profiles can be automated. There is a small set of rules that need to be manually configured into compliance. Please refer to this page to see more information on these rules.