Upon successful installation of the CIS Benchmark compliance tools, you need to set certain parameters for the benchmark, according to your technical and institutional policies, in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables, with comments indicating which variables affect which CIS rule. For more information about parameters in ruleset-params.conf, please see this page.
The compliance tool is installed at one of the following locations, depending on the Ubuntu version:
| Ubuntu version | Script name |
|---|---|
| 20.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh |
| 18.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh |
| 16.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh |
Furthermore, the tool can apply four different profiles, each selected with one of the following command-line options:
| Tool profile name | Corresponding CIS profile |
|---|---|
| lvl1_workstation | Level 1 Workstation profile |
| lvl1_server | Level 1 Server profile |
| lvl2_workstation | Level 2 Workstation profile |
| lvl2_server | Level 2 Server profile |
Example
The following example will configure an Ubuntu 20.04 LTS server to the Level 2 profile.
$ sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
NOTE
Running the tool to configure a Level 2 profile automatically applies the appropriate Level 1 profile rules as well.
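The following pre-flight wrapper is an added example, not part of the Canonical tooling: it picks the script for the running release from the tables above, rejects unknown profile names, and confirms that ruleset-params.conf and the script are present before printing the command to run. The function names, the return codes 2 to 5 and the CIS_DIR override are assumptions of this example; VERSION_ID is read from /etc/os-release.

```shell
#!/bin/sh
# Added example: pre-flight check before running the CIS hardening script.
# CIS_DIR can be overridden for testing; the default is the path from this page.
CIS_DIR=${CIS_DIR:-/usr/share/ubuntu-scap-security-guides/cis-hardening}

# Map an Ubuntu VERSION_ID to the script name listed in the table above.
cis_script_for_version() {
    case "$1" in
        20.04) echo "Canonical_Ubuntu_20.04_CIS-harden.sh" ;;
        18.04) echo "Canonical_Ubuntu_18.04_CIS-harden.sh" ;;
        16.04) echo "Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh" ;;
        *) return 1 ;;
    esac
}

# Accept only the four documented profile names.
cis_valid_profile() {
    case "$1" in
        lvl1_workstation|lvl1_server|lvl2_workstation|lvl2_server) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract VERSION_ID (quoted or not) from an os-release style file.
cis_detect_version() {
    sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1"
}

# Print the command to run, or explain why not. Nothing is executed here.
# Args: profile [os-release file]. Return codes 2-5 are this example's own.
cis_plan() {
    profile=$1
    osrel=${2:-/etc/os-release}
    cis_valid_profile "$profile" || { echo "unknown profile: $profile" >&2; return 2; }
    ver=$(cis_detect_version "$osrel")
    name=$(cis_script_for_version "$ver") || { echo "unsupported release: $ver" >&2; return 3; }
    [ -r "$CIS_DIR/ruleset-params.conf" ] || { echo "missing ruleset-params.conf" >&2; return 4; }
    [ -x "$CIS_DIR/$name" ] || { echo "not installed: $CIS_DIR/$name" >&2; return 5; }
    echo "sudo $CIS_DIR/$name $profile"
}

# When invoked with arguments, e.g. `sh cis-plan.sh lvl2_server`, print the plan.
if [ "$#" -gt 0 ]; then cis_plan "$@"; fi
```

Review ruleset-params.conf against your policies before running the printed command; the wrapper only checks that the file exists, not its contents.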
Manual steps for completion
Note that not everything in the CIS profiles can be automated. A small set of rules must be brought into compliance manually. Please refer to this page for more information on these rules.