After installing the CIS Benchmark compliance tools, set the benchmark parameters (according to your technical and institutional policies) in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables, with comments indicating which variables affect which CIS rule. For more information about the parameters in ruleset-params.conf, please see this page.
The location of the compliance tool depends on the Ubuntu version:
Ubuntu version | Script name |
---|---|
20.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh |
18.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh |
16.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh |
The tool can apply four different profiles, each selected by passing one of the following profile names on the command line:
Tool profile name | Corresponding CIS profile |
---|---|
lvl1_workstation | Level 1 Workstation profile |
lvl1_server | Level 1 Server profile |
lvl2_workstation | Level 2 Workstation profile |
lvl2_server | Level 2 Server profile |
Example
The following example will configure an Ubuntu 20.04 LTS server to the Level 2 profile.
$ sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
NOTE
Running the tool with a Level 2 profile also applies the rules of the corresponding Level 1 profile automatically.
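A pre-flight wrapper for the steps above, as an added example that is not part of the original page or of Canonical's tooling: it reads the release from os-release, selects the matching script from the table, rejects any profile name outside the four listed, confirms that ruleset-params.conf and the script are present, and prints the command rather than running it. The function names, the CIS_DIR override and the print-only behaviour are assumptions of this example.

```shell
# Added example: pre-flight checks before invoking a CIS hardening script.
# Function names and the CIS_DIR override are assumptions of this example.
CIS_DIR=${CIS_DIR:-/usr/share/ubuntu-scap-security-guides/cis-hardening}

# Read VERSION_ID from an os-release file without sourcing it as shell code.
ubuntu_version() {
    sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "${1:-/etc/os-release}"
}

# Map an Ubuntu version to the script name given in the table above.
cis_script_for() {
    case "$1" in
        20.04) echo "$CIS_DIR/Canonical_Ubuntu_20.04_CIS-harden.sh" ;;
        18.04) echo "$CIS_DIR/Canonical_Ubuntu_18.04_CIS-harden.sh" ;;
        16.04) echo "$CIS_DIR/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh" ;;
        *) echo "unsupported Ubuntu version: '$1'" >&2; return 1 ;;
    esac
}

# Accept only the four profile names the tool documents.
cis_valid_profile() {
    case "$1" in
        lvl1_workstation|lvl1_server|lvl2_workstation|lvl2_server) return 0 ;;
        *) echo "unknown profile: '$1'" >&2; return 1 ;;
    esac
}

# Print the command to run; fail if the profile, version or files are wrong.
cis_harden_cmd() {
    profile=$1 osrel=${2:-/etc/os-release}
    cis_valid_profile "$profile" || return 1
    script=$(cis_script_for "$(ubuntu_version "$osrel")") || return 1
    [ -r "$CIS_DIR/ruleset-params.conf" ] ||
        { echo "missing $CIS_DIR/ruleset-params.conf" >&2; return 1; }
    [ -x "$script" ] || { echo "not executable: $script" >&2; return 1; }
    echo "sudo $script $profile"
}
```

Calling `cis_harden_cmd lvl2_server` on a 20.04 system with the tools installed prints the same command as the example above; review ruleset-params.conf before running it.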
Manual steps for completion
Note that not everything in the CIS profiles can be automated. There is a small set of rules that need to be manually configured into compliance. Please refer to this page to see more information on these rules.