CIS compliance with Ubuntu 20.04 LTS and 22.04 LTS

Applying the CIS rules to the current system

Modifying a system to comply with the CIS benchmark with USG is as simple as the following command:

$ sudo usg fix <PROFILE>

where profile is one of the following.

Profile name Corresponding CIS profile
cis_level1_workstation Level 1 Workstation profile
cis_level1_server Level 1 Server profile
cis_level2_workstation Level 2 Workstation profile
cis_level2_server Level 2 Server profile

After running the command the system is modified to comply with the provided profile.

Applying the CIS rules to a set of systems

It is not always practical to install the Ubuntu Security Guide to the systems that need to comply. For these systems you can generate a bash script that will apply the necessary changes. The following command generates that script.

$ sudo usg generate-fix <PROFILE> --output

Customizing the rules

Compliance with the CIS benchmark is not an all-or-nothing task. Each environment is different and options that are considered as niche in one place can be essential in another. As such, it is possible to tailor the CIS benchmark to the necessary rules, as well as customize the rules that have multiple options available. See more on the customizing the profile section.

1 Like

Please include the installation instructions for usg on 22.04

Howdy! I think it might be beneficial to maybe link to some documentation that discerns between the two levels. Specifically the official docs, but maybe also something from Canonical that describes the technical differences?

1 Like