Applying the CIS rules to the current system
Modifying a system to comply with the CIS benchmark with USG is as simple as the following command:
$ sudo usg fix <PROFILE>
where profile is one of the following.
| Profile name | Corresponding CIS profile |
|---|---|
| cis_level1_workstation | Level 1 Workstation profile |
| cis_level1_server | Level 1 Server profile |
| cis_level2_workstation | Level 2 Workstation profile |
| cis_level2_server | Level 2 Server profile |
After running the command the system is modified to comply with the provided profile.
Applying the CIS rules to a set of systems
It is not always practical to install the Ubuntu Security Guide to the systems that need to comply. For these systems you can generate a bash script that will apply the necessary changes. The following command generates that script.
$ sudo usg generate-fix <PROFILE> --output fix.sh
Customizing the rules
Compliance with the CIS benchmark is not an all-or-nothing task. Each environment is different and options that are considered as niche in one place can be essential in another. As such, it is possible to tailor the CIS benchmark to the necessary rules, as well as customize the rules that have multiple options available. See more on the customizing the profile section.