Upon successful installation of the Canonical CIS Benchmark compliance tools, you need to setup certain parameters for the benchmark (according to technical and institutional policies) in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables with comments illustrating which variables affect which CIS rule. For more information about parameters in ruleset-params.conf, please see this page.

WARNING

Always run the hardening scripts on fresh installations of Ubuntu. As the hardening scripts adjust the system configuration, if additional non-core services have been installed to the system, the compliance scripts may break them by modifying essential configuration.

The compliance tool is located at the following locations depending on the system:

Furthermore, the tool has four different profiles that it can apply using one of the following command line options, relating to a Level 1 Workstation profile, a Level 1 Server profile, a Level 2 Workstation profile, and a Level 2 Server profile, respectively:

Example

The following example will configure an Ubuntu 20.04 LTS server to the Level 2 profile.

$ sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server

NOTE

By running the tool to configure a Level 2 profile, the appropriate Level 1 profile rules are automatically applied, as well.

Manual steps for completion

Note that not everything in the CIS profiles can be automated. There is a small set of rules that need to be manually configured into compliance. Please refer to this page to see more information on these rules.