Configure and run the CIS Benchmark rules
After installing the Canonical CIS Benchmark compliance tools, set the benchmark parameters (according to your technical and institutional policies) in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables, with comments indicating which variables affect which CIS rule. For more information about the parameters in ruleset-params.conf, please see this page.
Always run the hardening scripts on fresh installations of Ubuntu. Because the hardening scripts adjust the system configuration, they may break additional non-core services installed on the system by modifying essential configuration.
The location of the compliance tool depends on the Ubuntu version:
|Ubuntu version||Script name|
The tool can apply one of four profiles, selected with the following command-line options, which correspond to the Level 1 Workstation, Level 1 Server, Level 2 Workstation, and Level 2 Server profiles, respectively:
|Tool profile name||Corresponding CIS profile|
|lvl1_workstation||Level 1 Workstation profile|
|lvl1_server||Level 1 Server profile|
|lvl2_workstation||Level 2 Workstation profile|
|lvl2_server||Level 2 Server profile|
The following example will configure an Ubuntu 20.04 LTS server to the Level 2 profile.
$ sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
Running the tool with a Level 2 profile automatically applies the corresponding Level 1 profile rules as well.
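A pre-flight wrapper for the run described above, added here as an example and not part of Canonical's tooling: it rejects unknown profile names, confirms that the hardening script and ruleset-params.conf are present, and saves a copy of the reviewed parameters before anything is changed. The function names, the environment overrides and the /root backup location are assumptions; the default paths are the 20.04 ones shown on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks around the hardening script (not Canonical's code).
# Defaults are the 20.04 paths from this page; on other releases set HARDEN_SCRIPT
# to the script listed for that release. BACKUP_DIR (/root) is an assumption.
CIS_DIR="${CIS_DIR:-/usr/share/ubuntu-scap-security-guides/cis-hardening}"
HARDEN_SCRIPT="${HARDEN_SCRIPT:-$CIS_DIR/Canonical_Ubuntu_20.04_CIS-harden.sh}"
PARAMS="${PARAMS:-$CIS_DIR/ruleset-params.conf}"
BACKUP_DIR="${BACKUP_DIR:-/root}"

# Accept only the four profile names the tool documents.
valid_profile() {
    case "$1" in
        lvl1_workstation|lvl1_server|lvl2_workstation|lvl2_server) return 0 ;;
        *) return 1 ;;
    esac
}

# A Level 2 run also applies the matching Level 1 rules; list what will be applied.
profiles_applied() {
    case "$1" in
        lvl2_workstation) echo "lvl1_workstation lvl2_workstation" ;;
        lvl2_server)      echo "lvl1_server lvl2_server" ;;
        *)                echo "$1" ;;
    esac
}

# Verify everything that can be verified before the system is modified.
preflight() {
    valid_profile "$1" || { echo "unknown profile: $1" >&2; return 2; }
    [ -x "$HARDEN_SCRIPT" ] || { echo "not executable: $HARDEN_SCRIPT" >&2; return 3; }
    [ -r "$PARAMS" ] || { echo "not readable: $PARAMS" >&2; return 4; }
}

# Save a timestamped copy of the reviewed parameters, then run the hardening script.
harden() {
    preflight "$1" || return $?
    backup="$BACKUP_DIR/ruleset-params.conf.$(date +%Y%m%dT%H%M%S)"
    cp -p "$PARAMS" "$backup" || return 5
    echo "applying: $(profiles_applied "$1") (parameters saved to $backup)"
    "$HARDEN_SCRIPT" "$1"
}

# Usage (as root): sh cis-preflight.sh lvl2_server
if [ "$#" -gt 0 ]; then harden "$1"; fi
```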
Manual steps for completion
Note that not everything in the CIS profiles can be automated. There is a small set of rules that need to be manually configured into compliance. Please refer to this page to see more information on these rules.
The CIS benchmarks on each Ubuntu LTS release are versioned. For example, at the time of writing, these profiles apply to Ubuntu.
|Ubuntu release||CIS profile version|
The profile version is tied to the specific release it applies to; versions are not related and cannot be compared across releases.