Configure and run the CIS Benchmark rules

Configure and run the CIS Benchmark rules

Upon successful installation of the Canonical CIS Benchmark compliance tools, you need to setup certain parameters for the benchmark (according to technical and institutional policies) in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables with comments illustrating which variables affect which CIS rule. For more information about parameters in ruleset-params.conf, please see this page.


WARNING

Always run the hardening scripts on fresh installations of Ubuntu. As the hardening scripts adjust the system configuration, if additional non-core services have been installed to the system, the compliance scripts may break them by modifying essential configuration.


The compliance tool is located at the following locations depending on the system:

Ubuntu version Script name
20.04 LTS /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh
18.04 LTS /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh
16.04 LTS /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh

Furthermore, the tool has four different profiles that it can apply using one of the following command line options, relating to a Level 1 Workstation profile, a Level 1 Server profile, a Level 2 Workstation profile, and a Level 2 Server profile, respectively:

Tool profile name Corresponding CIS profile
lvl1_workstation Level 1 Workstation profile
lvl1_server Level 1 Server profile
lvl2_workstation Level 2 Workstation profile
lvl2_server Level 2 Server profile

Example

The following example will configure an Ubuntu 20.04 LTS server to the Level 2 profile.

$ sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server

NOTE

By running the tool to configure a Level 2 profile, the appropriate Level 1 profile rules are automatically applied, as well.


Manual steps for completion

Note that not everything in the CIS profiles can be automated. There is a small set of rules that need to be manually configured into compliance. Please refer to this page to see more information on these rules.

CIS versions

The CIS benchmarks on each Ubuntu LTS release are versioned. For example, at the time of writing, these profiles apply to Ubuntu.

Ubuntu release CIS profile version
20.04 LTS 1.0.0
18.04 LTS 2.0.1
16.04 LTS 1.1.0

The version of the profiles is tied to the specific release they apply and are not related, nor can be compared across releases.