Manual Configuration for CIS

While the provided CIS hardening scripts configure many CIS rules, some rules must be manually configured into compliance.

Rules addressed below are from the Ubuntu Xenial/16.04 Benchmark v1.1.0, Ubuntu Bionic/18.04 Benchmark v2.0.1, and Ubuntu Focal/20.04 Benchmark v1.0.0. These are the Benchmark versions covered by the present hardening tools.

Rules marked as “N/A” do not necessarily lack a counterpart in that Benchmark; the marking only means the hardening tool does not flag them as needing manual configuration for that release.

CIS Level 1 (Server and Workstation Profiles)

Root Password Rule

The Bionic and Focal hardening tools include a root_hash optional parameter to help with this configuration.

  • Xenial 1.4.3; Bionic 1.4.4; Focal 1.5.3: Ensure authentication required for single user mode

XD/NX Support

This rule requires a BIOS configuration change.

  • Xenial N/A; Bionic 1.6.1; Focal 1.6.1: Ensure XD/NX support is enabled

Hosts.allow and Hosts.deny Rules

The hardening scripts only install a generic version of these files. Configure them specifically for your network.

  • Xenial 3.4.2; Bionic N/A; Focal N/A: Ensure /etc/hosts.allow is configured
  • Xenial 3.4.3; Bionic N/A; Focal N/A: Ensure /etc/hosts.deny is configured

Firewall Rules

Configure these specifically for your network.

  • Xenial 3.6.2; Bionic 3.5.3.2.1/3.5.3.3.1; Focal 3.5.1.7: Ensure default deny firewall policy
  • Xenial 3.6.5; Bionic 3.5.3.2.4/3.5.3.3.4; Focal 3.5.1.6: Ensure firewall rules exist for all open ports
  • Xenial N/A; Bionic 3.5.4.1.1; Focal N/A: Ensure default deny firewall policy
  • Xenial N/A; Bionic N/A; Focal 3.5.3.2.3: Ensure outbound and established connections are configured
  • Xenial N/A; Bionic 3.5.4.1.4; Focal 3.5.3.2.4: Ensure firewall rules exist for all open ports
  • Xenial N/A; Bionic N/A; Focal 3.5.3.3.3: Ensure IPv6 outbound and established connections are configured
  • Xenial N/A; Bionic 3.5.4.2.1; Focal 3.5.3.3.4: Ensure IPv6 default deny firewall policy

Logfile Permissions

  • Xenial N/A; Bionic 4.2.3; Focal 4.2.3: Ensure permissions on all logfiles are configured

User Password Creation Time Audit Rule

To satisfy this rule, verify that no user account has a last password change date that lies in the future.

  • Xenial 5.4.1.5; Bionic 5.5.1.5; Focal 5.4.1.5: Ensure all users last password change date is in the past
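An added audit helper for the password change date rule above (example code written for this page, not part of the hardening tools): it reads the third field of shadow-format entries, the day number of the last password change, and lists accounts whose value is later than "today". The sample entries and the temporary file are constructed; the live invocation against /etc/shadow is shown in a comment.

```shell
#!/bin/sh
# Added example, not part of the CIS hardening tools.
# Shadow field 3 is the last password change expressed as days since
# 1970-01-01; an entry later than today's day number violates the rule.

# Print "user:day" for every entry whose last-change day is after $2.
# $1: path to a shadow-format file, $2: "today" as days since the epoch.
future_password_changes() {
    shadow_file=$1
    today=$2
    awk -F: -v today="$today" '
        # An empty field or 0 means "unknown / change forced", not a future date.
        $3 != "" && ($3 + 0) > (today + 0) { print $1 ":" $3 }
    ' "$shadow_file"
}

# Today's day number (UTC), for auditing the real file.
today_days() {
    echo $(( $(date -u +%s) / 86400 ))
}

# Constructed sample data: alice is compliant, bob's last change is in
# the future, carol's account has no usable password (field 3 is 0).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
alice:$6$placeholderhash:19000:0:99999:7:::
bob:$6$placeholderhash:30000:0:99999:7:::
carol:!:0:0:99999:7:::
EOF

# Prints "bob:30000" when "today" is day 19500.
future_password_changes "$SAMPLE_SHADOW" 19500
rm -f "$SAMPLE_SHADOW"

# Live audit (requires root to read the shadow file):
#   future_password_changes /etc/shadow "$(today_days)"
```

Any account the helper prints needs its last-change date corrected (for example with chage) before the rule passes.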

User and Group Rules

  • Xenial 6.2.6; Bionic 6.2.7; Focal 6.2.7: Ensure root PATH Integrity
  • Xenial 6.2.16; Bionic 6.2.16; Focal 6.2.13: Ensure no duplicate UIDs exist
  • Xenial 6.2.17; Bionic 6.2.17; Focal 6.2.14: Ensure no duplicate GIDs exist
  • Xenial 6.2.18; Bionic 6.2.18; Focal 6.2.15: Ensure no duplicate user names exist
  • Xenial 6.2.19; Bionic 6.2.19; Focal 6.2.16: Ensure no duplicate group names exist
  • Xenial 6.2.20; Bionic 6.2.20; Focal 6.2.17: Ensure shadow group is empty

CIS Level 2 (Server and Workstation Profiles)

These rules apply in addition to the CIS Level 1 rules listed above.

Separate Partition Rules

  • Xenial 1.1.2; Bionic 1.1.2; Focal 1.1.2: Ensure separate partition exists for /tmp; Ensure /tmp is configured
  • Xenial N/A; Bionic N/A; Focal 1.1.6: Ensure /dev/shm is configured
  • Xenial N/A; Bionic 1.1.15; Focal 1.1.7: Ensure nodev option set on /dev/shm partition
  • Xenial 1.1.5; Bionic 1.1.6; Focal 1.1.10: Ensure separate partition exists for /var
  • Xenial 1.1.6; Bionic 1.1.7; Focal 1.1.11: Ensure separate partition exists for /var/tmp
  • Xenial N/A; Bionic 1.1.8; Focal 1.1.12: Ensure /var/tmp partition includes the nodev option
  • Xenial N/A; Bionic 1.1.9; Focal 1.1.13: Ensure /var/tmp partition includes the nosuid option
  • Xenial 1.1.10; Bionic 1.1.15; Focal 1.1.15: Ensure separate partition exists for /var/log
  • Xenial 1.1.11; Bionic 1.1.16; Focal 1.1.16: Ensure separate partition exists for /var/log/audit
  • Xenial 1.1.12; Bionic 1.1.17; Focal 1.1.17: Ensure separate partition exists for /home

Regarding Postfix Configuration

Xenial rule 1.3.1 / Bionic rule 1.3.1 / Focal rule 1.4.1 (“Ensure AIDE is installed”) performs a basic Postfix configuration, since Postfix is installed as a dependency of AIDE. After the script has run, it is recommended to properly configure the Postfix server. This includes changing the /etc/mailname file, which is set to a default value of your.hostname.com.