Manual Configuration for CIS

While the provided CIS hardening scripts configure most CIS rules automatically, some rules must be brought into compliance by hand, either because the correct value depends on the environment (network layout, disk layout, root password) or because the change is outside the operating system (BIOS settings).

Rules addressed below are from the Ubuntu Xenial/16.04 Benchmark v1.1.0, Ubuntu Bionic/18.04 Benchmark v2.0.1, and Ubuntu Focal/20.04 Benchmark v1.0.0. These are the Benchmark versions covered by the present hardening tools.

A rule marked “N/A” for a release does not necessarily mean the rule is absent from that release's Benchmark; it only means the hardening tool for that release does not flag the rule as needing manual configuration.

CIS Level 1 (Server and Workstation Profiles)

Root Password Rule

The Bionic and Focal hardening tools include an optional root_hash parameter to help with this configuration; its value is a password hash in /etc/shadow format (for example produced by mkpasswd -m sha-512 or openssl passwd -6). On Xenial, set the root password directly with passwd. The rule is satisfied once the root entry in /etc/shadow carries a real hash rather than a locked (“*” or “!”) field.

  • Xenial 1.4.3; Bionic 1.4.4; Focal 1.5.3: Ensure authentication required for single user mode

XD/NX Support

This rule requires a BIOS/UEFI configuration change and cannot be scripted. Verify the result after reboot with dmesg | grep -i 'NX (Execute Disable)': the kernel logs “NX (Execute Disable) protection: active” when the feature is on.

  • Xenial N/A; Bionic 1.6.1; Focal 1.6.1: Ensure XD/NX support is enabled

Hosts.allow and Hosts.deny Rules

The scripts only install a generic version of these two TCP Wrappers files. Configure them specifically for your network: hosts.allow is consulted first and a match there grants access, then hosts.deny is consulted, and a connection matching neither file is allowed, so the usual pattern is a hosts.deny containing only “ALL: ALL” and a hosts.allow listing the permitted sources, e.g. “sshd: 192.168.1.0/255.255.255.0”. The Bionic and Focal Benchmarks no longer carry these rules.

  • Xenial 3.4.2; Bionic N/A; Focal N/A: Ensure /etc/hosts.allow is configured
  • Xenial 3.4.3; Bionic N/A; Focal N/A: Ensure /etc/hosts.deny is configured

Firewall Rules

The scripts cannot know which services a host must expose, so write these rules for your network: default-deny policies on the INPUT, OUTPUT and FORWARD chains (IPv4 and, where enabled, IPv6), explicit accept rules for loopback traffic and for outbound and established connections, and one accept rule per listening port. Apply the default-deny policy only after the accept rules are in place, or a remote session will be cut off.

  • Xenial 3.6.2; Bionic 3.5.3.2.1/3.5.3.3.1; Focal 3.5.1.7: Ensure default deny firewall policy
  • Xenial 3.6.5; Bionic 3.5.3.2.4/3.5.3.3.4; Focal 3.5.1.6: Ensure firewall rules exist for all open ports
  • Xenial N/A; Bionic 3.5.4.1.1; Focal N/A: Ensure default deny firewall policy
  • Xenial N/A; Bionic N/A; Focal 3.5.3.2.3: Ensure outbound and established connections are configured
  • Xenial N/A; Bionic 3.5.4.1.4; Focal 3.5.3.2.4: Ensure firewall rules exist for all open ports
  • Xenial N/A; Bionic N/A; Focal 3.5.3.3.3: Ensure IPv6 outbound and established connections are configured
  • Xenial N/A; Bionic 3.5.4.2.1; Focal 3.5.3.3.4: Ensure IPv6 default deny firewall policy
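Deciding which ports still need rules is easier with a check that compares listening sockets against the INPUT chain. The following is an added example, not part of the hardening tools: it parses the output of the two commands the Benchmark audit uses, ss -4tuln and iptables -S INPUT, and here runs over constructed samples of both (the SAMPLE_* variables, the ports and the rules in them are made up for illustration). Loopback-bound sockets are skipped because the loopback accept rule covers them.

```shell
#!/bin/sh
# Added audit helper (not part of the CIS hardening tools): report listening
# TCP/UDP ports that have no matching rule in the iptables INPUT chain.
# On a live host feed it with:  ss -4tuln > ss.txt; iptables -S INPUT > ipt.txt
# The default-deny policy itself is set with
#   iptables -P INPUT DROP; iptables -P OUTPUT DROP; iptables -P FORWARD DROP
# once the loopback and established-connection accept rules are in place.

# Print "proto port" for each non-loopback listening socket in `ss -4tuln` output.
# $5 is Local Address:Port; the port is the last colon-separated field.
listening_ports() {
  awk 'NR > 1 && $5 !~ /^127\./ { n = split($5, a, ":"); print $1, a[n] }' | sort -u
}

# $1: file with `ss -4tuln` output, $2: file with `iptables -S INPUT` output.
# Prints one "proto port" line per listening port without a --dport rule.
ports_without_rule() {
  listening_ports < "$1" | while read -r proto port; do
    if ! grep -Eq -- "-p $proto .*--dport $port( |$)" "$2"; then
      echo "$proto $port"
    fi
  done
}

# Constructed sample data standing in for the two command outputs.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0       127.0.0.53%lo:53       0.0.0.0:*
udp   UNCONN 0      0             0.0.0.0:123      0.0.0.0:*
tcp   LISTEN 0      128           0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      511           0.0.0.0:80       0.0.0.0:*'
SAMPLE_IPT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT'

# Runs the audit over the constructed sample: port 22 is covered, 80 and 123 are not.
audit_sample() {
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_SS" > "$tmp/ss.txt"
  printf '%s\n' "$SAMPLE_IPT" > "$tmp/ipt.txt"
  ports_without_rule "$tmp/ss.txt" "$tmp/ipt.txt"
  rm -rf "$tmp"
}

audit_sample
```

Every port the check reports needs either an explicit accept rule or the service stopped; a port that is reported but intentionally open is exactly the case the Benchmark's rule is meant to surface.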

Logfile Permissions

The scripts cannot fix this once and for all, because log files are created continuously. The Benchmark remediation is find /var/log -type f -exec chmod g-wx,o-rwx "{}" +, which keeps group read access for the adm group that the syslog daemon relies on. To keep new files compliant, also check the create modes used by rsyslog ($FileCreateMode 0640) and by the logrotate definitions (create 0640 syslog adm).

  • Xenial N/A; Bionic 4.2.3; Focal 4.2.3: Ensure permissions on all logfiles are configured

User Password Creation Time Audit Rule

To satisfy this rule, no user may have a last password change date in the future. Such dates usually come from a system clock that was wrong when the password was set, or from accounts restored from another host; reset the date with chage -d "$(date +%F)" USER (or chage -d 0 USER to force a change at next login).

  • Xenial 5.4.1.5; Bionic 5.5.1.5; Focal 5.4.1.5: Ensure all users last password change date is in the past
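The check is simpler on the raw /etc/shadow data than on the dates printed by chage, because the third shadow field is already a day count since the epoch that can be compared numerically (human-readable dates compared as strings do not sort chronologically). The following is an added example, not part of the hardening tools; it takes any shadow-format file and a “today” day count, and the sample file it builds (users alice, bob, carol, svc-backup and their hashes) is constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not part of the CIS hardening tools): list users whose
# last password change (shadow field 3, days since 1970-01-01) is in the future.
# On a live host:  future_password_changes /etc/shadow "$(( $(date +%s) / 86400 ))"

# $1: shadow-format file, $2: today as days since the epoch.
# Locked accounts ("!" or "*" hashes) are included on purpose: the rule covers all users.
# An empty field 3 means "never changed" and is not a future date.
future_password_changes() {
  awk -F: -v today="$2" '$3 != "" && $3 + 0 > today { print $1 }' "$1"
}

# Builds a constructed shadow file relative to today and runs the check on it.
sample_future_users() {
  today=$(( $(date +%s) / 86400 ))
  tmp=$(mktemp)
  cat > "$tmp" <<EOF
root:*:$((today - 400)):0:99999:7:::
alice:\$6\$saltsalt\$hashhash:$((today + 30)):0:99999:7:::
bob:!:$((today - 1)):0:99999:7:::
svc-backup:\$6\$saltsalt\$hashhash:$((today + 1)):0:99999:7:::
sync:*:18000::::::
EOF
  future_password_changes "$tmp" "$today"
  rm -f "$tmp"
}

# Prints "alice" and "svc-backup"; remediate each with: chage -d "$(date +%F)" USER
sample_future_users
```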

User and Group Rules

  • Xenial 6.2.6; Bionic 6.2.7; Focal 6.2.7: Ensure root PATH Integrity
  • Xenial 6.2.16; Bionic 6.2.16; Focal 6.2.13: Ensure no duplicate UIDs exist
  • Xenial 6.2.17; Bionic 6.2.17; Focal 6.2.14: Ensure no duplicate GIDs exist
  • Xenial 6.2.18; Bionic 6.2.18; Focal 6.2.15: Ensure no duplicate user names exist
  • Xenial 6.2.19; Bionic 6.2.19; Focal 6.2.16: Ensure no duplicate group names exist
  • Xenial 6.2.20; Bionic 6.2.20; Focal 6.2.17: Ensure shadow group is empty
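The duplicate-entry and shadow-group rules are pure data checks on /etc/passwd and /etc/group, so they are easy to audit before and after manual clean-up. The following is an added example, not part of the hardening tools: each helper takes a passwd- or group-format file path, and the sample files written by write_samples (users toor, alice, carol, dave, group staff and their IDs) are constructed for illustration. The root PATH integrity rule is not covered here, since it depends on the live file system and on file ownership.

```shell
#!/bin/sh
# Added audit helpers (not part of the CIS hardening tools) for the duplicate
# UID/GID/name rules and the "shadow group is empty" rule. Run them against
# /etc/passwd and /etc/group on a host, or against the constructed samples below.

duplicate_uids()  { cut -d: -f3 "$1" | sort | uniq -d; }   # $1: passwd file
duplicate_gids()  { cut -d: -f3 "$1" | sort | uniq -d; }   # $1: group file
duplicate_names() { cut -d: -f1 "$1" | sort | uniq -d; }   # $1: passwd or group file

# Members listed on the shadow line of the group file ($1). Must print nothing.
shadow_group_members() {
  awk -F: '$1 == "shadow" { print $4 }' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Users whose primary group is shadow ($1: passwd file, $2: group file).
# The Benchmark audit checks this as well; it must print nothing.
shadow_primary_users() {
  gid=$(awk -F: '$1 == "shadow" { print $3 }' "$2")
  if [ -n "$gid" ]; then
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$1"
  fi
}

# Writes constructed passwd and group files into directory $1.
write_samples() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
alice:x:1002:1002:duplicate name:/home/alice2:/bin/bash
carol:x:1003:42:primary group shadow:/home/carol:/bin/bash
EOF
  cat > "$1/group" <<'EOF'
root:x:0:
daemon:x:1:
shadow:x:42:dave
users:x:100:
alice:x:1000:
bob:x:1001:
staff:x:1001:
EOF
}

# Prints every finding for the sample data.
report() {
  d=$(mktemp -d)
  write_samples "$d"
  echo "duplicate UIDs:        $(duplicate_uids "$d/passwd" | tr '\n' ' ')"
  echo "duplicate GIDs:        $(duplicate_gids "$d/group" | tr '\n' ' ')"
  echo "duplicate user names:  $(duplicate_names "$d/passwd" | tr '\n' ' ')"
  echo "duplicate group names: $(duplicate_names "$d/group" | tr '\n' ' ')"
  echo "shadow group members:  $(shadow_group_members "$d/group" | tr '\n' ' ')"
  echo "shadow as primary gid: $(shadow_primary_users "$d/passwd" "$d/group" | tr '\n' ' ')"
  rm -rf "$d"
}

report
```

A second UID 0 account such as toor in the sample is the finding to treat as an incident rather than a hygiene issue; the others are usually remnants of manual account creation and are fixed with usermod/groupmod and gpasswd -d.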

CIS Level 2 (Server and Workstation Profiles)

In addition to the CIS Level 1 rules above, the following rules require manual configuration under the Level 2 profiles.

Separate Partition Rules

  • Xenial 1.1.2; Bionic 1.1.2; Focal 1.1.2: Ensure separate partition exists for /tmp; Ensure /tmp is configured
  • Xenial N/A; Bionic N/A; Focal 1.1.6: Ensure /dev/shm is configured
  • Xenial N/A; Bionic 1.1.15; Focal 1.1.7: Ensure nodev option set on /dev/shm partition
  • Xenial 1.1.5; Bionic 1.1.6; Focal 1.1.10: Ensure separate partition exists for /var
  • Xenial 1.1.6; Bionic 1.1.7; Focal 1.1.11: Ensure separate partition exists for /var/tmp
  • Xenial N/A; Bionic 1.1.8; Focal 1.1.12: Ensure /var/tmp partition includes the nodev option
  • Xenial N/A; Bionic 1.1.9; Focal 1.1.13: Ensure /var/tmp partition includes the nosuid option
  • Xenial 1.1.10; Bionic 1.1.15; Focal 1.1.15: Ensure separate partition exists for /var/log
  • Xenial 1.1.11; Bionic 1.1.16; Focal 1.1.16: Ensure separate partition exists for /var/log/audit
  • Xenial 1.1.12; Bionic 1.1.17; Focal 1.1.17: Ensure separate partition exists for /home
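Partition layout is decided at installation time, so these rules are normally satisfied by provisioning and then verified. The following is an added example, not part of the hardening tools: it takes the output of findmnt -rn -o TARGET,OPTIONS and reports required mount points that are not separate file systems and required mount options that are missing. The list of mount points follows the rules above; the option table (nodev, nosuid and noexec on /tmp, /var/tmp and /dev/shm, nodev on /home) is the usual CIS set and is an assumption beyond what this page lists, as are the fstab lines in the comment and the constructed SAMPLE_FINDMNT data.

```shell
#!/bin/sh
# Added audit helper (not part of the CIS hardening tools) for the separate
# partition rules. On a live host:  findmnt -rn -o TARGET,OPTIONS > mounts.txt
# Example /etc/fstab lines that satisfy the mount-option rules (assumed; adjust
# the devices to the host):
#   tmpfs           /tmp      tmpfs  defaults,nosuid,nodev,noexec  0 0
#   tmpfs           /dev/shm  tmpfs  defaults,nosuid,nodev,noexec  0 0
#   /dev/vg/vartmp  /var/tmp  ext4   defaults,nosuid,nodev,noexec  0 2

# Mount points the rules expect as separate file systems.
REQUIRED_MOUNTS="/tmp /dev/shm /var /var/tmp /var/log /var/log/audit /home"

# Mount options expected on each of them (CIS set; assumption beyond the page's list).
required_options() {
  case "$1" in
    /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
    /home)                  echo "nodev" ;;
    *)                      echo "" ;;
  esac
}

# $1: findmnt output file. Prints each required mount point that is not mounted separately.
missing_partitions() {
  for m in $REQUIRED_MOUNTS; do
    awk -v t="$m" '$1 == t { found = 1 } END { exit !found }' "$1" || echo "$m"
  done
}

# $1: findmnt output file. Prints "TARGET missing OPTION" for every absent required option.
missing_mount_options() {
  while read -r target opts; do
    for want in $(required_options "$target"); do
      case ",$opts," in
        *",$want,"*) ;;
        *) echo "$target missing $want" ;;
      esac
    done
  done < "$1"
}

# Constructed sample: /var/log and /var/log/audit live on /var, and /tmp and
# /var/tmp lack noexec.
SAMPLE_FINDMNT='/ rw,relatime,errors=remount-ro
/tmp rw,nosuid,nodev,relatime
/dev/shm rw,nosuid,nodev,noexec,relatime
/var rw,relatime
/var/tmp rw,nosuid,nodev,relatime
/home rw,relatime,nodev'

sample_report() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_FINDMNT" > "$f"
  echo "not separate partitions:"; missing_partitions "$f"
  echo "missing mount options:";   missing_mount_options "$f"
  rm -f "$f"
}

sample_report
```

Missing options can be fixed in /etc/fstab and applied with mount -o remount; a missing partition for /var/log or /var/log/audit means repartitioning or adding a volume, which is why these rules are left to the administrator.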

Regarding Postfix Configuration

Xenial rule 1.3.1 / Bionic rule 1.3.1 / Focal rule 1.4.1 (“Ensure AIDE is installed”) pulls in Postfix, which AIDE depends on for mailing its reports, and leaves it with only a basic configuration. After the script has run, configure the Postfix server properly. At a minimum, replace the placeholder value your.hostname.com in /etc/mailname with the host's fully qualified name, and, since AIDE only needs local delivery, keep Postfix bound to loopback (inet_interfaces = loopback-only in /etc/postfix/main.cf, which is also what the Benchmark's local-only mail transfer agent rule requires).