CIS Compliance with Ubuntu 16.04 and 18.04
Upon successful installation of the CIS Benchmark compliance tools, you need to set up certain parameters for the benchmark (according to technical and institutional policies) in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables, with comments indicating which variables affect which CIS rule. For more information about the parameters in ruleset-params.conf, please see this page.
The location of the compliance tool depends on the Ubuntu version:
Ubuntu version | Script name |
---|---|
20.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh |
18.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh |
16.04 LTS | /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh |
Furthermore, the tool can apply one of four profiles, selected with one of the following command line options, which correspond to a Level 1 Workstation profile, a Level 1 Server profile, a Level 2 Workstation profile, and a Level 2 Server profile, respectively:
Tool profile name | Corresponding CIS profile |
---|---|
lvl1_workstation | Level 1 Workstation profile |
lvl1_server | Level 1 Server profile |
lvl2_workstation | Level 2 Workstation profile |
lvl2_server | Level 2 Server profile |
Example
The following example will configure an Ubuntu 20.04 LTS server to the Level 2 profile.
$ sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
NOTE
Running the tool to configure a Level 2 profile automatically applies the appropriate Level 1 profile rules as well.
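The following pre-flight helper is an added example, not part of the Canonical tooling: it reads the release from os-release, picks the matching script from the table above, rejects profile names the tool does not list, and confirms ruleset-params.conf and the script are present before printing the command to run. The function names and the optional filesystem-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: paths and profile names come from the tables on this page;
# function names and the optional root prefix are hypothetical.
CIS_DIR=/usr/share/ubuntu-scap-security-guides/cis-hardening

# Print the hardening script path for a VERSION_ID such as "20.04".
cis_script_for_version() {
    case "$1" in
        20.04) echo "$CIS_DIR/Canonical_Ubuntu_20.04_CIS-harden.sh" ;;
        18.04) echo "$CIS_DIR/Canonical_Ubuntu_18.04_CIS-harden.sh" ;;
        16.04) echo "$CIS_DIR/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh" ;;
        *) echo "unsupported Ubuntu release: '$1'" >&2; return 1 ;;
    esac
}

# Succeed only for the four profile names the tool accepts.
cis_valid_profile() {
    case "$1" in
        lvl1_workstation|lvl1_server|lvl2_workstation|lvl2_server) return 0 ;;
        *) echo "unknown profile: '$1'" >&2; return 1 ;;
    esac
}

# Extract VERSION_ID from an os-release file without sourcing it.
cis_version_id() {
    sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "${1:-/etc/os-release}"
}

# Print the command for this host and profile; it is never executed here.
# $1 profile, $2 os-release path (optional), $3 filesystem prefix (optional).
cis_harden_cmd() {
    profile=$1
    os_release=${2:-/etc/os-release}
    root=${3:-}
    cis_valid_profile "$profile" || return 1
    version=$(cis_version_id "$os_release")
    script=$(cis_script_for_version "$version") || return 1
    [ -f "$root$CIS_DIR/ruleset-params.conf" ] ||
        { echo "ruleset-params.conf not found" >&2; return 1; }
    [ -x "$root$script" ] ||
        { echo "not executable: $script" >&2; return 1; }
    echo "sudo $script $profile"
}
```

After sourcing the file, `cis_harden_cmd lvl2_server` prints the command for the current host so it can be reviewed before it is run.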
Manual steps for completion
Note that not everything in the CIS profiles can be automated. There is a small set of rules that need to be manually configured into compliance. Please refer to this page to see more information on these rules.