CIS Compliance for Ubuntu

Compliance information

Ubuntu 20.04, Ubuntu 18.04 and Ubuntu 16.04 have compliance benchmark documents developed by the Center for Internet Security (CIS), available on their website. Canonical has developed a tool to assist both in hardening and in auditing Ubuntu 20.04, Ubuntu 18.04 and Ubuntu 16.04 systems, based on the published CIS benchmarks.

Announcement Mailing List

A mailing list is used to announce patches and news related to the CIS packages and certifications. To request to join the mailing list, please send "join" in the email body to ubuntu-certs-announce-request@lists.canonical.com. Announcements will be sent to the email address ubuntu-certs-announce@lists.canonical.com from an "@canonical.com" email address.

Obtaining the CIS Compliance Tools from Canonical

Canonical’s CIS Compliance Tools are available to customers who have purchased qualifying Ubuntu Advantage products. The tools are available as packages in a private Launchpad PPA. Each package in the PPA is signed with a unique PGP key to ensure authenticity.

  1. Determine your Launchpad username by going to launchpad.net/~
  2. Request access to the CIS Benchmark tool's PPA by logging in to support.canonical.com and following the instructions on the Contact Us tab to create a new case. Please include your Launchpad username in the support case.
  3. It may take up to 48 hours, but you will be notified once your access has been granted.
  4. Click this link to view your Private PPA subscriptions.
  5. Under Archive locate the "Security Benchmarks" (ppa:ubuntu-advantage/security-benchmarks) line and click "View" to the right.
  6. Locate the line starting with deb https://<your-launchpad-id>:<PPA-password>@, where <your-launchpad-id>:<PPA-password> represent your personal Launchpad username and the encoded password created for this PPA.
  7. Select and copy the portion comprising <your-launchpad-id>:<PPA-password>

Currently, there is only a manual method to use Canonical's CIS Benchmark hardening tool. The steps below will guide you through the installation and use of this tool.

Manual Installation

Setting up the CIS Benchmark tool's repository

  1. Add the unique PPA PGP key onto the system.

    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C

  2. Add the file /etc/apt/auth.conf.d/cis-harden.conf with the private PPA credentials that were acquired above.

    # Credentials to allow the connection for the CIS benchmarks private PPA
    machine private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu
    login <your-launchpad-id>
    password <PPA-password>

  3. Add the CIS Benchmark tool's PPA repository to the system which will have the hardening tool installed (this is for Bionic).

    sudo add-apt-repository -u 'deb https://private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu bionic main'

  4. Update the permissions of the file so that general access to the file is not possible.

    sudo chmod 0600 /etc/apt/auth.conf.d/cis-harden.conf

  5. Now that a new repository and signing key have been added, apt's cache needs to be updated.

    sudo apt update

Note: "bionic" in the line above refers to Ubuntu 18.04 LTS. Please replace "bionic" above with "focal" if you are installing these packages for Ubuntu 20.04 LTS; "xenial" if for Ubuntu 16.04 LTS.
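The five steps above, collected into one script as an added example (this is not Canonical's code and not part of the usg packages). The key id, PPA path and credentials file name are the values from this page; the function names, the release-to-series mapping and the environment-variable guard are this example's own. The credentials file is created under a restrictive umask so that the PPA password is never world-readable, even briefly, and the password is read from the terminal rather than taken on the command line where it would show up in process listings.

```shell
#!/bin/sh
# Added example: set up the CIS Benchmark private PPA on the running release.
# Key id, PPA location and credentials path are the values from the page;
# the helper names below are this example's own.

CIS_PPA_KEY="A166877412DAC26E73CEBF3FF6C280178D13028C"
CIS_PPA_HOST="private-ppa.launchpad.net"
CIS_PPA_PATH="ubuntu-advantage/security-benchmarks/ubuntu"
CIS_AUTH_FILE="/etc/apt/auth.conf.d/cis-harden.conf"

# Map VERSION_ID from /etc/os-release to the PPA series name.
# Fails (status 1) for releases the page does not list, rather than guessing.
cis_codename() {
    case "$1" in
        16.04) echo xenial ;;
        18.04) echo bionic ;;
        20.04) echo focal ;;
        *)     return 1 ;;
    esac
}

# Render the apt auth.conf stanza with one keyword per line, so the leading
# comment cannot swallow the machine/login/password keywords. The id and
# password are printf arguments, never part of the format string.
cis_auth_stanza() {
    printf '# Credentials for the CIS benchmarks private PPA\nmachine %s/%s\nlogin %s\npassword %s\n' \
        "$CIS_PPA_HOST" "$CIS_PPA_PATH" "$1" "$2"
}

# Render the sources line for a given series (no trailing newline).
cis_deb_line() {
    printf 'deb https://%s/%s %s main' "$CIS_PPA_HOST" "$CIS_PPA_PATH" "$1"
}

# Perform the set-up end to end. Needs root; not exercised by the tests.
# Usage: cis_setup_repo <launchpad-id> <ppa-password>
cis_setup_repo() {
    lp_id="$1"
    ppa_pw="$2"
    version_id="$(. /etc/os-release && echo "$VERSION_ID")"
    series="$(cis_codename "$version_id")" || {
        echo "unsupported Ubuntu release: $version_id" >&2
        return 1
    }
    # umask 077 makes the file 0600 from the moment it is created, so there is
    # no window in which other local users could read the PPA password.
    ( umask 077 && cis_auth_stanza "$lp_id" "$ppa_pw" > "$CIS_AUTH_FILE" )
    chmod 0600 "$CIS_AUTH_FILE"
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$CIS_PPA_KEY"
    add-apt-repository -u "$(cis_deb_line "$series")"
    apt update
}

# Entry point, guarded by an environment variable so that sourcing the file
# only defines the functions. Run as root:
#   CIS_SETUP_RUN=1 sh cis-repo-setup.sh <launchpad-id>
if [ "${CIS_SETUP_RUN:-0}" = 1 ]; then
    printf 'PPA password for %s: ' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    echo >&2
    cis_setup_repo "$1" "$pw"
fi
```

The mapping in cis_codename is deliberately a closed list: a release that is not in it aborts the run instead of producing a sources line for a series the PPA does not publish.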

Install the packages

Install the Canonical CIS Benchmark compliance tools by installing the "usg-cisbenchmark" and "usg-common" packages:

sudo apt install usg-cisbenchmark usg-common

Configure and run CIS Benchmark rules

Upon successful installation of the Canonical CIS Benchmark compliance tools, some parameters should be checked and configured correctly (according to technical and institutional policies) in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables with comments illustrating which variables affect which CIS rule. For more information about parameters in ruleset-params.conf, please see this page.

The hardening script must now be run. The installed tool is located at /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh for an Ubuntu Bionic system and at /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh for an Ubuntu Xenial system.

The tool can apply one of four profiles, selected by passing one of the following command line arguments, which correspond to the Level 1 Workstation, Level 1 Server, Level 2 Workstation and Level 2 Server profiles respectively:

  • lvl1_workstation
  • lvl1_server
  • lvl2_workstation
  • lvl2_server

The command below is an example of applying the Level 2 Workstation profile on an Ubuntu Bionic system:

/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh lvl2_workstation

Another example of applying the Level 1 Server profile on an Ubuntu Xenial system:

/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh lvl1_server

Note: By running the tool to configure a Level 2 profile, the appropriate Level 1 profile rules are automatically applied, as well.
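A wrapper around the hardening runs described above, as an added example (this is not Canonical's code and not part of the usg packages). The script paths and the four profile names are the ones given on this page; the 20.04 script path is not given here, so that release is rejected rather than guessed. The log directory and the helper names are this example's own choices. The wrapper refuses unknown profile names, checks that the package has actually installed the script, reports that a Level 2 run also applies the matching Level 1 rules, and keeps a timestamped copy of the tool's output so the changes applied to the host can be audited later.

```shell
#!/bin/sh
# Added example: choose the hardening script for the running release,
# validate the profile and keep a log of the run.

CIS_DIR="/usr/share/ubuntu-scap-security-guides/cis-hardening"
CIS_LOG_DIR="/var/log/cis-hardening"   # assumption: any root-only directory works

# Return the hardening script path for an Ubuntu VERSION_ID, or fail.
# Only the two paths given on the page are known; anything else is refused.
cis_harden_script() {
    case "$1" in
        18.04) echo "$CIS_DIR/Canonical_Ubuntu_18.04_CIS-harden.sh" ;;
        16.04) echo "$CIS_DIR/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh" ;;
        *)     return 1 ;;
    esac
}

# Accept only the four profile names the tool understands.
cis_profile_ok() {
    case "$1" in
        lvl1_workstation|lvl1_server|lvl2_workstation|lvl2_server) return 0 ;;
        *) return 1 ;;
    esac
}

# List the profiles a run effectively applies: a Level 2 profile also
# applies the matching Level 1 rules.
cis_profile_includes() {
    case "$1" in
        lvl2_workstation) echo "lvl1_workstation lvl2_workstation" ;;
        lvl2_server)      echo "lvl1_server lvl2_server" ;;
        lvl1_workstation|lvl1_server) echo "$1" ;;
        *)                return 1 ;;
    esac
}

# Run the hardening script as root with a logged, status-checked run.
# Not exercised by the tests. Usage: cis_harden <profile>
cis_harden() {
    profile="$1"
    cis_profile_ok "$profile" || { echo "unknown profile: $profile" >&2; return 2; }
    version_id="$(. /etc/os-release && echo "$VERSION_ID")"
    script="$(cis_harden_script "$version_id")" || {
        echo "no hardening script known for Ubuntu $version_id" >&2; return 2; }
    [ -x "$script" ] || { echo "$script not found; install usg-cisbenchmark first" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }

    mkdir -p "$CIS_LOG_DIR" && chmod 0700 "$CIS_LOG_DIR"
    log="$CIS_LOG_DIR/harden-$profile-$(date +%Y%m%dT%H%M%S).log"
    echo "applying $(cis_profile_includes "$profile") on Ubuntu $version_id via $script" | tee "$log"
    # POSIX sh has no pipefail, so the script's exit status is saved to a
    # side file before tee consumes the output.
    { "$script" "$profile" 2>&1; echo $? > "$log.rc"; } | tee -a "$log"
    rc="$(cat "$log.rc")"
    rm -f "$log.rc"
    echo "hardening finished with status $rc; log kept at $log"
    return "$rc"
}

# Entry point, guarded so that sourcing the file only defines the functions.
# Run as root:  CIS_HARDEN_RUN=1 sh cis-harden-run.sh lvl2_workstation
if [ "${CIS_HARDEN_RUN:-0}" = 1 ]; then
    cis_harden "$1"
fi
```

Review ruleset-params.conf before the first run; the wrapper checks the profile and the script, not the parameters.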

Necessary manual steps for completion

Some rules must be manually configured into compliance. Please refer to this page to see the rules that must still be applied to reach compliance with the CIS Benchmark.

© 2018 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.