CIS Compliance for Ubuntu

Compliance information

Ubuntu 20.04, Ubuntu 18.04, Ubuntu 16.04 have compliance benchmark documents developed by the Center for Internet Security (CIS), available on their website. Canonical has developed a tool to assist both in hardening and in auditing Ubuntu 20.04 systems, Ubuntu 18.04 systems, and Ubuntu 16.04 systems based off of the published CIS benchmarks.

Announcement Mailing List

A mailing list is used to announce patches and news related to the CIS packages and certifications. To request to join the mailing list, please send "join" in the email body to ubuntu-certs-announce-request@lists.canonical.com. Announcements will be sent to the email address ubuntu-certs-announce@lists.canonical.com from an "@canonical.com" email address.

Ubuntu-Advantage Tool Installation

CIS configuration can be enabled automatically via the Ubuntu Advantage Tool (also known as "UA tool" or "UA client") on bare metal, virtual, and cloud environments. Version 27.1 or higher of the UA tool is required to use this method. If the UA tool is installed, the UA tool can provide its version.

ua version

If necessary, apt can be used to install or update the latest version.

sudo apt update && sudo apt install ubuntu-advantage-tools

Access to the CIS repository is controlled by a token associated with an Ubuntu Advantage subscription.

Obtaining UA Token

Ubuntu PRO instances on AWS, Azure, and GCP may skip these steps and the ua attach step. A UA token has already been attached to the system.

  1. Login at ubuntu.com/advantage using the Ubuntu One account tied to your UA-I subscription.
  2. Under the "Your paid subscriptions" header, click on the down-arrow in the "machines" column for the row of your subscription. This may already be expanded.
  3. Find your token from within the provided attach command in the format of sudo ua attach <TOKEN>. Save this token to complete the process below.

Setting up the CIS packages with the UA tool

  1. Attach the system to the Ubuntu Advantage service.

    sudo ua attach <TOKEN>

  2. Enable the CIS configuration.

    sudo ua enable cis

  3. Verify that the system is attached to UA and has the CIS repository enabled.

    sudo ua status

Configure and run CIS Benchmark rules

Upon successful installation of the Canonical CIS Benchmark compliance tools, some parameters should be checked and configured correctly (according to technical and institutional policies) in the /usr/share/ubuntu-scap-security-guides/cis-hardening/ruleset-params.conf file. This file is divided into sections of variables with comments illustrating which variables affect which CIS rule. For more information about parameters in ruleset-params.conf, please see this page.

The hardening scripts now must be run. The installed tool is located at "/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh" for an Ubuntu Focal system, "/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh" for an Ubuntu Bionic system, and "/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh" for an Ubuntu Xenial system.

Furthermore, the tool has four different profiles that it can apply using one of the following command line options, relating to a Level 1 Workstation profile, a Level 1 Server profile, a Level 2 Workstation profile, and a Level 2 Server profile, respectively:

  • lvl1_workstation
  • lvl1_server
  • lvl2_workstation
  • lvl2_server

The command below is an example of applying the Level 2 Workstation profile on an Ubuntu Bionic system:

/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_18.04_CIS-harden.sh lvl2_workstation

Another example of applying the Level 1 Server profile on an Ubuntu Xenial system:

/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh lvl1_server

Note: By running the tool to configure a Level 2 profile, the appropriate Level 1 profile rules are automatically applied, as well.

Necessary manual steps for completion

Some rules must be manually configured into compliance. Please refer to this page to see the rules that must still be applied to reach compliance with the CIS Benchmark.

© 2018 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.