We’re pleased to release Ubuntu Security Guide profiles for CIS benchmarks. These profiles will allow customers to automatically harden and audit their Ubuntu 24.04 LTS systems, in conformance with the benchmarks.
System hardening is an essential preventative security measure for production systems and critical workloads. It is especially important for regulated industries such as healthcare, finance, telecommunications and the public sector.
Hardening provides defense in depth by establishing safe default and configuration settings. Examples of these include allowing least privileges, enabling robust logging and auditing, and enforcing encryption, in line with security industry best practices such as The Center for Internet Security (CIS) benchmarks. CIS uses a consensus process to develop benchmarks which safeguard organisations against cyber attacks.
CIS defines several different profiles for hardening an operating system, based on its intended use. There are two categories of profiles for Ubuntu: one for workstations (i.e. Desktop environments), and one for servers without a GUI. Each category has two hardening levels.
Level 1 is designed to be practical and, where possible, not impact the operation or performance of the system. Level 2 goes further, for situations where security is paramount, though this might negatively impact the operation of the system, for instance by increasing the logging levels, which could make it run slower or consume more storage space. For most uses, level 1 should provide a very good security posture.
There are hundreds of individual rules within the benchmarks and this makes it prohibitively time-consuming for anyone to implement them from scratch. We’ve made the Ubuntu Security Guide (USG) tool to automate both the hardening (also known as remediation), as well as the auditing aspects of the benchmarks, to simplify and streamline the compliance process.
We have created individual hardening profiles for the four combinations of server and workstation benchmark at levels 1 & 2.
USG is included with Ubuntu Pro, the enterprise-ready security and compliance subscription that sits on top of regular Ubuntu. You can enable and install USG with these commands:
$ sudo pro enable usg
$ sudo apt install usg
The CIS profiles are included in the latest version (24.04.1) of USG.
To check the status of your system and see how it stacks up against the benchmark, run USG in audit mode:
$ sudo usg audit cis_level1_server
Then, to fix any issues that the audit highlighted and bring the system into compliance with the benchmark, run USG in fix mode:
$ sudo usg fix cis_level1_server
Every IT system is different, and each has its own purpose. As such, the CIS benchmarks are guides that provide a baseline set of general recommendations and best practices that can be broadly applied, which means that there will likely be some rules within the profile that don’t align with your own particular system setup.
This is fine – the benchmarks are meant to be a guide, and you can tailor the profile to your specific needs.
To generate a tailoring file for customization, run:
$ sudo usg generate-tailoring cis_level1_server tailoringfile.xml
Edit the tailoring file to select which rules to enable or customise, then use the tailoring file to audit or fix the system:
$ sudo usg audit --tailoring-file tailoringfile.xml
The CIS benchmarks allow you to choose from three different firewall configuration tools, all of which are available within Ubuntu: nftables (the default for Ubuntu 24.04), iptables and ufw. Indicate your preference in the tailoring file by setting the XCCDF variable var_network_filtering_service to choose which firewall tool to install and configure.
You can also choose which NTP time synchronization tool to use, either systemd-timesyncd (the default for Ubuntu 24.04) or chronyd. Set the variable var_timesync_service in the tailoring file to select which timesync daemon to install and configure.
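As an added example (not part of the original post or of the USG tool itself), the small Python helper below edits a tailoring file the way the steps above describe: it deselects rules that don’t fit the host and sets var_network_filtering_service and var_timesync_service. The embedded sample file, its rule ids and the benchmark path are constructed placeholders, and the accepted value strings for the two variables are assumed; take real ids and values from the file that usg generate-tailoring produces and from man usg-cis.

```python
import xml.etree.ElementTree as ET
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)

def q(tag):
    return "{%s}%s" % (XCCDF_NS, tag)  # namespace-qualify an XCCDF tag

# Constructed minimal tailoring file; rule ids and the benchmark href are
# placeholders, not real USG identifiers (take those from the generated file).
SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="placeholder_tailoring">
  <xccdf:benchmark href="PLACEHOLDER_BENCHMARK_PATH.xml"/>
  <xccdf:Profile id="placeholder_profile_cis_level1_server_custom" extends="placeholder_profile_cis_level1_server">
    <xccdf:title>CIS Level 1 Server (custom)</xccdf:title>
    <xccdf:select idref="placeholder_rule_remote_logging" selected="true"/>
    <xccdf:select idref="placeholder_rule_grub_password" selected="true"/>
    <xccdf:set-value idref="var_network_filtering_service">nftables</xccdf:set-value>
    <xccdf:set-value idref="var_timesync_service">systemd-timesyncd</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def _matches(idref, name):
    # Real ids carry a long project prefix; accept an exact or suffix match.
    return idref == name or idref.endswith("_" + name)

def tailor(xml_text, disable_rules=(), variables=None):
    """Return the tailoring XML with rules deselected and variables set."""
    root = ET.fromstring(xml_text)
    prof = root.find(q("Profile"))
    for rule in disable_rules:
        hits = [s for s in prof.findall(q("select")) if _matches(s.get("idref", ""), rule)]
        if not hits:  # rule not mentioned yet: add an explicit deselect entry
            hits = [ET.SubElement(prof, q("select"), idref=rule)]
        for sel in hits:
            sel.set("selected", "false")
    for name, value in (variables or {}).items():
        hits = [v for v in prof.findall(q("set-value")) if _matches(v.get("idref", ""), name)]
        if not hits:  # variable not overridden yet: add a set-value entry
            hits = [ET.SubElement(prof, q("set-value"), idref=name)]
        for sv in hits:
            sv.text = value
    return ET.tostring(root, encoding="unicode")

def selected_rules(xml_text):
    """Map each rule idref in the profile to whether it is selected."""
    prof = ET.fromstring(xml_text).find(q("Profile"))
    return {s.get("idref"): s.get("selected", "true") == "true" for s in prof.findall(q("select"))}

def variable_values(xml_text):
    """Map each overridden XCCDF variable idref to its value."""
    prof = ET.fromstring(xml_text).find(q("Profile"))
    return {v.get("idref"): (v.text or "").strip() for v in prof.findall(q("set-value"))}
```

Write the returned string back to tailoringfile.xml and pass it to usg audit or usg fix with --tailoring-file; rules you deselect are skipped in both modes, so keep a note of why each one was excluded.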
Several rules within the CIS profiles need to be adjusted according to your individual setup. These include details of remote logging and auditing servers, Grub passwords and various other customizations. We’ve provided detailed help and information in the “man page”:
$ man usg-cis
This release of the CIS benchmarks for USG will make deploying and hardening Ubuntu 24.04 LTS (Noble Numbat) much easier and faster. You can learn more about it by joining the webinar.
If you want to take advantage of USG, you will need to get an Ubuntu Pro subscription. Along with CIS benchmarks, Pro includes our comprehensive 10+ years of security vulnerability fixes, along with rebootless kernel patching and FIPS compliance out of the box.
If you’d like to learn more about USG or Ubuntu Pro, please contact us.