CIS hardened Ubuntu: cyber attack and malware prevention for mission-critical systems

This article was last updated 2 years ago.


The Center for Internet Security (CIS) is a nonprofit organisation that uses a community-driven process to release benchmarks to safeguard enterprises against cyber attacks. Its benchmarks are among the most recognised industry standards, providing comprehensive secure configuration and hardening checklists for computing environments.

The CIS benchmark has hundreds of configuration recommendations, so hardening a system manually can be very tedious. For large deployments and clouds, manual hardening may not be practically viable. To drastically improve this process for enterprises, Canonical has made CIS automation tooling available to its Ubuntu Advantage for Infrastructure customers. The compliance tooling has two objectives: it lets our customers harden their Ubuntu systems effortlessly and then quickly audit those systems against the published CIS Ubuntu benchmarks. The SCAP content for audit tooling that scans the system for compliance is CIS certified.

Applying CIS benchmarks

CIS benchmarks lock down your systems by removing non-secure programs, disabling unused filesystems, disabling unnecessary ports or services, auditing privileged operations and restricting administrative privileges. CIS benchmark recommendations are adopted in virtual machines in public and private clouds. They are also used to secure on-premises deployments. For some industries, hardening a system against a publicly known standard is a criterion auditors look for. CIS benchmarks are often a system hardening choice recommended by auditors for industries requiring PCI-DSS and HIPAA compliance, such as banking, telecommunications and healthcare.

Hardening and auditing done right

Canonical has actively worked with the CIS to draft operating system benchmarks for Ubuntu 16.04 LTS, 18.04 LTS and 20.04 LTS releases. The Ubuntu CIS benchmarks are organised into different profiles, namely ‘Level 1’ and ‘Level 2’, intended for server and workstation environments. A Level 1 profile is intended to be a practical and prudent way to secure a system without too much performance impact. Disabling unneeded filesystems, restricting user permissions to files and directories, disabling unneeded services and configuring network firewalls are some examples of configuration changes recommended in a Level 1 profile. A Level 2 profile is used where security is considered very important, and it may have a negative impact on the performance of the system. Creating separate partitions and auditing privileged operations are some examples of configuration changes recommended in a Level 2 profile.

The Ubuntu CIS hardening tool allows customers to select the desired level of hardening against a profile (Level 1 or Level 2) and the work environment (server or workstation) for a system. The audit tooling uses OpenSCAP libraries to scan the system. Both audit scanning and hardening are executed using a profile. The tool provides options to generate a report in XML or HTML format. The report shows compliance for all the rules against the profile selected during the scan.
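An XML report of this kind can be triaged programmatically after an audit. The following is an added example, not part of Canonical's tooling: it assumes the XML report is an XCCDF 1.2 results document of the kind OpenSCAP writes, and the sample report, rule ids and the `summarise` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace (assumed report format, see lead-in).
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: a minimal XCCDF TestResult with hypothetical rule ids.
SAMPLE_REPORT = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <profile idref="xccdf_example_profile_level1_server"/>
    <rule-result idref="xccdf_example_rule_disable_cramfs" severity="low"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_sshd_root_login" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_separate_var_log" severity="medium"><result>notselected</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall_default_deny" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_auditd_time_change" severity="medium"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""

# Rules outside the selected profile (or not applicable) are left out of the pass rate.
NOT_SCORED = {"notselected", "notapplicable", "informational"}

def summarise(report_xml):
    """Return profile, per-result counts, pass rate and the rules needing attention."""
    root = ET.fromstring(report_xml)
    test = root if root.tag.endswith("TestResult") else root.find(".//x:TestResult", NS)
    if test is None:
        raise ValueError("no XCCDF TestResult element in report")
    profile = test.find("x:profile", NS)
    counts, attention = Counter(), []
    for rr in test.findall("x:rule-result", NS):
        result = (rr.findtext("x:result", default="unknown", namespaces=NS) or "unknown").strip()
        counts[result] += 1
        # fail, error and unknown all mean the rule is not proven compliant.
        if result in {"fail", "error", "unknown"}:
            attention.append((rr.get("severity", "unknown"), rr.get("idref"), result))
    scored = sum(n for r, n in counts.items() if r not in NOT_SCORED)
    rank = {"high": 0, "medium": 1, "low": 2}
    attention.sort(key=lambda t: (rank.get(t[0], 3), t[1]))  # highest severity first
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "counts": dict(counts),
        "pass_rate": round(counts["pass"] / scored, 2) if scored else None,
        "attention": attention,
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))
```

Treating `error` and `unknown` results as findings alongside `fail` keeps a rule whose check could not run from being read as compliant.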

Start using the Ubuntu CIS automation tooling today

CIS automation tooling can be used in virtual machines, private and public clouds as well as on-premises and desktops. The tooling is available for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS with Ubuntu Advantage for Infrastructure. To start using it now, check out the CIS tooling instructions.
