Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CIS hardened Ubuntu: cyber attack and malware prevention for mission-critical systems

This article was last updated 2 years ago.


The Center for Internet Security (CIS) is a nonprofit organisation that uses a community-driven process to release benchmarks to safeguard enterprises against cyber attacks. It is one of the most recognised industry standards that provides comprehensive secure configuration and configuration hardening checklists in a computing environment.

The CIS benchmark has hundreds of configuration recommendations, so hardening a system manually can be very tedious. For large deployments and clouds that may not be practically viable. To drastically improve this process for enterprises, Canonical has made CIS automation tooling available to its Ubuntu Advantage for Infrastructure customers. The compliance tooling has two objectives: it lets our customers harden their Ubuntu systems effortlessly and then quickly audit those systems against the published CIS Ubuntu benchmarks. The SCAP content for audit tooling that scans the system for compliance is CIS certified.

Applying CIS benchmarks

CIS benchmarks locks down your systems by removing non-secure programs, disabling unused filesystems, disabling unnecessary ports or services, auditing privileged operations and restricting administrative privileges. CIS benchmark recommendations are adopted in virtual machines in public and private clouds. They are also used to secure on-premises deployments. For some industries, hardening a system against a publicly known standard is a criteria auditors look for. CIS benchmarks are often a system hardening choice recommended by auditors for industries requiring PCI-DSS and HIPPA compliance, such as banking, telecommunications and healthcare.

Hardening and auditing done right

Canonical has actively worked with the CIS to draft operating system benchmarks for Ubuntu 16.04 LTS, 18.04 LTS and 20.04 LTS releases. The Ubuntu CIS benchmarks are organised into different profiles, namely ‘Level 1’ and ‘Level 2’ intended for server and workstation environments.  A Level 1 profile is intended to be a practical and prudent way to secure a system without too much performance impact. Disabling unneeded filesystems, restricting user permissions to files and directories, disabling unneeded services, configuring network firewalls are some examples of configuration changes recommended in a Level 1 profile. A Level 2 profile is used where security is considered very important and it may have a negative impact on the performance of the system.  Creating separate partitions, auditing privileged operations are some examples of configuration changes recommended in a Level 2 profile.

The Ubuntu CIS hardening tool allows customers to select the desired level of hardening against a profile (Level1 or Level 2) and the work environment (server or workstation) for a system. The audit tooling uses OpenSCAP libraries to do a scan of the system. Both audit scanning and hardening are executed using a profile. The tool provides options to generate a report in XML or a html format. The report shows compliance for all the rules against the profile selected during the scan. 

Start using the Ubuntu CIS automation tooling today

CIS automation tooling can be used in virtual machines, private and public clouds as well as on-premises and desktops. The tooling is available for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS with  Ubuntu Advantage for Infrastructure. To start using it now check out the CIS tooling instructions.

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

Running OpenSSL 1.1.1 after EOL? Stay secure with Ubuntu Pro.

A few months ago, the OpenSSL Project announced the end of life of OpenSSL 1.1.1. It is used by thousands of software components included in Ubuntu 18.04 LTS...

Empowering Australian government innovation: a secure path to open source excellence

The Australian Federal Government is not alone in dealing with challenges like natural disasters, global pandemics and economic uncertainty. Like many...

Securing open source through CVE prioritisation

According to a recent study, 96% of applications in the enterprise market use open-source software. As the open source landscape becomes more and more...