Your submission was sent successfully! Close

CIS hardened Ubuntu: cyber attack and malware prevention for mission-critical systems

The Center for Internet Security (CIS) is a nonprofit organisation that uses a community-driven process to release benchmarks to safeguard enterprises against cyber attacks. It is one of the most recognised industry standards that provides comprehensive configuration checklists to identify and remediate security vulnerabilities in a computing environment.

The CIS benchmark has hundreds of configuration recommendations, so hardening a system manually can be very tedious. For large deployments and clouds that may not be practically viable. To drastically improve this process for enterprises, Canonical has made CIS automation tooling available to its Ubuntu Advantage for Infrastructure customers. The compliance tooling has two objectives: it lets our customers harden their Ubuntu systems effortlessly and then quickly audit those systems against the published CIS Ubuntu benchmarks. The SCAP content for audit tooling that scans the system for compliance is CIS certified.

Applying CIS benchmarks

CIS benchmarks locks down your systems by removing non-secure programs, disabling unused filesystems, disabling unnecessary ports or services, auditing privileged operations and restricting administrative privileges. CIS benchmark recommendations are adopted in virtual machines in public and private clouds. They are also used to secure on-premises deployments. For some industries, hardening a system against a publicly known standard is a criteria auditors look for. CIS benchmarks are often a system hardening choice recommended by auditors for industries requiring PCI-DSS and HIPPA compliance, such as banking, telecommunications and healthcare.

Hardening and auditing done right

Canonical has actively worked with the CIS to draft operating system benchmarks for Ubuntu 16.04 LTS, 18.04 LTS and 20.04 LTS releases. The Ubuntu CIS benchmarks are organised into different profiles, namely ‘Level 1’ and ‘Level 2’ intended for server and workstation environments.  A Level 1 profile is intended to be a practical and prudent way to secure a system without too much performance impact. Disabling unneeded filesystems, restricting user permissions to files and directories, disabling unneeded services, configuring network firewalls are some examples of configuration changes recommended in a Level 1 profile. A Level 2 profile is used where security is considered very important and it may have a negative impact on the performance of the system.  Creating separate partitions, auditing privileged operations are some examples of configuration changes recommended in a Level 2 profile.

The Ubuntu CIS hardening tool allows customers to select the desired level of hardening against a profile (Level1 or Level 2) and the work environment (server or workstation) for a system. The audit tooling uses OpenSCAP libraries to do a scan of the system. Both audit scanning and hardening are executed using a profile. The tool provides options to generate a report in XML or a html format. The report shows compliance for all the rules against the profile selected during the scan. 

Start using the Ubuntu CIS automation tooling today

CIS automation tooling can be used in virtual machines, private and public clouds as well as on-premises and desktops. The tooling is available for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS with  Ubuntu Advantage for Infrastructure. To start using it now check out the CIS tooling instructions.

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Select topics you're
interested in

In submitting this form, I confirm that I have read and agree to Canonical's Privacy Notice and Privacy Policy.

Related posts

FIPS 140-2 certification for Ubuntu 20.04 LTS!

Ubuntu, the world’s most popular operating system across private and public clouds has received the FIPS 140-2, Level 1 certification for its cryptographic...

Enhance the security of your open-source applications and share feedback

Are you spending time on high-impact, high-value activities, or are you constantly derailed by maintenance, support, and deployment challenges? Does your...

Enterprise Open Source Summit: A Business Perspective on Open Source

November 10, 2021 Canonical, Nextcloud, Collabora, Linbit, OpenNebula and Factor Group will present business perspectives on the use of open source in...