This article will go through the basics of hardening an Ubuntu Pro 22.04 server using the CIS Benchmarks. As per Ubuntu documentation: Security Technical Implementation Guides like the CIS benchmark or DISA-STIG have hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that greatly improves the usability of hardening and auditing, and allows for environment-specific customizations.
Ubuntu Pro is obviously a requirement, and if you don’t have it already, you can get it for free for private use from the Ubuntu site. For the current example, we are already running on an Ubuntu Pro image on AWS EC2.
Install the UA client
You need to install the UA client if missing. On the AWS EC2 instance, this is already installed.
sudo apt update
sudo apt install ubuntu-advantage-tools
Attach your UA token to the server
You need to run the following command to check if your subscription is active.
sudo ua status
If not, you need to add your Ubuntu Advantage Token from the Advantage Dashboard to your server. In the case of an Ubuntu Pro EC2 instance, this is already active.
sudo ua attach <your_ua_token>
Enable USG
Run the following command to see the USG service and its status:
ua status --all
You should see something similar to:
Enable the CIS benchmarks:
sudo ua enable cis
Install the USG client:
sudo apt install usg
Run your CIS security audit
The following command will run the security audit and generate the relevant output file:
sudo usg audit cis_level1_server
In addition to “cis_level1_server” you have the following profiles available: cis_level1_workstation, cis_level2_workstation, and cis_level2_server. See this page for details.
Open the generated HTML file to see the results of the audit and individual recommendations for the items that are marked as failed.
You can find here a sample report just to see what it looks like. Be nice and don’t hack the server.
Remediation
I would suggest that each item needs to be considered on its own merit and the remedy applied accordingly. Applying the remedies as an all-in-one solution is possible, but it may have critical consequences, such as breaking your system or locking you out of it.
However, according to Ubuntu, you can generate a bash script that will apply the necessary changes. The following command generates that script, which you can then run to apply the changes.
sudo usg generate-fix <PROFILE> --output fix.sh
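As an added example (not from the original post, and not part of USG itself), the POSIX shell helper below splits the generated fix.sh into one file per rule so that each remedy can be reviewed and applied on its own merit, as recommended above. It assumes the generated script uses OpenSCAP-style BEGIN/END fix marker comments around each rule; the sample input it builds is constructed, not real USG output.

```shell
#!/bin/sh
# Split a generated remediation script into one file per rule so that each
# fix can be read and applied on its own, rather than running fix.sh wholesale.
# Assumption: the script uses OpenSCAP-style markers around each fix:
#   # BEGIN fix (i / n) for 'xccdf_org.ssgproject.content_rule_<name>'
#   ...
#   # END fix for 'xccdf_org.ssgproject.content_rule_<name>'

# split_fix_script FIX_SCRIPT OUT_DIR
# Writes OUT_DIR/NNN_<name>.sh per fix and prints how many were written.
split_fix_script() {
    mkdir -p "$2"
    awk -v outdir="$2" '
        /^# BEGIN fix \(/ {
            n = $4; gsub(/[()]/, "", n)                   # "(3" -> "3"
            rule = substr($8, 2, length($8) - 2)          # drop the quotes
            name = rule; sub(/^xccdf_org\.ssgproject\.content_rule_/, "", name)
            out = sprintf("%s/%03d_%s.sh", outdir, n, name)
            print "#!/bin/sh" > out
            print "# Fix " n " for " rule " (review before running)" > out
            infix = 1; count++
        }
        infix { print > out }                             # includes both markers
        /^# END fix for / { close(out); infix = 0 }
        END { print count + 0 }
    ' "$1"
}

# Constructed sample in the generated-script format (not real USG output).
make_sample_fix() {
    cat > "$1" <<'EOF'
#!/bin/bash
###############################################################################
# BEGIN fix (1 / 2) for 'xccdf_org.ssgproject.content_rule_package_aide_installed'
###############################################################################
(>&2 echo "Remediating rule 1/2: 'xccdf_org.ssgproject.content_rule_package_aide_installed'")
apt-get install -y aide
# END fix for 'xccdf_org.ssgproject.content_rule_package_aide_installed'

###############################################################################
# BEGIN fix (2 / 2) for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout'
###############################################################################
(>&2 echo "Remediating rule 2/2: 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout'")
sed -i 's/^#*ClientAliveInterval.*/ClientAliveInterval 300/' /etc/ssh/sshd_config
# END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout'
EOF
}
```

Run `split_fix_script fix.sh parts` against the real generated script and then inspect and apply the files under parts/ one at a time.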
Additional resources
See the Ubuntu Security Guide.