Hardening Ubuntu with CIS benchmarks

Hardening Ubuntu Pro 22.04 with CIS Benchmarks

This article will go through the basics of hardening a Ubuntu Pro 22.04 server using the CIS Benchmarks. As per Ubuntu documentation: Security Technical Implementation Guides like the CIS benchmark or DISA-STIG have hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that greatly improves the usability of hardening and auditing, and allows for environment-specific customizations. 

Ubuntu Pro is a requirement obviously, and if you don’t have it already, you can get it for free for private use from the Ubuntu site. For the current example, we are already running on a Ubuntu Pro image on AWS EC2.

Install the UA client

You need to install the UA client if missing. On the AWS EC2 instance, this is already installed.

sudo apt update
sudo apt install ubuntu-advantage-tools

Attach your UA token to the server

You need to run the following command to check if your subscription is active.

sudo ua status

If not, you need to add your Ubuntu Advantage Token from the Advantage Dashboard to your server. In the case of EC2 instance of Ubuntu Pro, this is already active.

sudo ua attach <your_ua_token>

Enable USG

Run the following command to see the USG service and its status:

ua status --all

You should see something similar to:

Enable the CIS benchmarks:

sudo ua enable cis

Install the USG client:

sudo apt install usg

Run your CIS security audit

The following command will run the security audit and generate the relevant output file:

sudo usg audit cis_level1_server

In addition to “cis_level1_server” you have the following profiles available: cis_level1_workstation, cis_level2_workstation, and cis_level2_server. See this page for details.

Open the generated HTML file to see the results of the audit and individual recommendations for the items that are marked as failed.

You can find here a sample report just to see how it looks like. Be nice and don’t hack the server.


I would suggest that each item needs to be considered on its own merit and the remedy applied accordingly. Applying the remedies as a all-in-one solution is possible but may have critical consequences which may result in breaking your system or disabling your access to it.

However, according to Ubuntu, you can generate a bash script that will apply the necessary changes. The following command generates that script, which you can then run to apply the changes.

sudo usg generate-fix <PROFILE> --output fix.sh

Additional resources

See the Ubuntu Security Guide.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share to...