Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Vineetha Kamath
on 9 April 2020

CIS hardened Ubuntu: cyber attack and malware prevention for mission-critical systems


The Center for Internet Security (CIS) is a nonprofit organisation that uses a community-driven process to release benchmarks to safeguard enterprises against cyber attacks. It is one of the most recognised industry standards that provides comprehensive secure configuration and configuration hardening checklists in a computing environment.

The CIS benchmark has hundreds of configuration recommendations, so hardening a system manually can be very tedious. For large deployments and clouds that may not be practically viable. To drastically improve this process for enterprises, Canonical has made CIS automation tooling available to its Ubuntu Advantage for Infrastructure customers. The compliance tooling has two objectives: it lets our customers harden their Ubuntu systems effortlessly and then quickly audit those systems against the published CIS Ubuntu benchmarks. The SCAP content for audit tooling that scans the system for compliance is CIS certified.

Applying CIS benchmarks

CIS benchmarks locks down your systems by removing non-secure programs, disabling unused filesystems, disabling unnecessary ports or services, auditing privileged operations and restricting administrative privileges. CIS benchmark recommendations are adopted in virtual machines in public and private clouds. They are also used to secure on-premises deployments. For some industries, hardening a system against a publicly known standard is a criteria auditors look for. CIS benchmarks are often a system hardening choice recommended by auditors for industries requiring PCI-DSS and HIPPA compliance, such as banking, telecommunications and healthcare.

Hardening and auditing done right

Canonical has actively worked with the CIS to draft operating system benchmarks for Ubuntu 16.04 LTS, 18.04 LTS and 20.04 LTS releases. The Ubuntu CIS benchmarks are organised into different profiles, namely ‘Level 1’ and ‘Level 2’ intended for server and workstation environments.  A Level 1 profile is intended to be a practical and prudent way to secure a system without too much performance impact. Disabling unneeded filesystems, restricting user permissions to files and directories, disabling unneeded services, configuring network firewalls are some examples of configuration changes recommended in a Level 1 profile. A Level 2 profile is used where security is considered very important and it may have a negative impact on the performance of the system.  Creating separate partitions, auditing privileged operations are some examples of configuration changes recommended in a Level 2 profile.

The Ubuntu CIS hardening tool allows customers to select the desired level of hardening against a profile (Level1 or Level 2) and the work environment (server or workstation) for a system. The audit tooling uses OpenSCAP libraries to do a scan of the system. Both audit scanning and hardening are executed using a profile. The tool provides options to generate a report in XML or a html format. The report shows compliance for all the rules against the profile selected during the scan. 

Start using the Ubuntu CIS automation tooling today

CIS automation tooling can be used in virtual machines, private and public clouds as well as on-premises and desktops. The tooling is available for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS with  Ubuntu Advantage for Infrastructure. To start using it now check out the CIS tooling instructions.

Related posts


Henry Coggill
2 August 2024

How Canonical enables PCI-DSS compliance

Security Article

Anyone who deals with online payments will have heard of PCI-DSS. The Payment Card Industry Data Security Standard is a comprehensive security control framework that is designed to keep payment card data safe from hackers and misuse. Merchants who accept debit or credit card payments (and service providers who process this information) wi ...


Lech Sandecki
26 October 2023

Running OpenSSL 1.1.1 after EOL? Stay secure with Ubuntu Pro.

Ubuntu Article

A few months ago, the OpenSSL Project announced the end of life of OpenSSL 1.1.1. It is used by thousands of software components included in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS, with many organisations relying on version 1.1.1. Rest assured that the Ubuntu security team will continue to maintain important security fixes in OpenSSL ...


Canonical
26 September 2023

CVE 우선순위 지정을 통한 오픈 소스 보안

Security Security

최근 연구에 따르면 엔터프라이즈 시장의 애플리케이션 중 96%가 오픈 소스 소프트웨어를 사용합니다. 오픈 소스 환경이 점점 더 세분화됨에 따라 조직에 대한 잠재적인 보안 취약점의 영향을 평가하는 작업이 엄청날 수 있습니다. 우분투는 가장 안전한 운영 체제 중 하나로 알려져 있습니다. 하지만 그 이유는 무엇일까요? 우분투 보안팀은 매일 알려진 취약점에 대해 업데이트된 소프트웨어 패키지를 수정하고 릴리스하기 때문에 ...