
How to Use CIS Benchmarks to Harden Ubuntu

By Admin · Mar 15, 2026 · Updated Apr 23, 2026

CIS (Center for Internet Security) Benchmarks are detailed, consensus-developed security configuration guides. Applying the CIS Ubuntu Linux Benchmark gives a server a documented, auditable hardening baseline; it does not by itself make the system secure, and each recommendation should be tested against the workload before it is enforced.

What Are CIS Benchmarks?

  • Comprehensive security configuration guides developed by a community of security practitioners and vendors, with an audit procedure and a remediation procedure for every recommendation
  • Two profiles: Level 1 (practical baseline, minimal functional impact) and Level 2 (defense in depth for high-security environments; may reduce functionality)
  • Available for Ubuntu, RHEL, Debian and most major platforms; a separate benchmark is published per Ubuntu LTS release, so use the one matching your version
  • Referenced by compliance frameworks (PCI DSS, SOC 2, HIPAA) as an accepted hardening standard

Automated Auditing with Lynis

# Lynis is a general-purpose hardening auditor, not a CIS assessment tool: many of its tests
# overlap with CIS items, but its hardening index is not a CIS compliance score. For an actual
# benchmark assessment use CIS-CAT (from CIS) or, on Ubuntu Pro, the Ubuntu Security Guide (usg).
# Lynis is still a quick, free first pass.
sudo apt install lynis
sudo lynis audit system

# Review the hardening index (0-100). It depends on the Lynis version and the installed packages,
# so treat it as a relative progress indicator: a stock Ubuntu install typically scores in the
# 55-65 range and a hardened host 80 or above.

# List findings with their test IDs (the report file is readable by root only)
sudo grep -E '^(warning|suggestion)\[\]=' /var/log/lynis-report.dat

# Explain one finding
sudo lynis show details <TEST-ID>
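The report file Lynis writes is line-oriented key=value text; findings are stored as suggestion[]= and warning[]= entries whose fields (test ID, message, details, solution) are separated by |. The following script is an added example written for this article, not part of Lynis: it extracts the index and the findings from that file and compares two reports so you can see which findings a hardening pass actually closed. The function names and the sample report used below are the editor's own constructions.

```bash
#!/usr/bin/env bash
# lynis_report.sh: summarise and compare Lynis report files.
# Added example for this article, not Lynis tooling. Reads the format of
# /var/log/lynis-report.dat:
#   hardening_index=65
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|

# Print the hardening index (0-100); fails if the report has none.
lynis_index() {   # <report file>
    sed -n 's/^hardening_index=//p' "$1" | grep .
}

# Print "KIND  TEST-ID  message" for each warning and suggestion, in report
# order, so the IDs can be fed to "lynis show details <TEST-ID>".
lynis_findings() {   # <report file>
    awk -F'|' '
        /^warning\[\]=/    { sub(/^warning\[\]=/, "", $1);    print "WARNING    " $1 "  " $2 }
        /^suggestion\[\]=/ { sub(/^suggestion\[\]=/, "", $1); print "SUGGESTION " $1 "  " $2 }
    ' "$1"
}

# Number of findings of one kind (warning or suggestion) in a report.
lynis_count() {   # <warning|suggestion> <report file>
    grep -c "^$1\[\]=" "$2"
}

# Sorted, de-duplicated test IDs of all findings in a report.
lynis_ids() {   # <report file>
    grep -Eo '^(warning|suggestion)\[\]=[A-Z]+-[0-9]+' "$1" | cut -d= -f2 | sort -u
}

# IDs present in <before> but absent from <after>: the findings a hardening
# pass actually closed (a rising index alone does not tell you which ones).
lynis_resolved() {   # <before report> <after report>
    local after
    after=$(mktemp)
    lynis_ids "$2" > "$after"
    lynis_ids "$1" | grep -vxF -f "$after"
    rm -f "$after"
}

# Usage: lynis_report.sh <report file>   (root is needed to read the live report)
if [ -n "${1:-}" ]; then
    printf 'hardening index: %s\n' "$(lynis_index "$1")"
    lynis_findings "$1"
fi
```

Keep a copy of the report before hardening (sudo cp /var/log/lynis-report.dat ~/before.dat), run the audit again afterwards, and lynis_resolved ~/before.dat /var/log/lynis-report.dat lists exactly which test IDs the changes cleared.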

Key CIS Benchmark Categories

1. Filesystem Configuration

# 1.1 Disable unused filesystem kernel modules (CIS also lists freevxfs, jffs2, hfs, hfsplus, usb-storage).
# Caveats: snapd needs squashfs (every snap is a squashfs image) and Azure provisioning media is UDF,
# so only disable those two where the workload confirms they are unused.
for mod in cramfs squashfs udf; do
    printf 'install %s /bin/false\nblacklist %s\n' "$mod" "$mod" | sudo tee /etc/modprobe.d/"$mod".conf
    sudo modprobe -r "$mod" 2>/dev/null   # install= only blocks future loads; unload it if already loaded
done
# Verify: "modprobe -n -v cramfs" should print "install /bin/false" and lsmod should not list the module

# 1.2 Mount /tmp as tmpfs with nodev, nosuid, noexec (the same options belong on /dev/shm)
# In /etc/fstab:
# tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0
sudo systemctl daemon-reload
sudo mount /tmp                    # use "mount -o remount /tmp" if /tmp is already a separate mount
findmnt -n -o OPTIONS /tmp         # must list nodev,nosuid,noexec
# Caveat: noexec on /tmp breaks installers that unpack and run helpers there; test package
# installs and any vendor install scripts before enforcing it.

# 1.3 Set the sticky bit on world-writable directories so only a file's owner can remove it.
# -xdev stops at filesystem boundaries, so run the scan per mounted local filesystem (as the
# CIS audit procedure does) and as root. The xargs placeholder is MP, not {}, so that the
# find -exec {} below is left intact.
df --local -P | awk 'NR>1 {print $6}' | xargs -I MP sudo find MP -xdev -type d -perm -0002 ! -perm -1000 -exec chmod a+t {} \;

2. Services

# Disable unnecessary services. "disable" alone is not enough for socket-activated units:
# avahi-daemon.socket, cups.socket and rpcbind.socket would start the daemon again on the first
# connection, so stop and mask the service together with its socket (CIS prefers purging the package).
sudo systemctl --now mask avahi-daemon.service avahi-daemon.socket
sudo systemctl --now mask cups.service cups.socket cups.path
sudo systemctl --now mask rpcbind.service rpcbind.socket
# or remove them entirely: sudo apt purge avahi-daemon cups rpcbind

# Remove client packages that have no place on a server (CIS also lists nis and ldap-utils)
sudo apt purge telnet rsh-client talk
dpkg -l telnet rsh-client talk 2>&1 | grep -E '^(ii|dpkg-query)'   # nothing should show "ii" (installed)

3. Network Configuration

# Write the CIS network settings to a dedicated drop-in. Caveat: net.ipv4.ip_forward=0 breaks
# Docker, Kubernetes and VPN gateways; keep forwarding on (and document why) on hosts that route.
sudo tee /etc/sysctl.d/60-cis-network.conf <<'EOF'
# IP forwarding off unless the host is a router
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Neither send nor accept ICMP redirects (route manipulation)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Resist SYN floods
net.ipv4.tcp_syncookies = 1
# Log packets with impossible source addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF

# Apply the whole sysctl.d set, not just this file: a later-sorted file (99-*.conf) or
# /etc/sysctl.conf overrides 60-cis-network.conf, and --system shows what wins. Then flush
# the route cache so already-accepted redirects are dropped, and check the running values.
sudo sysctl --system
sudo sysctl -w net.ipv4.route.flush=1
sysctl net.ipv4.ip_forward net.ipv4.conf.all.accept_redirects net.ipv4.tcp_syncookies

4. Logging and Auditing

# Install and enable auditd (audispd-plugins adds dispatcher plugins such as remote syslog)
sudo apt install auditd audispd-plugins
sudo systemctl enable --now auditd

# Add key audit rules. "sudo cat >> file" fails: the redirect is opened by the unprivileged
# shell, not by sudo. Write with tee instead, e.g. the CIS rules that record changes to sudo scope:
sudo tee -a /etc/audit/rules.d/cis.rules <<'EOF'
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
EOF
sudo augenrules --load   # merge rules.d into /etc/audit/audit.rules and load them into the kernel
sudo auditctl -l         # verify the rules are active
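To confirm the items above took effect, and to catch later drift (another tool dropping a 99-*.conf into /etc/sysctl.d that silently overrides 60-cis-network.conf is a classic), the following script audits sections 1 to 4 from the configuration files. It is an added example written for this article, not a CIS tool and not part of the page's original content; the function names are the editor's own, every check accepts an optional path so it runs against a mounted image tree or a test fixture as well as the live host, and the sysctl resolver is a simplified model of sysctl --system (it reads /etc/sysctl.d/*.conf in name order and then /etc/sysctl.conf, and ignores /run and /usr/lib).

```bash
#!/usr/bin/env bash
# cis_check.sh: file-based audit of the CIS items configured in sections 1-4.
# Added example for this article (editor's own code, not a CIS tool). Default
# paths are the live ones; each function takes an alternative path last.
# Exit status 0 = pass, non-zero = fail.

# 1.1: module disabled via "install <mod> /bin/true|/bin/false" in modprobe.d.
check_module_disabled() {          # <module> [modprobe.d dir]
    local mod=$1 dir=${2:-/etc/modprobe.d}
    grep -Eqs -- "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)" "$dir"/*.conf
}

# 1.2: the fstab entry for <mountpoint> carries every option in <opt,opt,...>.
check_fstab_opts() {               # <mountpoint> <options> [fstab]
    local mnt=$1 want=$2 fstab=${3:-/etc/fstab} have opt
    have=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab" | tail -n1)
    [ -n "$have" ] || return 1
    for opt in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$have," in *",$opt,"*) ;; *) return 1 ;; esac
    done
}

# 1.3: world-writable directories without the sticky bit under <root>
# (same test as the CIS audit; run once per local filesystem because of -xdev).
find_unsticky_worldwritable() {    # [root]
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# 3: the value sysctl --system would leave for <key>. /etc/sysctl.d/*.conf are
# applied in name order and /etc/sysctl.conf last, so the last assignment wins.
# Simplified model: /run/sysctl.d and /usr/lib/sysctl.d are not consulted.
effective_sysctl() {               # <key> [etc dir]
    local key=$1 etc=${2:-/etc} f v val=""
    for f in "$etc"/sysctl.d/*.conf "$etc"/sysctl.conf; do
        [ -r "$f" ] || continue
        v=$(awk -F= -v k="$key" '
            $1 !~ /^[[:space:]]*[#;]/ {
                gsub(/[[:space:]]/, "", $1)
                if ($1 == k) { sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2); val = $2 }
            }
            END { print val }' "$f")
        [ -n "$v" ] && val=$v
    done
    [ -n "$val" ] && printf '%s\n' "$val"
}

check_sysctl() {                   # <key> <expected> [etc dir]
    [ "$(effective_sysctl "$1" "${3:-/etc}")" = "$2" ]
}

# 2: a unit is neutralised only when masked (or not installed at all);
# "disabled" still lets its companion .socket start it on demand.
check_unit_masked() {              # <unit>
    local state
    state=$(systemctl is-enabled "$1" 2>/dev/null)
    [ -z "$state" ] || [ "${state%%-*}" = masked ]
}

# 4: an exact audit rule line exists in rules.d.
check_audit_rule() {               # <rule line> [rules.d dir]
    grep -Fqsx -- "$1" "${2:-/etc/audit/rules.d}"/*.rules
}

report() { if "$@"; then echo "PASS  $*"; else echo "FAIL  $*"; fi; }

run_audit() {                      # audit the live host with the default paths
    local m u
    for m in cramfs squashfs udf; do report check_module_disabled "$m"; done
    report check_fstab_opts /tmp nodev,nosuid,noexec
    echo "world-writable directories without sticky bit:"; find_unsticky_worldwritable /
    report check_sysctl net.ipv4.ip_forward 0
    report check_sysctl net.ipv4.conf.all.accept_redirects 0
    report check_sysctl net.ipv4.tcp_syncookies 1
    report check_sysctl net.ipv4.conf.all.log_martians 1
    for u in avahi-daemon.socket cups.socket rpcbind.socket; do report check_unit_masked "$u"; done
    report check_audit_rule '-w /etc/sudoers -p wa -k scope'
}

case ${1:-} in audit) run_audit ;; esac
```

Run it as sudo bash cis_check.sh audit on the host; in a CI job, source the file and call the individual checks against an extracted image tree. The config-file view is deliberately separate from the running state: a PASS from check_sysctl with a FAIL from sysctl -n on the same key means the file is right but was never applied (or a process changed the value at runtime), which is exactly the drift a benchmark scan is supposed to surface.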
