CIS Level 2 - Linux Guidelines

For more details about Center for Internet Security (CIS) please refer to this document.

Instruction steps

Install the UA client

bash
    
 
sudo apt updatesudo apt install ubuntu-advantage-tools
Copy

Set up the Ubuntu Security Guide

Bash
    
 
sudo ua enable usgsudo apt install usg
Copy

Check SCAP Content Overview (Security Content Automation Protocol)

Bash
    
 
sudo oscap info /usr/share/ubuntu-scap-security-guides/1/benchmarks/ssg-ubuntu2204-ds.xml
Copy

Auditing an Ubuntu System for DISA-STIG Compliance

Bash
    
 
sudo usg audit cis_level2_server
Copy

The report is generated in /var/lib/usg/

Applying the CIS rules to a set of systems

There are 2 ways to apply CIS rules.

Method 1: directly using usg command - recommend

Bash
    
 
sudo usg fix cis_level2_server
Copy

Method 2: using usg to generate a script and then run the script

Bash
    
 
sudo usg generate-fix cis_level2_server --output fix.sh#And then run./fix.sh
Copy

Notes:

A reboot is required to take effect after applying the fix.
CIS Level 2 requires /tmp folder to be mounted in a separate partition. Please ensure that the new partition has enough disk space for MetaDefender Core to run.

Running fix for Ubuntu 24.04

When generating the fix script in Ubuntu 24.04, there will be 2 rules (in the generated script - fix.sh) that change the permission and owner of the folder /var/log:

#240: xccdf_org.ssgproject.content_rule_file_groupownerships_var_log

#255: xccdf_org.ssgproject.content_rule_file_ownerships_var_log

These 2 rules will change the permission and owner of the product log also var/log/ometascan .

To prevent this, before running the fix script, the user needs to add metascan group, for example, with rule #240.

Bash
    
 
group="root"find -L /var/log/ -type f -regextype posix-extended \    ! -group root ! -group adm ! -group metascan  \    ! -name 'gdm' ! -name 'gdm3' \    ! -name 'sssd' ! -name 'SSSD' \    ! -name 'auth.log' \    ! -name 'messages' \    ! -name 'syslog' \    ! -path '/var/log/apt/*' \    ! -path '/var/log/gdm/*' \    ! -path '/var/log/gdm3/*' \    ! -path '/var/log/sssd/*' \    ! -path '/var/log/[bw]tmp*' \    ! -path '/var/log/cloud-init.log*' \    ! -regex '.*\.journal[~]?' \    ! -regex '.*/lastlog(\.[^\/]+)?$' \    ! -regex '.*/localmessages(.*)' \    ! -regex '.*/secure(.*)' \    ! -regex '.*/waagent.log(.*)' \    -regex '.*' -exec chgrp $group {} \;
Copy

Also do the same with rule #255 to prevent update permission and the owner of var/log/ometascan

Last updated on

Was this page helpful?