CIS Level 2 Guidelines

Support Ubuntu Pro 22.04, 24.04

For more details about Center for Internet Security (CIS) please refer to this document.

Instruction steps

Install the UA client

sudo apt update sudo apt install ubuntu-advantage-tools

Set up the Ubuntu Security Guide

sudo ua enable usg sudo apt install usg

Check SCAP Content Overview (Security Content Automation Protocol)

sudo oscap info /usr/share/ubuntu-scap-security-guides/1/benchmarks/ssg-ubuntu2204-ds.xml

Auditing an Ubuntu System for DISA-STIG compliance

sudo usg audit cis_level2_server

The report is generated in /var/lib/usg/

Applying the CIS rules to a set of systems

There are 2 ways that apply CIS rules

Method 1: directly using usg command - recommend

sudo usg fix cis_level2_server

Method 2: using usg to generate script and then run the script

sudo usg generate-fix cis_level2_server --output fix.sh #And the run ./fix.sh

A reboot is require to take the effect after apply the fix.

Notes

  • CIS Level 2 requires /tmp folder to be mounted in a separate partition. Please ensure that that new partition have enough disk space for MetaDefender Core to run.

Running fix for Ubuntu 24.04

When generate the fix script in Ubuntu 24.04, there will be 2 rules (in the generated script - fix.sh) that change permission and owner of the folder /var/log:

#240: xccdf_org.ssgproject.content_rule_file_groupownerships_var_log

#255: xccdf_org.ssgproject.content_rule_file_ownerships_var_log

These 2 rules will change the permission and owner of product log also var/log/ometascan

So to prevent this, before running the fix script, user need to add metascan group, for example with rule #240

group="root" find -L /var/log/ -type f -regextype posix-extended \ ! -group root ! -group adm ! -group metascan \ ! -name 'gdm' ! -name 'gdm3' \ ! -name 'sssd' ! -name 'SSSD' \ ! -name 'auth.log' \ ! -name 'messages' \ ! -name 'syslog' \ ! -path '/var/log/apt/*' \ ! -path '/var/log/gdm/*' \ ! -path '/var/log/gdm3/*' \ ! -path '/var/log/sssd/*' \ ! -path '/var/log/[bw]tmp*' \ ! -path '/var/log/cloud-init.log*' \ ! -regex '.*\.journal[~]?' \ ! -regex '.*/lastlog(\.[^\/]+)?$' \ ! -regex '.*/localmessages(.*)' \ ! -regex '.*/secure(.*)' \ ! -regex '.*/waagent.log(.*)' \ -regex '.*' -exec chgrp $group {} \;
  • Please also do the same with rule #255 to prevent update permission and owner of var/log/ometascan