Installation
v5.15.1
CIS Level 2 Guidelines
For more details about the Center for Internet Security (CIS), please refer to this document.
Instruction steps

Install the UA client

```bash
sudo apt update
sudo apt install ubuntu-advantage-tools
```

Set up the Ubuntu Security Guide

```bash
sudo ua enable usg
sudo apt install usg
```

Check SCAP Content Overview (Security Content Automation Protocol)

```bash
sudo oscap info /usr/share/ubuntu-scap-security-guides/1/benchmarks/ssg-ubuntu2204-ds.xml
```

Auditing an Ubuntu System for DISA-STIG compliance

```bash
sudo usg audit cis_level2_server
```

The report is generated in /var/lib/usg/

Applying the CIS rules to a set of systems

There are two ways to apply the CIS rules.

Method 1: use the usg command directly (recommended)

```bash
sudo usg fix cis_level2_server
```

Method 2: use usg to generate a script, then run the script

```bash
sudo usg generate-fix cis_level2_server --output fix.sh
# And then run
./fix.sh
```

A reboot is required for the fix to take effect.
Notes
- CIS Level 2 requires the /tmp folder to be mounted on a separate partition. Please ensure that the new partition has enough disk space for MetaDefender Core to run.
Running fix for Ubuntu 24.04

When you generate the fix script on Ubuntu 24.04, two rules in the generated script (fix.sh) change the permissions and owner of the /var/log folder:

#240: xccdf_org.ssgproject.content_rule_file_groupownerships_var_log
#255: xccdf_org.ssgproject.content_rule_file_ownerships_var_log

These two rules also change the permissions and owner of the product log folder, /var/log/ometascan.
To prevent this, before running the fix script, add the metascan group to the rule. For example, for rule #240:

```bash
group="root"
find -L /var/log/ -type f -regextype posix-extended \
    ! -group root ! -group adm ! -group metascan \
    ! -name 'gdm' ! -name 'gdm3' \
    ! -name 'sssd' ! -name 'SSSD' \
    ! -name 'auth.log' \
    ! -name 'messages' \
    ! -name 'syslog' \
    ! -path '/var/log/apt/*' \
    ! -path '/var/log/gdm/*' \
    ! -path '/var/log/gdm3/*' \
    ! -path '/var/log/sssd/*' \
    ! -path '/var/log/[bw]tmp*' \
    ! -path '/var/log/cloud-init.log*' \
    ! -regex '.*\.journal[~]?' \
    ! -regex '.*/lastlog(\.[^\/]+)?$' \
    ! -regex '.*/localmessages(.*)' \
    ! -regex '.*/secure(.*)' \
    ! -regex '.*/waagent.log(.*)' \
    -regex '.*' -exec chgrp $group {} \;
```

- Please also do the same for rule #255 to prevent it from updating the permissions and owner of /var/log/ometascan.
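One way to confirm that the edited rules left the product logs untouched, as an added example that is not part of the original page: record owner, group and mode under /var/log/ometascan before running fix.sh and compare afterwards. The script name, function names and snapshot file names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the product documentation).
# Assumed usage, with this file saved under the hypothetical name logperm.sh:
#   sudo ./logperm.sh snapshot > before.txt
#   ./fix.sh        # then reboot
#   sudo ./logperm.sh snapshot > after.txt
#   ./logperm.sh compare before.txt after.txt

# Product log folder named on this page; override with LOG_DIR if needed.
LOG_DIR="${LOG_DIR:-/var/log/ometascan}"

# Print "owner:group mode path" for the directory and everything below it.
# Sorted by path so two snapshots can be compared line by line.
snapshot_ownership() {
    local dir="$1"
    find "$dir" -exec stat -c '%U:%G %a %n' {} + | sort -k3
}

# Compare two snapshot files. Returns 0 when they are identical; otherwise
# prints the differing entries to stderr ("<" = before, ">" = after) and
# returns 1.
compare_ownership() {
    local before="$1" after="$2" changes
    changes=$(diff "$before" "$after" | grep -E '^[<>]' || true)
    if [ -z "$changes" ]; then
        return 0
    fi
    printf 'Owner, group or mode changed:\n%s\n' "$changes" >&2
    return 1
}

# Dispatch only when a subcommand is given, so the functions can be sourced.
case "${1:-}" in
    snapshot) snapshot_ownership "${2:-$LOG_DIR}" ;;
    compare)  compare_ownership "$2" "$3" ;;
esac
```

A non-zero exit from the compare step means rule #240 or #255 still reached the product logs and the exclusion should be rechecked in fix.sh.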