Hardened Ubuntu

Updated: 2024, May 11th

Connecting to the system

The default user is ubuntu. For the SSH key, use the ecdsa algorithm rather than rsa, which is deprecated in almost all Linux distributions.

Protection / Security profile

The following CIS rules are applied on the system (the post-scan audit file can be found in /opt/):

  • 1.1.1.1 | Ensure mounting of cramfs filesystems is disabled
  • 1.1.1.3 | Ensure mounting of squashfs filesystems is disabled
  • 1.1.1.3 | Ensure mounting of udf filesystems is disabled
  • 1.1.10 | Ensure mounting of usb-storage is disabled
  • 1.1.8.1 | Ensure nodev option set on /dev/shm partition | fstab config
  • 1.1.8.1 | Ensure nodev option set on /var/log/audit partition
  • 1.1.8.2 | Ensure noexec option set on /var/log/audit partition
  • 1.1.8.3 | Ensure nosuid option set on /var/log/audit partition
  • 1.1.8.2 | Ensure noexec option set on /dev/shm partition | fstab config
  • 1.1.8.3 | Ensure nosuid option set on /dev/shm partition | fstab config
  • 1.1.9 | Disable Automounting
  • 1.3.1 | Ensure AIDE is installed | aide pkg
  • 1.3.1 | Ensure AIDE is installed | aide-common pkg
  • 1.3.2 | L1 | Ensure filesystem integrity is regularly checked | aide cron
  • 1.4.2 | Ensure permissions on bootloader config are configured
  • 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_configured
  • 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_live
  • 1.5.2 | Ensure prelink is not installed
  • 1.5.3 | Ensure Automatic Error Reporting is not enabled | Package
  • 1.5.3 | Ensure Automatic Error Reporting is not enabled | disabled
  • 1.6.1.1 | Ensure AppArmor is installed
  • 1.6.1.2 | Ensure AppArmor is enabled in the bootloader configuration | default grub
  • 1.6.1.2 | Ensure AppArmor is enabled in the bootloader configuration | running grub
  • 1.6.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode | profile
  • 1.7.2 | Ensure local login warning banner is configured properly
  • 1.7.3 | Ensure remote login warning banner is configured properly
  • 1.7.5 | Ensure permissions on /etc/issue are configured
  • 1.7.6 | Ensure permissions on /etc/issue.net are configured
  • 1.8.1 | Ensure GNOME Display Manager is removed
  • 2.1.1.1 | Ensure a single time synchronization daemon is in use
  • 2.1.1.1 | Ensure time synchronization is in use | timesyncd masked
  • 2.1.4.1 | Ensure ntp access control is configured
  • 2.1.4.2 | Ensure ntp is configured with authorized timeserver
  • 2.1.4.4 | Ensure ntp is enabled and running
  • 2.2.1 | Ensure X Window System is not installed
  • 2.2.10 | Ensure IMAP and POP3 server are not installed | imap
  • 2.2.10 | Ensure IMAP and POP3 server are not installed | pop3d
  • 2.2.11 | Ensure samba Server is not installed
  • 2.2.12 | Ensure HTTP Proxy Server is not installed
  • 2.2.13 | Ensure SNMP Server is not installed
  • 2.2.14 | Ensure NIS Server is not installed
  • 2.2.15 | Ensure mail transfer agent is configured for local-only mode | port listening
  • 2.2.2 | Ensure Avahi Server is not installed
  • 2.2.3 | Ensure CUPS Server is not installed
  • 2.2.4 | Ensure DHCP Server is not installed
  • 2.2.5 | Ensure LDAP Server is not installed
  • 2.2.6 | Ensure NFS is not installed
  • 2.2.7 | Ensure DNS Server is not installed
  • 2.2.8 | Ensure FTP Server is not installed
  • 2.2.9 | Ensure HTTP Server is not installed
  • 2.3.1 | Ensure NIS Client is not installed
  • 2.3.2 | Ensure rsh client is not installed
  • 2.3.3 | Ensure talk client is not installed
  • 2.3.4 | Ensure telnet client is not installed
  • 2.3.5 | Ensure LDAP client is not installed
  • 2.3.6 | Ensure RPC is not installed
  • 2.4 | Ensure nonessential services are removed or masked
  • 3.1.1 | Disable IPv6 | default grub
  • 3.1.1 | Disable IPv6 | via grub boot
  • 3.1.2 | Ensure wireless interfaces are disabled
  • 3.2.1 | Ensure packet redirect sending is disabled | all send_redirect config
  • 3.2.1 | Ensure packet redirect sending is disabled | all send_redirect
  • 3.2.1 | Ensure packet redirect sending is disabled | default send_redirect config
  • 3.2.1 | Ensure packet redirect sending is disabled | default send_redirects
  • 3.2.2 | Ensure IP forwarding is disabled | IPv4 config
  • 3.2.2 | Ensure IP forwarding is disabled | IPv4
  • 3.3.1 | Ensure source routed packets are not accepted | IPv4 all source routed conf
  • 3.3.1 | Ensure source routed packets are not accepted | IPv4 all source routed
  • 3.3.1 | Ensure source routed packets are not accepted | IPv4 default source routed conf
  • 3.3.1 | Ensure source routed packets are not accepted | IPv4 default source routed
  • 3.3.2 | Ensure ICMP redirects are not accepted | ipv4 all icmp redirects conf
  • 3.3.2 | Ensure ICMP redirects are not accepted | ipv4 all icmp redirects
  • 3.3.2 | Ensure ICMP redirects are not accepted | ipv4 def icmp redirects conf
  • 3.3.2 | Ensure ICMP redirects are not accepted | ipv4 default icmp redirects
  • 3.3.3 | Ensure secure ICMP redirects are not accepted | ipv4 all def redirects conf
  • 3.3.3 | Ensure secure ICMP redirects are not accepted | ipv4 all sec redirects conf
  • 3.3.3 | Ensure secure ICMP redirects are not accepted | ipv4 all sec redirects
  • 3.3.3 | Ensure secure ICMP redirects are not accepted | ipv4 def sec redirects
  • 3.3.4 | Ensure suspicious packets are logged | ipv4 all martians conf
  • 3.3.4 | Ensure suspicious packets are logged | ipv4 all martians
  • 3.3.4 | Ensure suspicious packets are logged | ipv4 default martians conf
  • 3.3.4 | Ensure suspicious packets are logged | ipv4 default martians
  • 3.3.5 | Ensure broadcast ICMP requests are ignored | ipv4 ignore broadcast icmp conf
  • 3.3.5 | Ensure broadcast ICMP requests are ignored | ipv4 ignore broadcast icmp
  • 3.3.6 | Ensure bogus ICMP responses are ignored | ignore bogus icmp conf
  • 3.3.6 | Ensure bogus ICMP responses are ignored | ignore bogus icmp
  • 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 all rp_filter conf
  • 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 all rp_filter
  • 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 def rp_filter conf
  • 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 default rp_filter
  • 3.3.8 | Ensure TCP SYN Cookies is enabled | ipv4 syncookies conf
  • 3.3.8 | Ensure TCP SYN Cookies is enabled | ipv4 syncookies
  • 3.4.1 | Ensure DCCP is disabled | DCCP config
  • 3.4.1 | Ensure DCCP is disabled | running dccp
  • 3.4.2 | Ensure SCTP is disabled | running sctp
  • 3.4.2 | Ensure SCTP is disabled | sctp config
  • 3.4.3 | Ensure RDS is disabled | rds config
  • 3.4.3 | Ensure RDS is disabled | running rds
  • 3.4.4 | Ensure TIPC is disabled | running tipc
  • 3.4.4 | Ensure TIPC is disabled | tipc config
  • 3.5.1.1 | Ensure ufw is installed
  • 3.5.1.2 | Ensure iptables-persistent is not installed with ufw
  • 3.5.1.3 | Ensure ufw service is enabled
  • 3.5.1.5 | Ensure ufw outbound connections are configured | Manual
  • 3.5.1.7 | Ensure ufw default deny firewall policy
  • 4.1.1.1 | Ensure auditd is installed | audispd-plugins pkg
  • 4.1.1.1 | Ensure auditd is installed | auditd pkg
  • 4.1.1.2 | Ensure auditd service is enabled and running
  • 4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled | bootloader file
  • 4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled | default grub
  • 4.1.1.4 | Ensure audit_backlog_limit is sufficient | bootloader file
  • 4.1.1.4 | Ensure audit_backlog_limit is sufficient | default grub
  • 4.1.2.1 | Ensure audit log storage size is configured
  • 4.1.2.2 | Ensure audit logs are not automatically deleted
  • 4.1.2.3 | Ensure system is disabled when audit logs are full
  • 4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected | Config
  • 4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected | Live
  • 4.1.3.1 | Ensure successful file system mounts are collected | Config
  • 4.1.3.10 | Ensure successful file system mounts are collected | Live
  • 4.1.3.11 | Ensure session initiation information is collected | Config
  • 4.1.3.11 | Ensure session initiation information is collected | Live
  • 4.1.3.13 | Ensure file deletion events by users are collected | Config
  • 4.1.3.13 | Ensure file deletion events by users are collected | Live
  • 4.1.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected | Config
  • 4.1.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | Config
  • 4.1.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | Live
  • 4.1.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | Config
  • 4.1.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | Live
  • 4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | Config
  • 4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | Live
  • 4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | Config
  • 4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | Live
  • 4.1.3.19 | Ensure kernel module loading and unloading is collected | Config
  • 4.1.3.19 | Ensure kernel module loading and unloading is collected | Live
  • 4.1.3.20 | Ensure the audit configuration is immutable
  • 4.1.3.21 | Ensure the audit configuration is immutable
  • 4.1.3.4 | Ensure events that modify date and time information are collected | Config
  • 4.1.3.4 | Ensure events that modify date and time information are collected | Live
  • 4.1.3.5 | Ensure events that modify the system's network environment are collected | Config
  • 4.1.3.5 | Ensure events that modify the system's network environment are collected | Live
  • 4.1.3.6 | Ensure use of privileged commands is collected | Config
  • 4.1.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | Config
  • 4.1.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | Live
  • 4.1.3.8 | Ensure events that modify user/group information are collected | Config
  • 4.1.3.8 | Ensure events that modify user/group information are collected | Live
  • 4.1.3.9 | Ensure discretionary access control permission modification events are collected | Config
  • 4.1.3.9 | Ensure discretionary access control permission modification events are collected | Live
  • 4.1.4.1 | Ensure audit log files are mode 0640 or less permissive
  • 4.1.4.10 | Ensure audit tools belong to group root
  • 4.1.4.11 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools
  • 4.1.4.2 | Ensure only authorized users own audit log files
  • 4.1.4.3 | Ensure only authorized groups are assigned ownership of audit log files
  • 4.1.4.4 | Ensure the audit log directory is 0750 or more restrictive
  • 4.1.4.5 | Ensure audit configuration files are 640 or more restrictive
  • 4.1.4.6 | Ensure audit configuration files are owned by root
  • 4.1.4.7 | Ensure audit configuration files belong to group root
  • 4.1.4.8 | Ensure audit tools are 755 or more restrictive
  • 4.1.4.9 | Ensure audit tools are owned by root
  • 4.1.6 | Ensure events that modify the system's Mandatory Access Controls are collected | Live
  • 4.2.2.1 | Ensure rsyslog is installed
  • 4.2.2.2 | Ensure rsyslog Service is enabled
  • 4.2.2.3 | Ensure journald is configured to send logs to rsyslog
  • 4.2.2.4 | Ensure rsyslog default file permissions configured
  • 4.2.2.6 | Ensure rsyslog is configured to send logs to a remote host
  • 5.1.1 | Ensure cron daemon is enabled and running | pkg
  • 5.1.1 | Ensure cron daemon is enabled and running | service
  • 5.1.2 | Ensure permissions on /etc/crontab are configured
  • 5.1.3 | Ensure permissions on /etc/cron.hourly are configured
  • 5.1.4 | Ensure permissions on /etc/cron.daily are configured
  • 5.1.5 | Ensure permissions on /etc/cron.weekly are configured
  • 5.1.6 | Ensure permissions on /etc/cron.monthly are configured
  • 5.1.7 | Ensure permissions on /etc/cron.d are configured
  • 5.1.8 | Ensure cron is restricted to authorized users
  • 5.1.9 | Ensure at is restricted to authorized users
  • 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured
  • 5.2.10 | Ensure SSH PermitUserEnvironment is disabled
  • 5.2.11 | Ensure SSH IgnoreRhosts is enabled
  • 5.2.12 | Ensure SSH X11 forwarding is disabled
  • 5.2.13 | Ensure only strong Ciphers are used
  • 5.2.14 | Ensure only strong MACs are used
  • 5.2.15 | Ensure only strong Key Exchange algorithms are used
  • 5.2.16 | Ensure SSH AllowTcpForwarding is disabled
  • 5.2.17 | Ensure SSH warning banner configured | conf.d banner settings
  • 5.2.17 | Ensure SSH warning banner configured | sshd_default
  • 5.2.18 | Ensure SSH MaxAuthTries is set to 4 or less
  • 5.2.19 | Ensure SSH MaxStartups is configured
  • 5.2.2 | Ensure permissions on SSH private host key files are configured | group
  • 5.2.2 | Ensure permissions on SSH private host key files are configured | perms
  • 5.2.2 | Ensure permissions on SSH private host key files are configured | user
  • 5.2.20 | Ensure SSH MaxSessions is limited
  • 5.2.21 | Ensure SSH LoginGraceTime is set to one minute or less
  • 5.2.22 | Ensure SSH Idle Timeout Interval is configured
  • 5.2.3 | Ensure permissions on SSH private host key files are configured | group
  • 5.2.3 | Ensure permissions on SSH private host key files are configured | perms
  • 5.2.3 | Ensure permissions on SSH public host key files are configured | user
  • 5.2.5 | Ensure SSH LogLevel is appropriate
  • 5.2.6 | Ensure SSH PAM is enabled
  • 5.2.7 | Ensure SSH root login is disabled
  • 5.2.8 | Ensure SSH HostbasedAuthentication is disabled
  • 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled
  • 5.3.1 | Ensure sudo is installed
  • 5.3.2 | Ensure sudo commands use pty | Config
  • 5.3.2 | Ensure sudo commands use pty | sudoers.d
  • 5.3.3 | Ensure sudo log file exists | sudoers.d
  • 5.3.5 | Ensure re-authentication for privilege escalation is not disabled globally
  • 5.4.4 | Ensure password hashing algorithm is up to date with the latest standards | common password
  • 5.5.1.1 | Ensure minimum days between password changes is configured
  • 5.5.1.2 | Ensure password expiration is 365 days or less | logins.def
  • 5.5.1.2 | Ensure password expiration is 365 days or less | user_check
  • 5.5.1.5 | Ensure all users last password change date is in the past
  • 5.5.2 | Ensure system accounts are secured
  • 5.5.3 | Ensure default group for the root account is GID 0
  • 5.5.4 | Ensure default user umask is 027 or more restrictive | /etc/pam.d/common-session
  • 5.5.4 | Ensure default user umask is 027 or more restrictive | profile_files
  • 5.5.5 | Ensure default user shell timeout is 900 seconds or less | profile.d
  • 6.1.1 | Ensure permissions on /etc/passwd are configured
  • 6.1.10 | Ensure no unowned files or directories exist
  • 6.1.11 | Ensure no ungrouped files or directories exist
  • 6.1.2 | Ensure permissions on /etc/passwd- are configured
  • 6.1.3 | Ensure permissions on /etc/group are configured
  • 6.1.4 | Ensure permissions on /etc/group- are configured
  • 6.1.5 | Ensure permissions on /etc/shadow are configured
  • 6.1.6 | Ensure permissions on /etc/shadow- are configured
  • 6.1.7 | Ensure permissions on /etc/gshadow are configured
  • 6.1.8 | Ensure permissions on /etc/gshadow- are configured
  • 6.1.9 | Ensure no world writable files exist
  • 6.2.1 | Ensure accounts in /etc/passwd use shadowed passwords
  • 6.2.10 | Ensure root is the only UID 0 account
  • 6.2.11 | Ensure all local interactive user home directories exist
  • 6.2.12 | Ensure local interactive users own their home directories
  • 6.2.13 | Ensure all local interactive user home directories permissions are 750 or more restrictive
  • 6.2.14 | Ensure no local interactive user has .netrc files
  • 6.2.15 | Ensure no users have .forward files
  • 6.2.16 | Ensure no users have .rhosts files
  • 6.2.17 | Ensure users dot files are not group or world writable
  • 6.2.2 | Ensure password fields are not empty
  • 6.2.3 | Ensure all groups in /etc/passwd exist in /etc/group
  • 6.2.4 | Ensure shadow group is empty
  • 6.2.5 | Ensure no duplicate UIDs exist
  • 6.2.6 | Ensure no duplicate GIDs exist
  • 6.2.7 | Ensure no duplicate user names exist
  • 6.2.8 | Ensure no duplicate group names exist
  • 6.2.9 | Ensure root PATH Integrity
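As an added example (not part of this page or of the image's own audit tooling), the shell function below verifies the sysctl-based controls from the list above (1.5.1, 3.2.1, 3.2.2 and 3.3.1 to 3.3.8) against the output of `sysctl -a` on the running host. The mapping from rule IDs to kernel parameters and the expected values are the CIS-recommended ones and are my assumption, not values read from the audit file in /opt/.

```sh
#!/bin/sh
# Added example: map the sysctl-based CIS rules listed above to the kernel
# parameter each one checks and the value CIS recommends (assumed mapping,
# not read from the image's audit file). Columns: parameter, expected, rule.
CIS_SYSCTL_EXPECTED='
kernel.randomize_va_space 2 1.5.1
net.ipv4.conf.all.send_redirects 0 3.2.1
net.ipv4.conf.default.send_redirects 0 3.2.1
net.ipv4.ip_forward 0 3.2.2
net.ipv4.conf.all.accept_source_route 0 3.3.1
net.ipv4.conf.default.accept_source_route 0 3.3.1
net.ipv4.conf.all.accept_redirects 0 3.3.2
net.ipv4.conf.default.accept_redirects 0 3.3.2
net.ipv4.conf.all.secure_redirects 0 3.3.3
net.ipv4.conf.default.secure_redirects 0 3.3.3
net.ipv4.conf.all.log_martians 1 3.3.4
net.ipv4.conf.default.log_martians 1 3.3.4
net.ipv4.icmp_echo_ignore_broadcasts 1 3.3.5
net.ipv4.icmp_ignore_bogus_error_responses 1 3.3.6
net.ipv4.conf.all.rp_filter 1 3.3.7
net.ipv4.conf.default.rp_filter 1 3.3.7
net.ipv4.tcp_syncookies 1 3.3.8
'

# cis_sysctl_check reads "key = value" lines (the format `sysctl -a` prints)
# from stdin, prints one FAIL line per parameter that is missing or differs
# from the expected value, and returns the number of failures (0 = compliant).
cis_sysctl_check() {
    actual=$(cat)                       # capture stdin once, search it per key
    fails=0
    while read -r key want rule; do
        [ -n "$key" ] || continue       # skip the blank lines of the table
        got=$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { print $3; exit }')
        if [ "$got" != "$want" ]; then
            echo "FAIL $rule $key expected=$want got=${got:-MISSING}"
            fails=$((fails + 1))
        fi
    done <<EOF
$CIS_SYSCTL_EXPECTED
EOF
    return "$fails"
}

# Live check on the hardened image (root is needed for a complete sysctl -a):
#   sudo sysctl -a 2>/dev/null | cis_sysctl_check
```

A non-zero exit status means at least one listed parameter drifted from the applied profile, so the function can be dropped into a cron job or a CI smoke test for freshly built images.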