Hardened Ubuntu
Updated: 2024, May 11th
Connecting to the system
The default user is ubuntu.
(For the SSH key, use the ECDSA algorithm rather than RSA, which is deprecated in almost all Linux distributions.)
Protection / Security profile
The following CIS rules are applied on the system (the audit file produced after the scan can be found in /opt/):
- 1.1.1.1 | Ensure mounting of cramfs filesystems is disabled
- 1.1.1.3 | Ensure mounting of squashfs filesystems is disabled
- 1.1.1.3 | Ensure mounting of udf filesystems is disabled
- 1.1.10 | Ensure mounting of usb-storage is disabled
- 1.1.8.1 | Ensure nodev option set on /dev/shm partition | fstab config
- 1.1.8.1 | Ensure nodev option set on /var/log/audit partition
- 1.1.8.2 | Ensure noexec option set on /var/log/audit partition
- 1.1.8.3 | Ensure nosuid option set on /var/log/audit partition
- 1.1.8.2 | Ensure noexec option set on /dev/shm partition | fstab config
- 1.1.8.3 | Ensure nosuid option set on /dev/shm partition | fstab config
- 1.1.9 | Disable Automounting
- 1.3.1 | Ensure AIDE is installed | aide pkg
- 1.3.1 | Ensure AIDE is installed | aide-common pkg
- 1.3.2 | L1 | Ensure filesystem integrity is regularly checked | aide cron
- 1.4.2 | Ensure permissions on bootloader config are configured
- 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_configured
- 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_live
- 1.5.2 | Ensure prelink is not installed
- 1.5.3 | Ensure Automatic Error Reporting is not enabled | Package
- 1.5.3 | Ensure Automatic Error Reporting is not enabled | disabled
- 1.6.1.1 | Ensure AppArmor is installed
- 1.6.1.2 | Ensure AppArmor is enabled in the bootloader configuration | default grub
- 1.6.1.2 | Ensure AppArmor is enabled in the bootloader configuration | running grub
- 1.6.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode | profile
- 1.7.2 | Ensure local login warning banner is configured properly
- 1.7.3 | Ensure remote login warning banner is configured properly
- 1.7.5 | Ensure permissions on /etc/issue are configured
- 1.7.6 | Ensure permissions on /etc/issue.net are configured
- 1.8.1 | Ensure GNOME Display Manager is removed
- 2.1.1.1 | Ensure a single time synchronization daemon is in use
- 2.1.1.1 | Ensure time synchronization is in use | timesyncd masked
- 2.1.4.1 | Ensure ntp access control is configured
- 2.1.4.2 | Ensure ntp is configured with authorized timeserver
- 2.1.4.4 | Ensure ntp is enabled and running
- 2.2.1 | Ensure X Window System is not installed
- 2.2.10 | Ensure IMAP and POP3 server are not installed | imap
- 2.2.10 | Ensure IMAP and POP3 server are not installed | pop3d
- 2.2.11 | Ensure samba Server is not installed
- 2.2.12 | Ensure HTTP Proxy Server is not installed
- 2.2.13 | Ensure SNMP Server is not installed
- 2.2.14 | Ensure NIS Server is not installed
- 2.2.15 | Ensure mail transfer agent is configured for local-only mode | port listening
- 2.2.2 | Ensure Avahi Server is not installed
- 2.2.3 | Ensure CUPS Server is not installed
- 2.2.4 | Ensure DHCP Server is not installed
- 2.2.5 | Ensure LDAP Server is not installed
- 2.2.6 | Ensure NFS is not installed
- 2.2.7 | Ensure DNS Server is not installed
- 2.2.8 | Ensure FTP Server is not installed
- 2.2.9 | Ensure HTTP Server is not installed
- 2.3.1 | Ensure NIS Client is not installed
- 2.3.2 | Ensure rsh client is not installed
- 2.3.3 | Ensure talk client is not installed
- 2.3.4 | Ensure telnet client is not installed
- 2.3.5 | Ensure LDAP client is not installed
- 2.3.6 | Ensure RPC is not installed
- 2.4 | Ensure nonessential services are removed or masked
- 3.1.1 | Disable IPv6 | default grub
- 3.1.1 | Disable IPv6 | via grub boot
- 3.1.2 | Ensure wireless interfaces are disabled
- 3.2.1 | Ensure packet redirect sending is disabled | all send_redirect config
- 3.2.1 | Ensure packet redirect sending is disabled | all send_redirect
- 3.2.1 | Ensure packet redirect sending is disabled | default send_redirect config
- 3.2.1 | Ensure packet redirect sending is disabled | default send_redirects
- 3.2.2 | Ensure IP forwarding is disabled | IPv4 config
- 3.2.2 | Ensure IP forwarding is disabled | IPv4
- 3.3.1 | Ensure source routed packets are not accepted | IPv4 all source routed conf
- 3.3.1 | Ensure source routed packets are not accepted | IPv4 all source routed
- 3.3.1 | Ensure source routed packets are not accepted | IPv4 default source routed conf
- 3.3.1 | Ensure source routed packets are not accepted | IPv4 default source routed
- 3.3.2 | Ensure ICMP redirects are not accepted | ipv4 all icmp redirects conf
- 3.3.2 | Ensure ICMP redirects are not accepted | ipv4 all icmp redirects
- 3.3.2 | Ensure ICMP redirects are not accepted | ipv4 def icmp redirects conf
- 3.3.2 | Ensure ICMP redirects are not accepted | ipv4 default icmp redirects
- 3.3.3 | Ensure secure ICMP redirects are not accepted | ipv4 all def redirects conf
- 3.3.3 | Ensure secure ICMP redirects are not accepted | ipv4 all sec redirects conf
- 3.3.3 | Ensure secure ICMP redirects are not accepted | ipv4 all sec redirects
- 3.3.3 | Ensure secure ICMP redirects are not accepted | ipv4 def sec redirects
- 3.3.4 | Ensure suspicious packets are logged | ipv4 all martians conf
- 3.3.4 | Ensure suspicious packets are logged | ipv4 all martians
- 3.3.4 | Ensure suspicious packets are logged | ipv4 default martians conf
- 3.3.4 | Ensure suspicious packets are logged | ipv4 default martians
- 3.3.5 | Ensure broadcast ICMP requests are ignored | ipv4 ignore broadcast icmp conf
- 3.3.5 | Ensure broadcast ICMP requests are ignored | ipv4 ignore broadcast icmp
- 3.3.6 | Ensure bogus ICMP responses are ignored | ignore bogus icmp conf
- 3.3.6 | Ensure bogus ICMP responses are ignored | ignore bogus icmp
- 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 all rp_filter conf
- 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 all rp_filter
- 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 def rp_filter conf
- 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 default rp_filter
- 3.3.8 | Ensure TCP SYN Cookies is enabled | ipv4 syncookies conf
- 3.3.8 | Ensure TCP SYN Cookies is enabled | ipv4 syncookies
- 3.4.1 | Ensure DCCP is disabled | DCCP config
- 3.4.1 | Ensure DCCP is disabled | running dccp
- 3.4.2 | Ensure SCTP is disabled | running sctp
- 3.4.2 | Ensure SCTP is disabled | sctp config
- 3.4.3 | Ensure RDS is disabled | rds config
- 3.4.3 | Ensure RDS is disabled | running rds
- 3.4.4 | Ensure TIPC is disabled | running tipc
- 3.4.4 | Ensure TIPC is disabled | tipc config
- 3.5.1.1 | Ensure ufw is installed
- 3.5.1.2 | Ensure iptables-persistent is not installed with ufw
- 3.5.1.3 | Ensure ufw service is enabled
- 3.5.1.5 | Ensure ufw outbound connections are configured | Manual
- 3.5.1.7 | Ensure ufw default deny firewall policy
- 4.1.1.1 | Ensure auditd is installed | audispd-plugins pkg
- 4.1.1.1 | Ensure auditd is installed | auditd pkg
- 4.1.1.2 | Ensure auditd service is enabled and running
- 4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled | bootloader file
- 4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled | default grub
- 4.1.1.4 | Ensure audit_backlog_limit is sufficient | bootloader file
- 4.1.1.4 | Ensure audit_backlog_limit is sufficient | default grub
- 4.1.2.1 | Ensure audit log storage size is configured
- 4.1.2.2 | Ensure audit logs are not automatically deleted
- 4.1.2.3 | Ensure system is disabled when audit logs are full
- 4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected | Config
- 4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected | Live
- 4.1.3.1 | Ensure successful file system mounts are collected | Config
- 4.1.3.10 | Ensure successful file system mounts are collected | Live
- 4.1.3.11 | Ensure session initiation information is collected | Config
- 4.1.3.11 | Ensure session initiation information is collected | Live
- 4.1.3.13 | Ensure file deletion events by users are collected | Conf
- 4.1.3.13 | Ensure file deletion events by users are collected | Live
- 4.1.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected | Config
- 4.1.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | Config
- 4.1.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | Live
- 4.1.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | Config
- 4.1.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | Live
- 4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | Config
- 4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | Live
- 4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | Config
- 4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | Live
- 4.1.3.19 | Ensure kernel module loading and unloading is collected | Config
- 4.1.3.19 | Ensure kernel module loading and unloading is collected | Live
- 4.1.3.20 | Ensure the audit configuration is immutable
- 4.1.3.21 | Ensure the audit configuration is immutable
- 4.1.3.4 | Ensure events that modify date and time information are collected | Config
- 4.1.3.4 | Ensure events that modify date and time information are collected | Live
- 4.1.3.5 | Ensure events that modify the system's network environment are collected | Config
- 4.1.3.5 | Ensure events that modify the system's network environment are collected | Live
- 4.1.3.6 | Ensure use of privileged commands is collected | Config
- 4.1.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | Conf
- 4.1.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | Live
- 4.1.3.8 | Ensure events that modify user/group information are collected | Config
- 4.1.3.8 | Ensure events that modify user/group information are collected | Live
- 4.1.3.9 | Ensure discretionary access control permission modification events are collected | Config
- 4.1.3.9 | Ensure discretionary access control permission modification events are collected | Live
- 4.1.4.1 | Ensure audit log files are mode 0640 or less permissive
- 4.1.4.10 | Ensure audit tools belong to group root
- 4.1.4.11 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- 4.1.4.2 | Ensure only authorized users own audit log files
- 4.1.4.3 | Ensure only authorized groups are assigned ownership of audit log files
- 4.1.4.4 | Ensure the audit log directory is 0750 or more restrictive
- 4.1.4.5 | Ensure audit configuration files are 640 or more restrictive
- 4.1.4.6 | Ensure audit configuration files are owned by root
- 4.1.4.7 | Ensure audit configuration files belong to group root
- 4.1.4.8 | Ensure audit tools are 755 or more restrictive
- 4.1.4.9 | Ensure audit tools are owned by root
- 4.1.6 | Ensure events that modify the system's Mandatory Access Controls are collected | Live
- 4.2.2.1 | Ensure rsyslog is installed
- 4.2.2.2 | Ensure rsyslog Service is enabled
- 4.2.2.3 | Ensure journald is configured to send logs to rsyslog
- 4.2.2.4 | Ensure rsyslog default file permissions configured
- 4.2.2.6 | Ensure rsyslog is configured to send logs to a remote host
- 5.1.1 | Ensure cron daemon is enabled and running | pkg
- 5.1.1 | Ensure cron daemon is enabled and running | service
- 5.1.2 | Ensure permissions on /etc/crontab are configured
- 5.1.3 | Ensure permissions on /etc/cron.hourly are configured
- 5.1.4 | Ensure permissions on /etc/cron.daily are configured
- 5.1.5 | Ensure permissions on /etc/cron.weekly are configured
- 5.1.6 | Ensure permissions on /etc/cron.monthly are configured
- 5.1.7 | Ensure permissions on /etc/cron.d are configured
- 5.1.8 | Ensure cron is restricted to authorized users
- 5.1.9 | Ensure at is restricted to authorized users
- 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured
- 5.2.10 | Ensure SSH PermitUserEnvironment is disabled
- 5.2.11 | Ensure SSH IgnoreRhosts is enabled
- 5.2.12 | Ensure SSH X11 forwarding is disabled
- 5.2.13 | Ensure only strong Ciphers are used
- 5.2.14 | Ensure only strong MACs are used
- 5.2.15 | Ensure only strong Key Exchange algorithms are used
- 5.2.16 | Ensure SSH AllowTcpForwarding is disabled
- 5.2.17 | Ensure SSH warning banner configured | conf.d banner settings
- 5.2.17 | Ensure SSH warning banner configured | sshd_default
- 5.2.18 | Ensure SSH MaxAuthTries is set to 4 or less
- 5.2.19 | Ensure SSH MaxStartups is configured
- 5.2.2 | Ensure permissions on SSH private host key files are configured | group
- 5.2.2 | Ensure permissions on SSH private host key files are configured | perms
- 5.2.2 | Ensure permissions on SSH private host key files are configured | user
- 5.2.20 | Ensure SSH MaxSessions is limited
- 5.2.21 | Ensure SSH LoginGraceTime is set to one minute or less
- 5.2.22 | Ensure SSH Idle Timeout Interval is configured
- 5.2.3 | Ensure permissions on SSH private host key files are configured | group
- 5.2.3 | Ensure permissions on SSH private host key files are configured | perms
- 5.2.3 | Ensure permissions on SSH public host key files are configured | user
- 5.2.5 | Ensure SSH LogLevel is appropriate
- 5.2.6 | Ensure SSH PAM is enabled
- 5.2.7 | Ensure SSH root login is disabled
- 5.2.8 | Ensure SSH HostbasedAuthentication is disabled
- 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled
- 5.3.1 | Ensure sudo is installed
- 5.3.2 | Ensure sudo commands use pty | Config
- 5.3.2 | Ensure sudo commands use pty | sudoers.d
- 5.3.3 | Ensure sudo log file exists | sudoers.d
- 5.3.5 | Ensure re-authentication for privilege escalation is not disabled globally
- 5.4.4 | Ensure password hashing algorithm is up to date with the latest standards | common password
- 5.5.1.1 | Ensure minimum days between password changes is configured
- 5.5.1.2 | Ensure password expiration is 365 days or less | logins.def
- 5.5.1.2 | Ensure password expiration is 365 days or less | user_check
- 5.5.1.5 | Ensure all users last password change date is in the past
- 5.5.2 | Ensure system accounts are secured
- 5.5.3 | Ensure default group for the root account is GID 0
- 5.5.4 | Ensure default user umask is 027 or more restrictive | /etc/pam.d/common-session
- 5.5.4 | Ensure default user umask is 027 or more restrictive | profile_files
- 5.5.5 | Ensure default user shell timeout is 900 seconds or less | profile.d
- 6.1.1 | Ensure permissions on /etc/passwd are configured
- 6.1.10 | Ensure no unowned files or directories exist
- 6.1.11 | Ensure no ungrouped files or directories exist
- 6.1.2 | Ensure permissions on /etc/passwd- are configured
- 6.1.3 | Ensure permissions on /etc/group are configured
- 6.1.4 | Ensure permissions on /etc/group- are configured
- 6.1.5 | Ensure permissions on /etc/shadow are configured
- 6.1.6 | Ensure permissions on /etc/shadow- are configured
- 6.1.7 | Ensure permissions on /etc/gshadow are configured
- 6.1.8 | Ensure permissions on /etc/gshadow- are configured
- 6.1.9 | Ensure no world writable files exist
- 6.2.1 | Ensure accounts in /etc/passwd use shadowed passwords
- 6.2.10 | Ensure root is the only UID 0 account
- 6.2.11 | Ensure all local interactive user home directories exist
- 6.2.12 | Ensure local interactive users own their home directories
- 6.2.13 | Ensure all local interactive user home directories permissions are 750 or more restrictive
- 6.2.14 | Ensure no local interactive user has .netrc files
- 6.2.15 | Ensure no users have .forward files
- 6.2.16 | Ensure no users have .rhosts files
- 6.2.17 | Ensure users dot files are not group or world writable
- 6.2.2 | Ensure password fields are not empty
- 6.2.3 | Ensure all groups in /etc/passwd exist in /etc/group
- 6.2.4 | Ensure shadow group is empty
- 6.2.5 | Ensure no duplicate UIDs exist
- 6.2.6 | Ensure no duplicate GIDs exist
- 6.2.7 | Ensure no duplicate user names exist
- 6.2.8 | Ensure no duplicate group names exist
- 6.2.9 | Ensure root PATH Integrity