A Step-by-Step Guide to Applying CIS Level 2 Hardening with Ubuntu Security

In today's world of ever-growing cybersecurity threats, it is essential to ensure that our systems remain secure and comply with established security standards. The CIS (Center for Internet Security) benchmarks provide a set of best practices for securing systems, and CIS Level 2 is a more stringent configuration that helps harden servers against potential attacks.

In this guide, we will walk you through the process of using the Ubuntu Security Guide (USG) to implement CIS Level 2 server hardening on an Ubuntu server. This process will involve generating a tailoring file based on the CIS Level 2 standards, auditing the system, and applying the necessary fixes to harden your server. This guide is intended to help you secure your server while ensuring that your system remains operational.

Prerequisites

Before we begin, ensure you meet the following prerequisites:

1. You must have root or sudo access to the Ubuntu server.
   
   

2. The server must be running an Ubuntu version that supports Ubuntu Security Guide (USG).
   
   

3. You should have an active Ubuntu Pro subscription to access USG functionalities.
   
   

Steps to Implement CIS Level 2 Hardening

The process of applying CIS Level 2 hardening involves the following steps:

Step 1: Install the Necessary Tools

The first step is to install ubuntu-advantage-tools and enable Ubuntu Pro to access the security features. This tool will provide you with the necessary components to use USG.

sudo apt install -y ubuntu-advantage-tools

Once installed, enable Ubuntu Pro to access the USG tool:

sudo pro enable usg

Then, install the usg package:

sudo apt install -y usg

Step 2: Generate the Tailoring File for CIS Level 2

The next step is to generate the tailoring file, which is a custom configuration file based on the CIS Level 2 Server standards. The tailoring file ensures that the security controls you apply are aligned with CIS Level 2 requirements.

To generate the tailoring file for CIS Level 2:

sudo usg generate-tailoring cis_level2_server hardening.xml

This command creates the hardening.xml file, which includes all the configuration settings specific to CIS Level 2 hardening.

Step 3: Audit Your System for Compliance

Before applying any changes, it is critical to audit your system against the CIS Level 2 standards. Auditing allows you to identify potential vulnerabilities and determine whether the system is already compliant with the CIS hardening standards.

To audit the system:

sudo usg audit --tailoring-file hardening.xml

This command will run the audit and provide you with a report on the current state of your system, indicating which security controls are not compliant and need to be fixed.

Step 4: Apply the Necessary Fixes

Once you have reviewed the audit results and are ready to apply the recommended fixes, the next step is to use USG to apply those fixes automatically. This step will modify the system’s configuration to comply with CIS Level 2 guidelines.

To apply the fixes:

sudo usg fix --tailoring-file hardening.xml

This command will apply the changes specified in the tailoring file to your system. It is essential to review the system after the fixes are applied to ensure that no critical configurations are inadvertently changed, causing system instability.

Conclusion

In summary, using CIS Level 2 hardening with Ubuntu Security Guide is an effective way to enhance the security posture of your server. The process involves generating a tailoring file, auditing the system, and then applying the necessary fixes to ensure compliance with CIS standards. This approach provides a structured and automated method to harden your server, reducing the risk of vulnerabilities and improving overall security.

Merits of CIS Level 2 Hardening

1. Improved Security: By following CIS Level 2 guidelines, you ensure that your server adheres to a proven set of best practices, making it more secure against attacks.
   
   

2. Compliance: Many regulatory frameworks require compliance with CIS standards, so applying CIS Level 2 hardening helps you meet these requirements.
   
   

3. Automation: Using USG automates much of the process, reducing human error and ensuring consistency in applying security settings.
   
   

Demerits of CIS Level 2 Hardening

1. Potential System Breakage: Some of the CIS Level 2 configurations may conflict with existing applications or services on your server, leading to unexpected behavior or outages.
   
   

2. Time-Consuming: The audit process may take time, especially on systems with a large number of configurations, and requires careful review before applying fixes.
   
   

Caution

While CIS Level 2 hardening provides excellent security benefits, it should be applied with caution, especially in production environments. Always perform a backup before applying security hardening, and carefully test the changes in a staging or test environment before applying them to live systems.

Applying fixes without understanding their impact could lead to system downtime or degraded performance. It’s important to review the audit results and understand which changes are being made to avoid unintended consequences.

This comprehensive guide helps you secure your Ubuntu server with CIS Level 2 hardening using Ubuntu Security Guide (USG). By following the steps outlined above, you can ensure that your server is compliant with security best practices, reducing vulnerabilities and improving your system’s resilience to cyber threats.