Linux OS Hardening: CIS Benchmarks

Anjali S.
Published in
6 min readApr 29, 2020


As we’re going through a pandemic majority of business have taken things online with options like work from home and as things get more and moreover the internet our concerns regarding cybersecurity become more and more prominent. We start to dig a little to have standards in place and terms like Compliance, Hardening, CIS, HIPPA, PCI-DSS are minted out. Today we’ll be discussing why to have CIS benchmarks in place in the least and how we at Opstree have automated this for our clients.

Before moving forward get familiar with basic terms:

CIS Benchmarks are the best security measures that are created by the Centre of Internet Security to improve the security configuration of an organization. These are created by cybersecurity professionals and experts in the world every year. These benchmarks have 2 levels. Level 1 covers the basic security guidelines while level 2 is for advanced security and levels have Scored and Not scored criteria. Scores are mandatory while Not scored are optional.

Hardening is a process in which one reduces the vulnerability of resources to prevent it from cyber attacks like Denial of service, unauthorized data access, etc. So, in OS hardening, we configure the file system and directory structure, updates software packages, disable the unused filesystem and services, etc. according to the cis benchmark rules.

Now you have understood that what is cis benchmark and hardening. Let’s discuss in detail about these benchmarks for Linux operating systems.

1. Initial setup:

Each Linux operating system has its installation, but basic and mandatory security is the same in all the operating systems. Initial setup is very essential in the hardening process of Linux.

1.1 Filesystem Configuration:

Directories that are used for system-wide functions can be further protected by placing them on separate partitions. All these settings are easy to perform during the initial installation.

1.2 Configure Software Updates:

Ubuntu Linux uses apt to install and update software packages. Patch management procedures may vary widely between enterprises. Large enterprises may choose to install a local updates server that can be used in place of Ubuntu’s servers, whereas a single deployment of a system may prefer to get updates directly. Updates can be performed automatically or manually, depending on the site’s policy for patch management. For this benchmark, the requirement is to ensure that a patch management system is configured and maintained. The specifics on patch update procedures are left to the organization.

1.3 FileSystem Integrity Check:

This section focuses on checking the integrity of the installed files. AIDE is a file integrity checking tool that can be used to detect unauthorized changes to configuration files by alerting when the files are changed.

1.4 Secure Boot Settings:

The part recommends securing the bootloader and settings involved in the boot process directly.

1.5 Additional Processing Hardening:

A core dump is the memory of an executable program. It is generally used to determine why a program aborted. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.

1.6 Mandatory Access Control:

Mandatory Access Control (MAC) provides an additional layer of access restrictions on top of the base Discretionary Access Controls. It restricts how processes can access files and resources on a system and the potential impact from vulnerabilities.

1.7 Warning Banners:

Presenting a warning banner before the normal user login may assist in the prosecution of trespassers on the computer system.

2. Services:

Services are the next for configuration which can be disabled or removed to reduce the cyber attack. If an attacker scans all the ports using Nmap then it can be used to detect running services thus it can help in the compromise of the system.

Least used service and clients like rsh, telnet, ldap, ftp should be disabled or removed.

2.1 Inetd Services:

Inetd is a super-server daemon that provides internet services and passes connections to configured services. While not commonly used inetd and any unneeded inetd based services should be disabled if possible.

2.2 Special Purpose Services:

This section describes services that are installed on systems that specifically need to run these services. If any of these services are not required, it is recommended that they be disabled or deleted from the system to reduce the potential attack surface.

2.3 Service Clients:

Several insecure services exist. While disabling the servers prevents a local attack against these services, it is advised to remove their clients unless they are required.

3. Network Configuration:

Post securing the server comes to the network as the network faces the malicious packets, requests, etc. Firstly one should make sure that unused ports are not open, secondly, firewall rules are configured properly. Then comes the configuration of host and router like IP forwarding, network protocols, hosts.allow and hosts.deny file, Ip tables rules, etc.

3.1 Network Parameter (Host-Only):

The following network parameters are intended for use if the system is to act as a host only. A system is considered to host only if the system has a single interface, or has multiple interfaces but will not be configured as a router.

3.2 Network Parameter (Host and Router ):

The following network parameters are intended for use on both host only and router systems.

3.3 IPv6:

IPv6 is a networking protocol that supersedes IPv4. It has more routable addresses and has built-in security. Disable if not in use.

3.4 TCP Wrappers:

TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it.

3.5 Uncommon Network Protocols:

The Linux kernel modules support several network protocols that are not commonly used. If these protocols are not needed, it is recommended that they be disabled in the kernel.

3.6 Firewall Configuration.:

IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. While several methods of configuration exist this section is intended only to ensure the resulting IPtables rules are in place.

4. Logging and Auditing:

Logging of every event happening in the network is very important so that one can monitor it for troubleshooting the breach, theft, or other kinds of fault. One can use rsyslog for logging and auditd for auditing alone with the time in synchronization.

Install and configure rsyslog and auditd packages.

4.1 Configure System Accounting :

System auditing, through auditd, allows system administrators to monitor their systems such that they can detect unauthorized access or modification of data.

4.2 Configure Logging:

Logging services should be configured to prevent information leaks and to aggregate logs on a remote server so that they can be reviewed in the event of a system compromise and ease log analysis.

5. Access, Authentication and Authorization:

As the name suggests, this section is completely for the event collection and user restrictions. In this, we restrict the cron jobs, ssh server, PAM, etc. Horizontal and Vertical Access control attack can be prevented if these checkmarks are configured correctly.

5.1 configure cron:

Ensure cron daemon is enabled (Scored) Profile Applicability: Level 1 — Server Level 1 — Workstation Description: The cron daemon is used to execute batch jobs on the system.

5.2 SSH Server Configuration:

SSH is a secure, encrypted replacement for common login services such as telnet, ftp, rlogin, rsh, and rcp. It is strongly recommended that sites abandon older clear-text login protocols and use SSH to prevent session hijacking and sniffing of sensitive data off the network.

5.3 Configure PAM:

PAM (Pluggable Authentication Modules) is a service that implements modular authentication modules on UNIX systems. Files for PAM are typically located in the /etc/pam.d directory. PAM must be carefully configured to secure system authentication.

5.4 User Accounts and Environment:

It includes password and system accounts, root login and access to su commands.

6. System Maintenance:

Lastly comes the maintenance of the system with file permissions and user and group settings. File permissions of passwd, shadow, group, gshadow should be regularly checked and configured and make sure that no duplicate UID and GID bit exist and every user has their working directory and no user can access other user’s home, etc.

6.1 System File Permissions:

Since packages and important files may change with new updates and releases, it is recommended to verify everything, not just a finite list of files.

6.2 User and Group Settings:

The recommendations in this section check local users and groups. Any users or groups from other sources such as LDAP will not be audited. In a domain environment, similar checks should be performed against domain users and groups.

For the automation part, we have published an Ansible role for OS hardening covering scored CIS benchmarks which you can check here.

In the end, I would like to conclude that if organizations follow the above benchmarks to harden their operating systems, then surely they reduce the chances of getting hacked or compromised. Today I discussed CIS Benchmarks, stay tuned until my research regarding HIPPA, PCI DSS, etc. is completed.

Till then, stay safe and secure..!


Originally published at on April 29, 2020.