CIS Benchmarks are a set of security best practices for hardening operating systems and applications.
Let’s see what a typical Linux system looks like before we apply some CIS hardening. We’ll use a minimal Ubuntu 22.04 server and show some common vulnerabilities.
# Check for world-writable files
find / -xdev -type f -perm -0002 -print
# Check for services running as root
ps aux | grep 'root' | grep -v 'root'
# Check for enabled unauthenticated SSH
grep -E '^\s*PermitRootLogin\s+yes' /etc/ssh/sshd_config
# Check for password authentication enabled for SSH
grep -E '^\s*PasswordAuthentication\s+yes' /etc/ssh/sshd_config
# Check for default kernel parameters (e.g., related to IP forwarding)
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.accept_redirects
Now, let’s imagine we’ve applied the CIS Ubuntu Linux 22.04 Benchmark. The goal is to create a system that’s significantly more resistant to common attacks by reducing its attack surface and enforcing stricter security policies.
Here’s how the system might look after applying some key CIS recommendations. We’ll focus on a few critical areas: SSH, file permissions, and kernel parameters.
Hardening SSH Access
Problem: Unauthenticated root login via SSH or password-based authentication makes it easy for attackers to brute-force their way in.
CIS Recommendation: Disable root login and enforce key-based authentication.
Diagnosis:
# Check current SSH configuration
cat /etc/ssh/sshd_config | grep -E 'PermitRootLogin|PasswordAuthentication'
Fix:
Edit /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Then restart the SSH service:
sudo systemctl restart sshd
Why it works: PermitRootLogin no prevents direct login as the root user. PasswordAuthentication no forces the use of SSH keys, which are much harder to guess or brute-force than passwords.
Restricting File Permissions
Problem: Sensitive files or directories with overly permissive access can be read, modified, or deleted by unauthorized users.
CIS Recommendation: Ensure critical system files have restrictive permissions and ownership.
Diagnosis:
# Check permissions on /etc/shadow (contains hashed passwords)
ls -l /etc/shadow
# Check for world-writable files (as shown before, but now we expect fewer)
find / -xdev -type f -perm -0002 -print
Fix:
# Set correct ownership and permissions for /etc/shadow
sudo chown root:shadow /etc/shadow
sudo chmod 640 /etc/shadow
# Remove world-writable bit from sensitive files (example)
sudo chmod o-w /etc/passwd
sudo chmod o-w /etc/group
Why it works: chmod 640 /etc/shadow ensures only the root user and members of the shadow group can read the password hash file. Removing the world-writable bit (o-w) from files like /etc/passwd and /etc/group prevents any user from modifying critical user account information.
Securing Kernel Parameters
Problem: Default kernel network settings can sometimes expose the system to certain types of network attacks or misconfigurations.
CIS Recommendation: Tune kernel parameters to enhance network security and system stability.
Diagnosis:
# Check current IP forwarding settings
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.accept_redirects
Fix:
Create or edit a file in /etc/sysctl.d/ (e.g., 99-cis-hardening.conf):
# Disable IP forwarding to prevent the system from acting as a router
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Do not accept ICMP redirect messages
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Log martian packets
net.ipv4.conf.all.log_martians = 1
Apply the changes:
sudo sysctl -p /etc/sysctl.d/99-cis-hardening.conf
Why it works: Disabling IP forwarding (net.ipv4.ip_forward = 0) ensures the server doesn’t unintentionally become a router. Disabling acceptance of ICMP redirects (net.ipv4.conf.all.accept_redirects = 0) prevents man-in-the-middle attacks where an attacker could trick the system into sending traffic through them.
The CIS Benchmarks provide a comprehensive checklist, covering everything from user account management and audit logging to network service configuration and secure application settings. Applying them requires careful planning and testing, as some changes can impact system functionality if not implemented correctly.
The next hurdle you’ll encounter is ensuring your system’s configuration remains compliant over time, which often leads to exploring automated compliance scanning tools.