Frequently Asked Question
What are the CIS Benchmarks and how do I use them to harden a server?
The Center for Internet Security publishes the CIS Benchmarks, long, consensus-built checklists of hardening recommendations for specific operating systems, including separate documents for Ubuntu, Debian, RHEL, AlmaLinux, Amazon Linux, SUSE, and so on. Each benchmark is divided into Level 1 (broadly safe to apply everywhere) and Level 2 (stricter, may break some workloads), and each recommendation comes with a rationale, the audit command that checks it, and the remediation command that applies it. The PDFs are free for personal use and behind a membership for redistribution.
The benchmarks are not magic: many recommendations are ordinary advice you have already read in this chapter (disable root SSH login, set umask 027, enable auditd). Their value is in their completeness and in the fact that auditors and procurement teams know them by name. Telling a customer "this server passes CIS Level 1 for Ubuntu 24.04" is a compact and recognised claim.
For practical use, do not work through a 400-page PDF by hand. Use a scanner that reads the OpenSCAP-formatted version (oscap xccdf eval --profile cis_level1 ssg-ubuntu2404-ds.xml), or Ansible roles such as the DevSec hardening collection or Canonical's Ubuntu Security Guide, then review the diff and apply what fits your environment. Treat the benchmark as a starting checklist, not a substitute for thinking about your threat model.
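The "review, then apply what fits" step is easier when the scanner's output is triaged rather than read top to bottom. The script below is an added example, not code from the page, from CIS, or from the OpenSCAP project: it parses the XCCDF 1.2 result document that oscap writes when run with --results, lists failing rules grouped by severity, and skips rules the site has consciously recorded as exceptions. The embedded result file and the exception list are constructed samples; the rule ids and severities in them are placeholders, not values taken from a real benchmark run.

```python
"""Triage an OpenSCAP XCCDF result file.

Lists failing rules by severity, minus rules the site has reviewed and
accepted as exceptions, so that what remains is the real work list.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample of the TestResult section oscap writes with --results.
# Rule ids, severities and outcomes are hypothetical placeholders.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_cis_level1">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_umask_027_in_login_defs" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_auditd_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_separate_tmp_partition" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_aide_installed" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Rules the site has reviewed and chosen not to apply. The reason is stored
# beside the id so the exception can be re-justified at the next audit.
# Hypothetical entry for the constructed sample above.
ACCEPTED_EXCEPTIONS = {
    "xccdf_example_rule_separate_tmp_partition":
        "/tmp is a tmpfs mount managed by a systemd unit on this host",
}

SEVERITY_ORDER = ["high", "medium", "low", "unknown"]


def parse_rule_results(xml_text):
    """Return {rule_id: (severity, outcome)} for every rule-result element."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result_el = rr.find(f"{{{XCCDF_NS}}}result")
        outcome = result_el.text.strip() if result_el is not None else "unknown"
        results[rr.get("idref")] = (rr.get("severity", "unknown"), outcome)
    return results


def summarize(results):
    """Count outcomes (pass, fail, notapplicable, ...) across all rules."""
    counts = defaultdict(int)
    for _, outcome in results.values():
        counts[outcome] += 1
    return dict(counts)


def failures_by_severity(results, exceptions):
    """Group failing rules by severity, dropping accepted exceptions."""
    grouped = defaultdict(list)
    for rule_id, (severity, outcome) in results.items():
        if outcome != "fail" or rule_id in exceptions:
            continue
        grouped[severity].append(rule_id)
    return dict(grouped)


def print_report(results, exceptions):
    print("outcome summary:", summarize(results))
    fails = failures_by_severity(results, exceptions)
    for sev in SEVERITY_ORDER:
        for rule_id in fails.get(sev, []):
            print(f"  [{sev}] {rule_id}")
    skipped = [r for r, (_, o) in results.items() if o == "fail" and r in exceptions]
    for rule_id in skipped:
        print(f"  [accepted] {rule_id}: {exceptions[rule_id]}")


if __name__ == "__main__":
    print_report(parse_rule_results(SAMPLE_RESULTS), ACCEPTED_EXCEPTIONS)
```

To use it against a real run, pass the file written by oscap's --results option to parse_rule_results instead of the embedded sample; the exception list is the place where "what fits your environment" gets written down, with a reason, rather than silently left unapplied.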