L12. CIS Benchmarks: A Hardening Checklist
The Center for Internet Security (CIS) publishes detailed hardening benchmarks for every major Linux distribution. Learn what CIS benchmarks are, how Level 1 and Level 2 profiles differ, and how to automate compliance checks with tools like Lynis and OpenSCAP.
What Is the Center for Internet Security (CIS)?
The Center for Internet Security is a nonprofit organization that publishes security configuration guidelines for operating systems, cloud platforms, network devices, and applications. Their CIS Benchmarks are consensus-based documents developed by security professionals, vendors, and auditors worldwide.
CIS benchmarks are not mandatory regulations, but they are widely accepted as an industry standard for hardening. Many compliance frameworks (PCI DSS, HIPAA, SOC 2) reference CIS benchmarks as evidence of a secure baseline.
How CIS Benchmarks Work
A CIS benchmark is a document (typically 200 to 400 pages for a Linux distribution) containing specific configuration recommendations. Each recommendation includes:
- A title describing what to configure
- A rationale explaining why it matters
- Step-by-step audit instructions (how to check the current state)
- Step-by-step remediation instructions (how to fix it)
- The profile level it belongs to
Example Benchmark Item
Title: Ensure SSH root login is disabled

Audit:

```bash
grep -Ei '^\s*PermitRootLogin\s+no' /etc/ssh/sshd_config
```

Remediation:

```bash
# Set in /etc/ssh/sshd_config:
PermitRootLogin no
# Then restart:
sudo systemctl restart sshd
```
You may recognize this from the SSH hardening lesson: CIS benchmarks formalize these practices into a checkable list.
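The audit and remediation steps of that item, carried through in code as an added example for this lesson (not code from CIS, OpenSSH or Lynis). It runs against a constructed in-memory sshd_config so it works offline; the `load_config` helper is an assumed convenience for pointing it at a real file. It also shows a caveat the literal grep audit misses: sshd applies the first uncommented occurrence of a directive, so a later `PermitRootLogin no` line does not override an earlier `yes`.

```python
"""CIS-style audit and remediation for "Ensure SSH root login is disabled".

Added example for this lesson, not code from CIS, OpenSSH or Lynis. It
works on an in-memory copy of sshd_config (constructed below) so it runs
offline; point load_config() at /etc/ssh/sshd_config to check a real host.
"""
import re
from typing import Optional

# Constructed sample: a config where the later "no" line does NOT win,
# because sshd applies the FIRST uncommented occurrence of a directive.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
#PermitRootLogin prohibit-password
PermitRootLogin no
"""


def load_config(path: str = "/etc/ssh/sshd_config") -> str:
    """Read a real sshd_config; the example itself uses SAMPLE_SSHD_CONFIG."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def audit_grep_style(config_text: str) -> bool:
    """The benchmark's literal audit: some line sets PermitRootLogin to no."""
    return re.search(r"^\s*PermitRootLogin\s+no\b", config_text,
                     re.IGNORECASE | re.MULTILINE) is not None


def effective_value(config_text: str, directive: str) -> Optional[str]:
    """Value sshd would actually apply for a global directive.

    First uncommented match wins; parsing stops at the first Match block,
    since settings inside it are conditional (simplification for the example).
    """
    pattern = re.compile(r"^\s*" + re.escape(directive) + r"\s+(\S+)", re.IGNORECASE)
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.lower().startswith("match "):
            break
        found = pattern.match(line)
        if found:
            return found.group(1)
    return None


def audit_effective(config_text: str) -> bool:
    """Stricter audit: the effective PermitRootLogin value must be 'no'."""
    value = effective_value(config_text, "PermitRootLogin")
    return value is not None and value.lower() == "no"


def remediate(config_text: str) -> str:
    """Remediation step: make 'PermitRootLogin no' the effective setting.

    Existing global PermitRootLogin lines are commented out (kept for the
    audit trail) and the hardened directive is placed first so first-match
    semantics select it. Restarting sshd is left to the operator.
    """
    directive = re.compile(r"^\s*PermitRootLogin\b", re.IGNORECASE)
    rewritten = []
    in_match_block = False
    for line in config_text.splitlines():
        if line.strip().lower().startswith("match "):
            in_match_block = True
        if not in_match_block and directive.match(line):
            rewritten.append("# " + line.strip() + "   # disabled by CIS remediation")
        else:
            rewritten.append(line)
    return "PermitRootLogin no\n" + "\n".join(rewritten) + "\n"


if __name__ == "__main__":
    before = SAMPLE_SSHD_CONFIG
    print("grep-style audit:", "PASS" if audit_grep_style(before) else "FAIL")
    print("effective-value audit:", "PASS" if audit_effective(before) else "FAIL",
          "(effective =", effective_value(before, "PermitRootLogin"), ")")
    after = remediate(before)
    print("after remediation:", "PASS" if audit_effective(after) else "FAIL")
```

On the sample config the grep-style audit passes while the effective-value audit fails, which is exactly the false sense of compliance a scanner that only pattern-matches can give; after `remediate` both agree.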
Level 1 vs Level 2 Profiles
CIS benchmarks are split into two profiles:
| Profile | Intended For | Impact |
|---|---|---|
| Level 1 | All systems | Minimal performance impact; practical for most environments |
| Level 2 | High-security systems | May reduce functionality or performance; designed for environments that prioritize security above convenience |
Choosing a Profile
For most organizations, start with Level 1 for all servers. Apply Level 2 selectively to servers that handle regulated or high-value data (database servers, authentication servers, systems processing PII).
Key Benchmark Categories
A typical Linux CIS benchmark covers these areas:
| Category | Examples |
|---|---|
| Filesystem | Disable unused filesystems (cramfs, freevxfs), set noexec on /tmp |
| Services | Disable avahi, cups, and other unneeded daemons |
| Network | Disable IP forwarding, ignore ICMP redirects, enable TCP SYN cookies |
| Logging | Configure rsyslog, enable auditd, set log file permissions |
| Authentication | Password complexity, account lockout, SSH hardening |
| File permissions | Restrict /etc/passwd, /etc/shadow, /etc/crontab |
Automated Scanning with Lynis
Lynis is an open-source security auditing tool that runs hundreds of tests against your system and produces a hardening report.

```bash
# Install Lynis
sudo apt install lynis    # Debian/Ubuntu
sudo dnf install lynis    # RHEL/CentOS

# Run a full system audit
sudo lynis audit system

# Review the report
cat /var/log/lynis-report.dat
```
Lynis checks overlap significantly with CIS benchmark items. It assigns a hardening index (0 to 100) and lists specific suggestions you can act on. It does not make changes automatically: it only reports.
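Since Lynis only reports, the useful next step is to pull the hardening index and the suggestions out of its report file so they can be tracked. The parser below is an added example for this lesson, not part of Lynis; it assumes the `key=value` layout of `/var/log/lynis-report.dat`, where list entries end in `[]` and each suggestion or warning carries pipe-separated fields (test id, description, details, solution). The report text it runs on is a constructed sample, not real scan output.

```python
"""Parse a Lynis report into its hardening index, warnings and suggestions.

Added example for this lesson, not code from Lynis. Assumes the key=value
format of /var/log/lynis-report.dat: repeated keys end in "[]", and
suggestion/warning values are "test-id|description|details|solution|".
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample report, not output from a real scan.
SAMPLE_REPORT = """\
# Lynis Report (constructed sample)
report_version_major=1
report_version_minor=0
hardening_index=63
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile and could be tweaked|-|Change sysctl values|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
"""

FIELDS = ("test", "description", "details", "solution")


def parse_report(text: str) -> Dict[str, object]:
    """Split the report into scalar keys and repeated list keys."""
    scalars: Dict[str, str] = {}
    lists: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return {"scalars": scalars, "lists": dict(lists)}


def hardening_index(report: Dict[str, object]) -> int:
    """The 0-100 score Lynis assigns; 0 if the key is missing."""
    return int(report["scalars"].get("hardening_index", 0))


def findings(report: Dict[str, object], kind: str) -> List[Dict[str, str]]:
    """Expand 'suggestion' or 'warning' entries into named fields."""
    result = []
    for entry in report["lists"].get(kind, []):
        parts = entry.split("|")
        parts += [""] * (len(FIELDS) - len(parts))  # pad short entries
        result.append(dict(zip(FIELDS, parts)))
    return result


def findings_by_test(report: Dict[str, object], kind: str) -> Dict[str, int]:
    """How many findings each Lynis test produced, to see where to start."""
    counts: Dict[str, int] = {}
    for finding in findings(report, kind):
        counts[finding["test"]] = counts.get(finding["test"], 0) + 1
    return counts


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("hardening index:", hardening_index(report))
    for warning in findings(report, "warning"):
        print("WARNING", warning["test"], warning["description"])
    for suggestion in findings(report, "suggestion"):
        print("SUGGEST", suggestion["test"], suggestion["details"] or suggestion["description"])
```

To run it on a real host, read `/var/log/lynis-report.dat` (root-owned, so with `sudo`) and pass its contents to `parse_report`; storing `hardening_index` per scan gives a simple trend line for drift.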
Automated Scanning with OpenSCAP
OpenSCAP is a more formal compliance scanner that can evaluate your system against an official CIS benchmark profile.

```bash
# Install OpenSCAP and the CIS content
sudo apt install openscap-scanner scap-security-guide

# List available profiles
oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

# Run a scan against the CIS Level 1 profile
sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
    --results results.xml \
    --report report.html \
    /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
```
OpenSCAP produces an HTML report showing which checks passed and which failed, along with detailed remediation instructions for each failure.
Using Benchmarks as a Security Baseline
CIS benchmarks work best as a starting point, not an endpoint:
- Download the benchmark for your specific distribution and version from the CIS website (free registration required)
- Run an initial scan with Lynis or OpenSCAP to see where you stand
- Prioritize Level 1 items that are currently failing
- Remediate in batches, testing after each change to avoid breaking applications
- Document exceptions for any benchmark items you intentionally skip (with a justification)
- Schedule regular scans to catch configuration drift over time
The goal is not a perfect score. The goal is a documented, repeatable baseline that you can defend during audits and improve over time.
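The OpenSCAP results file and the baseline steps above (documented exceptions, scheduled rescans, drift tracking) fit together in one small triage routine. The following is an added example for this lesson, not code from OpenSCAP or the scap-security-guide project. It assumes the XCCDF 1.2 layout that `oscap xccdf eval --results` writes (`<rule-result idref="..."><result>fail</result></rule-result>`); the two result documents, the rule ids and the exceptions register are constructed for the example.

```python
"""Triage OpenSCAP results against an exceptions register and the previous
scan, separating accepted risk from configuration drift.

Added example for this lesson, not code from OpenSCAP or scap-security-guide.
Assumes the XCCDF 1.2 results layout written by `oscap xccdf eval --results`.
The XML documents, rule ids and exceptions below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
RULE = "xccdf_org.ssgproject.content_rule_"  # SSG-style id prefix (constructed ids)

# Constructed: trimmed results from last week's scan.
PREVIOUS_RESULTS = f"""\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_previous">
  <rule-result idref="{RULE}sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="{RULE}sysctl_net_ipv4_ip_forward"><result>fail</result></rule-result>
  <rule-result idref="{RULE}service_avahi-daemon_disabled"><result>fail</result></rule-result>
  <rule-result idref="{RULE}sysctl_net_ipv4_tcp_syncookies"><result>pass</result></rule-result>
</TestResult>
"""

# Constructed: today's scan. ip_forward was remediated, syncookies regressed.
CURRENT_RESULTS = f"""\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_current">
  <rule-result idref="{RULE}sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="{RULE}sysctl_net_ipv4_ip_forward"><result>pass</result></rule-result>
  <rule-result idref="{RULE}service_avahi-daemon_disabled"><result>fail</result></rule-result>
  <rule-result idref="{RULE}sysctl_net_ipv4_tcp_syncookies"><result>fail</result></rule-result>
  <rule-result idref="{RULE}file_permissions_etc_shadow"><result>notapplicable</result></rule-result>
</TestResult>
"""

# Constructed exceptions register: rule id -> written justification.
EXCEPTIONS: Dict[str, str] = {
    RULE + "service_avahi-daemon_disabled":
        "mDNS required on the print subnet; risk accepted, ticket TICKET-ID-PLACEHOLDER",
    RULE + "sshd_disable_root_login":
        "legacy exception from before the SSH hardening rollout",
}


def rule_results(results_xml: str) -> Dict[str, str]:
    """Map each rule id to its result string (pass, fail, notapplicable, ...)."""
    root = ET.fromstring(results_xml)
    results: Dict[str, str] = {}
    for rule_result in root.iter(XCCDF + "rule-result"):
        res = rule_result.find(XCCDF + "result")
        text = (res.text or "").strip() if res is not None else ""
        results[rule_result.get("idref", "")] = text or "unknown"
    return results


def failing(results: Dict[str, str]) -> Set[str]:
    """Only 'fail' counts; notapplicable/notchecked are reported separately."""
    return {rule for rule, status in results.items() if status == "fail"}


def triage(current: Dict[str, str], previous: Dict[str, str],
           exceptions: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify today's failures relative to the register and the last scan."""
    now, before = failing(current), failing(previous)
    accepted = now & set(exceptions)
    unexpected = now - accepted
    return {
        "accepted": accepted,                  # failing, but documented
        "unexpected": unexpected,              # failing, no exception: remediate
        "drift": unexpected - before,          # new since the last scan
        "fixed": before - now,                 # remediation took effect
        "stale_exceptions": set(exceptions) - now,  # exception no longer needed
    }


if __name__ == "__main__":
    verdict = triage(rule_results(CURRENT_RESULTS), rule_results(PREVIOUS_RESULTS), EXCEPTIONS)
    for bucket, rules in verdict.items():
        print(f"{bucket}:")
        for rule in sorted(rules):
            print("   ", rule.removeprefix(RULE))
```

Run weekly against the real `results.xml` (with last week's file as `previous`), anything in `drift` is what changed under you, `unexpected` is the remediation queue, and `stale_exceptions` tells you which justifications can be retired so the register stays honest for the next audit.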
CIS Beyond Linux
CIS publishes benchmarks for almost everything: Windows Server, AWS, Azure, GCP, Docker, Kubernetes, PostgreSQL, and dozens more. Once you understand the methodology on Linux, you can apply the same approach to any platform.
- ✓ CIS benchmarks are consensus-based hardening guides published for every major OS, cloud platform, and application
- ✓ Level 1 profiles are the practical baseline for all servers; Level 2 adds stricter controls for high-security environments
- ✓ Lynis provides an automated hardening audit with a numeric hardening index and actionable suggestions
- ✓ OpenSCAP can evaluate a system against official CIS benchmark profiles and produce HTML compliance reports
- ✓ Benchmarks are a starting point: document exceptions, schedule regular scans, and track configuration drift
1. What is the key difference between CIS Benchmark Level 1 and Level 2 profiles?
2. What does Lynis do when it runs "audit system" on a Linux server?
3. Why should you document exceptions when you skip a CIS benchmark recommendation?