CIS: Ubuntu Linux Enterprise Server 20.04

This document provides information about the hotfix containing Center for Internet Security (CIS) templates for Ubuntu 20.04 Benchmark Version 1.1.0 released on Mar 31, 2021, with implementation for 288 rules that can be installed on  TrueSight Server Automation 21.x onwards.


Important

  • On the file server, check the value of the featureCisUbuntu2004Template key in the content.version file, located in the %FILESERVER%\BladeLogic\storage\Content directory. Depending on the value, do one of the following:
    • If the value is 22.2.00.000, you don’t need to perform the steps mentioned in this topic, as these templates are deployed as part of the 22.2 installation process.
    • If the value is lower than 22.2.00.000, perform the steps mentioned in this topic to deploy these templates.
  • If existing template is customized, make sure to rename it before importing new one and performing below steps.
  • Ensure to review Template's local and global properties default values to match with organization standards

Before you begin

Before you install this hotfix, ensure that you perform the following:

  • Save backup copies of the sensors folders, which are present on all Application Servers in your environment. The sensors folders contain extended object scripts and is located at the following path on an Application Server:
    <Application_Server_installation_directory >/share/sensors

Step 1: Downloading and installing the files

Download the CIS_Template_and_EO package from the EPD location and extract its contents to a temporary location on the file server.

You must log in or register to view this page

Click here to expand checksum related infromation

Verify the downloaded content by using the following check sums.

S.No

File Name

MD5SUM

1

CIS - Ubuntu Enterprise Linux 20.04.zip

15c0c9d79ce72a64b75c8c37ab1980ac

2

extended_objects.zip

dc38c6adad914b5ed0e73a0c74a51c6 

  1. Move the Ubuntu Enterprise Linux 20.04.zip package to your RCP client server.
  2. Extract the contents from the extended_objects.zip package and move them to a temporary location on all Application Servers.

Step 2: Replacing the extended object scripts on all Application Servers

Ensure that you perform the following steps on all the Application Servers in your environment:

  1. Navigate to the extended objects script files on your Application Server:

<Application_Server_installation_directory >/share/sensors/

Step 3: Importing the Compliance Content

  1. Log on to the Console.
  2. Right-click Component Templates and select Import
    The Import Wizard starts.
  3. Select the Import (Version-neutral) option.
  4. Select the CIS - Ubuntu Enterprise Linux 20.04.zip package and click Next.
    ubuntu-2004-img1.png
  5. Ensure that the Update objects according to the imported package and Preserve template group path options are selected, and click Next.
    ubuntu-2004-img2.png
  6. Navigate to the last screen of the wizard and then click Finish.
    The templates are imported successfully.
    image2022-6-9_11-57-15.png

Rules within the templates

The following are the details of the 288 rules provided in the zip package. It contains the following types of rules:

  • Rules that check for compliance(audit) and provides remediation – 214
  • Rules that check for compliance(audit) but do not provide remediation – 58
  • Rules that do not check for compliance and do not provide remediation - 16

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts = 216
  • Rules divided into two parts (18 Rules) so (18 * 2) = 36
  • Rules divided into three parts (8 Rules) so (8 * 3) = 24
  • Rules divided into six parts (2 Rules) so (2 * 6) = 12

So, the current rule count according to CIS - Ubuntu Enterprise Linux 20.04 template after running the compliance job is 288 (216+ 36+24+12).

Manual rules - rules without any compliance checks or remediation

Rule IDs without compliance checks

Comments

3.5.1.4, 3.5.1.5, 3.5.1.6, 3.5.1.7, 3.5.2.7,3.5.2.10,3.5.3.2.1, 3.5.3.2.2, 3.5.3.2.4, 3.5.3.3.1, 3.5.3.3.2, 3.5.3.3.4

Changing the firewall settings when you are connected to the network can result in being locked out of the system. 

1.2.1,1.2.2,4.2.1.6

As an administrator, review these values based on the organization policy.

Rules with compliance checks but no remediation

Rule IDs with compliance checks but no remediation

Comments

1.1.10,1.1.11,1.1.15,1.1.16,1.1.17,1.1.2,1.1.6,1.6.1.2.3,1.6.1.2.3,1.8.2, 1.8.4, 2.1.1.4.2, 2.3, 3.1.2, 4.1.1.3,4.1.1.4, 4.1.17,4.2.1.3,4.2.1.5,4.4, 6.2.4,6.2.3,6.2.12,6.2.11

Remediation not provided as it needs manual intervention by a system administrator.

3.5.2.1,3.1.1.2,3.5.1.3,3.5.2.3,3.5.2.4,3.5.2.5,3.5.2.6,3.5.2.8.1, 3.5.2.8.2, 3.5.2.8.3, 3.5.3.2.3, 3.5.3.3.3

Remediation configures the system to the immutable mode.

5.4.1.5, 5.4.2, 6.2.2, 6.2.5, 6.2.7,6.2.8,6.2.9,6.2.17,6.2.16, 6.2.15,6.2.13,6.2.14,6.2.10

Remediation must be performed manually with required permission.

1.9

Remediation is not available as the package update or configuration information depends upon the organization.

1.3.1,1.4.2,1.4.4,1.5.1,2.1.1.3,4.3,5.6,5.7

The remediation requires user input

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*