
Applying the CIS Ubuntu benchmark — the controls that matter and the ones we skip

May 15, 2026 · 1 min read · by Sudhanshu K.

The CIS Ubuntu benchmark has roughly 200 controls. Some of them materially harden the system. Others fire compliance dashboards full of yellow without changing attacker economics. A few are actively counterproductive on a modern Ubuntu host where defaults have already moved past them.

This is the pragmatic subset we ship on every managed Ubuntu fleet — and the controls we explicitly skip, with reasoning.

The audit run

# Open-source auditor — same control set as the paid CIS-CAT
sudo bash <(curl -fsSL https://github.com/dev-sec/cis-dil-benchmark/raw/main/inspec.sh) \
  --target=local://

# OpenSCAP with the SSG profile (openscap-scanner provides the oscap binary)
sudo apt install openscap-scanner ssg-base ssg-debderived
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results /tmp/cis-results.xml \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

We run this every 24 hours across the fleet and feed the deltas into a Grafana dashboard. The dashboard is split into "controls that fail because they should" and "controls that fail because the benchmark is wrong about this environment."
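Splitting the scan output into those two buckets means reading the XCCDF results file oscap wrote and separating failures on controls you have deliberately waived from failures that are real hardening gaps. The following is an added example, not the post's own tooling: the waiver list and the embedded sample results are constructed, and the rule ids in them are illustrative rather than taken from the SSG content.

```python
"""Classify oscap XCCDF results into real failures vs. waived controls."""
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by the SSG data streams and their result files.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Controls we deliberately do not apply; a failure here is expected and goes to
# the "benchmark is wrong about this environment" panel. Rule ids are constructed.
WAIVED = {
    "xccdf_org.ssgproject.content_rule_kernel_module_loading_disabled":
        "breaks driver and firmware updates on our hosts",
}

# Constructed, minimal stand-in for /tmp/cis-results.xml (real files are far larger).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample">
  <TestResult id="xccdf_sample_result">
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_auditd_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_kernel_module_loading_disabled" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" severity="high">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>"""


def classify_results(xml_text, waived):
    """Return rule ids grouped as real failures, expected (waived) failures, and passes."""
    root = ET.fromstring(xml_text)
    groups = {"real": [], "expected": [], "passed": []}
    # .// works whether the root is a Benchmark, a bare TestResult, or an ARF wrapper.
    for rr in root.iterfind(".//x:rule-result", XCCDF_NS):
        rule = rr.get("idref")
        result = rr.findtext("x:result", namespaces=XCCDF_NS)
        if result == "pass":
            groups["passed"].append(rule)
        elif result == "fail":
            groups["expected" if rule in waived else "real"].append(rule)
        # notapplicable / notchecked / informational count toward neither panel
    return groups


if __name__ == "__main__":
    for panel, rules in classify_results(SAMPLE_RESULTS, WAIVED).items():
        print(f"{panel}: {len(rules)} {rules}")
```

On a live host, replace SAMPLE_RESULTS with the contents of the file passed to --results and push the per-panel counts to the dashboard as two separate series.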

The full write-up covers:

  • The Level 1 controls we apply universally (firewall defaults, password complexity, audit daemon)
  • Level 2 controls — which ones we apply to internet-facing hosts only
  • Controls we explicitly skip and why (e.g., disabling all module loading)
  • AppArmor profiles — the ones in enforce mode by default
  • auditd configuration — the rules that surface real attacks vs noise
  • The CIS-CAT vs OpenSCAP vs ansible-lockdown trade-offs

We apply this baseline to every managed Ubuntu host.
