Applying CIS Benchmarks to harden Linux servers isn’t just about ticking boxes; it’s about proactively defending against the most common and impactful attack vectors. The surprising truth is that many security teams, while aware of CIS, treat it as a static checklist rather than a dynamic security posture assessment.

Let’s see what this looks like in practice. Imagine you’ve just deployed a new Ubuntu 22.04 server. Out of the box, it’s configured for usability, not maximum security.

# Example: Checking SSH configuration before hardening
sudo grep -E "^(PermitRootLogin|PasswordAuthentication)" /etc/ssh/sshd_config
# Expected output might show:
# PermitRootLogin yes
# PasswordAuthentication yes

This is a common scenario: root login is permitted and password authentication is enabled, both of which are significant security risks. Keep in mind that a commented-out line in sshd_config means the compiled-in default applies, so an empty grep result is not the same as a safe setting. Now let’s apply CIS recommendations. The CIS Ubuntu Linux 22.04 LTS Benchmark, for instance, guides you through hundreds of such checks.

The core idea is to reduce the attack surface and enforce least privilege. This means disabling unnecessary services, configuring restrictive file permissions, and ensuring strong authentication mechanisms are in place.

Here’s a breakdown of key areas and how they translate into action:

1. User and Group Management:

  • Problem: Unnecessary users or groups, or overly broad permissions for existing ones.
  • CIS Recommendation: Ensure only authorized users have accounts, and enforce strong password policies.
  • Action:
    • Check for inactive accounts:
      sudo awk -F: '$7 ~ /(nologin|false)$/ && $3 < 1000 { print $1 }' /etc/passwd
      
      This lists accounts whose login shell is nologin or false (the pattern matches both /sbin/nologin and Ubuntu’s /usr/sbin/nologin) and whose UID is below 1000, the start of the regular-user range on Ubuntu. These are system accounts, potentially stale ones left behind by removed software, and each should be reviewed.
    • Enforce password complexity and history: Edit /etc/security/pwquality.conf (provided on Ubuntu by the libpam-pwquality package) and set parameters like:
      minlen = 14
      dcredit = -1
      ucredit = -1
      ocredit = -1
      lcredit = -1
      difok = 8
      
      Password history is not a pwquality setting; it is the remember option of the pam_pwhistory module, set in the PAM password stack (/etc/pam.d/common-password on Ubuntu):
      password required pam_pwhistory.so remember=12 use_authtok
      
      These settings enforce a minimum length of 14 characters, require at least one digit, uppercase letter, lowercase letter, and special character (a negative credit value is a minimum count, not a bonus), require at least 8 characters to differ from the previous password, and prevent reuse of the last 12 passwords.

2. File System Integrity and Permissions:

  • Problem: Sensitive files or directories with world-writable permissions, or critical system files being modifiable by unauthorized users.
  • CIS Recommendation: Implement strict permissions on critical system files and directories, and ensure file integrity monitoring is configured.
  • Action:
    • Check world-writable directories:
      sudo find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
      
      This identifies directories that are world-writable (any user can create files in them) and lack the sticky bit. Directories such as /tmp are world-writable by design but have the sticky bit set, so users can only remove their own files; a world-writable directory without it lets any local user delete or replace other users’ files, which is a common weakness.
    • Secure /etc/passwd and /etc/shadow: Ensure these files are owned by root:root and have permissions 0644 and 0000 respectively.
      sudo chown root:root /etc/passwd /etc/shadow
      sudo chmod 0644 /etc/passwd
      sudo chmod 0000 /etc/shadow
      
      /etc/passwd needs to be readable by all users to resolve user IDs to names, but not writable. /etc/shadow contains hashed passwords and must be unreadable by anyone except root.

3. Network Services and Configuration:

  • Problem: Unnecessary network services running, or insecure network configurations (e.g., default SSH settings).
  • CIS Recommendation: Disable unused network services and configure firewalls and network daemons securely.
  • Action:
    • Disable unnecessary services: For example, if you don’t need Avahi (zeroconf networking):
      sudo systemctl stop avahi-daemon.socket
      sudo systemctl disable avahi-daemon.socket
      sudo systemctl stop avahi-daemon.service
      sudo systemctl disable avahi-daemon.service
      
      Stopping a unit ends its current execution immediately, and disabling it prevents it from starting on boot. The socket unit must be stopped and disabled as well: with socket activation, systemd would otherwise start the service again on the next incoming connection even though the service unit is disabled. Together these steps remove the listener and reduce the attack surface.
    • Harden SSH: Edit /etc/ssh/sshd_config and set:
      PermitRootLogin no
      PasswordAuthentication no
      PubkeyAuthentication yes
      ChallengeResponseAuthentication no
      UsePAM yes
      
      Disabling root login and password authentication while enforcing public key authentication significantly strengthens SSH security: a login now requires a private key, and password brute-force attempts are rejected outright. Before disabling password authentication, make sure your public key is installed and that a key-based login works from a second session, or you can lock yourself out. After editing, validate the file with sshd -t and then reload the SSH service:
      sudo systemctl reload sshd
      
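An added compliance check, not code from the original article: it reads an sshd_config file the way sshd does (first occurrence of a keyword wins, keyword case is ignored, anything after a Match line is conditional) and reports which of the five settings above deviate. The config path is passed as an argument; the two sample configs are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example: verify the five sshd_config settings from the hardening step.
# sshd takes the FIRST occurrence of a keyword, ignores keyword case, and treats
# everything after a "Match" line as conditional, so a "grep | tail -1" check can
# pass a file whose effective global settings are still weak.
# Usage: check_sshd_config /etc/ssh/sshd_config  (returns 0 if compliant, else 1)
check_sshd_config() {
    cfg=$1; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes ChallengeResponseAuthentication=no UsePAM=yes; do
        key=${pair%%=*}; want=${pair#*=}
        # Effective global value: first non-comment match before any Match block.
        got=$(awk -v k="$key" '
            NF == 0 || $1 ~ /^#/ { next }
            { gsub(/=/, " "); split($0, f, " ")
              if (tolower(f[1]) == "match") exit
              if (tolower(f[1]) == tolower(k)) { print tolower(f[2]); exit } }' "$cfg")
        if [ "$got" != "$want" ]; then
            printf '%s: want %s, effective %s\n' "$key" "$want" "${got:-(unset: compiled-in default applies)}"
            rc=1
        fi
    done
    return $rc
}
# Constructed sample configs, written to temp files so the check runs stand-alone.
sample_weak_config() {   # passes a last-value grep, fails under sshd's own rules
    f=$(mktemp); cat > "$f" <<'EOF'
permitrootlogin yes
# sshd ignores this later duplicate:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PubkeyAuthentication yes
EOF
    printf '%s\n' "$f"
}
sample_hardened_config() {
    f=$(mktemp); cat > "$f" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
    printf '%s\n' "$f"
}
if [ "${1:-}" = demo ]; then check_sshd_config "$(sample_weak_config)"; check_sshd_config "$(sample_hardened_config)" && echo "hardened config: OK"; fi
```

Run it with the argument demo to see the weak sample flagged on PermitRootLogin (first occurrence) and PubkeyAuthentication (only set inside a Match block).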

4. Auditing and Logging:

  • Problem: Insufficient logging or auditing to detect or investigate security incidents.
  • CIS Recommendation: Configure comprehensive system auditing to capture security-relevant events.
  • Action:
    • Install and configure auditd: Ensure auditd is installed and running:
      sudo apt update && sudo apt install auditd audispd-plugins -y
      sudo systemctl enable auditd
      sudo systemctl start auditd
      
      The audit daemon (auditd) is crucial for tracking system events. Installing it and ensuring it runs is the first step.
    • Add audit rules (example: monitor /etc/passwd changes): Edit /etc/audit/rules.d/audit.rules and add:
      -w /etc/passwd -p wa -k identity
      -w /etc/shadow -p wa -k identity
      
      These rules tell auditd to watch for write (w) and attribute change (a) operations on /etc/passwd and /etc/shadow, logging them with the key identity for easy retrieval. Reload audit rules:
      sudo augenrules --load
      
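An added example of reading the events those rules produce, not code from the original article: it answers "who changed /etc/passwd?" from a raw audit.log without ausearch, by joining the SYSCALL record (actor and key) with its PATH records (file names) on the shared audit serial. The log lines are constructed and trimmed compared with a real log.

```shell
#!/bin/sh
# Added example: triage raw audit.log records tagged with the "identity" key.
# One audited write is logged as several records (SYSCALL, CWD, PATH, PROCTITLE)
# sharing one msg=audit(TIMESTAMP:SERIAL) id. The actor (auid, uid, exe) and the
# key are in the SYSCALL record, the file name in a PATH record, so the two have
# to be joined by serial. Usage: audit_identity_events /var/log/audit/audit.log
audit_identity_events() {
    awk -v want="identity" '
        # Serial number from msg=audit(1700000000.123:4567):
        { id = ""
          if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) {
              id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id) } }
        $1 == "type=SYSCALL" {
            key = ""
            if (match($0, /key="[^"]*"/)) key = substr($0, RSTART + 5, RLENGTH - 6)
            if (key != want) next
            for (i = 1; i <= NF; i++) if ($i ~ /^(auid|uid|exe)=/) actor[id] = actor[id] " " $i
            order[++n] = id
        }
        # Keep file names for every event; PARENT entries name the directory, not the file.
        $1 == "type=PATH" && $0 !~ /nametype=PARENT/ {
            if (match($0, /name="[^"]*"/)) paths[id] = paths[id] " " substr($0, RSTART, RLENGTH)
        }
        END { for (j = 1; j <= n; j++) print order[j] actor[order[j]] paths[order[j]] }
    ' "$@"
}
# Constructed sample log: one usermod write to /etc/passwd (key identity) and an
# unrelated editor write under a different key, which must not be reported.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1250 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="usermod" exe="/usr/sbin/usermod" key="identity"
type=CWD msg=audit(1700000000.123:4567): cwd="/root"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/etc/" inode=2 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:4567): item=1 name="/etc/passwd" inode=1234 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:4567): proctitle=2F7573722F7362696E2F757365726D6F64
type=SYSCALL msg=audit(1700000000.900:4580): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=900 pid=950 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="home_edits"
type=PATH msg=audit(1700000000.900:4580): item=1 name="/home/alice/.bashrc" inode=5678 dev=fc:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
EOF
}
if [ "${1:-}" = demo ]; then sample_audit_log | audit_identity_events; fi
```

The auid field is the login UID that survives sudo, which is why it, rather than uid=0, tells you which administrator made the change.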

The CIS Benchmark is not a one-time task. It’s a process that requires regular review and adaptation as new vulnerabilities emerge and system configurations change. The value lies in the systematic approach to identifying and mitigating risks, moving from a reactive security stance to a proactive one.

The next hurdle you’ll likely encounter is integrating automated compliance checking tools to ensure these configurations remain in place and to manage them across a fleet of servers.
