Hey all, I'm having a tough time getting Ubuntu 24.04 LTS to comply with CIS Benchmarks. I'm currently using Wazuh for monitoring, and I've even tried writing some remediation scripts myself. But I'm facing inconsistencies—what works on one server doesn't on another, which is making this feel like a nightmare. My goals are to establish a security baseline for my existing Ubuntu servers, create a golden image that meets CIS standards, and continuously track compliance using Wazuh. Any advice or shared experiences would be much appreciated!
6 Answers
I’ve played around with some tools on my home server (no CIS compliance needed) and they were quite helpful. Here’s a video you might find useful: [YouTube link](https://youtu.be/XYxybI7xZTw?si=rkAJilY1ykJbGw_8).
Have you checked the official Ubuntu documentation? They have some valuable resources related to CIS compliance. You can find them here: [Ubuntu CIS Documentation](https://ubuntu.com/security/certifications/docs/usg/cis) and the [hardening automation blog post](https://ubuntu.com/blog/hardening-automation-for-cis-benchmarks-now-available-for-ubuntu-24-04-lts).
Creating a golden image isn’t the best practice anymore. It’s more efficient to deploy a base image and then layer configuration changes on top with tools like Ansible. Using 'infrastructure as code' helps keep track of modifications and gives you a clear overview of your entire environment, making it easier to replicate anywhere.
There are playbooks available that you can use to help get everything up to CIS compliance, so that might be a good avenue to explore.
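As an added illustration of the "base image plus layered configuration" approach described above (this is example code, not from the answer's author or from any published CIS playbook): a small Ansible playbook that declares a few hardening settings of the kind CIS-style baselines commonly require. The inventory group `ubuntu_servers`, the drop-in file names and the particular settings are assumptions chosen for illustration, not a mapping to specific CIS recommendation numbers. Because every task is declarative and idempotent, the same play converges a fresh host and a long-running host to the same state, which is what a one-shot remediation script usually fails to do.

```yaml
# harden.yml - added example playbook (not from the original thread).
# Assumptions: inventory group "ubuntu_servers", the ansible.posix collection is
# installed, and the sysctl/sshd drop-in file names below are free to use.
- name: Layer baseline hardening on top of a stock Ubuntu 24.04 image
  hosts: ubuntu_servers
  become: true

  vars:
    # Illustrative kernel parameters; these are typical hardening values,
    # not a claim about any specific CIS recommendation ID.
    sysctl_settings:
      net.ipv4.ip_forward: 0
      net.ipv4.conf.all.send_redirects: 0
      net.ipv4.conf.all.accept_source_route: 0
      kernel.randomize_va_space: 2

  tasks:
    - name: Apply kernel parameters at runtime and persist them
      ansible.posix.sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.d/60-hardening.conf   # assumed file name
        state: present
        reload: true
      loop: "{{ sysctl_settings | dict2items }}"

    # Ubuntu 24.04's /etc/ssh/sshd_config starts with
    # "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value
    # it reads, so a drop-in that sorts early takes precedence over the main file.
    - name: Drop in sshd hardening settings
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00-hardening.conf   # assumed file name
        owner: root
        group: root
        mode: "0600"
        content: |
          PermitRootLogin no
          PermitEmptyPasswords no
          MaxAuthTries 4
          LogLevel VERBOSE
        validate: /usr/sbin/sshd -t -f %s   # refuse to install a config sshd rejects
      notify: Restart sshd

    - name: Ensure auditd is installed
      ansible.builtin.apt:
        name: auditd
        state: present
        update_cache: true

    - name: Ensure auditd is enabled and running
      ansible.builtin.service:
        name: auditd
        state: started
        enabled: true

    - name: Enforce ownership and mode on sensitive account files
      ansible.builtin.file:
        path: "{{ item.path }}"
        owner: root
        group: "{{ item.group }}"
        mode: "{{ item.mode }}"
      loop:
        - { path: /etc/passwd,  group: root,   mode: "0644" }
        - { path: /etc/shadow,  group: shadow, mode: "0640" }
        - { path: /etc/gshadow, group: shadow, mode: "0640" }

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Run it with `ansible-playbook -i inventory.ini harden.yml --check --diff` first: check mode reports which hosts would change and exactly what, so the playbook doubles as a drift audit across the fleet before anything is enforced; running it again without `--check` applies only the differences. Keeping the playbook in version control is what gives you the tracked history of changes the answer above refers to.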
Yeah, I’d advise against golden images too. Focus on solid deployment and automation processes instead of thick imaging. That’s where flexibility and control come in!
Finding free resources for CIS compliance is a bit tricky since CIS funds itself through membership sales that give access to the necessary automation tools. But you can check [CIS Hardened Images](https://www.cisecurity.org/cis-hardened-images) for options.

Just a heads up, those resources might relate to the paid version, and I’m on the free one.