Achieving CIS Level 1 Hardening for Linux

This article explores the process of achieving CIS Level 1 hardening for SUSE Linux 15 and Oracle Linux 8, despite the absence of ready-made CIS-hardened images.
database managed services asm migration remote dba support database management Oracle linux
Picture of Written by Joel Gonsalves

Written by Joel Gonsalves

System Administrator at Blue Crystal Solutions

Hardening Oracle Linux and SUSE Linux

When securing Linux-based servers, adhering to industry standards is crucial for maintaining a robust and resilient infrastructure. The Centre for Internet Security (CIS) provides comprehensive benchmarks for hardening Linux systems, including CIS Level 1. However, in certain cases where servers have already been deployed, obtaining ready-made CIS-hardened images may not be feasible. In such scenarios, it becomes necessary to develop scripts for implementing the hardening manually. This article explores the journey of achieving CIS Level 1 hardening for SUSE Linux 15 and Oracle Linux 8, overcoming challenges and utilising tools such as OpenSCAP and Tenable to ensure compliance.

Understanding the Challenge

The initial requirement was to harden Linux servers based on CIS Level 1 standards. However, CIS had yet to release specific scripts for implementing the hardening on SUSE Linux 15 and Oracle Linux 8. This posed a significant challenge, as the hardening process had to be developed from scratch.

Leveraging OpenSCAP

After thorough research, the team identified OpenSCAP as a valuable resource for Linux hardening. Test servers were set up, and the OpenSCAP package was installed to access the available scripts for CIS hardening. While this provided a foundation, it was discovered that the provided scripts did not cover all items specified in the CIS standards.

Identifying Gaps and Customising Scripts

To bridge the gaps in the hardening process, a careful review of the existing scripts was conducted. By comparing the CIS standards and using tools like Tenable, the team gained insights into the vulnerabilities and areas where the existing scripts fell short. The scripts were customised and refined based on these findings to cover the remaining CIS requirements.

Testing and Reporting

Testing the effectiveness of the hardening measures is a crucial step in ensuring compliance. A reporting tool was unavailable for the servers associated with one client (Comviva). To address this, a prebuilt script was utilised, which generated a text-based report. This report provided insights into the gaps that needed to be addressed within the CIS script for Comviva’s servers.

Iterative Improvement

Using the reports generated by Tenable for one client and the text-based report for Comviva, the team could identify specific areas where the scripts needed refinement. These findings were then used to update the scripts iteratively, ensuring that all necessary security measures were implemented to meet CIS Level 1 standards.

Achieving CIS Level 1 Standard

Despite the challenges, the team successfully reached a point where the deployed servers for multiple clients met the stringent CIS Level 1 standards. By leveraging OpenSCAP, customised scripting, and iterative improvements based on testing and reporting, the Linux servers were hardened, providing enhanced security and compliance.

Implementing CIS Level 1 hardening for already deployed Linux servers requires meticulous planning and resourceful problem-solving. By leveraging tools like OpenSCAP and utilising reporting tools such as Tenable, even in the absence of a reporting tool, it is possible to identify and address the gaps in the hardening process. Through continuous refinement and customisation, the team achieved the desired level of security, providing clients with servers that meet the rigorous CIS Level 1 standards.

With security at the forefront of everything we do, we can work with your cyber teams to improve your security posture significantly. Whether it’s delivering to cyber recommendations or providing an audit of your current risks that helps you understand your security and resilience, we can help you protect what matters most to your organisation. Talk to us to find out more. 

Join our conversation on Medium.

Learn More.

Blue Crystal Solutions is proud to announce its successful graduation from the Growth Modules Program at the Australian Centre for Business Growth (AUCBG), University of South Australia. Over the past 9 months, our leadership team gained expert insights, actionable strategies, and a clear roadmap to accelerate our growth.

Discover how Oracle Database 23ai levels up privilege management with schema-level privileges. This innovative feature simplifies security and enhances database control by enforcing the Principle of Least Privilege (PoLP), ensuring compliance, and streamlining user access. Dive into the methodology, advantages, and practical examples for leveraging schema-level privileges effectively.

Premier Support Extension for Oracle Database 19c to December 31, 2029 gives organisations more time to plan their database upgrade strategy. With bug fixes, security patches, upgrades and 24x7 Oracle database monitoring by Blue Crystal Solutions, you can manage your Oracle 19c support effectively.

Blue Crystal Solutions: your trusted & innovative IT partner.

Australian owned and operated since 2004, we provide information technology services locally, nationally and beyond.

We are a specialised supplier of Cloud, Application, Database & Infrastructure, Operating System Management, Modernisation and Transformation services. With security at the forefront of everything we do, we can also work with your cyber teams to significantly improve your security posture whilst ensuring all your services with us are fortified by our integrated outage protection and 24×7 monitoring tool, BlueDiamond

Scroll to Top