Achieving CIS Level 1 Hardening for Linux

This article explores the process of achieving CIS Level 1 hardening for SUSE Linux 15 and Oracle Linux 8, despite the absence of ready-made CIS-hardened images.
database managed services asm migration remote dba support database management Oracle linux
Picture of Written by Joel Gonsalves

Written by Joel Gonsalves

System Administrator at Blue Crystal Solutions

Hardening Oracle Linux and SUSE Linux

When securing Linux-based servers, adhering to industry standards is crucial for maintaining a robust and resilient infrastructure. The Centre for Internet Security (CIS) provides comprehensive benchmarks for hardening Linux systems, including CIS Level 1. However, in certain cases where servers have already been deployed, obtaining ready-made CIS-hardened images may not be feasible. In such scenarios, it becomes necessary to develop scripts for implementing the hardening manually. This article explores the journey of achieving CIS Level 1 hardening for SUSE Linux 15 and Oracle Linux 8, overcoming challenges and utilising tools such as OpenSCAP and Tenable to ensure compliance.

Understanding the Challenge

The initial requirement was to harden Linux servers based on CIS Level 1 standards. However, CIS had yet to release specific scripts for implementing the hardening on SUSE Linux 15 and Oracle Linux 8. This posed a significant challenge, as the hardening process had to be developed from scratch.

Leveraging OpenSCAP

After thorough research, the team identified OpenSCAP as a valuable resource for Linux hardening. Test servers were set up, and the OpenSCAP package was installed to access the available scripts for CIS hardening. While this provided a foundation, it was discovered that the provided scripts did not cover all items specified in the CIS standards.

Identifying Gaps and Customising Scripts

To bridge the gaps in the hardening process, a careful review of the existing scripts was conducted. By comparing the CIS standards and using tools like Tenable, the team gained insights into the vulnerabilities and areas where the existing scripts fell short. The scripts were customised and refined based on these findings to cover the remaining CIS requirements.

Testing and Reporting

Testing the effectiveness of the hardening measures is a crucial step in ensuring compliance. A reporting tool was unavailable for the servers associated with one client (Comviva). To address this, a prebuilt script was utilised, which generated a text-based report. This report provided insights into the gaps that needed to be addressed within the CIS script for Comviva’s servers.

Iterative Improvement

Using the reports generated by Tenable for one client and the text-based report for Comviva, the team could identify specific areas where the scripts needed refinement. These findings were then used to update the scripts iteratively, ensuring that all necessary security measures were implemented to meet CIS Level 1 standards.

Achieving CIS Level 1 Standard

Despite the challenges, the team successfully reached a point where the deployed servers for multiple clients met the stringent CIS Level 1 standards. By leveraging OpenSCAP, customised scripting, and iterative improvements based on testing and reporting, the Linux servers were hardened, providing enhanced security and compliance.

Implementing CIS Level 1 hardening for already deployed Linux servers requires meticulous planning and resourceful problem-solving. By leveraging tools like OpenSCAP and utilising reporting tools such as Tenable, even in the absence of a reporting tool, it is possible to identify and address the gaps in the hardening process. Through continuous refinement and customisation, the team achieved the desired level of security, providing clients with servers that meet the rigorous CIS Level 1 standards.

With security at the forefront of everything we do, we can work with your cyber teams to improve your security posture significantly. Whether it’s delivering to cyber recommendations or providing an audit of your current risks that helps you understand your security and resilience, we can help you protect what matters most to your organisation. Talk to us to find out more. 

Join our conversation on Medium.

Learn More.

Choosing between Postgres vs SQL Server? It all depends on business needs. Postgres SQL offers flexibility and cost savings, while SQL Server provides enterprise-level support within Microsoft ecosystems. Blue Crystal Solutions optimises database choices with setup, 24x7 monitoring, and migration. Learn more about your SQL Server alternatives and Postgres database comparison.

Your SQL Server backups are critical to ensuring business continuity, data protection, and compliance. Reviewing and optimising your backup and restore jobs with an expert team like ours can give you confidence in your data protection strategy, helping your business stay resilient and prepared.

We’re playing a proactive role in enabling Digital Transformation in Public Sector by building a future where technology benefits everyone - with a focus on Digital Identity. In our involvement with the GX5 series, we are part of the solution to making Government Services more efficient, secure, and accessible for all Australians.

Blue Crystal Solutions: your trusted & innovative IT partner.

Australian owned and operated since 2004, we provide information technology services locally, nationally and beyond.

We are a specialised supplier of Cloud, Application, Database & Infrastructure, Operating System Management, Modernisation and Transformation services. With security at the forefront of everything we do, we can also work with your cyber teams to significantly improve your security posture whilst ensuring all your services with us are fortified by our integrated outage protection and 24×7 monitoring tool, BlueDiamond

Scroll to Top