Your Linux Servers Are Targets. Here’s How to Harden Them.
Every server connected to the internet is a target. Whether you're running a small financial platform, hosting a government portal, or managing the cloud infrastructure for a resort chain, the baseline security of your Linux servers is the foundation everything else stands on.

Yet "secure the server" is frustratingly vague advice. What exactly should you configure? How do you know you haven't missed a tiny, exploitable gap? That's the problem the Center for Internet Security (CIS) Benchmarks solve.
In this post, I’m going to demystify what the CIS framework actually is, why it matters, and walk through an automation script I built to apply the CIS Ubuntu Linux 24.04 LTS Benchmark to production servers.
What Is the CIS Framework?
The Center for Internet Security is a non-profit organization that publishes detailed, consensus-driven security guidelines called CIS Benchmarks. These aren't just theoretical whitepapers; they are prescriptive, step-by-step hardening guides developed by a global community of cybersecurity pros, government agencies, and auditors. There are benchmarks for over 100 technologies: operating systems, cloud platforms (AWS, Azure, GCP), databases, and more. Each document is usually a massive 300–800 page PDF covering every conceivable security toggle.

How the Benchmarks Are Structured
I like to break down the Ubuntu 24.04 LTS benchmark into these major domains:
- Section 1 - Initial Setup: Filesystem hardening (disabling unused kernel modules like `cramfs`), software updates, and process-level defenses like ASLR.
- Section 2 - Services: This is about reducing your attack surface. If you don't need it, kill it. I'm talking about Avahi, CUPS, DHCP servers, and legacy protocols like `rsh` or `telnet`.
- Section 3 - Network Configuration: Tightening the kernel through `sysctl` (disabling IP forwarding and ICMP redirects) and setting up a "default-deny" firewall.
- Section 4 - Logging and Auditing: Making sure the system keeps a tamper-resistant trail. I use `auditd` to capture changes to user accounts and network configs, then make those rules immutable so an attacker can't cover their tracks.
- Section 5 - Access and Auth: This is the big one. It covers SSH hardening (no root login, key-based auth only), password complexity, and account lockouts.
- Section 6 - System Maintenance: Cleaning up file permissions on critical files like `/etc/shadow` and enforcing idle session timeouts.
Profile Levels: Which one do you need?
- Level 1: Practical hardening that shouldn't break your apps. This is the "must-have" baseline for any production server.
- Level 2: "Defense-in-depth" for high-security environments. These can be intrusive (like disabling USB storage) and might impact performance.
Why I Care About This for Compliance
If you need to hit ISO 27001, PCI-DSS, or SOC 2, these benchmarks are your best friend. When an auditor asks, "How is this server secured?" you can hand them a concrete report showing exactly how you've met the CIS standard.
The Automation Script: Saving You Hours of Work
Manually clicking through 200+ recommendations is a recipe for a headache and human error. To solve this, I built `cis-harden-ubuntu2404.sh`. It automates the Level 1 profile (plus some "safe" Level 2 controls) in a single run.

Get the script here: https://github.com/n4t5ru/CIS-framwork-ubuntu24-automated
My Design Principles
- Safety First: I made sure the script backs up every original config file with a timestamp before touching it.
- Transparency: You get color-coded logs (Pass/Skip/Fail) so you know exactly what happened.
- Idempotency: You can run it multiple times without breaking anything or creating duplicate entries.
What the Script Actually Does
- Hardens the Kernel: It applies over 20 `sysctl` settings to stop packet redirect attacks and SYN floods.
- Locks Down SSH: It disables passwords in favor of keys, kills root login, and restricts ciphers to modern, strong algorithms.
- Configures the Firewall: It sets up UFW with a "deny-all" policy but explicitly allows SSH so you don't lock yourself out.
- Enforces Passwords: It requires 14-character passwords with uppercase, lowercase, digits, and symbols.
- AppArmor: It ensures your mandatory access control is actually running and confining apps.
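To show what the design principles above (timestamped backup, Pass/Skip/Fail logging, idempotency) look like when applied to an SSH directive such as `PermitRootLogin`, here is an added example helper. It is my illustration, not code from the linked script, and it works on a constructed sshd_config-style sample in a temp directory rather than on the real `/etc/ssh/sshd_config`; it assumes plain alphanumeric directive names.

```bash
#!/usr/bin/env bash
# Added example (not the project's script): an idempotent "set directive" helper.
# It backs up the target once per run with a timestamp, rewrites the first existing
# (active or '#'-commented) directive, drops later duplicates, appends the directive
# if it was missing, and reports PASS / SKIP / FAIL. Assumes alphanumeric keys.
set -u
RUN_TS=$(date +%Y%m%d%H%M%S)   # one stamp per run, so the original is kept exactly once

log() { printf '[%s] %s\n' "$1" "$2"; }

# set_directive FILE KEY VALUE -> 0 changed (PASS), 1 already compliant (SKIP), 2 error (FAIL)
set_directive() {
  local file=$1 key=$2 value=$3 active tmp
  [ -f "$file" ] || { log FAIL "$file not found"; return 2; }
  # Idempotency: exactly one active line for KEY, and it already carries VALUE.
  active=$(grep -Ec "^[[:space:]]*${key}([[:space:]]|$)" "$file" || true)
  if [ "$active" -eq 1 ] && grep -Eq "^[[:space:]]*${key}[[:space:]]+${value}[[:space:]]*$" "$file"; then
    log SKIP "$key already $value in $file"; return 1
  fi
  # Safety first: timestamped backup of the untouched original (once per run).
  [ -e "$file.bak.$RUN_TS" ] || cp -p -- "$file" "$file.bak.$RUN_TS" ||
    { log FAIL "backup of $file failed"; return 2; }
  tmp=$(mktemp) || { log FAIL "mktemp failed"; return 2; }
  # First match becomes "KEY VALUE"; later matches are dropped so no duplicate
  # survives; if nothing matched, the directive is appended at the end.
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { if (!done) { print k " " v; done = 1 }; next }
    { print }
    END { if (!done) print k " " v }' "$file" > "$tmp" &&
    cat "$tmp" > "$file" ||      # cat > keeps the target's owner and mode
    { rm -f -- "$tmp"; log FAIL "rewrite of $file failed"; return 2; }
  rm -f -- "$tmp"
  log PASS "$key set to $value in $file"
}

# demo: constructed sample (not a real server file) with a commented default,
# a conflicting duplicate, and a directive that is missing entirely.
demo() {
  local dir; dir=$(mktemp -d) || return 2
  DEMO_FILE="$dir/sshd_config"
  printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'X11Forwarding yes' 'Subsystem sftp /usr/lib/openssh/sftp-server' > "$DEMO_FILE"
  set_directive "$DEMO_FILE" PermitRootLogin no          # PASS: replaced, duplicate removed
  set_directive "$DEMO_FILE" PasswordAuthentication no   # PASS: appended
  return 0
}

demo
```

Running it a second time reports SKIP for both directives and leaves the file and backup unchanged.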
How to Use It
I recommend running this on a fresh Ubuntu 24.04 LTS installation.
1. Transfer and make it executable:
```bash
chmod +x cis-harden-ubuntu2404.sh
```
2. Run as root:
```bash
sudo ./cis-harden-ubuntu2404.sh
```

A quick warning:
- Before you hit enter, ensure you have SSH key-based authentication working.
- The script disables password logins. If you don't have a key set up, you WILL be locked out of your own server.
- Once it's done, reboot the system and run a validation scan to see the results:
```bash
sudo apt install lynis
sudo lynis audit system
```
What Automation Can't Do
I should be clear: no script is a "magic wand." There are things you still have to do manually:
- Partitioning: You should ideally set up separate partitions for `/home` and `/var` during the OS installation.
- Service Removal: If you're running a web server, I don't want my script to accidentally delete Apache or Nginx. I’ll warn you about them, but I leave the final "purge" to you.
- GRUB Passwords: This requires manual input to create a secure hash.
Final Thoughts
A CIS Benchmark isn't a "one and done" checklist. It's a living standard. I integrate this into my provisioning pipelines and re-validate regularly. Automation gets you 90% of the way there in minutes, but the last 10%, the monitoring and patching, is what keeps you truly secure.
Stay hardened.