Security Compliance

Security compliance frameworks define minimum security standards for IT systems. For Ubuntu servers in enterprise environments, compliance typically involves meeting requirements from frameworks like CIS Benchmarks, PCI-DSS, SOC 2, or ISO 27001. Compliance is not the same as security — a system can pass a compliance audit and still have significant vulnerabilities. But compliance provides a measurable, auditable baseline that ensures minimum security hygiene is consistently maintained.

Common compliance frameworks

| Framework | Who needs it | Key Ubuntu requirements |
| --- | --- | --- |
| CIS Benchmarks | All enterprises | Hardening checklist (filesystem, accounts, network) |
| PCI-DSS | Payment card processing | Encryption, access control, logging, patching |
| SOC 2 Type II | SaaS companies | Access management, monitoring, availability |
| HIPAA | Healthcare data (US) | PHI encryption, audit logging, access control |
| ISO 27001 | International enterprises | ISMS framework covering all above areas |

CIS Benchmarks for Ubuntu

# CIS Ubuntu 22.04 benchmark key controls:

# 1. Filesystem configuration:
sudo mount | grep /tmp    # /tmp should be on separate partition or tmpfs
echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0" | sudo tee -a /etc/fstab

# 2. Disable unused filesystems:
# (snap packages are squashfs images; drop the squashfs line if this host uses snaps)
sudo tee /etc/modprobe.d/disable-filesystems.conf > /dev/null << 'EOF'
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install squashfs /bin/true
install udf /bin/true
EOF

# 3. Bootloader protection:
sudo chown root:root /boot/grub/grub.cfg
sudo chmod og-rwx /boot/grub/grub.cfg

# 4. Process hardening:
# sysctl.d files only treat lines that start with # or ; as comments,
# so each comment sits on its own line rather than after a value.
sudo tee -a /etc/sysctl.d/99-cis.conf > /dev/null << 'EOF'
# ASLR full randomization
kernel.randomize_va_space = 2
# Restrict dmesg to root
kernel.dmesg_restrict = 1
# Disable SysRq
kernel.sysrq = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
EOF
sudo sysctl -p /etc/sysctl.d/99-cis.conf

Audit and scanning tools

# Lynis — free CIS-based security audit tool:
sudo apt install -y lynis
sudo lynis audit system

lynis audit output (summary)

Lynis security scan details:
  Hardening index : 72 [##############      ]
  Tests performed : 261
  Plugins enabled : 2

  Components:
    - Firewall               [V]    ENABLED
    - Malware scanner        [X]    NOT FOUND
    - File integrity monitor [X]    NOT FOUND

  Suggestions (33):
  * Consider hardening SSH [SSH-7408]
  * Install package audit tools [PKGS-7398]

# OpenSCAP — automated compliance scanning:
sudo apt install -y libopenscap8 openscap-scanner

# Download SCAP content for Ubuntu:
sudo apt install -y scap-workbench    # GUI tool for policy management

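# Check CIS compliance (requires the SCAP Security Guide data stream at the path below;
# oscap exits with status 2 when at least one rule fails):
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --report /tmp/compliance-report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml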

Compliance automation

# Run Lynis compliance checks weekly via systemd timer:
sudo tee /etc/systemd/system/lynis-audit.service > /dev/null << 'EOF'
[Unit]
Description=Weekly Lynis Security Audit

[Service]
Type=oneshot
ExecStart=/usr/sbin/lynis audit system --quick --report-file /var/log/lynis/report.dat
StandardOutput=journal
EOF

sudo tee /etc/systemd/system/lynis-audit.timer > /dev/null << 'EOF'
[Unit]
Description=Run Lynis weekly

[Timer]
OnCalendar=Sun *-*-* 03:00:00
Persistent=true

[Install]
WantedBy=timers.target
EOF

sudo mkdir -p /var/log/lynis
sudo systemctl enable --now lynis-audit.timer

Conclusion

Run Lynis after initial server setup and before putting a server into production. Address all "Suggestions" marked as high priority first, particularly around SSH configuration, authentication, and network hardening. Schedule weekly Lynis runs and compare the hardening index over time — a declining score indicates configuration drift. PCI-DSS and SOC 2 specifically require documented evidence of regular security scans, so keep the Lynis reports archived.
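
The weekly unit above overwrites /var/log/lynis/report.dat on every run, so comparing scores over time needs an archive step. The script below is an added example, not part of the original article: it keeps a timestamped copy of each report and flags a falling hardening index together with any newly reported test IDs. The function names, the archive directory and the report fields it reads (hardening_index=, suggestion[]=, warning[]=) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): archive each Lynis report and
# flag a falling hardening index. Function names and paths are assumptions.

# Print the hardening index stored in a Lynis report (hardening_index=NN).
hardening_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Print the test IDs of all suggestion[]/warning[] entries, one per line.
finding_ids() {
    sed -n -e 's/^suggestion\[\]=\([^|]*\)|.*/\1/p' \
           -e 's/^warning\[\]=\([^|]*\)|.*/\1/p' "$1" | sort -u
}

# Print IDs found in the current report ($2) but not in the previous one ($1).
new_findings() {
    for nf_id in $(finding_ids "$2"); do
        finding_ids "$1" | grep -qxF -- "$nf_id" || echo "$nf_id"
    done
}

# $1 = report, $2 = archive dir, $3 = optional timestamp (default: now, UTC).
# Returns 0 = baseline or no decline, 1 = index declined, 2 = unusable report.
archive_and_compare() {
    ac_stamp=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
    ac_cur=$(hardening_index "$1" 2>/dev/null)
    [ -n "$ac_cur" ] || { echo "no hardening_index in $1" >&2; return 2; }
    mkdir -p "$2"
    # Newest archived report; the timestamp format sorts chronologically.
    ac_prev_file=$(ls "$2"/report-*.dat 2>/dev/null | sort | tail -n 1)
    cp -p "$1" "$2/report-$ac_stamp.dat"
    [ -n "$ac_prev_file" ] || { echo "baseline: hardening index $ac_cur"; return 0; }
    ac_prev=$(hardening_index "$ac_prev_file")
    echo "hardening index: $ac_prev -> $ac_cur"
    new_findings "$ac_prev_file" "$1" | sed 's/^/new finding: /'
    [ "$ac_cur" -ge "$ac_prev" ] || return 1
    return 0
}

# Usage: lynis-archive.sh /var/log/lynis/report.dat /var/log/lynis/archive
if [ "$#" -ge 2 ]; then
    archive_and_compare "$@"
fi
```

Run it after each audit, for example from an ExecStartPost= line in lynis-audit.service; exit status 1 then marks the unit as failed whenever the index drops.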

FAQ

Is Security Compliance important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
