ZCSPM offers bash scripts for hardening the Ubuntu 18.04 OS on your Azure virtual machines. Make sure you test the scripts on a testing environment before running them on a production environment.

Hardening Script for ZCSPM supported Security Policies

Azure_CSBP_Ubuntu18_04_Remediation.sh: ZCSPM can remediate about 32 security policies to harden Ubuntu 18.04 OS on an Azure virtual machine.

• See the 32 security policies remediated
  Policy Title 1

  Ensure address space layout randomization (ASLR) is enabled

  Ensure Avahi Server is not enabled

  Ensure bogus ICMP responses are ignored

  Ensure broadcast ICMP requests are ignored

  Ensure cron daemon is enabled

  Ensure CUPS is not enabled

  Ensure DHCP Server is not enabled

  Ensure DNS Server is not enabled

  Ensure IMAP and POP3 server is not enabled (Ensure email services are not enabled)

  Ensure IP forwarding is disabled

  1 to 10 of 32

  Page 1 of 4

  Close

To run the ZCSPM recommended hardening script:

1. Make sure you are logged in to the virtual machine as a root user.
2. Open the bash terminal and download the script from GitHub using the following command:

wget https://raw.githubusercontent.com/Cloudneeti/os-harderning-scripts/master/Ubuntu18_04/Azure_CSBP_Ubuntu18_04_Remediation.sh -O Azure_CSBP_Ubuntu18_04_Remediation.sh

3. Switch to root using the following command:

sudo su

4. Run the script using the following command:

bash Azure_CSBP_Ubuntu18_04_Remediation.sh

You can scan the relevant cloud account in the ZCSPM Admin Portal and view the security policy results.

Hardening Script for CIS Compliance

CIS_Ubuntu18_04_Benchmark_v1_0_0_Remediation.sh: ZCSPM also offers a more extensive script which remediates 110 out of 189 security policies for the CIS Ubuntu 18.04 v1.0.0 Benchmark.

ZCSPM cannot remediate 79 security policies because either the appropriate APIs and commands are unavailable for automatic remediation, or they need user inputs and have to be manually remediated.

• See the 110 remediated security policies
  Policy Title 1

  Ensure access to the su command is restricted

  Ensure address space layout randomization (ASLR) is enabled

  Ensure AIDE is installed

  Ensure all users last password change date is in the past

  Ensure audit log storage size is configured

  Ensure audit logs are not automatically deleted

  Ensure auditd service is enabled

  Ensure authentication required for single user mode

  Ensure bogus ICMP responses are ignored

  Ensure bootloader password is set

  1 to 10 of 110

  Page 1 of 11

  Close
• See the 79 security policies which cannot be remediated
  Policy Title 1

  Audit SGID executables

  Audit SUID executables

  Audit system file permissions

  Ensure /etc/hosts.allow is configured

  Ensure /etc/hosts.deny is configured

  Ensure all groups in /etc/passwd exist in /etc/group

  Ensure all users' home directories exist

  Ensure audit log storage size is configured

  Ensure auditing for processes that start prior to auditd is enabled

  Ensure bootloader password is set

  1 to 10 of 78

  Page 1 of 8

  Close

To run the CIS compliance hardening script:

1. Make sure you are logged in to the virtual machine as a root user.
2. Open the terminal and download the script from GitHub using the following command:

wget https://raw.githubusercontent.com/Cloudneeti/os-harderning-scripts/master/Ubuntu18_04/CIS_Ubuntu18_04_Benchmark_v1_0_0_Remediation.sh -O CIS_Ubuntu18_04_Benchmark_v1_0_0_Remediation.sh

3. Switch to root using the following command:

sudo su

4. Run the script using the following command:

bash CIS_Ubuntu18_04_Benchmark_v1_0_0_Remediation.sh