CIS Hardened Images — Ubuntu 24.04 & Debian 12

BinaryLane now offers CIS-hardened versions of Ubuntu 24.04 and Debian 12. These images come pre-configured with security controls based on the CIS Benchmarks — an industry-standard set of best practices for securing operating systems.

CIS-hardened images are ideal for customers who need a secure starting point for their servers, whether for compliance requirements (ISO 27001, SOC 2, PCI-DSS) or simply to follow security best practices without spending hours on manual hardening.

⚠️ Important: These images disable password authentication and enable a default-deny firewall. Ensure you have an SSH key on your BinaryLane account before deploying. Read the Getting Started section below before your first deployment.

What Are CIS Benchmarks?

The Center for Internet Security (CIS) publishes detailed security configuration guides for every major operating system. Each benchmark contains hundreds of specific checks covering:

  • Network security — firewall rules, kernel parameters, disabled protocols
  • Access control — SSH hardening, password policies, account lockout
  • Auditing — system logging, file integrity monitoring, audit trails
  • Filesystem — partition isolation, mount options, permission hardening
  • Software — removal of unnecessary packages and services

CIS benchmarks are used worldwide by government agencies, financial institutions, healthcare providers, and any organisation that takes security seriously. Many compliance frameworks explicitly reference CIS benchmarks as an acceptable hardening standard.

ℹ️ CIS Level 1 vs Level 2: Our images apply Level 1 controls — security settings that improve your server's posture without significantly impacting usability. Level 2 controls are more restrictive and are typically only required in high-security environments.

What's Changed in These Images

Below is a complete summary of every change compared to the standard BinaryLane images.

SSH Hardening

Setting                  Standard Image                    CIS Image
-----------------------  --------------------------------  ---------------------------------------
Password authentication  Enabled                           Disabled — SSH key only
Root login               Allowed with password             Key-based only
X11 forwarding           Enabled                           Disabled
TCP/Agent forwarding     Enabled                           Disabled
Max auth tries           6                                 4
Max sessions             10                                4
Client alive interval    Not set                           300 seconds (idle timeout)
Login grace time         120s                              60s
Ciphers                  Default (includes older ciphers)  AES-256-GCM, ChaCha20, AES-256-CTR only
MACs                     Default                           SHA2-512-ETM, SHA2-256-ETM only
Key exchange             Default                           Curve25519 only
Log level                INFO                              VERBOSE
Login banner             None                              Legal warning banner

SSH configuration is stored in /etc/ssh/sshd_config.d/10-cis-hardening.conf. The default BinaryLane SSH drop-in (10-binarylane.conf) is removed.

Firewall (nftables)

A stateful nftables firewall is installed, enabled, and configured with a default-deny policy:

  • Inbound: Only SSH (port 22) and ICMP ping are allowed by default
  • Outbound: All outbound traffic is allowed
  • Forward: Dropped (no routing)
  • Loopback traffic is allowed; spoofed loopback from external interfaces is dropped

⚠️ You must add firewall rules for any services you run. For example, if you're running a web server, add rules to allow ports 80 and 443. Edit /etc/nftables.conf and run systemctl reload nftables.

Example: To allow HTTP and HTTPS, add these lines inside the chain input block in /etc/nftables.conf, before the closing brace:

        tcp dport 80 accept
        tcp dport 443 accept

Then reload: systemctl reload nftables
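
The following script is an added example and is not the /etc/nftables.conf shipped in the BinaryLane images. It generates a complete default-deny ruleset with the behaviour described above (loopback with anti-spoofing, stateful replies, ping, SSH) plus any extra inbound TCP ports you name, syntax-checks it with nft before anything is loaded, and only then replaces the file and reloads. The table and chain names (inet filter; input, forward, output) are assumptions; compare with the real file on your server before replacing it.

```shell
#!/bin/sh
# Added example (not BinaryLane's shipped /etc/nftables.conf): generate a
# default-deny ruleset matching the policy described above, with extra
# inbound TCP ports passed as arguments. The table/chain layout is assumed;
# review the real file before replacing it.
set -eu

# Print a complete nftables ruleset. Arguments: extra TCP ports to accept
# inbound (e.g. "80 443"). SSH (22) is always included.
cis_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback, and drop spoofed loopback arriving on other interfaces
        iif "lo" accept
        iif != "lo" ip saddr 127.0.0.0/8 drop
        iif != "lo" ip6 saddr ::1 drop

        # stateful: replies to connections we initiated
        ct state established,related accept
        ct state invalid drop

        # ping (ICMPv6 is also needed for neighbour discovery)
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # inbound services
        tcp dport 22 accept
EOF
    for port in "$@"; do
        printf '        tcp dport %s accept\n' "$port"
    done
    cat <<'EOF'
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset, syntax-check it with nft, then reload the service.
# The check runs before anything is loaded, so a typo cannot lock you out.
install_ruleset() {
    tmp=$(mktemp)
    cis_ruleset "$@" > "$tmp"
    nft -c -f "$tmp"                       # parse and validate only
    install -m 0600 "$tmp" /etc/nftables.conf
    rm -f "$tmp"
    systemctl reload nftables
}

# Usage (as root, from a session you keep open): install_ruleset 80 443
```

Keep your current SSH session open while reloading; if the new rules are wrong, that session's established connection is still accepted and you can fix the file from it.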

Kernel & Network Hardening

Category                    What's Changed
--------------------------  ---------------------------------------------------------
IP forwarding               Disabled (IPv4 and IPv6)
ICMP redirects              Sending and accepting disabled
Source routing              Disabled
Reverse path filtering      Enabled (strict mode)
Martian logging             Enabled — logs packets with impossible source addresses
SYN cookies                 Enabled — protects against SYN flood attacks
IPv6 router advertisements  Disabled
ASLR                        Fully enabled (randomize_va_space = 2)
Core dumps                  Disabled

All kernel parameters are set in /etc/sysctl.d/99-cis-hardening.conf.

Disabled Kernel Modules

Unused and potentially dangerous kernel modules are blacklisted to reduce the attack surface:

cramfs, freevxfs, hfs, hfsplus, jffs2, squashfs, udf, dccp, rds, sctp, tipc, cifs, nfs, afs, ceph, exfat, fscache, gfs2, smbfs

ℹ️ Need a blacklisted module? If your application requires a disabled module (e.g., nfs for NFS mounts), remove the corresponding file from /etc/modprobe.d/. For example: rm /etc/modprobe.d/cis-nfs_common.conf

Password & Account Policies

Policy                   Setting
-----------------------  ----------------------------------------------------------
Minimum password length  14 characters
Password complexity      Requires uppercase, lowercase, digit, and special character
Password history         Remembers last 24 passwords
Failed login lockout     5 attempts, then locked for 15 minutes
Password expiry          365 days maximum
Minimum password age     1 day (prevents rapid cycling)
Inactive account lock    30 days after password expires
Hashing algorithm        yescrypt (strongest available)
Shell timeout            15 minutes idle — session auto-terminates
Default umask            027 (files not world-readable by default)

ℹ️ Note: These password policies apply when creating local user accounts. If you only use SSH key authentication (recommended), the password policies won't affect your day-to-day access. The shell timeout (TMOUT=900) will disconnect idle SSH sessions after 15 minutes — edit /etc/profile.d/cis.sh to change this.

Audit & Logging

Component  What It Does
---------  --------------------------------------------------------------------------------------------------------------------------------------------------------------
auditd     Installed and enabled with 50+ audit rules tracking file changes, permission modifications, user actions, kernel module loading, and privileged command execution
rsyslog    Enabled with CIS-compliant file permissions (0640)
journald   Configured with size limits (256MB system, 64MB runtime) and 30-day rotation
/var/log   Permissions tightened to 0750

Audit rules are immutable after boot (-e 2), meaning they cannot be tampered with by an attacker who gains access. A reboot is required to change audit rules.

AppArmor

AppArmor is installed and enabled on boot. AppArmor is a mandatory access control (MAC) framework that restricts what programs can do — even if they're running as root. Default profiles are loaded for installed services.

Filesystem Hardening

Mount Point  Options                Purpose
-----------  ---------------------  --------------------------------------------------------------
/tmp         nodev, nosuid, noexec  Prevents execution of binaries from /tmp (common attack vector)
/home        nodev, nosuid          Prevents device files and setuid binaries in home directories
/var/tmp     nodev, nosuid, noexec  Same protections as /tmp
/dev/shm     nodev, nosuid, noexec  Prevents exploitation of shared memory

Removed Packages

  • telnet / inetutils-telnet — unencrypted remote access
  • ftp / tnftp — unencrypted file transfer
  • rsync — not needed by default, can be reinstalled if required
  • apport — crash reporting that may leak sensitive data

Installed Security Packages

  • auditd — system call auditing
  • apparmor + apparmor-utils — mandatory access control
  • aide — file integrity monitoring
  • nftables — modern firewall
  • libpam-pwquality — password strength enforcement
  • at — job scheduling (required by CIS)
  • rsyslog — system logging (Debian 12 only — Ubuntu includes it by default)
  • chrony — NTP time synchronisation (Debian 12 only — Ubuntu uses timesyncd)

Other Hardening

  • Cron permissions tightened — only root can create cron jobs by default
  • Sudo logging — all sudo commands logged to /var/log/sudo.log
  • Sudo timeout — 15-minute credential cache (re-enter password after)
  • su restricted — only members of the sudo group can use su
  • Login banner — legal warning displayed on SSH and console login
  • MOTD removed — no system information leakage on login

What's NOT Changed

These images are designed to be a secure starting point, not a locked-down appliance. The following items are intentionally left for you to configure:

Item                       Why
-------------------------  -----------------------------------------------------------------------------------------------------------------------------------------------
AllowUsers SSH directive   We don't know which users you'll create. Add AllowUsers youruser to /etc/ssh/sshd_config.d/10-cis-hardening.conf after creating your user accounts.
Bootloader password        Not practical for cloud VMs where console access is via the VNC panel.
AIDE initialisation        AIDE is installed but not initialised. Run aideinit after you've finished setting up your server so the baseline reflects your intended state.
Additional firewall rules  Only SSH is allowed inbound. Add rules for your services in /etc/nftables.conf.
Separate /var partitions   /tmp, /home, and /var/tmp are isolated. /var and /var/log remain on the root partition.
Monitoring agent           No external SIEM or monitoring agent is pre-installed. You can connect your own (e.g., Wazuh, OSSEC, Datadog).

Getting Started

Prerequisites

Requirement         Details
------------------  ---------------------------------------------------------------------------
BinaryLane Account  Sign up at home.binarylane.com.au
SSH Key             Must be added to your account before deploying (password auth is disabled)
Any VPS Size        CIS images work on all sizes from std-min ($3.75/mo) upwards

Deploying a CIS-Hardened Image

Step 1: Ensure you have an SSH key added to your BinaryLane account under Dashboard → SSH Keys.

Step 2: Create a new server and select Ubuntu 24.04 CIS or Debian 12 CIS as the operating system image.

Step 3: Once the server is active, connect via SSH:

ssh root@YOUR_SERVER_IP

Step 4: Add firewall rules for any services you plan to run. Edit /etc/nftables.conf and reload:

systemctl reload nftables

Step 5: Create a non-root user and restrict SSH access (recommended):

adduser myuser
usermod -aG sudo myuser

# Copy SSH key to new user
mkdir -p /home/myuser/.ssh
cp /root/.ssh/authorized_keys /home/myuser/.ssh/
chown -R myuser:myuser /home/myuser/.ssh

# Restrict SSH to your user
echo "AllowUsers myuser" >> /etc/ssh/sshd_config.d/10-cis-hardening.conf
systemctl restart ssh    # Ubuntu
systemctl restart sshd   # Debian

Step 6: Initialise file integrity monitoring once your server is fully configured:

aideinit
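
Steps 4 to 6 as one script, added here as an example and not BinaryLane's own tooling. It adds two guards the manual steps lack: it refuses to write AllowUsers unless the new user's authorized_keys actually contains a public key (otherwise root would be locked out with no way back in), and it runs nft -c and sshd -t so that a typo is caught before the service that carries your session is touched. The service-name mapping follows the page (ssh on Ubuntu, sshd on Debian); treating any other distribution as ssh is an assumption, as is using the interactive adduser so the password prompt enforces the policy above.

```shell
#!/bin/sh
# Added example (not BinaryLane's own tooling): Steps 4-6 above as one
# script that checks each change before it can lock you out.
# Usage (as root, from an SSH session you keep open): sh post-deploy.sh myuser
set -eu

SSHD_DROPIN=/etc/ssh/sshd_config.d/10-cis-hardening.conf

# Map /etc/os-release (read from stdin) to the SSH service name used above.
ssh_service_name() {
    os_id=$(sed -n 's/^ID=//p' | tr -d '"')
    case "$os_id" in
        ubuntu) echo ssh ;;
        debian) echo sshd ;;
        *)      echo ssh ;;   # assumption for other distributions
    esac
}

# Return 0 if the file contains at least one OpenSSH public key line.
# With "set -e", a failure here aborts the script before AllowUsers is written.
has_public_key() {
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ' "$1"
}

main() {
    user=$1

    # Step 4: the firewall file must parse before nft is asked to load it.
    nft -c -f /etc/nftables.conf
    systemctl reload nftables

    # Step 5: user (interactive adduser so the password policy applies),
    # key copied with owner-only permissions, then restrict SSH.
    id "$user" >/dev/null 2>&1 || adduser "$user"
    usermod -aG sudo "$user"
    install -d -m 0700 -o "$user" -g "$user" "/home/$user/.ssh"
    install -m 0600 -o "$user" -g "$user" /root/.ssh/authorized_keys \
        "/home/$user/.ssh/authorized_keys"
    has_public_key "/home/$user/.ssh/authorized_keys"

    if ! grep -q '^AllowUsers ' "$SSHD_DROPIN"; then
        echo "AllowUsers $user" >> "$SSHD_DROPIN"
    fi
    sshd -t                                    # config check before restart
    systemctl restart "$(ssh_service_name < /etc/os-release)"
    echo "Open a SECOND session as $user now; only close this one once it works."

    # Step 6: baseline AIDE only after the server is fully configured.
    aideinit
}

if [ $# -eq 1 ]; then main "$1"; fi
```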

After Deployment Checklist

Task                                  Command / Location
------------------------------------  ---------------------------------------------------------------------
Add firewall rules for your services  /etc/nftables.conf then systemctl reload nftables
Create a non-root user                adduser myuser && usermod -aG sudo myuser
Restrict SSH to your user             Add AllowUsers myuser to /etc/ssh/sshd_config.d/10-cis-hardening.conf
Initialise file integrity monitoring  aideinit (takes a few minutes)
Verify audit rules are loaded         auditctl -l | wc -l (should show 50+)
Check AppArmor status                 aa-status
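
The checklist above verifies that the tooling is running; the script below, an added example that is not part of the BinaryLane images, goes one step further and checks that the effective settings match the tables in this article (sshd -T for SSH, sysctl for the kernel, findmnt for mount options, auditctl -s for the immutable flag, aa-status for AppArmor). Each check function reads a tool's output from stdin, so the logic can be exercised on captured text as well as on a live server. Expecting root login to read prohibit-password in sshd -T is an assumption about how "key-based only" is configured.

```shell
#!/bin/sh
# Added example (not part of the BinaryLane images): verify the main controls
# from the tables above on a running server. Run as root: sh cis-verify.sh
set -u
fails=0

# Does a "key value" or "key = value" listing (stdin) set KEY to EXPECTED?
# Case-insensitive, so `sshd -T` (lowercase keys) and sysctl both work.
expect_kv() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    got=$(tr 'A-Z' 'a-z' | awk -v k="$key" '
        { sub(/[ \t]*=[ \t]*/, " ") }
        $1 == k { $1 = ""; sub(/^ +/, ""); print; exit }')
    [ "$got" = "$want" ]
}

# Does a mount option list such as "rw,nosuid,nodev,noexec,relatime" (stdin)
# include every option in the comma-separated argument?
mount_has_opts() {
    have=$(tr ',' '\n')
    for want in $(printf '%s' "$1" | tr ',' ' '); do
        printf '%s\n' "$have" | grep -qx "$want" || return 1
    done
    return 0
}

# Run one check: feed INPUT to COMMAND, print PASS/FAIL, count failures.
# (The pipe lives inside the function so the counter is not lost in a subshell.)
check() {   # check DESCRIPTION INPUT COMMAND...
    desc=$1; input=$2; shift 2
    if printf '%s\n' "$input" | "$@"; then
        echo "PASS  $desc"
    else
        echo "FAIL  $desc"; fails=$((fails + 1))
    fi
}

run_checks() {
    sshd_cfg=$(sshd -T 2>/dev/null)
    sysctl_cfg=$(sysctl -a 2>/dev/null)
    audit_status=$(auditctl -s 2>/dev/null)

    check "SSH: password authentication off" "$sshd_cfg" expect_kv passwordauthentication no
    check "SSH: root login key-only (assumed prohibit-password)" "$sshd_cfg" expect_kv permitrootlogin prohibit-password
    check "SSH: MaxAuthTries 4"              "$sshd_cfg" expect_kv maxauthtries 4
    check "SSH: X11 forwarding off"          "$sshd_cfg" expect_kv x11forwarding no
    check "SSH: ClientAliveInterval 300"     "$sshd_cfg" expect_kv clientaliveinterval 300
    check "sysctl: IP forwarding off"        "$sysctl_cfg" expect_kv net.ipv4.ip_forward 0
    check "sysctl: SYN cookies on"           "$sysctl_cfg" expect_kv net.ipv4.tcp_syncookies 1
    check "sysctl: full ASLR"                "$sysctl_cfg" expect_kv kernel.randomize_va_space 2
    check "audit: rules immutable (-e 2)"    "$audit_status" expect_kv enabled 2
    for mp in /tmp /var/tmp /dev/shm; do
        check "mount: $mp nodev,nosuid,noexec" "$(findmnt -no OPTIONS "$mp")" mount_has_opts nodev,nosuid,noexec
    done
    check "mount: /home nodev,nosuid" "$(findmnt -no OPTIONS /home)" mount_has_opts nodev,nosuid
    check "audit: 50+ rules loaded" "" [ "$(auditctl -l 2>/dev/null | wc -l)" -ge 50 ]
    check "AppArmor enabled" "" aa-status --enabled
    echo "$fails check(s) failed"
    return "$fails"
}

# Usage (as root): run_checks
```

A non-zero exit status from run_checks makes the script usable from a configuration-management or CI step, so drift from the hardened baseline (for example a package upgrade that replaced a config file) is noticed rather than discovered during an audit.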

CIS Compliance Scores

These images are tested against CIS benchmarks using Wazuh Security Configuration Assessment (SCA):

Image             CIS Score  Checks Passed  Benchmark
----------------  ---------  -------------  -------------------------------------------
Ubuntu 24.04 CIS  82%        229 / 279      CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0
Debian 12 CIS     85%        166 / 207      CIS Debian Linux 12 Benchmark v1.1.0

The remaining checks that don't pass fall into these categories:

  • Partition layout (11 checks) — /var, /var/log, and /var/log/audit cannot be isolated as separate partitions on cloud VMs without risking data loss. /tmp, /home, and /var/tmp are isolated.
  • Firewall tool overlap (10 checks) — CIS checks ufw, iptables, and nftables independently. We use nftables only, so the ufw and iptables checks report as not applicable.
  • Bootloader (3 checks) — GRUB password and kernel command-line parameters cannot be reliably set on all cloud platforms.
  • Configurable by customer (2 checks) — AllowUsers and PermitRootLogin are left for you to configure based on your requirements.

⭐ Adjusted score: When excluding cloud platform limitations and firewall tool overlap, both images achieve approximately 94% CIS compliance.

Frequently Asked Questions

Can I install additional software?

Yes. The CIS hardening does not prevent you from installing packages with apt. Some kernel modules are blacklisted — if you need one (e.g., nfs for NFS mounts), remove the corresponding file from /etc/modprobe.d/.

Will the CIS image break my application?

The most common things to watch out for:

Issue                            Solution
-------------------------------  -------------------------------------------------------------------------------------------------------------
Can't connect to my web app      Add firewall rules for ports 80/443 in /etc/nftables.conf
Docker networking broken         Enable IP forwarding: set net.ipv4.ip_forward = 1 in /etc/sysctl.d/99-cis-hardening.conf and run sysctl --system
Installer fails writing to /tmp  Temporarily allow execution: mount -o remount,exec /tmp
SSH session disconnects          Idle timeout is 15 minutes. Edit /etc/profile.d/cis.sh to change or remove TMOUT
NFS/CIFS mounts don't work       Remove the kernel module blacklist: rm /etc/modprobe.d/cis-nfs_common.conf

Can I use these images with Docker?

Yes, with two changes:

  1. Enable IP forwarding: set net.ipv4.ip_forward = 1 in /etc/sysctl.d/99-cis-hardening.conf and run sysctl --system
  2. Add firewall rules for Docker's bridge network and any exposed ports
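
Both Docker changes as idempotent steps, added here as an example rather than BinaryLane's own tooling. set_sysctl_key edits the named sysctl file in place (replacing an existing, even commented-out, line for the key rather than appending a duplicate), and docker_forward_rules prints the forward-chain rules for the bridge. The bridge name docker0 and subnet 172.17.0.0/16 are Docker's defaults and an assumption about your setup, as is the "chain forward" block in /etc/nftables.conf; ports you publish still need input-chain rules like the HTTP/HTTPS example in the firewall section.

```shell
#!/bin/sh
# Added example (not BinaryLane's tooling): the two Docker changes above as
# idempotent steps. Assumes Docker's default bridge (docker0, 172.17.0.0/16)
# and a "chain forward" block in /etc/nftables.conf; adjust if yours differ.
set -eu

SYSCTL_FILE=/etc/sysctl.d/99-cis-hardening.conf

# Set KEY = VALUE in FILE, replacing an existing line for KEY (even a
# commented-out one) or appending if absent. Prints the resulting line.
set_sysctl_key() {       # set_sysctl_key FILE KEY VALUE
    file=$1; key=$2; value=$3
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')        # escape dots for the regex
    if grep -Eq "^#?[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
    grep -E "^${esc}[[:space:]]*=" "$file"
}

# Forward-chain rules for the default bridge, printed for you to merge into
# the "chain forward" block of /etc/nftables.conf (then nft -c -f and reload).
docker_forward_rules() {
    cat <<'EOF'
        # Docker default bridge (assumed: docker0, 172.17.0.0/16)
        ct state established,related accept
        iifname "docker0" ip saddr 172.17.0.0/16 accept   # containers out to the network
        oifname "docker0" ip daddr 172.17.0.0/16 accept   # traffic to containers after Docker's DNAT
EOF
}

apply_docker_changes() {
    set_sysctl_key "$SYSCTL_FILE" net.ipv4.ip_forward 1
    sysctl --system >/dev/null
    echo "Add the following to the forward chain of /etc/nftables.conf:"
    docker_forward_rules
}

# Usage (as root): sh docker-prep.sh apply
if [ "${1-}" = apply ]; then apply_docker_changes; fi
```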

How do I check my CIS compliance score?

Install the Wazuh agent and run an SCA scan, or use any other CIS benchmark scanner such as OpenSCAP.

Is monitoring or SIEM included?

The images include auditd for system call auditing and AIDE for file integrity monitoring. No external SIEM or monitoring agent is pre-installed — you can connect your preferred monitoring solution.

Will updates overwrite the hardening?

Standard apt upgrade will not overwrite CIS settings. The hardening is applied via drop-in config files (/etc/ssh/sshd_config.d/, /etc/sysctl.d/, /etc/modprobe.d/), dedicated configs (/etc/nftables.conf, /etc/audit/rules.d/), and PAM configuration (/etc/pam.d/). These are not managed by packages.

ℹ️ Tip: If a package upgrade prompts you about a config file change, choose to keep your current version to preserve the CIS hardening.

Where are all the configuration files?

Component                 Configuration File
------------------------  -------------------------------------------------------
SSH hardening             /etc/ssh/sshd_config.d/10-cis-hardening.conf
Kernel parameters         /etc/sysctl.d/99-cis-hardening.conf
Firewall                  /etc/nftables.conf
Audit rules               /etc/audit/rules.d/cis.rules
Audit daemon              /etc/audit/auditd.conf
Password quality          /etc/security/pwquality.conf
Account lockout           /etc/security/faillock.conf
Shell timeout & umask     /etc/profile.d/cis.sh
Kernel module blacklists  /etc/modprobe.d/cis-*.conf
PAM authentication        /etc/pam.d/common-auth, common-password, common-account
Cron allow list           /etc/cron.allow, /etc/at.allow
Login banner              /etc/issue, /etc/issue.net

How to get the images

While we prepare the images for wider release, the initial versions are available for testing now. Please reach out to our support team for more information.

Available Images

Image             Base                             CIS Benchmark
----------------  -------------------------------  -------------------------------------------
Ubuntu 24.04 CIS  Ubuntu 24.04 LTS (Noble Numbat)  CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0
Debian 12 CIS     Debian 12 (Bookworm)             CIS Debian Linux 12 Benchmark v1.1.0

Both images are built from the official cloud images with CIS hardening applied at build time. They are available at no additional cost in all BinaryLane regions.


If you require assistance with BinaryLane services, feel free to submit a support ticket at our helpdesk here: Submit a ticket | BinaryLane

Last updated: March 2026