CIS Ubuntu Benchmark 2204
Badrul Amin
Infrastructure & DevOps SpecialistMap Ubuntu 22.04 CIS benchmark scripts into a searchable surface for section, title, control, and criticality review. Filter loaded controls, inspect script metadata, compare matching benchmark areas, and copy exact shell control bodies. Use the view as a local benchmark navigation aid and evidence organizer, not as host validation or compliance proof.
Controls
| # | Control | Title | Section | Criticality | Script | Copy |
|---|
Sections
| # | Section path | Depth | Controls | Children | Range |
|---|
Selected Script
Overview
CIS Ubuntu Benchmark 2204 is an InfraStack assessment workspace for browsing the copied Ubuntu 22.04 CIS benchmark script tree. It turns the local assets/bin/ inventory into a searchable review surface for control IDs, section paths, declared CRITICALITY, selected shell bodies, and exportable inventory snapshots. Center for Internet Security (n.d.-a) publishes the Ubuntu Linux benchmark family, so this workspace cites CIS as the benchmark source while keeping the local script inventory as the reviewed artifact.
Canonical (2021) identifies Ubuntu 22.04 LTS as Jammy Jellyfish and documents its support lifecycle, which anchors the Ubuntu release scope used by this tool.
Center for Internet Security (n.d.-b) documents CIS-CAT Pro Assessor as a tool for comparing target system settings against CIS Benchmarks, so this browser workspace stays honest: it organizes copied controls but does not assess a live host.
The workspace is read-only. It does not run benchmark checks, apply fixes, connect to hosts, or prove compliance. Use it to find the right control script, inspect the source body, copy or download it, and then decide how to test or run it in a controlled Ubuntu shell.
Use it when you need to:
- Browse 297 copied CIS control scripts without walking the folder tree manually
- Filter by family, section path, title, control ID, script filename, or criticality
- Keep missing metadata visible instead of assuming every script is normalized
- Review the exact selected shell body before copying it
- Export filtered controls as CSV, JSON, or a printable result view
| Workspace area | What it gives you | What to review before use |
|---|---|---|
| Filters | Family, section path, criticality, query, selected script, sort, and row-limit controls. | Confirm the filtered scope still contains the controls you intended to review. |
| Controls | A table of matching control IDs, titles, section paths, criticality labels, and script paths. | Use the control ID and title together; filenames alone can be too terse. |
| Sections | A rollup of matching benchmark paths, depth, child count, and control range. | Use it to understand where a control sits before narrowing to a single script. |
| Script | The selected local shell file body fetched through a constrained backend endpoint. | Read the script before running it. Copy-first is not execute-first. |
Technical Details
The workspace builds one filtered result from the local benchmark catalogue, the current form state, and the selected control. The same result drives the summary cards, Controls table, Sections table, selected Script view, CSV export, and JSON output.
The technical scope stays tied to benchmark and operating-system sources. Center for Internet Security (n.d.-a) anchors the benchmark family, Canonical (2021) anchors the Ubuntu 22.04 LTS release scope, and Center for Internet Security (n.d.-b) keeps the boundary clear between a browser catalogue and a live host assessment.
- Confirm the family, section, query, selected control, and row limit.
- Treat missing criticality as metadata to inspect, not risk to ignore.
- Review whether the script checks, fixes, or changes persistent state.
- Confirm package, service, file, user, group, and permission assumptions before use.
- Use CSV for filtered control lists and JSON for the catalogue snapshot.
- Attach owner, host class, evidence plan, exception policy, and rollback notes outside the export.
- The browser does not run controls or read a live Ubuntu host.
- Compliance needs controlled execution, evidence review, exceptions, and approval.
1. Copied benchmark inventory
The catalogue is generated from the copied scripts under templates/content/tools/cis/assess-ubuntu-2204-cis/assets/bin/ and embedded through assets/custom.json.twig. The current inventory describes 297 shell scripts across 71 section paths and 7 top-level families.
2. Filter and URL state
The browser state is derived from the visible controls and synchronized into URL query parameters such as cis_query, cis_family, cis_section, cis_criticality, cis_control, cis_sort, and cis_rows. This supports shareable filtered views without introducing JSON import or restore behavior.
3. Selected script loading
The script body is not embedded into the catalogue payload. When a script is selected, the browser posts the relative script path to the Symfony endpoint at /api/cis/assess-ubuntu-2204-cis/script. The endpoint normalizes the path, rejects traversal, limits reads to .sh files under assets/bin/, and returns the selected source body.
4. Metadata limits
Some copied scripts declare CRITICALITY; others do not. The workspace labels missing values as unspecified so review gaps stay visible. It does not infer severity, remap controls, or certify benchmark coverage.
5. How to read the catalogue
Read this workspace as a navigation and review layer over a local script set. It helps you find controls, inspect script bodies, group sections, compare metadata, and export a filtered view. It does not decide whether an Ubuntu host is hardened. It does not execute benchmark scripts. It does not inspect packages, services, kernel settings, audit rules, file permissions, users, groups, or running configuration on a server.
That boundary matters. A copied shell script can describe an intended check or remediation, but the host result still depends on the target machine, current package versions, local policy, exceptions, compensating controls, and how the script is run. The browser view gives you order and visibility. Evidence still has to come from the host or from a controlled assessment process.
6. Filter discipline
The filter controls are meant to narrow a large benchmark catalogue into a reviewable set. Search is useful when you know a control name, title, command, package, or keyword. Family and section filters are better when the review follows the benchmark structure. Criticality filters are useful for triage, but they should not be treated as a complete risk model because some source scripts have unspecified values.
Sorting and row limits change the visible table, not the underlying catalogue. If a filter returns fewer rows than expected, clear the query before assuming a section has no controls. If a selected control disappears after filter changes, select it again from the current result set so the script view and export match the review context.
7. Script body handling
The selected script body is loaded only when requested. The backend endpoint normalizes the submitted relative path and limits reads to local shell files under the tool package. That keeps the page lighter and avoids embedding every script body into the initial catalogue payload. It also keeps path handling explicit instead of trusting arbitrary browser input.
Script display is for reading, copying, and downloading. Treat copied shell as operational material. Review variables, assumptions, package names, service names, filesystem paths, and any command with destructive or persistent effects before use. A script written for one benchmark context may still need local change control, backup, test execution, or approval before it belongs on a production host.
8. Assessment boundaries
This workspace does not replace a benchmark scanner, configuration management run, audit program, or compliance platform. It does not compare a live server against every CIS recommendation. It does not prove pass or fail status. It does not know which controls are out of scope for a workload, which exceptions are approved, or which compensating controls an organization accepts.
Use it for preparation and review. A platform engineer can find relevant scripts, inspect shell bodies, and export a filtered list for a change. A security reviewer can identify missing metadata, unspecified criticality, or areas needing evidence. An operations team can use the section table to plan work by benchmark family. Those are useful tasks, but they are not the same as certification.
- Catalogue rows do not prove that packages, services, files, users, groups, permissions, or kernel settings match a benchmark target.
- Copied scripts can still be destructive, persistent, environment-specific, or wrong for the host class under review.
- Exported rows are useful work notes, not audit evidence until a controlled assessment records real host output.
9. Export and handoff behavior
CSV is useful for filtered control lists, section summaries, and review notes. JSON is useful when the active filters, selected control metadata, visible rows, and summary counts need to be preserved together. Neither export proves that a host was scanned or remediated. They preserve the workspace state and catalogue view.
When handing off a filtered set, include the target context outside the export: Ubuntu version, host class, environment, exception policy, maintenance window, reviewer, and evidence location. If a control will be executed, pair the copied script with a test plan and rollback plan. If a control is informational, pair it with the evidence expected from the host.
10. Human review workflow
Start at the section level. Confirm which top-level benchmark family is in scope, then narrow to the relevant section path. Use search only after the structural scope is clear. Select scripts deliberately and read the source body before copying. The fastest way to misuse a hardening script is to trust a title without reading the command.
Next, separate catalogue completeness from host readiness. Missing criticality metadata is a catalogue issue. A failed package check is a host issue. An approved exception is a governance issue. The workspace can help keep those categories separate by showing filters, sections, selected script content, and export payloads in one place.
11. Practical review checklist
Before using a script from the workspace, answer the review questions in the same place as the selected row:
- Scope: Confirm the Ubuntu release, host class, benchmark family, section path, and selected control.
- Script: Decide whether the body is an audit check, remediation action, helper, or mixed shell workflow.
- Evidence: Define what output should be captured before and after any controlled execution.
- Change: Name the approval path, maintenance window, rollback plan, and exception owner when needed.
- Decision: Mark the next action as inspect, test, remediate, defer, except, or close with evidence.
The final output should make the next action clear: inspect more scripts, export a filtered evidence list, copy a specific script for controlled testing, record a metadata gap, or hand a section to the owner. That is the useful level for this tool. It turns a large local benchmark tree into a reviewable working surface without pretending to be the host assessment itself.
12. Change-control context
Hardening work touches running systems, so catalogue review should be connected to change control. Before a script is used outside a lab, record whether it only checks state or whether it modifies packages, files, services, kernel parameters, audit rules, users, groups, permissions, or authentication behavior. That distinction determines who must approve the action and what evidence should be captured.
Some controls are straightforward on a fresh server and risky on a long-lived workload. A service that should be disabled in a baseline might still support a legacy process. A filesystem option might require a reboot or maintenance window. A permission change might affect application startup. The workspace cannot know those local dependencies. It can only make the script easy to inspect before someone applies it.
13. Evidence and exception handling
When a control is accepted, rejected, or deferred, keep the reason near the exported row. Good notes say whether the decision came from successful evidence, approved exception, compensating control, business constraint, or missing data. Weak notes say "not applicable" with no owner and no date. Future reviewers deserve better than that.
Use unspecified criticality as a signal to inspect, not as an excuse to ignore. If the control matters to the environment, assign a local severity or review priority during the assessment process. If it does not apply, record why. The tool is strongest when it helps the team separate real security work from catalogue noise.
Final review should end with an owner, a decision, and an evidence path. If the row is ready for testing, say who tests it, where they test it, and what output proves success. If the row is deferred, say why and when it returns. If the row is an exception, link the approval and expiry date. Catalogue work becomes useful when it leaves fewer unnamed decisions behind for the next engineer who has to trust the record during audit or change.
14. Result and export model
| Output | Backed by | Boundary |
|---|---|---|
| Catalogue | Copied shell scripts, derived control IDs, section paths, titles, and optional criticality values. | The local file still needs mapping to the benchmark control and local policy scope. |
| Selection | Family, section, query, row limit, sort, and selected script state. | The filtered set still needs host class, exception policy, and change-window context. |
| Controls table | Filtered local catalogue rows. | The visible row limit affects the table only; selected script choices still come from the full match set. |
| Sections table | Section rollups calculated from the filtered controls. | Empty sections can exist in the catalogue when no copied script lives under that path. |
| Selected script | Constrained backend read of one local .sh file. |
It is displayed for review, copy, and download only; the browser does not execute it. |
| JSON | Benchmark metadata, active filters, summary counts, selected control metadata, controls, and visible sections. | JSON is a snapshot export. JSON import and restore are not implemented. |
Example Commands
These examples show the shell workflow for taking a copied CIS control script from the Script tab and running it manually on a target host.
vi script.shShow use Hide use
#!/bin/sh
CRITICALITY=1
TITLE="Ensure cramfs kernel module is not available"
function check {
STATUS="Fail"
modprobe -n -v cramfs 2>&1 | grep -E "install" > /dev/null
if [ $? == 0 ]; then
lsmod 2>&1 | grep cramfs > /dev/null
if [ $? != 0 ]; then
STATUS="Pass"
fi
fi
echo "Check status: $STATUS"
}
function fix {
echo "install cramfs /bin/true" | tee -a /etc/modprobe.d/cramfs.conf > /dev/null
}Show use Hide use
chmod +x script.shShow use Hide use
./script.shShow use Hide use
Input Tips
The explorer works best when the filter scope is explicit. Start broad enough to see context, then narrow to one selected script before copying.
Start with the benchmark family
- Use the top-level section when you already know the area, such as initial setup, services, network, firewall, access control, logging, or maintenance.
- Use Section path when you want one nested benchmark branch instead of the full family.
- Reset the section path after changing family if the result set looks unexpectedly narrow.
Use query for exact jumps
- Search by control ID when you know the benchmark number.
- Search by title terms such as
auditd,ssh,pam,cramfs, oriptables. - Search by script filename only when the folder naming is already familiar.
Review before execution
- Open the Script tab and read the selected shell body before copying it.
- Check whether the script includes both
checkandfixfunctions or only one operational path. - Run copied scripts manually on an appropriate Ubuntu 22.04 host, with your own backup, rollback, and change-control process.
How To Use
Use this workflow to narrow the benchmark catalogue into a reviewable script and export set. The page organizes the work; it does not run checks for you.
1. Choose the benchmark scope
Select the benchmark family, section, profile, severity, status, and result limit that match the review you want to run.
2. Filter and explore controls
Add a control or keyword filter when needed, then run Explore Controls to build the matched control table, section rollups, and selected script view.
3. Review selected script and evidence
Open a control row and inspect the selected script, metadata, rationale, and result context before copying it into an operations or review workflow.
4. Copy or download review artifacts
Use Copy script, Download script, row copy actions, and CSV export to move exact review material into tickets, runbooks, or evidence notes.
5. Export the assessment snapshot
Use Export PDF, Download CSV, Copy JSON, or Download JSON to preserve what the assessment explorer displayed for this review.
Export Notes
The workspace supports several copy and export paths, but they do not preserve the same information.
Copy script
Use Copy script when you need the selected shell body in a note, terminal buffer, or change review.
The copied value is the script body currently loaded in the Script tab.
Download script
Use Download script when you want the selected .sh file body as a local artifact.
Downloading does not make the script safe to run. Review the body and target host first.
Export PDF
Use Export PDF for a printable snapshot of the current result panel.
PDF captures the visible review surface. It does not preserve interactive filter state.
Download CSV
Use Download CSV when filtered controls need spreadsheet review or attachment to a ticket.
The CSV includes filtered control rows, not an executable benchmark run.
Copy JSON / Download JSON
Use Copy JSON or Download JSON when you need a structured benchmark review snapshot.
- Benchmark metadata
- Active filters
- Summary counts
- Selected control metadata
- Visible sections and controls
JSON is a review snapshot in this tool. JSON import and restore are not implemented.
FAQ
Use these answers to keep the page honest about what it is: a benchmark-script explorer, not a live host assessor.
Does this page run CIS checks from the browser?
Does this prove the host is compliant?
Why do some controls show unspecified criticality?
CRITICALITY. The workspace keeps that missing metadata visible instead of inventing a value.
Why can the controls table show fewer rows than the match count?
Can JSON restore the explorer later?
Why use the Script tab instead of opening files manually?
Acronyms
| Term | Meaning | Why it matters in this tool |
|---|---|---|
| CIS | Center for Internet Security. | The copied script tree follows CIS-style benchmark control organization. |
| Control ID | The benchmark identifier derived from a copied script filename, such as 1.1.1.1 or 5.1.20. |
Use it for exact lookup and review notes. |
| Section path | The nested folder path that places a control inside the copied benchmark tree. | Use it to narrow the review to one benchmark branch. |
| CRITICALITY | An optional metadata variable declared by some copied shell scripts. | Use it as source metadata only; do not treat missing values as low risk. |
| CSV | Comma-separated values. | Use it when the filtered control inventory needs spreadsheet review. |
| JSON | JavaScript Object Notation. | Use it as a structured export snapshot. It is not a restore format here. |
References
These sources support the in-text citations used in this tool page.
| Source type | In-text citation | Reference |
|---|---|---|
| Benchmark website | (Center for Internet Security, n.d.-a) | Center for Internet Security. (n.d.-a). Ubuntu Linux Benchmarks. Retrieved May 13, 2026, from https://www.cisecurity.org/benchmark/ubuntu_linux |
| Release notes | (Canonical, 2021) | Canonical. (2021, October 15). Jammy Jellyfish Release Notes. Ubuntu Community Hub. https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668 |
| Assessment tool website | (Center for Internet Security, n.d.-b) | Center for Internet Security. (n.d.-b). About CIS-CAT Pro Assessor v4. Retrieved May 13, 2026, from https://ciscat-assessor.docs.cisecurity.org/en/latest/About/ |