Hardening Ubuntu Server with OpenSCAP

OpenSCAP is an open‑source implementation of the Security Content Automation Protocol (SCAP). It provides a framework and tooling to automate security compliance tasks: assessing systems against published benchmarks, producing machine- and human-readable reports, and applying automated remediations where available. For system administrators and DevOps teams, OpenSCAP makes it practical to enforce, verify, and document hardening across servers in a repeatable way.

This article uses OpenSCAP to harden an Ubuntu 24 server by applying a pre-built security guide (SCAP content). The workflow demonstrated here follows safe operational practices: assess the system before changes, back up important configuration, run remediation (automated where supported), and re-audit to verify results. Key actions covered include user and SSH hardening, sudo configuration, bootloader protection (console required), installing OpenSCAP and dependencies, running the pre-built guide and remediation, configuring log rotation for audit logs, and verifying your application/configuration after changes.

Important notes:

  • You will need root or sudo privileges to perform the steps.

  • Back up configurations and schedule maintenance windows before applying automated remediations.

  • Automated remediation can change system behavior—test on staging before production.

  • A physical or virtual console is required if you plan to set a bootloader password.

What you’ll get by following this guide:

  • A repeatable audit and remediation process using OpenSCAP.

  • Pre- and post-remediation HTML audit reports for compliance evidence.

  • A hardened Ubuntu 24 server aligned with the chosen security guide.

  • Instructions to verify and revert changes if needed.

So, let's get started…

Environment

Hostname alfian-lab
Operating System Ubuntu 24.04 (Noble)
CPU 2 vCPU
Memory 2 GB
Disk 40 GB
Private IP Address 10.11.11.101

Hardening Ubuntu Server with OpenSCAP

  1. Set user passwords
# passwd alfian
# passwd root
  2. Configure sudoers for the user
# echo "alfian ALL=(ALL) PASSWD:ALL" > /etc/sudoers.d/alfian
-- check the syntax with visudo -cf /etc/sudoers.d/alfian before you log out --
  3. Add authorized keys
# su - alfian
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ nano ~/.ssh/authorized_keys
-- paste your public key --
$ chmod 600 ~/.ssh/authorized_keys
  4. Delete the default user (make sure you are not logged in as the ubuntu user)
# ps aux | grep "^ubuntu"
# pkill -u ubuntu
# ls /home/ubuntu/
# userdel -r ubuntu
  5. Set a custom SSH port
# nano /etc/ssh/sshd_config
---
Port 815

# nano /usr/lib/systemd/system/ssh.socket
---
ListenStream=0.0.0.0:815
ListenStream=[::]:815
-- Ubuntu 24.04 starts sshd through ssh.socket, so the port must be changed here as well; a package upgrade can overwrite this unit file, so a drop-in created with systemctl edit ssh.socket is the durable alternative --

# systemctl daemon-reload
# systemctl restart ssh.socket
  6. Assess and back up your app/configuration (keep these snapshots; they are compared with the state after remediation)
# ss -tunlp > ss.$(date +"%d%m%Y")
# iptables-save > iptables.$(date +"%d%m%Y")
# ufw status > ufw.$(date +"%d%m%Y")
  7. Install OpenSCAP and dependencies
# apt -y install openscap-scanner openscap-utils bzip2 unzip
# oscap --version
  8. Download the pre-built security guide
# wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.80/scap-security-guide-0.1.80.zip
# unzip scap-security-guide-0.1.80.zip
  9. Audit the Ubuntu 24 server before remediation
# cd scap-security-guide-0.1.80/
# oscap xccdf eval --results ~/audit-result-ubuntu24-before.xml --report ~/audit-report-ubuntu24-before.html --profile xccdf_org.ssgproject.content_profile_cis_level2_server ssg-ubuntu2404-ds.xml

Audit HTML report before remediation:

  10. Run the remediation script for the Ubuntu 24 server (the time depends on your server's workload; about 15 minutes on an empty server)
# tmux new -s remediation
# /bin/bash ~/scap-security-guide-0.1.80/bash/ubuntu2404-script-cis_level2_server.sh
  11. Set a bootloader password

Skip this step if you don't have console access!

# grub-mkpasswd-pbkdf2
-- set the bootloader password and copy the output --

# nano /etc/grub.d/40_custom
---
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.XXXXXXXXXXXXXXXXXXX
-- paste the output in that file --

# grub-mkconfig -o /boot/grub/grub.cfg
# update-grub
  12. Reboot the server
# reboot
  13. Unlock the server with the bootloader password via the console
  14. Set up logrotate for the audit log
# nano /etc/logrotate.d/audit
---
/var/log/audit/audit.log {
    daily
    rotate 5
    compress
    copytruncate
    missingok
    notifempty
    create 0600 root root
    su root root
}
-- auditd keeps audit.log open, which is why copytruncate is used (events written in the short window between copy and truncate are lost); the audit log must never be world-readable or world-writable, so the create mode is 0600. auditd can also rotate the file itself (max_log_file and max_log_file_action in /etc/audit/auditd.conf); use one mechanism, not both --

# logrotate -d /etc/logrotate.d/audit
  15. Disable password authentication and allow public key authentication
# nano /etc/ssh/sshd_config
---
PubkeyAuthentication yes
PasswordAuthentication no
-- also set PasswordAuthentication no in any file under /etc/ssh/sshd_config.d/ that sets it: Ubuntu's sshd_config includes that directory at the top, and sshd uses the first value it reads for a keyword, so a drop-in there (cloud-init may create one) silently wins over the lines above --
-- validate with sshd -t and keep your current session open until a fresh key-based login succeeds --

# systemctl restart ssh.socket
  16. Audit the Ubuntu 24 server after remediation
# cd ~/scap-security-guide-0.1.80/
# oscap xccdf eval --results ~/audit-result-ubuntu24-after.xml --report ~/audit-report-ubuntu24-after.html --profile xccdf_org.ssgproject.content_profile_cis_level2_server ssg-ubuntu2404-ds.xml

Audit HTML report after remediation:

  17. Verify your app/configuration (compare with the snapshots taken in step 6)
# ss -tunlp
# iptables -L
# ufw status
  18. Clean up the pre-built security guide
# rm -r scap-security-guide-0.1.80 scap-security-guide-0.1.80.zip
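Steps 6, 9, 16 and 17 leave you with before/after evidence: two XCCDF result files and two ss -tunlp snapshots. The script below is an added example, not part of the original article or of the OpenSCAP project; it turns that evidence into a short changelog: which rules went from fail to pass, which still fail, which regressed, and which listening sockets appeared or disappeared. The rule identifiers and ss lines embedded at the bottom are constructed sample data; given four file arguments (before.xml after.xml ss.before ss.after) it reads your real files instead.

```python
"""Compare the before/after evidence collected in steps 6, 9, 16 and 17.

Added example, not the article's own code and not part of OpenSCAP. It parses
two XCCDF result files written by `oscap xccdf eval --results` and two
`ss -tunlp` snapshots. XML parsing is namespace-agnostic, so XCCDF 1.1 and 1.2
result documents both work.
"""
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter


def _local(tag):
    """Strip the XML namespace: '{http://...}rule-result' -> 'rule-result'."""
    return tag.rsplit("}", 1)[-1]


def rule_results(xml_text):
    """Return {rule_id: verdict} from an XCCDF results document given as a string."""
    results = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "rule-result":
            continue
        verdict = next((c.text.strip() for c in el if _local(c.tag) == "result" and c.text), "unknown")
        results[el.get("idref")] = verdict
    return results


def summarize(results):
    """Count verdicts, e.g. {'pass': 1, 'fail': 2, 'notapplicable': 1}."""
    return dict(Counter(results.values()))


def compare_rules(before, after):
    """Rules fixed by remediation, rules that regressed, and rules still failing afterwards."""
    return {
        "fixed": sorted(r for r, v in before.items() if v == "fail" and after.get(r) == "pass"),
        "regressed": sorted(r for r, v in before.items() if v == "pass" and after.get(r) == "fail"),
        "still_failing": sorted(r for r, v in after.items() if v == "fail"),
    }


_PROC = re.compile(r'users:\(\("([^"]+)"')  # process name in ss's users:(("name",pid=..)) column


def listeners(ss_text):
    """Parse `ss -tunlp` output into a set of (protocol, local address:port, process name)."""
    found = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue  # header or malformed line
        m = _PROC.search(line)
        found.add((fields[0], fields[4], m.group(1) if m else "?"))
    return found


def compare_listeners(before_text, after_text):
    """Listening sockets that appeared or disappeared between the two snapshots."""
    before, after = listeners(before_text), listeners(after_text)
    return {"opened": sorted(after - before), "closed": sorted(before - after)}


def report(xccdf_before, xccdf_after, ss_before, ss_after):
    """Combined before/after report as a dict."""
    b, a = rule_results(xccdf_before), rule_results(xccdf_after)
    return {"before": summarize(b), "after": summarize(a),
            "rules": compare_rules(b, a), "listeners": compare_listeners(ss_before, ss_after)}


# Constructed sample data for the demonstration (not real scan output).
SAMPLE_XCCDF_BEFORE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"><TestResult id="before">
<rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password"><result>fail</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward"><result>pass</result></rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"><result>notapplicable</result></rule-result>
</TestResult></Benchmark>"""
# After remediation: root login fixed, grub2 password still failing (no console), ip_forward regressed.
SAMPLE_XCCDF_AFTER = SAMPLE_XCCDF_BEFORE.replace(
    'sshd_disable_root_login"><result>fail', 'sshd_disable_root_login"><result>pass').replace(
    'ip_forward"><result>pass', 'ip_forward"><result>fail')
SAMPLE_SS_BEFORE = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      4096         0.0.0.0:815       0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=950,fd=6))
udp   UNCONN 0      0         127.0.0.54:53        0.0.0.0:*     users:(("systemd-resolve",pid=601,fd=15))
"""
SAMPLE_SS_AFTER = "\n".join(l for l in SAMPLE_SS_BEFORE.splitlines() if "nginx" not in l) + "\n"

if __name__ == "__main__":
    if len(sys.argv) == 5:  # before.xml after.xml ss.before ss.after
        texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
    else:  # no arguments: run on the constructed samples
        texts = [SAMPLE_XCCDF_BEFORE, SAMPLE_XCCDF_AFTER, SAMPLE_SS_BEFORE, SAMPLE_SS_AFTER]
    for section, value in report(*texts).items():
        print(f"{section}: {value}")
```

Rules that still fail after the script ran are the ones that need a human decision (the bootloader password rule is the obvious case when no console is available), and a socket that vanished from the after snapshot is exactly what step 17 is meant to catch before your users do.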

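Step 15's warning about sshd_config.d comes from two facts: sshd keeps the first value it obtains for a keyword, and Ubuntu's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf. The script below is an added example, not the article's own code and not part of OpenSSH; it resolves a keyword the way sshd does (Include expanded in glob order, first value wins, global section only) and builds a constructed config tree in a temporary directory to show a drop-in overriding the line in sshd_config. The function names, the 10-hardening.conf and 50-cloud-init.conf file names and the SSH_DIR constant are this example's own choices; run it with the path of a real sshd_config to check that host instead.

```python
"""Resolve the effective value of sshd_config keywords the way sshd does.

Added example, not part of the original article or of OpenSSH. sshd uses the
first value it obtains for a keyword and expands `Include` in glob order, so a
drop-in under sshd_config.d (included at the top of Ubuntu's sshd_config)
overrides anything written further down. Only the global section is read:
parsing stops at the first `Match` line. Names here are this example's own.
"""
import glob
import os
import re
import sys
import tempfile

SSH_DIR = "/etc/ssh"  # relative Include paths are resolved against this directory
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")  # "Key value" or "Key=value"

# Keywords step 15 cares about, the values it expects, and OpenSSH's compiled-in defaults.
EXPECTED = {"passwordauthentication": "no", "pubkeyauthentication": "yes"}
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def effective_settings(path, settings=None):
    """Return {keyword: (value, file, line_no)}; the first value obtained for a keyword wins."""
    if settings is None:
        settings = {}
    with open(path, encoding="utf-8") as fh:
        for line_no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            m = _DIRECTIVE.match(line) if line else None
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "match":
                break  # everything below is conditional; out of scope for this check
            if key == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(SSH_DIR, pattern)
                    for included in sorted(glob.glob(pattern)):  # glob(3) order, as sshd does
                        effective_settings(included, settings)
                continue
            settings.setdefault(key, (value, path, line_no))  # keep the first one seen
    return settings


def check(settings, expected=EXPECTED):
    """Return [(keyword, effective_value, 'file:line')] for keywords that differ from expected."""
    findings = []
    for key, want in expected.items():
        value, src, line_no = settings.get(key, (DEFAULTS.get(key, ""), "compiled-in default", 0))
        if value.lower() != want:
            findings.append((key, value, f"{src}:{line_no}"))
    return findings


def build_demo(root):
    """Write a constructed config tree mimicking Ubuntu's layout (sample data, not a real host)."""
    dropin_dir = os.path.join(root, "sshd_config.d")
    os.makedirs(dropin_dir, exist_ok=True)
    main_cfg = os.path.join(root, "sshd_config")
    with open(main_cfg, "w", encoding="utf-8") as fh:
        fh.write(f"Include {dropin_dir}/*.conf\n"
                 "Port 815\n"
                 "PubkeyAuthentication yes\n"
                 "PasswordAuthentication no  # looks right, but the drop-in above is read first\n")
    with open(os.path.join(dropin_dir, "50-cloud-init.conf"), "w", encoding="utf-8") as fh:
        fh.write("PasswordAuthentication yes\n")
    return main_cfg, dropin_dir


def demo():
    """Show the override problem, then fix it with an earlier-sorting drop-in."""
    with tempfile.TemporaryDirectory() as root:
        main_cfg, dropin_dir = build_demo(root)
        before = check(effective_settings(main_cfg))
        # Fix: a drop-in sorting before 50-cloud-init.conf is read first, so its value wins.
        # Editing or removing the cloud-init file, as step 15 says, works just as well.
        with open(os.path.join(dropin_dir, "10-hardening.conf"), "w", encoding="utf-8") as fh:
            fh.write("PasswordAuthentication no\n")
        after = check(effective_settings(main_cfg))
        return before, after


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file, e.g. /etc/ssh/sshd_config
        for key, value, src in check(effective_settings(sys.argv[1])):
            print(f"{key} is '{value}' (set at {src})")
    else:
        before, after = demo()
        print("before fix:", before)
        print("after fix:", after)
```

The finding reported before the fix points at 50-cloud-init.conf line 1, not at sshd_config, which is the detail that matters when you are trying to understand why password logins still work. On a live host, sshd -T prints the same effective values (including Match evaluation) and is the authoritative check; this script is useful because it tells you where the winning line lives.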
Thank You.

Site Reliability Engineering

Part 1 of 6

A series focused on system reliability, security, and operational visibility. Explores monitoring, alerting, failure prevention, and host-level observability techniques to build resilient and production-ready infrastructure.