Charm Template
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/edge | 32 | 19 Feb 2026 | |
| latest/edge | 31 | 19 Feb 2026 | |
juju deploy charm-cis-hardening --channel edge
A charm to perform CIS hardening with usg on the machine it runs on.
# charm-cis-hardening
Charmhub package name: charm-cis-hardening
More information: https://charmhub.io/charm-cis-hardening
This charm implements CIS (Center for Internet Security) hardening for Juju units. It provides capabilities to install, configure, and audit security configurations based on CIS benchmarks.
## Usage

#### Pre-requisites

- This charm needs the parent unit to be registered with a valid Ubuntu Pro token and to have `usg` enabled.

You can use the `ubuntu-pro` subordinate charm for this. Ensure `usg` is enabled in the `services` config.

```bash
juju deploy --channel=latest/stable ubuntu-pro --config token=<YOUR_UBUNTU_PRO_TOKEN> --config services=esm-infra,usg
juju relate ubuntu-pro ubuntu
```
#### Deploy the charm
```bash
# Deploy charm
juju deploy --channel=latest/edge charm-cis-hardening cis-hardening-ubuntu

# Configure charm
juju config cis-hardening-ubuntu pre-hardening-script=@pre-hardening-script.sh
juju config cis-hardening-ubuntu tailoring-file="$(base64 custom-tailoring.xml)"
juju relate cis-hardening-ubuntu ubuntu # Or any other machine charm

# This assumes the machine unit already has an Ubuntu Pro token attached,
# either through cloud-init or through the ubuntu-pro subordinate charm.

# The subordinate charm should now be in active/idle status, waiting for hardening:
# cis-hardening-ubuntu/0* active idle Ready for CIS hardening. Run 'harden' action

# Execute usg
juju run cis-hardening-ubuntu/0 -- harden

# The status should now be blocked, waiting for human action:
# cis-hardening-ubuntu/0* blocked idle Hardening complete. Please reboot the unit

# Reboot the unit
juju ssh cis-hardening-ubuntu/0 -- sudo reboot

# After reboot, the status should be active/idle:
# cis-hardening-ubuntu/0* active idle Unit is hardened. Use 'audit' action to check compliance

# Audit the unit post-hardening
juju run cis-hardening-ubuntu/0 -- audit

# Once finished, the status of the unit should be active/idle with the following message:
# cis-hardening-ubuntu/0* active idle Audit finished. Result file: /tmp/audit.results.html

# (Optional) Fetch the results
juju run cis-hardening-ubuntu/0 -- get-results format=html | base64 -d > usg-result.html
juju run cis-hardening-ubuntu/0 -- get-results format=xml | base64 -d > usg-result.xml
```

(Optional) Fetch the status

The `get-status` action reports whether the unit has been hardened and audited, and when the latest harden and audit actions happened. It also returns the hardening percentage/score.

```bash
juju run cis-hardening-ubuntu/0 -- get-status | yq .
```

```
result:
  audited: "True"
  hardened: "True"
  last-audit-files: ops.framework.StoredList(['/tmp/audit.results.xml', '/tmp/audit.results.html'])
  last-audit-result: 85.522530%
  last-audit-time: 2024-11-17T11:51:12.176138
  last-harden-time: 2024-11-17T11:47:34.967484
```
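
One way to turn the `get-status` output above into a pass/fail gate, for example in a deployment pipeline. This is an added example, not part of the charm or its documentation; the function names, the `SAMPLE_STATUS` variable and the 80% threshold are assumptions, and the sample text is the status output shown above.

```bash
#!/bin/sh
# Added example (not the charm's own code): gate on get-status output.

# Sample input: the get-status output shown on this page.
SAMPLE_STATUS='result:
  audited: "True"
  hardened: "True"
  last-audit-result: 85.522530%
  last-audit-time: 2024-11-17T11:51:12.176138
  last-harden-time: 2024-11-17T11:47:34.967484'

# Print the value of a "key: value" line, with surrounding quotes removed.
# $1 = status text, $2 = key
status_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1 | tr -d '"'
}

# Succeed only if the unit is hardened, was audited after the last harden run,
# and scores at or above the minimum. Prints the verdict either way.
# $1 = status text, $2 = minimum score in percent
check_compliance() {
  cc_hardened=$(status_field "$1" hardened)
  cc_audited=$(status_field "$1" audited)
  cc_score=$(status_field "$1" last-audit-result)
  cc_score=${cc_score%"%"}
  cc_harden_t=$(status_field "$1" last-harden-time)
  cc_audit_t=$(status_field "$1" last-audit-time)

  [ "$cc_hardened" = "True" ] || { echo "FAIL: unit not hardened"; return 1; }
  [ "$cc_audited" = "True" ] || { echo "FAIL: unit not audited"; return 1; }
  # An audit older than the last harden run says nothing about the current state.
  # Timestamps in this format compare correctly as plain strings.
  awk -v a="$cc_audit_t" -v h="$cc_harden_t" 'BEGIN { exit !((a "") > (h "")) }' \
    || { echo "FAIL: audit is older than last harden"; return 1; }
  awk -v s="$cc_score" -v m="$2" 'BEGIN { exit !(s + 0 >= m + 0) }' \
    || { echo "FAIL: score $cc_score% below $2%"; return 1; }
  echo "PASS: score $cc_score%"
}

# Against a live unit (command taken from this page):
#   check_compliance "$(juju run cis-hardening-ubuntu/0 -- get-status)" 80
check_compliance "$SAMPLE_STATUS" 80
```

A missing field fails the gate rather than passing it: an empty score evaluates to 0 and empty timestamps never compare as newer.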
A skeleton for `tailoring.xml` can be generated using `sudo usg generate-tailoring cis_level2_server tailoring.xml`. Adjust it by enabling or disabling specific rules to match the unit you wish to harden.

## Other resources
See the Juju SDK documentation for more information about developing and improving charms.