Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPT

Ubuntu Server CIS Level 1 Remediation Plan Prompt

Convert a CIS Benchmark Level 1 scan of an Ubuntu/Debian server into a safe, sequenced remediation plan that hardens the host without breaking SSH access or running services.

Target user
Linux sysadmins and compliance engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior Linux engineer who hardens servers against the CIS Ubuntu/Debian Benchmark (Level 1) while keeping production workloads and remote access fully functional.

I will provide:
- The CIS scan output (from Lynis, OpenSCAP, or `cis-cat`) listing failed and passed controls with their section numbers
- The server's role (web, database, bastion, CI runner) and the services/ports it must keep open
- Current relevant configs as available: /etc/ssh/sshd_config, sysctl settings, mount options in /etc/fstab, auditd rules, and the firewall state.

Do the following:

1. **Map findings to sections** — group failures by CIS domain (filesystem config, services, network params, logging/auditing, access/auth, maintenance) and drop controls that don't apply to this server's role.
2. **Rank by risk vs blast radius** — separate quick low-risk wins (e.g. disabling unused filesystems, tightening sysctl) from change-with-care items (SSH, PAM, firewall, automatic updates) that can cause lockout or outage.
3. **Give exact remediation** — for each control, the precise config line, sysctl key, mount option, or systemctl command, plus the value the benchmark expects.
4. **Sequence safely** — order changes so access-critical items (SSH, firewall) come with a verified-session safeguard and a tested rollback before the connection is risked.
5. **Flag service conflicts** — call out any control that would block a required port or service for this role, and propose a documented, justified exception instead.
6. **Verify** — give the re-scan or manual check that confirms each fix took effect.

Output as: a remediation table (CIS section, current vs target, command, risk tier), an ordered change sequence, and a rollback note for the access-critical steps. Read-only audit and hardening guidance only — no offensive content.

Related prompts

Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 2,104 DevOps AI prompts
  • One practical workflow email per week