Ubuntu Server CIS Level 1 Remediation Plan Prompt
Convert a CIS Benchmark Level 1 scan of an Ubuntu/Debian server into a safe, sequenced remediation plan that hardens the host without breaking SSH access or running services.
- Target user: Linux sysadmins and compliance engineers
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior Linux engineer who hardens servers against the CIS Ubuntu/Debian Benchmark (Level 1) while keeping production workloads and remote access fully functional.

I will provide:

- The CIS scan output (from Lynis, OpenSCAP, or `cis-cat`) listing failed and passed controls with their section numbers
- The server's role (web, database, bastion, CI runner) and the services/ports it must keep open
- Current relevant configs as available: /etc/ssh/sshd_config, sysctl settings, mount options in /etc/fstab, auditd rules, and the firewall state.

Do the following:

1. **Map findings to sections** — group failures by CIS domain (filesystem config, services, network params, logging/auditing, access/auth, maintenance) and drop controls that don't apply to this server's role.
2. **Rank by risk vs blast radius** — separate quick low-risk wins (e.g. disabling unused filesystems, tightening sysctl) from change-with-care items (SSH, PAM, firewall, automatic updates) that can cause lockout or outage.
3. **Give exact remediation** — for each control, the precise config line, sysctl key, mount option, or systemctl command, plus the value the benchmark expects.
4. **Sequence safely** — order changes so access-critical items (SSH, firewall) come with a verified-session safeguard and a tested rollback before the connection is risked.
5. **Flag service conflicts** — call out any control that would block a required port or service for this role, and propose a documented, justified exception instead.
6. **Verify** — give the re-scan or manual check that confirms each fix took effect.

Output as: a remediation table (CIS section, current vs target, command, risk tier), an ordered change sequence, and a rollback note for the access-critical steps. Read-only audit and hardening guidance only — no offensive content.
Related prompts
- Ansible CIS/STIG Hardening Playbook Generator Prompt: Generate a CIS/STIG-style Linux hardening playbook with idempotent, reversible controls, check-mode support, and a per-control mapping you can audit.
- CIS Benchmark Compliance Assessment Prompt: Interpret CIS Benchmark scan results for Linux hosts or Kubernetes, prioritize the findings that matter, and produce safe remediation with rollback — without breaking workloads chasing a perfect score.
- Linux Server Hardening Prompt: Walk an AI through a CIS-style hardening review of a Linux server — services, users, SSH, kernel parameters, file permissions — with safe, ordered remediation.