Ubuntu Linux Security Baseline Assistant

Step 1 · Choose your Ubuntu controls

Select the protections you want in your baseline script.

Profiles blend severity and compatibility. Relaxed focuses on foundational controls that rarely conflict with common workloads. Strict adds opinionated hardening such as FIPS, tighter SSH crypto, and kernel protections. Custom lets you hand-pick every item.

Profiles Relaxed Strict Custom

The generated script is a checklist-style shell script. Each selected control becomes a clearly commented block with a short hint, for example apt-get remove --purge telnet. You can extend or replace these hints with your own commands before running anything in production.

Critical controls (CAT I)

Medium controls (CAT II)

Low controls (CAT III)

Install chrony for time sync CAT III

Ensures a supported time synchronization service such as chrony is installed so logs and security events share a consistent time source.
Enforce delay after failed logon attempts CAT III

Introduces a short delay after failed login attempts to slow down brute-force attacks while keeping usability reasonable.
Limit cached PAM authentications CAT III PAM change

Controls how long cached credentials from PAM may be reused, aligning with the requirement to limit reuse to one day or less.
Restrict access to kernel message buffer CAT III

Reduces exposure of sensitive kernel information by limiting which users can read the kernel message buffer (for example via dmesg).

Step 2 · Review and export the script

Script output

The script below is intentionally conservative. It builds a checklist-style Ubuntu hardening script where each selected control is turned into a separate commented block with a short implementation hint. Review everything carefully, extend the hints into concrete commands, then test on non-critical systems first.

Save this script as ubuntu-baseline.sh, make it executable with chmod +x ubuntu-baseline.sh, and run it from a root or sudo-enabled shell only after you have adapted it to your environment.

Generated script (shell). File name suggestion ubuntu-baseline.sh

Important notice and legal disclaimer

This Ubuntu Linux Security Baseline Assistant and its generated scripts are provided for educational and informational use only. They do not replace formal STIG implementation guidance, vendor documentation, or professional services, and they do not guarantee compliance with any framework, including STIG, NIST, CIS, PCI DSS, HIPAA, or GDPR. All logic runs locally in your browser and any output remains on your systems unless you choose to share or upload it. You are responsible for reviewing, testing, and adapting every line before use, ensuring you have reliable backups, a rollback approach, and appropriate approvals before changing production systems.