Claude Code CIS Benchmark Hardening Script Automation

The Center for Internet Security (CIS) Benchmarks are industry-standard security configuration guides used by organizations worldwide to harden their systems. Automating CIS benchmark compliance with Claude Code transforms what was once a manual, time-intensive process into an efficient, repeatable workflow. This guide shows you how to use Claude Code skills to create automated CIS hardening scripts that ensure consistent security compliance across your infrastructure.

Understanding CIS Benchmarks and Automation

CIS Benchmarks provide detailed security configurations for operating systems, applications, and cloud platforms. Each benchmark contains hundreds of individual checks—settings that must be verified and remediated to achieve compliance. Traditionally, auditors and system administrators manually reviewed each control, a process that scales poorly and introduces human error.

Claude Code changes this equation fundamentally. By combining Claude Code’s natural language processing with its ability to execute shell commands, read files, and run scripts, you can create skills that understand CIS benchmark requirements and automatically generate, execute, and verify hardening scripts.

Creating a CIS Benchmark Hardening Skill

A Claude Code skill for CIS hardening consists of markdown files containing detailed instructions that Claude uses when invoked. Here’s how to structure a comprehensive CIS benchmark hardening skill:

# CIS Benchmark Hardening Skill

You are a CIS benchmark security specialist. Your role is to help users:
1. Audit system configurations against CIS benchmarks
2. Generate hardening scripts for Linux/Windows systems
3. Verify compliance status and create remediation plans

When asked about CIS hardening, follow this workflow:
1. First, detect the operating system using `uname -a` or `systeminfo`
2. Identify the applicable CIS benchmark version (CIS Ubuntu, CIS RHEL, CIS Windows)
3. Run audit checks and present findings in a structured table
4. Generate remediation scripts with clear explanations
5. Verify changes and provide compliance reports

Always prioritize safety: never execute destructive commands without explicit user confirmation.

Save this as ~/.claude/skills/cis-hardening/skill.md and invoke it with /cis-hardening in your Claude Code session.

Practical Example: Ubuntu CIS Benchmark Auditing

Once your skill is loaded, you can perform comprehensive audits. Here’s a practical example:

/cis-hardening audit my Ubuntu 22.04 server against CIS benchmark

Claude will generate and execute audit commands like:

#!/bin/bash
# CIS Benchmark Audit Script for Ubuntu 22.04

echo "=== CIS Ubuntu 22.04 Benchmark Audit ==="
echo "Starting audit at $(date)"
echo ""

# 1.1.1.1 Ensure mounting of cramfs is disabled (Scored)
if modprobe -n cramfs 2>/dev/null | grep -q "install /bin/true"; then
    echo "[PASS] 1.1.1.1 cramfs module disabled"
else
    echo "[FAIL] 1.1.1.1 cramfs module not disabled"
fi

# 1.1.1.2 Ensure mounting of squashfs is disabled (Scored)
if modprobe -n squashfs 2>/dev/null | grep -q "install /bin/true"; then
    echo "[PASS] 1.1.1.2 squashfs module disabled"
else
    echo "[FAIL] 1.1.1.2 squashfs module not disabled"
fi

# 1.1.1.3 Ensure mounting of udf is disabled (Scored)
if modprobe -n udf 2>/dev/null | grep -q "install /bin/true"; then
    echo "[PASS] 1.1.1.3 udf module disabled"
else
    echo "[FAIL] 1.1.1.3 udf module not disabled"
fi

# 1.2.1 Ensure package manager repositories are configured (Scored)
echo ""
echo "=== Package Repository Check ==="
apt-cache policy 2>/dev/null | head -20

Generating Automated Hardening Scripts

After auditing, Claude can generate remediation scripts. Here’s how to request hardening:

/cis-hardening generate remediation script for all FAIL results in the audit

Claude will create a comprehensive hardening script:

#!/bin/bash
# CIS Ubuntu 22.04 Hardening Script
# Generated by Claude Code CIS Hardening Skill

set -e

echo "=== Applying CIS Benchmark Hardening ==="
echo "Starting at $(date)"
echo ""

# Disable unnecessary filesystems (1.1.1.1 - 1.1.1.3)
echo "Disabling unnecessary filesystems..."
for fs in cramfs squashfs udf vfat jffs2 hfs hfsplus; do
    if ! grep -q "^install $fs /bin/true" /etc/modprobe.d/*.conf 2>/dev/null; then
        echo "install $fs /bin/true" >> /etc/modprobe.d/cis-hardening.conf
        echo "  Disabled $fs"
    fi
done

# Configure packet redirecting (4.1.2)
echo "Configuring ICMP redirects..."
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.default.accept_redirects=0

# Ensure core dumps are restricted (1.5.1)
echo "Restricting core dumps..."
echo "* hard core 0" >> /etc/security/limits.conf
echo "fs.suid_dumpable = 0" >> /etc/sysctl.d/99-cis-hardening.conf

# Enable TCP SYN cookies (4.2.1)
echo "Enabling TCP SYN cookies..."
sysctl -w net.ipv4.tcp_syncookies=1

echo ""
echo "=== Hardening Complete ==="
echo "Review /var/log/cis-hardening.log for details"
echo "REBOOT RECOMMENDED for full effect"

Continuous Compliance Monitoring

Beyond one-time hardening, Claude Code skills can implement continuous monitoring. Create a skill that schedules regular compliance checks:

#!/bin/bash
# Continuous CIS Compliance Monitor
# Run daily via cron: 0 0 * * * /opt/cis-monitor/run-daily.sh

LOG_FILE="/var/log/cis-compliance/daily-$(date +%Y%m%d).log"
ALERT_EMAIL="security@yourcompany.com"

# Run CIS audit
/opt/cis-scripts/audit.sh > "$LOG_FILE" 2>&1

# Check for failures
FAIL_COUNT=$(grep -c "\[FAIL\]" "$LOG_FILE" || echo "0")

if [ "$FAIL_COUNT" -gt 0 ]; then
    echo "CIS Compliance Alert: $FAIL_COUNT failures detected" | \
        mail -s "CIS Compliance Failure" "$ALERT_EMAIL"
    
    # Notify Claude Code for immediate remediation assistance
    echo "Failures detected, initiating remediation workflow..."
fi

Add this to your crontab for automated compliance:

# Add to crontab
crontab -e

# Add this line for daily checks at midnight
0 0 * * * /opt/cis-monitor/run-daily.sh >> /var/log/cis-cron.log 2>&1

Integration with Configuration Management

Claude Code hardening scripts integrate smoothly with tools like Ansible, Chef, or Puppet. Generate Ansible-playbook compatible output:

/cis-hardening generate ansible playbook from current audit results

Claude outputs a complete playbook:

---
- name: CIS Ubuntu 22.04 Hardening
  hosts: all
  become: yes
  vars:
    cis_version: "1.0.0"
    
  tasks:
    - name: Disable unused filesystems
      community.general.modprobe:
        name: "{{ item }}"
        state: absent
      loop:
        - cramfs
        - squashfs
        - udf
      ignore_errors: yes
    
    - name: Configure sysctl parameters
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: yes
        ignore_errors: yes
      loop:
        - { name: 'net.ipv4.conf.all.accept_redirects', value: '0' }
        - { name: 'net.ipv4.conf.default.accept_redirects', value: '0' }
        - { name: 'net.ipv4.tcp_syncookies', value: '1' }
        - { name: 'fs.suid_dumpable', value: '0' }

Best Practices for CIS Hardening Automation

When automating CIS benchmark hardening with Claude Code, follow these best practices:

Always Audit First: Run read-only audit commands before generating any remediation scripts. This gives you a baseline and ensures you understand what changes will be made.

Test in Staging: Never apply hardening scripts to production systems without testing in an equivalent environment first. Some CIS controls can affect system behavior unexpectedly.

Maintain Rollback Plans: Keep backup scripts that can reverse hardening changes. Store configuration backups before applying modifications.

Document Exceptions: Some CIS controls may not apply to your environment. Document any exceptions with business justification for auditors.

Version Control Your Scripts: Store your hardening scripts in git with clear version tagging matching the CIS benchmark version.

Conclusion

Claude Code transforms CIS benchmark compliance from a manual, error-prone process into an automated, reproducible workflow. By creating dedicated skills for security hardening, you can audit systems, generate remediation scripts, implement continuous monitoring, and integrate with configuration management—all through natural language interactions. This approach ensures consistent security compliance while saving significant time and reducing human error in your security operations.

Built by theluckystrike — More at zovo.one