Scale Linux Workload Security on Azure with CIS Benchmarks
Organizations like yours face mounting pressure to maintain consistent Linux security across cloud, on-premises, and multi-cloud environments. Manual hardening is not only time-consuming but also prone to human error, making it difficult to prove compliance during audits. On top of that, hybrid environments add another layer of complexity, requiring your teams to manage and enforce security policies across diverse platforms.
You need a secure-by-default, scalable solution for navigating these challenges.
The solution? Microsoft and the Center for Internet Security® (CIS®) now deliver CIS Benchmarks® directly for all Azure-endorsed Linux distributions inside the Azure Machine Configuration service. This means that when you deploy virtual machines (VMs) from pre-hardened or base images, you can audit them against the latest CIS Benchmarks and get consistent runtime compliance reporting across your hybrid environments. It reduces human error and the need for custom scripts, and it gives your organization a standardized, automated way to stay aligned with CIS security best practices.
In this blog post, we'll walk through what this collaboration with Microsoft delivers, starting with a quick overview of the CIS Benchmarks.
What Are the CIS Benchmarks?
The CIS Benchmarks are secure configuration guidelines developed by global IT experts through a consensus-driven process. They remove the guesswork from hardening systems, providing prescriptive recommendations for reducing vulnerabilities. They're also referenced by numerous industry frameworks, thus helping you to streamline your compliance efforts.
How Built-In CIS Benchmarks Simplify Compliance
CIS Benchmarks are now built into Azure Machine Configuration, powered by the azure-osconfig compliance engine, for all Azure-endorsed Linux distributions, specifically:
- AlmaLinux OS 8 and 9
- Debian Linux 12
- Oracle Linux 8 and 9
- Red Hat Enterprise Linux 8 and 9
- Rocky Linux 8 and 9
- SUSE Linux Enterprise 15
- Ubuntu 22.04 LTS and 24.04 LTS
Delivered through Azure Machine Configuration’s Security Benchmarks capability and powered by the open-source azure-osconfig’s compliance engine, this change benefits you in several ways.
- Flexible configuration: Adjust parameters and define exceptions.
- Consistent enforcement: Apply CIS-aligned settings across Azure, on-prem, and hybrid environments using Azure Arc.
- Future-ready: Leverage it for audits today, with auto-remediation and expanded distro support coming soon.
The Enhanced Compliance Engine of Azure-OSConfig

Azure-osconfig supports the compound rules needed to evaluate CIS Benchmark recommendations accurately; those recommendations in turn map to the CIS Critical Security Controls® (CIS Controls®). Through the Azure Machine Configuration integration, it lets you audit large Linux fleets against the latest CIS Benchmarks out of the box on Azure, and on Arc-enabled machines elsewhere. Future updates will add auto-remediation, so organizations can maintain secure configurations without manual intervention.
Let's use an example to see what this looks like in practice. Say you're a state agency deploying 500 Linux VMs. Before this capability, each VM had to be checked manually, or with custom scripting, to determine whether it met the CIS Benchmarks, a process that was time-consuming and inconsistent across hosts. With Azure Machine Configuration and the new compliance engine, those CIS Benchmark checks run automatically from deployment onward via an Azure Machine Configuration assignment. You can continuously monitor your compliance state across hybrid environments and cut audit preparation time dramatically, because the evidence (per-machine, per-recommendation results) is already collected.
Compliance as Code: Automate and Scale
Building this capability into Azure also aligns with DevOps and Infrastructure as Code principles. By integrating with GitHub Actions and the Azure APIs, you can manage your Azure Machine Configuration assignments as compliance as code, creating repeatable, auditable workflows that scale across environments. Specifically, you can connect your GitHub repository to your Azure environments using OIDC authentication (federated identity credentials, so no long-lived client secret is stored in the repository) and use GitHub Actions to apply CIS profiles at scale, reducing risk and accelerating deployment.
Get Started with a Secure Cloud for Linux
Our collaboration with Microsoft reflects a shared commitment to practical, consistent cloud-native compliance. With ongoing support for new CIS Benchmarks releases and expanded distro coverage, azure-osconfig integration into Azure Machine Configuration reinforces Microsoft’s secure-by-default philosophy. You can learn more about this collaborative effort on the Microsoft Community Hub blog.
How to Enable CIS Benchmarks
- Enable CIS Benchmarks via Azure Machine Configuration.
- Select the CIS profile for your distro and customize as needed.
- Note: You can customize a CIS Benchmark recommendation, but once you do, the machine no longer complies with that recommendation, even if the change satisfies your local site policy. For example, the CIS Benchmarks recommend a minimum password length of 14 characters, while a local policy might require only 10. Keep this impact in mind when customizing CIS Benchmark recommendations.
- For additional distro support, open a GitHub issue at azure-osconfig’s GitHub page or use the Azure support portal to open a new case.
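To make the customization note above and the automated-audit scenario concrete, here is an added shell example. It is not azure-osconfig code and does not use its rule format; it shows, on constructed sample files, how a parameterized audit of the CIS minimum-password-length recommendation (pwquality `minlen`) reports a machine as passing a relaxed local value while flagging that the parameter no longer matches the CIS Benchmark. The file names and the `report` output format are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example, not code from azure-osconfig or Azure Machine Configuration.
# Parameterized audit of the CIS "minlen" recommendation, showing how
# overriding the parameter to a local value changes the CIS verdict.

CIS_MINLEN=14   # minimum password length recommended by the CIS Linux Benchmarks

# read_kv FILE KEY: print the last effective "KEY = value" from a
# pwquality.conf-style file, skipping comments, blank lines and inline
# comments. Prints nothing when the key is not set.
read_kv() {
  local file=$1 key=$2
  [ -r "$file" ] || return 0
  sed -nE "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^[:space:]#]+).*$/\1/p" "$file" | tail -n 1
}

# audit_minlen FILE REQUIRED: exit 0 when minlen is set to a number >= REQUIRED,
# 1 otherwise. An unset minlen fails: pwquality's built-in default (9) is below
# the CIS recommendation, so "not configured" must not count as compliant.
audit_minlen() {
  local file=$1 required=$2 value
  value=$(read_kv "$file" minlen)
  case $value in
    ''|*[!0-9]*) return 1 ;;   # unset, or not a plain integer
  esac
  [ "$value" -ge "$required" ]
}

# report FILE REQUIRED: print the local verdict plus whether the parameter used
# still matches the CIS recommendation. A PASS against a lowered parameter is a
# local-policy pass only; the CIS recommendation itself is no longer met.
report() {
  local file=$1 required=$2 verdict note
  if audit_minlen "$file" "$required"; then verdict=PASS; else verdict=FAIL; fi
  if [ "$required" -ge "$CIS_MINLEN" ]; then
    note="CIS-aligned parameter"
  else
    note="parameter below CIS value $CIS_MINLEN; not CIS compliant"
  fi
  printf '%s minlen>=%s: %s (%s)\n' "$file" "$required" "$verdict" "$note"
}

# make_samples: constructed pwquality.conf files (not from any real system),
# written into a fresh temporary directory exported as SAMPLE_DIR.
make_samples() {
  SAMPLE_DIR=$(mktemp -d)
  printf '# hardened host\nminlen = 14\nminclass = 4\n' > "$SAMPLE_DIR/hardened.conf"
  printf 'minlen=10   # relaxed per local site policy\n' > "$SAMPLE_DIR/local.conf"
  printf '# minlen = 14 left commented out, so the pwquality default applies\n' > "$SAMPLE_DIR/default.conf"
}

main() {
  make_samples
  for f in hardened local default; do
    report "$SAMPLE_DIR/$f.conf" "$CIS_MINLEN"   # audit against the CIS value
    report "$SAMPLE_DIR/$f.conf" 10              # audit against a customized local value
  done
  rm -rf "$SAMPLE_DIR"
}

main "$@"
```

Running it prints six lines: `hardened.conf` passes both audits, `local.conf` fails at 14 and passes at 10, and `default.conf` fails both because the key is commented out. The point for Azure Machine Configuration is the same: a customized parameter can turn a FAIL into a PASS in your own reporting, but the note in parentheses is what an auditor comparing you against the published CIS Benchmark will see.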
Ready to learn how azure-osconfig and CIS Benchmarks can modernize your cloud security and streamline compliance?