CIS Compliance with USG for Ubuntu 24.04 LTS

henrycoggill · February 28, 2025, 6:46pm

The Center for Internet Security (CIS) is an independent group that publishes hardening guides for a wide range of products, including Ubuntu. The CIS benchmarks for Ubuntu 24.04 LTS contain a large number of recommendations for how to configure an Ubuntu system for maximum security. Canonical has developed the Ubuntu Security Guide (USG) tool in order to simply the process of applying the recommendations and then checking to see whether the system is still in compliance with the benchmark.

USG is available with an Ubuntu Pro subscription, which is free for up to 5 machines.

Installing USG

sudo pro enable usg
sudo apt install -y usg

Generate a tailoring file

sudo usg generate-tailoring cis_level1_server hardening.xml

Auditing a system

sudo usg audit --tailoring-file hardening.xml

Remediating a system

sudo usg fix --tailoring-file hardening.xml

hsreeram · April 3, 2025, 1:43pm

Can’t install usg directly. What is the best method to install usg package in 24.04 ?

ldgrim · April 3, 2025, 6:59pm

When running USG, applying the remediation scripts to a failed CIS benchmark finding, it still fails. For example, the entire GNOME3 hardening. Tried both the scripts, as well as the GUI dconf-editor, to no avail.

epomattiio · April 18, 2025, 12:40am

Which error are you getting?

This worked for me on an attached instance running 24.04. LTS:

apt install -y ubuntu-advantage-tools
pro enable usg
apt install -y usg

hsreeram · April 18, 2025, 9:03am

I got the issue. the usg is dependant on openscap which is available in Ubuntu/universe. I had to enable Ubuntu/universe repo.

cumigoreng · April 21, 2025, 7:09am

cmiiw, but is it missing :
1.1.1.7 Ensure squashfs kernel module is not available (Automated) ?

The hardening was done using :

sudo usg generate-tailoring cis_level2_server hardening.xml
sudo usg fix --tailoring-file hardening.xml

elaouni · April 25, 2025, 2:30pm

usg fix stays forever in this state:

Remediating rule 3/393: 'xccdf_org.ssgproject.content_rule_aide_build_database'
Running aide --init...

benn · May 18, 2025, 7:06am

I need to install this via Terraform.
Is there an image that doesn’t require the faff of set up?

A user data script could automate the setup steps every time, but repeating setup multiple times a day doesn’t sound ideal, an actual image would be best.

mustufa992 · August 12, 2025, 8:44am

can you please share which tools is this…?

mustufa992 · August 12, 2025, 8:44am

same…

Is there any solution for this…?

elaouni · August 12, 2025, 8:57am

This step takes a few hours. Just be patient.

cumigoreng · August 14, 2025, 9:54am

that was the audit result from :
usg audit “profile” i.e usg audit cis_level1_server or usg audit cis_level2_server

after the auditing was done, it shows the result is saved in both xml and html in :
/var/lib/usg/

as for the the “Running aide --init…” run forever, yeah thats because its create a database of checksum etc of every file in your system (assuming you havent set which directory to be skipped). Open another ssh and run ps, you will see it running for a long times.

On my 1 vcpu ,2 gb ram test server with 32gb storage newly installed ubuntu 24.04, it took like around 90+ mins.