CIS Compliance with USG for Ubuntu 24.04 LTS

Documentation Security Certification Documentation
1

The Center for Internet Security (CIS) is an independent group that publishes hardening guides for a wide range of products, including Ubuntu. The CIS benchmarks for Ubuntu 24.04 LTS contain a large number of recommendations for how to configure an Ubuntu system for maximum security. Canonical has developed the Ubuntu Security Guide (USG) tool in order to simply the process of applying the recommendations and then checking to see whether the system is still in compliance with the benchmark.

USG is available with an Ubuntu Pro subscription, which is free for up to 5 machines.

Installing USG

sudo pro enable usg
sudo apt install -y usg

Generate a tailoring file

sudo usg generate-tailoring cis_level1_server hardening.xml

Auditing a system

sudo usg audit --tailoring-file hardening.xml

Remediating a system

sudo usg fix --tailoring-file hardening.xml
2

Can’t install usg directly. What is the best method to install usg package in 24.04 ?

3

When running USG, applying the remediation scripts to a failed CIS benchmark finding, it still fails. For example, the entire GNOME3 hardening. Tried both the scripts, as well as the GUI dconf-editor, to no avail.

4

Which error are you getting?

This worked for me on an attached instance running 24.04. LTS:

apt install -y ubuntu-advantage-tools
pro enable usg
apt install -y usg
5

I got the issue. the usg is dependant on openscap which is available in Ubuntu/universe. I had to enable Ubuntu/universe repo.

6

image
image1058×601 41.9 KB

cmiiw, but is it missing :
1.1.1.7 Ensure squashfs kernel module is not available (Automated) ?

The hardening was done using :

sudo usg generate-tailoring cis_level2_server hardening.xml
sudo usg fix --tailoring-file hardening.xml
7

usg fix stays forever in this state:

Remediating rule 3/393: 'xccdf_org.ssgproject.content_rule_aide_build_database'
Running aide --init...
8

I need to install this via Terraform.
Is there an image that doesn’t require the faff of set up?

A user data script could automate the setup steps every time, but repeating setup multiple times a day doesn’t sound ideal, an actual image would be best.