| Key | Value |
|---|---|
| Summary | How to use the Ubuntu Security Guide to audit with the CIS benchmark or DISA-STIG. |
| Categories | server, desktop, pro |
| Difficulty | 2 |
| Author | Nikos Mavrogiannopoulos nmav@canonical.com |
Overview
Duration: 2:00
What is the Ubuntu Security Guide?
Security Technical Implementation Guides like the CIS benchmark or DISA-STIG have hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that greatly improves the usability of hardening and auditing, and allows for environment-specific customizations. The following sections provide more information on hardening and auditing with usg.
In this tutorial, we will learn how to audit with the CIS benchmark or DISA-STIG on Ubuntu 20.04 LTS machines, while using an Ubuntu Pro subscription.
Understanding the Pro client
The Ubuntu Pro client is a tool designed to automate access to Pro services like Extended Security Maintenance (ESM), USG, FIPS, and more.
What you'll learn:
- How to check which version of the Pro client is installed on your machine and how to update it if necessary
- How to attach the Pro client to your account using your Ubuntu Pro token
- How to enable the USG on your Ubuntu machine
- How to perform an audit for CIS or DISA-STIG
What you'll need:
- An active Ubuntu Pro subscription
- An Ubuntu machine running a fresh install* of Ubuntu server or desktop 20.04 LTS

\* Please note that if you use the tool to harden an existing Ubuntu image, the hardening process may take a long time due to the filesystem checks.
Installing the Pro client
Duration: 4:00
In this step, we will install the latest version of the Pro client to ensure that it contains support for USG. Use the following commands:
$ sudo apt update
$ sudo apt install ubuntu-advantage-tools
Retrieving your Pro token from the Ubuntu Pro dashboard and attaching it to the Pro client
Duration: 5:00
If you are enabling USG on an Ubuntu Pro instance from a public cloud marketplace, you can skip this step and go straight to step 4! For all other images, your Pro token is used to connect the Pro client you have installed on your machines to your Ubuntu Pro subscription.
Let's first check whether we have already attached our Pro token to the Pro client by running:
$ sudo pro status
SERVICE AVAILABLE DESCRIPTION
anbox-cloud yes Scalable Android in the cloud
esm-apps yes Expanded Security Maintenance for Applications
esm-infra yes Expanded Security Maintenance for Infrastructure
fips yes NIST-certified FIPS crypto packages
fips-updates yes FIPS compliant crypto packages with stable security updates
livepatch yes Canonical Livepatch service
ros yes Security Updates for the Robot Operating System
usg yes Security compliance and audit tools
For a list of all Ubuntu Pro services, run 'pro status --all'
This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro
We can see that this machine is not yet attached to a Pro subscription. Let's fix that now.
Your Pro token (formerly called the UA token) can be found on your Ubuntu Pro dashboard (formerly the Ubuntu Advantage dashboard). To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.
The Ubuntu One account functions as a Single Sign On, so once logged in we can go straight to the Ubuntu Pro dashboard at ubuntu.com/pro/dashboard.
Now we're ready to attach our token to the Pro client:
$ sudo pro attach <your_pro_token>
Enabling default service esm-apps
Updating Ubuntu Pro: ESM Apps package lists
Ubuntu Pro: ESM Apps enabled
Enabling default service esm-infra
Updating Ubuntu Pro: ESM Infra package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical Livepatch enabled
This machine is now attached to 'Ubuntu Pro - free personal subscription'
SERVICE ENTITLED STATUS DESCRIPTION
anbox-cloud yes disabled Scalable Android in the cloud
esm-apps yes enabled Expanded Security Maintenance for Applications
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
fips yes disabled NIST-certified FIPS crypto packages
fips-updates yes disabled FIPS compliant crypto packages with stable security updates
livepatch yes enabled Canonical Livepatch service
ros yes disabled Security Updates for the Robot Operating System
usg yes disabled Security compliance and audit tools
NOTICES
Operation in progress: pro attach
For a list of all Ubuntu Pro services, run 'pro status --all'
Enable services with: pro enable <service>
Account: <email>
Subscription: Ubuntu Pro - free personal subscription
Enabling the Ubuntu Security Guide
Duration: 3:00
Now we're ready to enable and install USG:
$ sudo pro enable usg
$ sudo apt install usg
One moment, checking your subscription first
Updating package lists
USG enabled
Run the Ubuntu Security Guide
Duration: 15:00
You have successfully enabled the USG tool and are ready to use it to audit or harden your Ubuntu machine. To audit, use the following command, replacing <PROFILE> with cis_level1_server, cis_level1_workstation or disa_stig, depending on the compliance target.
$ sudo usg audit <PROFILE>
The output of this command will show the compliance status, and it will also point to an HTML file containing the audit report. Use a browser to view the file. It will look similar to the one below.
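As an added example (not part of the original tutorial, nor of the Pro client or USG projects), the following POSIX shell helper ties the steps above together: it reads `pro status` output to decide whether the machine still needs attaching or `usg` enabling, rejects profile names other than the three listed, and only then runs the audit. The sample `pro status` transcripts are constructed from the listings above; the function names and the `DRY_RUN` variable are my own.

```shell
# Added example, not from the Ubuntu tutorial: a preflight helper around the
# pro/usg steps above. Function and variable names are my own.
# Constructed from the tutorial's `pro status` listings (before/after attach):
SAMPLE_UNATTACHED="SERVICE AVAILABLE DESCRIPTION
esm-infra yes Expanded Security Maintenance for Infrastructure
usg yes Security compliance and audit tools
This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro"
SAMPLE_ATTACHED="SERVICE ENTITLED STATUS DESCRIPTION
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
usg yes disabled Security compliance and audit tools
Subscription: Ubuntu Pro - free personal subscription"
# Read a `pro status` transcript on stdin; print not-attached|disabled|enabled|unknown.
usg_state() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'not attached to an Ubuntu Pro subscription'; then
        echo not-attached; return 0
    fi
    # After attach the columns are: SERVICE ENTITLED STATUS DESCRIPTION
    status=$(printf '%s\n' "$out" | awk '$1 == "usg" { print $3 }')
    case "$status" in
        enabled|disabled) echo "$status" ;;
        *) echo unknown ;;
    esac
}

# Only the three profiles named in the tutorial are accepted.
valid_profile() {
    case "$1" in
        cis_level1_server|cis_level1_workstation|disa_stig) return 0 ;;
        *) return 1 ;;
    esac
}

# Echo commands instead of running them when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
# Given PROFILE and the state from usg_state, finish enabling usg if needed and audit.
usg_audit_plan() {
    valid_profile "$1" || { echo "unknown profile: $1" >&2; return 2; }
    case "$2" in
        not-attached) echo "attach first: sudo pro attach <your_pro_token>" >&2; return 3 ;;
        disabled)     run sudo pro enable usg; run sudo apt install -y usg ;;
        enabled)      : ;;
        *)            echo "could not read usg state from pro status" >&2; return 4 ;;
    esac
    run sudo usg audit "$1"
}
# Live entry point, e.g.: DRY_RUN=1 audit_with_usg cis_level1_server
audit_with_usg() { usg_audit_plan "$1" "$(sudo pro status 2>/dev/null | usg_state)"; }
```

Run `audit_with_usg <PROFILE>` on the target machine; with `DRY_RUN=1` it only prints the `pro`, `apt` and `usg` commands it would execute.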
For more complex operations you can proceed with the steps from Ubuntu's Security certifications documentation to complete the hardening process.
Congratulations!
Duration: 1:00
Congratulations, you have successfully used the Pro client to audit your Ubuntu image!