Key | Value |
---|---|
Summary | How to use the Ubuntu Security Guide to audit with the CIS benchmark or DISA-STIG. |
Categories | server, desktop, pro |
Difficulty | 2 |
Author | Nikos Mavrogiannopoulos nmav@canonical.com |
Overview
Duration: 2:00
What is the Ubuntu Security Guide?
Security Technical Implementation Guides like the CIS benchmark or DISA-STIG have hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that greatly improves the usability of hardening and auditing, and allows for environment-specific customizations. The following sections provide more information on hardening and auditing with usg.
In this tutorial, we will learn how to audit with the CIS benchmark or DISA-STIG on Ubuntu 20.04 LTS machines, while using an Ubuntu Pro subscription.
Understanding the Pro client
The Ubuntu Pro client is a tool designed to automate access to Pro services like Extended Security Maintenance (ESM), USG, FIPS, and more.
What you'll learn:
- How to check which version of the Pro client is installed on your machine and how to update it if necessary
- How to attach the Pro client to your account using your Ubuntu Pro token
- How to enable the USG on your Ubuntu machine
- How to perform an audit for CIS or DISA-STIG
What you'll need:
- An active Ubuntu Pro
- An Ubuntu machine running a fresh install* of Ubuntu server or desktop 20.04 LTS

\* Please note that if you use the tool to harden an existing Ubuntu image, the hardening process may take a long time due to the filesystem checks.
Installing the Pro client
Duration: 4:00
In this step, we will install the latest version of the Pro client to ensure that it contains support for USG. Use the following commands:
$ sudo apt update
$ sudo apt install ubuntu-pro-client
Retrieving your Pro token from the Ubuntu Pro dashboard and attaching it to the Pro client
Duration: 5:00
If you are enabling USG on an Ubuntu Pro instance from a public cloud marketplace, you can skip this step and go straight to step 4! For all other images, your Pro token is used to connect the Pro client you have installed on your machines to your Ubuntu Pro subscription.
Let's first check whether we have already attached our Pro token to the Pro client by running:
$ sudo pro status
SERVICE AVAILABLE DESCRIPTION
anbox-cloud yes Scalable Android in the cloud
esm-apps yes Expanded Security Maintenance for Applications
esm-infra yes Expanded Security Maintenance for Infrastructure
fips yes NIST-certified FIPS crypto packages
fips-updates yes FIPS compliant crypto packages with stable security updates
livepatch yes Canonical Livepatch service
ros yes Security Updates for the Robot Operating System
usg yes Security compliance and audit tools
For a list of all Ubuntu Pro services, run 'pro status --all'
This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro
We can see that this machine is not yet attached to a Pro subscription. Let's fix that now.
To attach your machine to a subscription, run the following command in your terminal:
$ sudo pro attach
You should see output like this, giving you a link and a code:
Initiating attach operation...
Please sign in to your Ubuntu Pro account at this link:
https://ubuntu.com/pro/attach
And provide the following code: 123456
Open the link without closing your terminal window.
To access your Pro subscription, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.
In the field that asks you to enter your code, copy and paste the code shown in the terminal. Then, choose which subscription you want to attach to. By default, the Free Personal Token will be selected.
Once you have pasted your code and chosen the subscription you want to attach your machine to, click on the "Submit" button.
The attach process will then continue in the terminal window, and you should eventually be presented with the following message:
Attaching the machine...
Enabling default service esm-apps
Updating Ubuntu Pro: ESM Apps package lists
Ubuntu Pro: ESM Apps enabled
Enabling default service esm-infra
Updating Ubuntu Pro: ESM Infra package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical Livepatch enabled
This machine is now attached to 'Ubuntu Pro - free personal subscription'
SERVICE ENTITLED STATUS DESCRIPTION
anbox-cloud yes disabled Scalable Android in the cloud
esm-apps yes enabled Expanded Security Maintenance for Applications
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
fips yes disabled NIST-certified FIPS crypto packages
fips-updates yes disabled FIPS compliant crypto packages with stable security updates
livepatch yes enabled Canonical Livepatch service
ros yes disabled Security Updates for the Robot Operating System
usg yes disabled Security compliance and audit tools
NOTICES
Operation in progress: pro attach
For a list of all Ubuntu Pro services, run 'pro status --all'
Enable services with: pro enable <service>
Account: <email>
Subscription: Ubuntu Pro - free personal subscription
Enabling the Ubuntu Security Guide
Duration: 3:00
Now we're ready to enable and install USG:
$ sudo pro enable usg
One moment, checking your subscription first
Updating package lists
USG enabled
$ sudo apt install usg
Run the Ubuntu Security Guide
Duration: 15:00
You have successfully enabled the USG tool and are ready to use it to audit or harden your Ubuntu machine. To audit, use the following command, replacing <PROFILE> with cis_level1_server, cis_level1_workstation or disa_stig, depending on the compliance target.
$ sudo usg audit <PROFILE>
The output of this command will show the compliance status, and it will also point to an HTML file containing the audit report. Use a browser to view the file. It will look similar to the one below.
For more complex operations you can proceed with the steps from Ubuntu's Security certifications documentation to complete the hardening process.
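To track audit results across machines without opening each HTML report, the rule results can be summarized from a script. The following is an added example, not part of the original tutorial or of USG itself: it assumes an XCCDF 1.2 results XML (the OpenSCAP results format) from the same audit is available, which this page does not describe, and the sample document and rule ids in it are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace used by OpenSCAP
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
FAILING = {"fail", "error", "unknown"}  # results that need an operator's attention

# Constructed sample, reduced to the elements read below; rule ids are illustrative.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <TestResult id="xccdf_org.example_testresult_constructed">
  <rule-result idref="xccdf_org.example_rule_a" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_b" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_c" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_d" severity="medium"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_e" severity="medium"><result>notselected</result></rule-result>
 </TestResult>
</Benchmark>"""


def summarize(xml_data):
    """Count rule results and list failing rules, most severe first."""
    root = ET.fromstring(xml_data)
    counts, failing = Counter(), []
    for rr in root.iter(NS + "rule-result"):
        result = (rr.findtext(NS + "result") or "unknown").strip()
        counts[result] += 1
        if result in FAILING:
            failing.append((rr.get("severity", "unknown"), rr.get("idref", "?"), result))
    failing.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 3), f[1]))
    # Rules that were not applicable or not selected say nothing about compliance.
    evaluated = counts["pass"] + sum(counts[r] for r in FAILING)
    pct = round(100.0 * counts["pass"] / evaluated, 1) if evaluated else 0.0
    return {"counts": dict(counts), "failing": failing, "pass_pct": pct}


if __name__ == "__main__":
    # Pass the path of a results XML as the first argument; without one, use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = summarize(data)
    print(f"pass rate: {report['pass_pct']}%  counts: {report['counts']}")
    for severity, rule, result in report["failing"]:
        print(f"{result:8} {severity:8} {rule}")
    sys.exit(1 if report["failing"] else 0)  # non-zero exit lets cron or CI flag drift
```

The pass rate is computed over evaluated rules only, so it can differ from the score shown in the HTML report.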
Congratulations!
Duration: 1:00
Congratulations, you have successfully used the Pro client to audit your Ubuntu image!