Comply with CIS or DISA STIG on Ubuntu 20.04 with Ubuntu Security Guide

Summary: How to use the Ubuntu Security Guide to audit with the CIS benchmark or DISA-STIG.
Categories: server, desktop, pro
Difficulty: 2
Author: Nikos Mavrogiannopoulos nmav@canonical.com

Overview

Duration: 2:00

What is the Ubuntu Security Guide?

Security Technical Implementation Guides like the CIS benchmark or DISA-STIG contain hundreds of configuration recommendations, so hardening and auditing a Linux system by hand is very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that makes hardening and auditing far more usable and allows environment-specific customizations. The following sections explain how to harden and audit with usg.

In this tutorial, we will learn how to audit with the CIS benchmark or DISA-STIG on Ubuntu 20.04 LTS machines, while using an Ubuntu Pro subscription.

Understanding the Pro client

The Ubuntu Pro client is a tool designed to automate access to Pro services like Extended Security Maintenance (ESM), USG, FIPS, and more.

What you’ll learn:

  • How to check which version of the Pro client is installed on your machine and how to update it if necessary
  • How to attach the Pro client to your account using your Ubuntu Pro token
  • How to enable the USG on your Ubuntu machine
  • How to perform an audit for CIS or DISA-STIG

What you’ll need:

  • An active Ubuntu Pro subscription

  • An Ubuntu machine running a fresh install of Ubuntu Server or Desktop 20.04 LTS (see the note below)

  Note: if you use the tool to harden an existing Ubuntu image rather than a fresh install, the hardening process may take a long time because of the filesystem checks.

Installing the Pro client

Duration: 4:00

In this step, we will install the latest version of the Pro client to ensure that it contains support for USG. Use the following commands:

$ sudo apt update
$ sudo apt install ubuntu-pro-client

Retrieving your Pro token from the Ubuntu Pro dashboard and attaching it to the Pro client

Duration: 5:00

If you are enabling USG on an Ubuntu Pro instance from a public cloud marketplace, you can skip this step and go straight to step 4 (Enabling the Ubuntu Security Guide). For all other images, your Pro token connects the Pro client installed on your machines to your Ubuntu Pro subscription.

Let’s first check whether we have already attached our Pro token to the Pro client by running:

$ sudo pro status
SERVICE          AVAILABLE  DESCRIPTION
anbox-cloud      yes        Scalable Android in the cloud
esm-apps         yes        Expanded Security Maintenance for Applications
esm-infra        yes        Expanded Security Maintenance for Infrastructure
fips             yes        NIST-certified FIPS crypto packages
fips-updates     yes        FIPS compliant crypto packages with stable security updates
livepatch        yes        Canonical Livepatch service
ros              yes        Security Updates for the Robot Operating System
usg              yes        Security compliance and audit tools

For a list of all Ubuntu Pro services, run 'pro status --all'

This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro

We can see that this is not yet attached to a Pro subscription. Let’s fix that now.

To attach your machine to a subscription, run the following command in your terminal:

$ sudo pro attach

You should see output like this, giving you a link and a code:

Initiating attach operation...

Please sign in to your Ubuntu Pro account at this link:
https://ubuntu.com/pro/attach
And provide the following code: 123456

Open the link without closing your terminal window.

To access your Pro subscription, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.

In the field that asks you to enter your code, copy and paste the code shown in the terminal. Then, choose which subscription you want to attach to. By default, the Free Personal Token will be selected.

Once you have pasted your code and chosen the subscription you want to attach your machine to, click on the “Submit” button.

The attach process will then continue in the terminal window, and you should eventually be presented with the following message:

Attaching the machine...
Enabling default service esm-apps
Updating Ubuntu Pro: ESM Apps package lists
Ubuntu Pro: ESM Apps enabled
Enabling default service esm-infra
Updating Ubuntu Pro: ESM Infra package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical Livepatch enabled
This machine is now attached to 'Ubuntu Pro - free personal subscription'

SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
fips             yes       disabled     NIST-certified FIPS crypto packages
fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
livepatch        yes       enabled      Canonical Livepatch service
ros              yes       disabled     Security Updates for the Robot Operating System
usg              yes       disabled     Security compliance and audit tools

NOTICES
Operation in progress: pro attach

For a list of all Ubuntu Pro services, run 'pro status --all'
Enable services with: pro enable <service>

     Account: <email>
Subscription: Ubuntu Pro - free personal subscription

Enabling the Ubuntu Security Guide

Duration: 3:00

Now we’re ready to enable and install USG:

$ sudo pro enable usg
One moment, checking your subscription first
Updating package lists
USG enabled
$ sudo apt install usg

Run the Ubuntu Security Guide

Duration: 15:00

You have successfully enabled the USG tool and are ready to use it to audit or harden your Ubuntu machine. To audit, use the following command, replacing <PROFILE> with cis_level1_server, cis_level1_workstation or disa_stig, depending on your compliance target.

$ sudo usg audit <PROFILE>

The output of this command shows the compliance status and also points to an HTML file containing the full audit report. Use a browser to view the file; it will look similar to the report shown below.

For more complex operations you can proceed with the steps from Ubuntu’s Security certifications documentation to complete the hardening process.
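As an added example (not part of the tutorial or of the Pro client), the steps above wrapped into one POSIX shell script: it reads the usg state out of 'pro status', enables USG only when it is still disabled, refuses to audit if no benchmark bundle package is installed (the failure reported in a comment further down), and rejects profile names other than the three listed above. The sample 'pro status' lines are copied from the output shown earlier; the script name usg-audit.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the tutorial: idempotent attach check, USG enable and
# audit, using only the commands and output formats the tutorial shows.
set -eu

PROFILES="cis_level1_server cis_level1_workstation disa_stig"

# Accept only the profile names the tutorial lists.
valid_profile() {
    for p in $PROFILES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Read 'pro status' output from stdin and print the usg state:
# enabled / disabled / unattached. An unattached machine prints an
# AVAILABLE column instead of STATUS, so its third field is not a state.
usg_state() {
    awk '$1 == "SERVICE" { attached = ($3 == "STATUS") }
         $1 == "usg"     { state = attached ? $3 : "unattached"; print state; found = 1 }
         END { if (!found) print "unknown" }'
}

# Constructed samples, copied from the tutorial's 'pro status' output.
UNATTACHED_SAMPLE='SERVICE          AVAILABLE  DESCRIPTION
usg              yes        Security compliance and audit tools'
ATTACHED_SAMPLE='SERVICE          ENTITLED  STATUS       DESCRIPTION
usg              yes       disabled     Security compliance and audit tools'

main() {
    profile=$1
    valid_profile "$profile" ||
        { echo "unknown profile '$profile'; expected one of: $PROFILES" >&2; exit 2; }
    case $(sudo pro status | usg_state) in
        unattached) echo "not attached; run 'sudo pro attach' first" >&2; exit 1 ;;
        disabled)   sudo pro enable usg ;;
        enabled)    ;;
        *)          echo "could not read the usg state from 'pro status'" >&2; exit 1 ;;
    esac
    command -v usg >/dev/null || sudo apt install -y usg
    # A comment on this page reports the audit failing with "could not find any
    # benchmark bundle installed"; confirm a usg-benchmarks package is present first.
    dpkg -l 'usg-benchmarks-*' 2>/dev/null | grep -q '^ii' ||
        { echo "no usg-benchmarks package installed" >&2; exit 1; }
    sudo usg audit "$profile"   # prints the result and the path of the HTML report
}

# Usage: sh usg-audit.sh <profile>
if [ "$#" -gt 0 ]; then main "$@"; fi
```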

Congratulations!

Duration: 1:00

Congratulations, you have successfully used the Pro client to audit your Ubuntu image!


There is a typo in the command example for enabling ‘usg’ with ‘ua’. It should be …
$ sudo ua enable usg
instead of current:
$ sudo ua enable sug


Thanks for pointing that out! We’ve corrected that typo


This command is mentioned in a number of documents:

$ sudo usg audit cis_level1_server

Gives:

Error: could not find any benchmark bundle installed.

Verify if there is any 'usg-benchmarks-<VERSION>' package installed or if the
alternatives entry 'usg_current_benchmarks' is properly configured.

<VERSION> is the version number of the benchmark bundle contained into the package.

Solved “Error: could not find any benchmark bundle installed.” by doing

sudo apt install usg-benchmarks-1

root@ub2204:/home/ant2ne# ua enable usg
One moment, checking your subscription first
Ubuntu Security Guide is not available for Ubuntu 22.04 LTS (Jammy Jellyfish).

But the article title specifies 2204

I’m getting the same error re: 22.04.

Does anyone know when this will be available?


replacing <PROFILE> with cis_level1_server, with cis_level1_workstation or disa_stig, depending on the compliance target.

But I didn’t see where those options are explained. I ran with cis_level1_server, mainly to see what suggestions it made, but also to find out how it was going to make those changes, so I can learn how to harden a system.

I am doing this for Ubuntu on VMWare to see what the workstation results would be.

sudo usg audit cis_level1_workstation

At step

Title User Initialization Files Must Not Run World-Writable Programs
Rule xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs

It hangs, and I got out by pressing Ctrl-C.

Where would I find the output file?

Regards

Had the same problem, ended up disabling that rule in both the audit and the fix templates.
Additionally, it doesn’t look like the report is generated until it completes.

I’m wondering, is this only for older versions, i.e. Ubuntu 20.04?