Using the UA client to enable the CIS benchmarking tool

Summary: How to use the UA client to access and enable the CIS benchmarking tool on Ubuntu and Ubuntu Pro images.
Categories: server, desktop, ua
Difficulty: 2
Author: Alyson Richens <alyson@richens@canonical.com>

Overview

Duration: 2:00

What is the CIS benchmarking tool?

The Center for Internet Security (CIS) has published hardening benchmarks for all Ubuntu LTS versions since Ubuntu 12.04 LTS. These hardening benchmarks are meant to be best-practice security configurations. Canonical has developed a tool that automates the process of hardening and auditing Ubuntu LTS images based on the published CIS benchmarks, enabling you to harden an image within minutes.

In this tutorial, we will learn how Ubuntu Advantage for Infrastructure and Ubuntu Pro customers, as well as personal users with free access to Ubuntu Advantage for Infrastructure, can use the Ubuntu Advantage client (UA client) to enable the CIS benchmarking tool on Ubuntu 16.04 ESM and 18.04 LTS machines.


NOTE: On Ubuntu 20.04 LTS we recommend using the Ubuntu Security Guide to comply with CIS.


Understanding the UA client

The Ubuntu Advantage (UA) client is a tool that automates access to UA services such as Extended Security Maintenance (ESM), CIS, FIPS and more. The client is available for all Ubuntu LTS releases; however, some services, such as the CIS benchmarking tool, are in beta or are not available on every Ubuntu LTS or ESM release.

What you’ll learn:

  • How to check which version of the UA client is installed on your machine and how to update it if necessary
  • How to attach the UA client to your Ubuntu Advantage account using your UA token
  • How to enable the CIS benchmarking tool on your Ubuntu machine

What you’ll need:

  • An active Ubuntu Advantage for Infrastructure or Ubuntu Pro subscription, or a free account (can be used on up to 3 machines)

  • An Ubuntu machine running a fresh install* of Ubuntu Server or Desktop 16.04, 18.04 or 20.04 LTS

  * If you use the tool to harden an existing (not freshly installed) Ubuntu image, the hardening process may take longer than estimated.

Checking the UA client

Duration: 4:00

In this step, we will check which version of the UA client we have installed, because we need at least version 27.1 to enable the CIS benchmarking tool. We will then update our UA client if needed.

To see which version of the UA client you have installed, run:

$ apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 10ubuntu0.16.04.1
  Candidate: 10ubuntu0.16.04.1
  Version table:
 *** 10ubuntu0.16.04.1 500
        500 http://azure.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status

We need at least version 27.1 and we have 10ubuntu0.16.04.1 (package versions are compared on their leading number, so 10 is well below 27), so we now need to upgrade our UA package (skip this step if you are already running at least 27.1):

$ sudo apt update
$ sudo apt install ubuntu-advantage-tools

Now we have the correct version running!

$ ua version

27.1~16.04.1

Retrieving your UA token from the Ubuntu Advantage dashboard and attaching it to the UA client

Duration: 5:00

If you are enabling the CIS tool on an Ubuntu Pro instance, you can skip this step and go straight to step 4! For non-Pro images, your UA token is used to connect the UA client you have installed on your machines to your Ubuntu Advantage for Infrastructure subscription.

Let’s first check whether we have already attached our UA token to the UA client by running:

$ sudo ua status
SERVICE           AVAILABLE      DESCRIPTION
esm-infra         yes            UA Infra: Extended Security Maintenance (ESM)
fips              yes            NIST-certified FIPS modules
fips-updates      yes            Uncertified security updates to FIPS modules
livepatch         yes            Canonical Livepatch service
This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage

We can see that this is not yet attached to a UA subscription. Let’s fix that now.

Your UA token can be found on your Ubuntu Advantage dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.

The Ubuntu One account functions as a Single Sign On, so once logged in we can go straight to the Ubuntu Advantage dashboard at ubuntu.com/advantage. Then click on the ‘Machines’ column in the Your Paid Subscriptions table to reveal your token.

Now we’re ready to attach our UA token to the UA client:

$ sudo ua attach <your_ua_token>
Enabling default service esm-infra
Updating package lists
ESM Infra enabled
Enabling default service livepatch
Canonical livepatch enabled.

This machine is now attached to 'your account name'

SERVICE      ENTITLED    STATUS   DESCRIPTION
cis          yes         disabled Center for Internet Security Audit Tools
esm-infra    yes         enabled  UA Infra: Extended Security Maintenance (ESM)
fips         yes         n/a      NIST-certified FIPS modules
fips-updates yes         n/a      Uncertified security updates to FIPS modules
livepatch    yes         enabled  Canonical Livepatch service

Enabling the CIS tool

Duration: 3:00

Now it is time to enable the CIS tool. First, we want to run the following command to see the CIS service and its status:

$ ua status --all

We should see an output like this:

SERVICE        ENTITLED       STATUS       DESCRIPTION 
cc-eal         yes            n/a          Common Criteria EAL2 Provisioning Packages 
cis            yes            n/a          Center for Internet Security Audit Tools 
esm-apps       no             —            UA Apps: Extended Security Maintenance (ESM) 
esm-infra      yes            enabled      UA Infra: Extended Security Maintenance (ESM) 
fips           yes            n/a          NIST-certified FIPS modules 
fips-updates   yes            n/a          Uncertified security updates to FIPS modules 
livepatch      yes            enabled      Canonical Livepatch service 
Enable services with: ua enable <service>

Now we’re ready to enable CIS:

$ sudo ua enable cis
One moment, checking your subscription first
Updating package lists
Installing CIS Audit packages
CIS Audit enabled
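The whole procedure above (version check, upgrade if needed, attach, enable, verify), as an added shell example that is not part of the original tutorial. The parsing helpers work on `ua status` text and a dpkg version string, so they can be exercised offline against a constructed sample copied from the attached status table shown earlier; `run` mode calls the real apt and ua commands. It assumes the token is supplied in a UA_TOKEN environment variable and that dpkg-query is available, both assumptions of this example rather than anything the tutorial prescribes.

```sh
#!/bin/sh
# Added example, not the tutorial's own code: the tutorial's steps with the
# checks a practitioner would add. Helpers parse `ua status` text and a dpkg
# version string; `run` mode executes the real commands.
set -u

MIN_MAJOR=27   # `ua enable cis` needs ubuntu-advantage-tools >= 27.1
MIN_MINOR=1

# ua_version_ok VERSION -> 0 if VERSION is at least 27.1, 1 otherwise.
# Only the leading "major.minor" digits are compared; Debian revision
# suffixes such as "~16.04.1" or "ubuntu0.16.04.1" are ignored, so
# 10ubuntu0.16.04.1 fails and 27.1~16.04.1 passes, as in the tutorial.
ua_version_ok() {
    v=$1
    major=${v%%[!0-9]*}          # digits up to the first non-digit
    rest=${v#*.}                 # text after the first dot, if any
    [ "$rest" = "$v" ] && rest=""
    minor=${rest%%[!0-9]*}
    [ -n "$major" ] || return 1
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "${minor:-0}" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# is_attached  (ua status text on stdin) -> 0 when attached, 1 otherwise.
is_attached() {
    ! grep -q '^This machine is not attached'
}

# status_of SERVICE  (ua status text on stdin) -> prints the STATUS column
# for SERVICE, or "unknown" when the table has no STATUS column (the
# unattached table only has SERVICE/AVAILABLE/DESCRIPTION) or the service
# is not listed.
status_of() {
    awk -v svc="$1" '
        BEGIN { col = 0; s = "unknown" }
        $1 == "SERVICE" { for (i = 1; i <= NF; i++) if ($i == "STATUS") col = i; next }
        $1 == svc && col > 0 { s = $col }
        END { print s }'
}

# Constructed sample, copied from the attached `ua status` table in the tutorial.
SAMPLE_ATTACHED='SERVICE      ENTITLED    STATUS   DESCRIPTION
cis          yes         disabled Center for Internet Security Audit Tools
esm-infra    yes         enabled  UA Infra: Extended Security Maintenance (ESM)
livepatch    yes         enabled  Canonical Livepatch service'

# Live run: needs sudo, apt and the ua client. Assumes UA_TOKEN holds the
# token from the Ubuntu Advantage dashboard (assumption of this example).
run_steps() {
    command -v ua >/dev/null 2>&1 || { echo "ua client not installed" >&2; return 2; }
    ver=$(dpkg-query -W -f='${Version}' ubuntu-advantage-tools)
    if ! ua_version_ok "$ver"; then
        echo "ubuntu-advantage-tools $ver is older than 27.1; upgrading"
        sudo apt update && sudo apt install -y ubuntu-advantage-tools
    fi
    if ! sudo ua status | is_attached; then
        : "${UA_TOKEN:?set UA_TOKEN to the token from your Ubuntu Advantage dashboard}"
        sudo ua attach "$UA_TOKEN"
    fi
    if [ "$(sudo ua status --all | status_of cis)" != "enabled" ]; then
        sudo ua enable cis
    fi
    # Verify from the status table rather than trusting the enable message;
    # a non-zero exit here means the CIS audit packages did not get enabled.
    [ "$(sudo ua status --all | status_of cis)" = "enabled" ]
}

if [ "${1:-}" = "run" ]; then
    run_steps
else
    # Offline demonstration on the constructed sample.
    printf 'cis status in sample: %s\n' "$(printf '%s\n' "$SAMPLE_ATTACHED" | status_of cis)"
    if ua_version_ok "10ubuntu0.16.04.1"; then
        echo "10ubuntu0.16.04.1: new enough"
    else
        echo "10ubuntu0.16.04.1: too old, upgrade first"
    fi
fi
```

Without arguments the script only exercises the helpers on the embedded sample; `sh script.sh run` performs the tutorial's steps on a real machine and exits non-zero if `cis` does not end up `enabled`. On an Ubuntu Pro instance the attach step is skipped automatically because `ua status` already reports the machine as attached.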

Configure and run the CIS benchmarking tool

Duration: 20:00

You have successfully enabled the CIS benchmarking tool: the CIS audit packages are now installed, but your machine is not hardened yet. To audit and harden it, proceed with the “Configure and run CIS Benchmark rules” section of Ubuntu’s documentation on CIS compliance for Ubuntu, which completes the hardening process.

Congratulations!

Duration: 1:00

Congratulations, you have successfully used the UA client to enable the CIS benchmarking tool on your Ubuntu machine! Running the benchmark rules, as described in the previous step, is what actually hardens the image.

Add here a Pro subscription

How do I get an active Ubuntu Advantage for Infrastructure subscription?

Did you actually click the link you re-posted?

Congratulations, you have successfully used the UA client to harden your Ubuntu image!

This is misleading. After spending the 20 minutes or so that is estimated, it would indeed be wonderful if the image was hardened. But actually, that just installs the tools. And they are designed for a fresh install. Next they have to be configured, and run, with unclear results. I don’t even know if I want to continue.
It would be much more helpful to provide a clearer sense up-front of the steps needed, and to provide a sense for what the likely outcome would be, given this further investment.

Thanks for the feedback, Neal. Running the tool is covered in the section before the ‘Congratulations’ section, but I can see how this is unclear. I’ll improve the wording now and adjust the time estimate.

I’ll also add that you ideally want a fresh install of Ubuntu to the ‘What you’ll need’ list at the beginning of the tutorial.


The CIS feature seems to be replaced with USG in Ubuntu 20.04++.