Comply with CIS or DISA STIG on Ubuntu 20.04 with Ubuntu Security Guide

1. Overview

What is the Ubuntu Security Guide?

Security Technical Implementation Guides like the CIS benchmark or DISA-STIG have hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that greatly improves the usability of hardening and auditing, and allows for environment-specific customizations. The following sections provide more information on hardening and auditing with usg.

In this tutorial, we will learn how to audit with the CIS benchmark or DISA-STIG on Ubuntu 20.04 LTS machines, while using an Ubuntu Pro subscription.

Understanding the Pro client

The Ubuntu Pro client is a tool designed to automate access to Pro services like Extended Security Maintenance (ESM), USG, FIPS, and more.

What you’ll learn:

  • How to check which version of the Pro client is installed on your machine and how to update it if necessary
  • How to attach the Pro client to your account using your Ubuntu Pro token
  • How to enable the USG on your Ubuntu machine
  • How to perform an audit for CIS or DISA-STIG

What you’ll need:

  • An active Ubuntu Pro subscription

  • An Ubuntu machine running a fresh install* of Ubuntu server or desktop 20.04 LTS

  * Please note that if you use the tool to harden an existing Ubuntu image, the hardening process may take a long time due to the filesystem checks.


2. Installing the Pro client

In this step, we will install the latest version of the Pro client to ensure that it contains support for USG. Use the following commands:

$ sudo apt update
$ sudo apt install ubuntu-pro-client

3. Retrieving your Pro token from the Ubuntu Pro dashboard and attaching it to the Pro client

If you are enabling USG on an Ubuntu Pro instance from a public cloud marketplace, you can skip this step and go straight to step 4! For all other images, your Pro token is used to connect the Pro client you have installed on your machines to your Ubuntu Pro subscription.

Let’s first check whether we have already attached our Pro token to the Pro client by running:

$ sudo pro status
SERVICE          AVAILABLE  DESCRIPTION
anbox-cloud      yes        Scalable Android in the cloud
esm-apps         yes        Expanded Security Maintenance for Applications
esm-infra        yes        Expanded Security Maintenance for Infrastructure
fips             yes        NIST-certified FIPS crypto packages
fips-updates     yes        FIPS compliant crypto packages with stable security updates
livepatch        yes        Canonical Livepatch service
ros              yes        Security Updates for the Robot Operating System
usg              yes        Security compliance and audit tools

For a list of all Ubuntu Pro services, run 'pro status --all'

This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro

We can see that this machine is not yet attached to a Pro subscription. Let’s fix that now.

To attach your machine to a subscription, run the following command in your terminal:

$ sudo pro attach

You should see output like this, giving you a link and a code:

Initiating attach operation...

Please sign in to your Ubuntu Pro account at this link:
https://ubuntu.com/pro/attach
And provide the following code: 123456

Open the link without closing your terminal window.

To access your Pro subscription, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.

In the field that asks you to enter your code, copy and paste the code shown in the terminal. Then, choose which subscription you want to attach to. By default, the Free Personal Token will be selected.

Once you have pasted your code and chosen the subscription you want to attach your machine to, click on the “Submit” button.

The attach process will then continue in the terminal window, and you should eventually be presented with the following message:

Attaching the machine...
Enabling default service esm-apps
Updating Ubuntu Pro: ESM Apps package lists
Ubuntu Pro: ESM Apps enabled
Enabling default service esm-infra
Updating Ubuntu Pro: ESM Infra package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical Livepatch enabled
This machine is now attached to 'Ubuntu Pro - free personal subscription'

SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
fips             yes       disabled     NIST-certified FIPS crypto packages
fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
livepatch        yes       enabled      Canonical Livepatch service
ros              yes       disabled     Security Updates for the Robot Operating System
usg              yes       disabled     Security compliance and audit tools

NOTICES
Operation in progress: pro attach

For a list of all Ubuntu Pro services, run 'pro status --all'
Enable services with: pro enable <service>

     Account: <email>
Subscription: Ubuntu Pro - free personal subscription

4. Enabling the Ubuntu Security Guide

Now we’re ready to enable and install USG:

$ sudo pro enable usg
One moment, checking your subscription first
Updating package lists
USG enabled
$ sudo apt install usg

5. Run the Ubuntu Security Guide

You have successfully enabled the USG tool and are ready to use it to audit or harden your Ubuntu machine. To audit, use the following command, replacing <PROFILE> with cis_level1_server, cis_level1_workstation or disa_stig, depending on your compliance target.

$ sudo usg audit <PROFILE>

The output of this command will show the compliance status, and it will also point to an HTML file containing the audit report. Use a browser to view the file. It will look similar to the one below.
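When steps 3 to 5 are scripted across many machines, it helps to check the Pro client state before calling usg. The helpers below are an added example, not code from the Ubuntu tutorial or the usg project; they assume the `pro status` table layout shown above (SERVICE ENTITLED STATUS DESCRIPTION once attached, and a "This machine is not attached" line before attaching) and only accept the three profile names the tutorial lists.

```shell
#!/usr/bin/env bash
# Pre-flight helpers for automating the audit flow above (added example,
# not part of the tutorial). Assumes the `pro status` output format shown
# in the tutorial; the sample text below is constructed from those tables.

# Profiles the tutorial names for `usg audit`.
USG_PROFILES="cis_level1_server cis_level1_workstation disa_stig"

# Return 0 if $1 is one of the profiles above, 1 otherwise.
valid_profile() {
  local p
  for p in $USG_PROFILES; do
    [ "$1" = "$p" ] && return 0
  done
  return 1
}

# Read `pro status` output on stdin; for service $1 print "unattached",
# the STATUS column (enabled/disabled), or "unknown" if the row is missing.
service_state() {
  local svc="$1" out
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'not attached to an Ubuntu Pro subscription'; then
    echo unattached
    return 0
  fi
  printf '%s\n' "$out" | awk -v s="$svc" \
    '$1 == s { print $3; found = 1 } END { if (!found) print "unknown" }'
}

# Constructed samples, copied from the tutorial's `pro status` output.
SAMPLE_ATTACHED='SERVICE          ENTITLED  STATUS       DESCRIPTION
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
usg              yes       disabled     Security compliance and audit tools'

SAMPLE_UNATTACHED='This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro'

# Given a profile and `pro status` text, print the next command to run
# (attach, enable usg, or audit) so a job never calls usg on an unready host.
next_step() {
  local profile="$1" status_text="$2" state
  valid_profile "$profile" || { echo "invalid-profile"; return 1; }
  state=$(printf '%s\n' "$status_text" | service_state usg)
  case "$state" in
    unattached) echo "run: sudo pro attach" ;;
    disabled)   echo "run: sudo pro enable usg && sudo apt install usg" ;;
    enabled)    echo "run: sudo usg audit $profile" ;;
    *)          echo "unknown"; return 1 ;;
  esac
}
```

On a real host, replace the sample text with `$(sudo pro status)` when calling next_step.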

For more complex operations you can proceed with the steps from Ubuntu’s Security certifications documentation to complete the hardening process.


6. Congratulations!

Congratulations, you have successfully used the Pro client to audit your Ubuntu image!