
CIS benchmark compliance: Introducing the Ubuntu Security Guide

The CIS benchmark has hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Every administrator of systems that must comply with that benchmark would wish for this process to be easy to use and automatable. Why? Manual configuration of such a large number of rules leads to mistakes, and those mistakes cause not only functional problems but also security breaches. In fact, according to Verizon's data breach investigations, misconfiguration has been one of the top causes of security breaches in the last few years.

Let us introduce the Ubuntu Security Guide (USG). The Ubuntu Security Guide is a new tool available on Ubuntu 20.04 LTS that makes automation easy and greatly improves the usability of hardening and auditing with CIS, while allowing for environment-specific customizations. In the rest of this blog, we go through the major use cases such as CIS compliance, audit, and customization.

Key benefits, or why should I care?

While observing how our existing CIS compliance tools were being used by auditors and administrators of Ubuntu systems, we identified several points that would improve their workflow. The following list summarizes the main pain points for audit and compliance workflows that are addressed by Ubuntu Security Guide.

With Ubuntu Security Guide

  • you can customize (tailor) the CIS profile; select the CIS rules to comply with.
  • you can select a specific version of the CIS benchmark, i.e., a tooling upgrade doesn’t need to break scheduled scans that target a specific benchmark version.
  • teams can standardize on a profile by storing it in a hard-wired location, preventing the case of different people accidentally scanning or complying with different profiles or versions.
  • the same experience applies whether scanning for the CIS benchmark, DISA-STIG and any other profiles made available in the future.
  • last but not least, you use a consistent interface across Ubuntu releases.

Let us now take a deep dive into using the Ubuntu Security Guide.

How to install the Ubuntu Security Guide

The Ubuntu Security Guide is available with a subscription. Once the subscription is attached to your Ubuntu system, install USG with the following commands:

$ sudo apt update
$ sudo apt install ubuntu-advantage-tools

$ sudo ua enable usg
$ sudo apt install usg

How to audit the system

At the time of this writing, the corresponding CIS benchmark for Ubuntu 20.04 LTS is the “CIS Ubuntu Linux 20.04 LTS Benchmark v1.0.0”. We will audit our system using USG and that benchmark with the following command.

$ sudo usg audit cis_level1_server

This will generate a report placed in /var/lib/usg with the results of the audit. The HTML report contains the list of rules that succeeded and failed, and looks like the following screenshot.

The compliance report output by the Ubuntu Security Guide.

What was the “cis_level1_server” command line option that we used? It indicates the USG profile name to use for the audit. These profiles correspond to the CIS profiles, with hardening tailored towards workstations vs. server systems; a higher level means more rules that further reduce the attack surface of a system, at the cost of reduced usability.

USG profile name         Corresponding CIS profile
cis_level1_workstation   Level 1 Workstation profile
cis_level1_server        Level 1 Server profile
cis_level2_workstation   Level 2 Workstation profile
cis_level2_server        Level 2 Server profile

How to modify the system for compliance

Modifying a system to comply with the CIS benchmark with USG is as simple as the following command.

$ sudo usg fix cis_level1_server

And that’s all. Performing an audit after a reboot will reveal that the compliance level has increased significantly!
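As an added example that is not part of the original post or of the usg tool itself, the Python script below summarises an OpenSCAP XCCDF results document of the kind usg audit writes under /var/lib/usg: it counts rule outcomes, lists the failing rules with their severity, and returns a non-zero exit code when a medium- or high-severity rule fails, which is what a scheduled scan needs in order to raise an alert. The results file name, the function names and the rule ids are assumptions; the embedded XML is a constructed sample, not real usg output.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample (not real usg output), shaped like the XCCDF TestResult OpenSCAP writes.
SAMPLE_RESULTS = """<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <xccdf:TestResult id="xccdf_example_testresult">
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium">
      <xccdf:result>pass</xccdf:result>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" severity="low">
      <xccdf:result>fail</xccdf:result>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_package_ufw_installed" severity="medium">
      <xccdf:result>fail</xccdf:result>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" severity="low">
      <xccdf:result>notapplicable</xccdf:result>
    </xccdf:rule-result>
  </xccdf:TestResult>
</xccdf:Benchmark>
"""

def summarize_results(results_xml: str) -> dict:
    """Count every rule outcome and collect failing rule ids with their severity."""
    root = ET.fromstring(results_xml)
    counts = Counter()
    failed = {}  # rule id -> severity
    for rr in root.iter(XCCDF_NS + "rule-result"):
        outcome = rr.findtext(XCCDF_NS + "result", default="unknown")
        counts[outcome] += 1
        if outcome in ("fail", "error", "unknown"):
            failed[rr.get("idref")] = rr.get("severity", "unknown")
    scored = counts["pass"] + counts["fail"]  # notapplicable/notselected rules are not scored
    pct = round(100.0 * counts["pass"] / scored, 1) if scored else 0.0
    return {"counts": dict(counts), "failed": failed, "pass_percent": pct}

def exit_code(summary: dict, fail_on=("high", "medium")) -> int:
    """Non-zero when a failing rule has one of the given severities (for cron or CI alerting)."""
    return 1 if any(sev in fail_on for sev in summary["failed"].values()) else 0

if __name__ == "__main__":  # usage: summarize_usg.py /var/lib/usg/<results file>.xml (assumed path)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    summary = summarize_results(xml_text)
    print(f"{summary['pass_percent']}% of scored rules pass; failing rules: {summary['failed']}")
    sys.exit(exit_code(summary))
```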

How to create a custom profile based on CIS

Compliance with a benchmark is not an all-or-nothing task. Each environment is different, and options that are considered niche in one place can be essential in another. As such, USG allows tailoring the profile and removing unnecessary rules, as well as customising the rules that have multiple options available.

You can customise a profile using a tailoring file, as demonstrated below. 

1. Generate a tailoring file:

$ sudo usg generate-tailoring stig ./tailor.xml

2. Edit the tailoring file and go through the rules shown as comments. For example, to set the remote auditd server (rule UBTU-20-010216), find the text:


By replacing the “selected=true” with “selected=false”, we no longer enforce the disablement of the jffs2 filesystem.

3. Audit using the new tailoring file:

$ sudo usg audit

4. Fix the system using the new tailoring file:

$ sudo usg fix
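As an added example that is not from the post or the usg project, this Python helper performs step 2 without hand-editing: it flips the selected attribute of one rule in an XCCDF tailoring file and refuses rule ids that are not in the profile, so a team can keep the tailoring file under version control and apply changes repeatably. The tailoring XML embedded below is a constructed sample, and the rule ids and function names are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)  # keep the xccdf: prefix when writing the file back
SELECT = "{%s}select" % XCCDF_NS

# Constructed sample (not a file generated by usg), shaped like an XCCDF 1.2 tailoring document.
SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring">
  <xccdf:Profile id="xccdf_example_profile_cis_level1_server_custom"
                 extends="xccdf_org.ssgproject.content_profile_cis_level1_server">
    <xccdf:title>CIS Level 1 Server, tailored for our environment</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def selected_rules(tailoring_xml: str) -> dict:
    """Map each rule id in the tailoring profile to whether it is selected."""
    root = ET.fromstring(tailoring_xml)
    return {s.get("idref"): s.get("selected") == "true" for s in root.iter(SELECT)}

def set_rule_selection(tailoring_xml: str, rule_id: str, selected: bool) -> str:
    """Return the tailoring document with one rule's selected flag set.

    A rule id that is not in the profile raises KeyError, so a typo fails loudly
    instead of silently leaving the rule enforced (or silently dropping it).
    """
    root = ET.fromstring(tailoring_xml)
    hits = [s for s in root.iter(SELECT) if s.get("idref") == rule_id]
    if not hits:
        raise KeyError(rule_id)
    for sel in hits:
        sel.set("selected", "true" if selected else "false")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":  # usage: tailor_rule.py tailor.xml <rule id> true|false
    path, rule_id, flag = sys.argv[1:4]
    with open(path) as f:
        updated = set_rule_selection(f.read(), rule_id, flag == "true")
    with open(path, "w") as f:
        f.write(updated)
```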

Conclusions

Manually complying with security profiles is a tedious and complex task that is easy to get wrong. The Ubuntu Security Guide (USG) brings simplicity and integrates the experience of several teams working on compliance. It enables auditing, fixing, and customising a system with minimal command line options, and provides a system-wide configuration for compliance that is easy to manage by the diverse members of a devops team. The usg tool is available on Ubuntu 20.04 with Ubuntu Advantage or Ubuntu Pro. There are many ways to achieve compliance with the CIS benchmark, some easier than others. The Ubuntu Security Guide is Ubuntu’s way of achieving compliance by providing a familiar, Linux-native interface, and it is based on the OpenSCAP technology. We welcome you to consider giving it a try! More detailed documentation is available at our documentation pages.

Ubuntu Server Admin
