Automating Ubuntu Server Hardening to CIS Benchmarks Standards with USG

Ubuntu tutorial - IT technology blog

The Nightmare of “Manual Hardening” at Midnight

Imagine this scenario: 2 AM, you receive an urgent email from the Security Audit department. They require 20 current server clusters to comply with CIS Benchmarks Level 1 immediately. If you follow the traditional method, you have to download a PDF over 300 pages long and read every line. Then, you’ll struggle to fix dozens of configuration files from /etc/sysctl.conf to sshd_config.

I once spent an entire day manually configuring five Ubuntu 22.04 VPS instances. This process is not only time-consuming but also extremely error-prone. Just one mistyped SSH parameter, and you’ll lock yourself out of the system. That’s when Ubuntu Security Guide (USG) appears as a lifesaver, wrapping a complex security process into a few command lines.

What is Ubuntu Security Guide (USG)?

Previously, Ubuntu users were familiar with the compliance-itg tool. However, starting from version 20.04 LTS, Canonical replaced it with USG. This is an official tool included in the Ubuntu Pro package. It is designed to audit and automatically remediate systems according to strict standards like CIS or DISA STIG.

The biggest difference is that USG does more than list findings: it can apply the secure configuration without taking down critical services, provided you choose the right profile.

Prerequisites

To use USG, your server must have Ubuntu Pro activated. The good news is that Canonical allows individuals to use it for free on up to 5 machines. If you are an official community contributor, this number goes up to 50.

First, check the Ubuntu Pro status on your machine:

pro status

If the system reports it’s not activated, get a token from the Ubuntu homepage and run:

sudo pro attach [YOUR_TOKEN]

Once the machine is ready, installing USG takes only about 30 seconds:

sudo apt update && sudo apt install usg -y

Hands-on: Auditing and Hardening Like a Pro

1. Assessing Current Status (Audit)

Never fix a system without knowing what’s broken. I always run an audit command first to get a status report. For Ubuntu 22.04, the most common profile is cis_level1_server.

sudo usg audit cis_level1_server --html-file report.html

Download the report.html file to your machine via SCP. When opened in a browser, you’ll see a “glowing red” list of failed items. Don’t worry too much; a default Ubuntu installation usually only scores about 30-40% on CIS security benchmarks.

2. Automatic Remediation

This is where USG shows its power. Instead of fixing each file, the following command will automatically reconfigure the entire system according to the standard:

sudo usg fix cis_level1_server

Important Note: Never run this command directly on a Production server. Test it in a Staging environment first. USG will tighten rules such as: disabling legacy protocols (DCCP, SCTP), configuring detailed auditd logging, and tightening the permissions on the /etc/shadow file.

3. Verifying Results

After the fix process is complete, run the audit command again. Now, most items should turn green (Pass). The feeling of seeing a clean, error-free report is truly satisfying.

Customizing Profiles (Tailoring) to Avoid Backfiring

Sometimes CIS standards are too strict for practical needs. For example, CIS requires disabling PasswordAuthentication, but your team still needs passwords for SSH. If applied blindly, you’ll be kicked out of the server immediately.

To solve this, create a custom file (Tailoring file):

sudo usg generate-tailoring cis_level1_server my_custom_policy.xml

You can edit this XML file to deselect the conflicting rules. This is the best way to balance security and convenience for the development team.
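The following is an added example, not code from the original post, showing how to deselect one rule in a tailoring file before handing it to USG. The rule ids and the miniature XML are constructed stand-ins; a real file generated by usg generate-tailoring lists every rule of the profile with its real id.

```shell
#!/usr/bin/env bash
# Added example: flip one rule to selected="false" in a USG tailoring file.
# The XML and rule ids below are constructed for illustration only; copy
# real ids from the file that `usg generate-tailoring` writes for you.
set -eu

# Constructed miniature of a generated tailoring file.
SAMPLE_TAILORING='<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="example_tailoring">
  <xccdf:Profile id="cis_level1_server_customized" extends="cis_level1_server">
    <xccdf:select idref="example_rule_sshd_password_auth" selected="true"/>
    <xccdf:select idref="example_rule_sshd_root_login" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>'

# write_sample_tailoring FILE: write the constructed sample to FILE.
write_sample_tailoring() { printf '%s\n' "$SAMPLE_TAILORING" > "$1"; }

# disable_rule FILE RULE_ID: set selected="false" on exactly the <select>
# whose idref is RULE_ID. Fails loudly when the id is absent, so a typo
# cannot silently leave the rule enabled (and you locked out after `fix`).
disable_rule() {
    file=$1; rule=$2
    grep -q "idref=\"$rule\" selected=\"true\"" "$file" || {
        echo "rule $rule not found or already disabled in $file" >&2
        return 1
    }
    sed -i "s|idref=\"$rule\" selected=\"true\"|idref=\"$rule\" selected=\"false\"|" "$file"
}

# count_selected FILE STATE: how many rules carry selected="STATE".
count_selected() { grep -c "selected=\"$2\"" "$1" || true; }
```

Once edited, pass the file to USG with --tailoring-file on both the audit and the fix run so the deselected rule is skipped consistently.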

Real-world Experience: Hard-earned Lessons

I once almost lost access to a VPN server because USG automatically reconfigured iptables. To avoid repeating that mistake, remember these 3 golden rules:

  • Always keep two SSH sessions open: One to execute commands, one as a backup in case you get disconnected.
  • Check syntax: After fixing, use sshd -t to check the SSH configuration file before restarting the service.
  • Check Logs: Closely monitor /var/log/syslog so you detect early any services crashing due to missing permissions.

Conclusion

USG is not just a tool; it’s a solution that helps you sleep better. Instead of spending weeks digging through documentation, you only need 15 minutes to bring your server up to international security standards. Whether managing 1 or 100 machines, prioritize automating the hardening process. Don’t wait for an incident to happen before worrying about security. Try installing USG in your Lab environment today!
