USG - Ubuntu Security Guide (usg) - DISA-STIG compliance -
# USG - Ubuntu Security Guide (usg)
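# Install the OpenSCAP library and confirm the oscap CLI is on the PATH.
sudo apt-get install libopenscap8
oscap -v
oscap -V   # -V prints the installed oscap version

# Attach the machine to the Ubuntu Advantage subscription and enable usg.
sudo apt install ubuntu-advantage-tools
# The page shows the token redacted as "|||||", which is not valid shell.
# UA_TOKEN is a placeholder: set it from a protected source instead of typing
# the token inline, so it does not land in shell history. It is still visible
# in the process list while the command runs.
sudo ua attach "${UA_TOKEN:?set UA_TOKEN to your subscription token}"
sudo ua enable usg
sudo apt install usg -y

# Baseline audit against the stock CIS Level 1 Server profile. usg writes its
# report under /var/lib/usg/; the console output is kept in a dated text file
# (page note: "result.sh ./result_XXXXX.txt" can show it). The output lists
# failed controls, so keep it out of world-readable locations.
sudo usg audit cis_level1_server > "result_usg_$(date +"%y%m%d").txt"

# Generate a tailoring file for customization. The name is quoted everywhere
# so the commands still work if the working directory contains spaces.
TAILOR_FILENAME="tailor_cis_level1_server$(date +"%y%m%d").xml"
sudo usg generate-tailoring cis_level1_server "$TAILOR_FILENAME"

# Turn every rule off first.
# NOTE(review): the file was created by a root process; if sed reports
# "permission denied", run the sed commands with sudo.
sed -i 's/selected="true"/selected="false"/g' "$TAILOR_FILENAME"

# Turn on only the rules we need. Each name is an unanchored match on the rule
# id, so "sshd_set_keepaliv" (as written on the page) selects every rule whose
# id starts with that prefix.
for rule in \
  sshd_set_keepaliv \
  sshd_set_idle_timeout \
  sshd_disable_rhosts \
  sshd_disable_root_login \
  sshd_set_login_grace_time \
  sshd_set_max_auth_tries \
  sshd_set_maxstartups \
  sshd_use_strong_ciphers \
  sshd_use_strong_kex \
  sshd_use_strong_macs \
  file_permissions_sshd_config
do
  sed -i "/xccdf_org\.ssgproject\.content_rule_${rule}/s/selected=\"false\"/selected=\"true\"/g" \
    "$TAILOR_FILENAME"
done

# Audit with the tailored profile. Run with sudo like the baseline audit above.
# Scope caveat: this evaluates only the SSH rules selected above, so a clean
# result says nothing about the rest of the CIS Level 1 profile.
sudo usg audit --tailoring-file "$TAILOR_FILENAME"

# Write the remediation script for the tailored profile. Read ./fix.sh before
# running it: it changes sshd settings as root and can lock out remote access
# (for example by disabling root login) if applied blindly.
sudo usg generate-fix --output ./fix.sh --tailoring-file "$TAILOR_FILENAME"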
Security Technical Implementation Guide
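# Install the OpenSCAP library and confirm the oscap CLI is on the PATH.
sudo apt-get install libopenscap8
oscap -v
oscap -V   # -V prints the installed oscap version

# CIS Level 1 Server evaluation. $1 is the HTML report path; it is quoted and
# required, because an empty unquoted $1 would make --report consume the
# datastream path as its output file name while running as root.
# NOTE(review): this line uses the ubuntu2004 datastream while the commands
# below use ubuntu2204; the datastream should match the release of the host
# being scanned. Confirm which one is intended.
# arf.xml and the report describe the host's failed controls in detail, so
# store them with restrictive permissions.
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results-arf arf.xml \
  --report "${1:?usage: pass the HTML report path as the first argument}" \
  /usr/share/ubuntu-scap-security-guides/1/benchmarks/ssg-ubuntu2004-ds.xml

# Inspect the 22.04 datastream (profiles and other metadata it contains).
oscap info /usr/share/ubuntu-scap-security-guides/1/benchmarks/ssg-ubuntu2204-ds-1.2.xml

# DISA-STIG evaluation with an HTML report.
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --report report.html \
  /usr/share/ubuntu-scap-security-guides/1/benchmarks/ssg-ubuntu2204-ds-1.2.xml

# Generate a bash remediation script for the STIG profile. Review it before
# running it as root: STIG remediations change authentication, audit and
# service settings across the whole system.
oscap xccdf generate fix \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --fix-type bash \
  /usr/share/ubuntu-scap-security-guides/1/benchmarks/ssg-ubuntu2204-ds-1.2.xml \
  > fix_sig.sh

# Search the script written above. The page greps "./fx_sig.sh", which does not
# match the file name used on the previous command.
# Presumably this lists the per-rule progress lines in the generated script;
# verify against its contents.
grep '2 echo "' ./fix_sig.sh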