In today’s threat landscape, security compliance isn’t optional—it’s essential. Whether you’re running a single server or managing an enterprise infrastructure, knowing your security posture is the first step toward protecting your systems. Two powerful tools stand out for Ubuntu server hardening:
OpenSCAP for vulnerability scanning and compliance checking, and the Ubuntu Security Guide (USG) for automated CIS benchmark implementation.
This guide will walk you through both tools, helping you understand when to use each and how to implement them effectively.
Part 1: OpenSCAP – Vulnerability Scanning and Compliance Checking
What is OpenSCAP?
OpenSCAP is an open-source security auditing tool based on the Security Content Automation Protocol (SCAP). It helps system administrators:
- Scan systems for known vulnerabilities (CVEs)
- Check configuration compliance against security benchmarks
- Generate detailed HTML reports for documentation and auditing
- Identify missing security patches
SCAP is a NIST-standard protocol that combines multiple security specifications:
| Component | Purpose |
|---|---|
| OVAL | Open Vulnerability and Assessment Language – defines how to check system state |
| XCCDF | Extensible Configuration Checklist Description Format – defines security checklists |
| CPE | Common Platform Enumeration – identifies operating systems and applications |
| CVE | Common Vulnerabilities and Exposures – tracks known vulnerabilities |
Installing OpenSCAP on Ubuntu 22.04
```bash
# Update your package repository
sudo apt update
# Install OpenSCAP and required utilities
sudo apt install libopenscap8 bzip2 -y
```
The libopenscap8 package contains the core scanning engine, while bzip2 is needed to decompress the OVAL data files.
Downloading Ubuntu OVAL Data
Canonical provides official OVAL data that contains vulnerability definitions for all supported Ubuntu releases:
```bash
# Download OVAL data for your current Ubuntu release
wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
# Decompress the file
bzip2 -d com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
```
For Ubuntu 22.04 (Jammy), this creates a file named com.ubuntu.jammy.usn.oval.xml containing all Ubuntu Security Notice (USN) definitions.
Running Your First Vulnerability Scan
```bash
# Scan your system and generate an HTML report
oscap oval eval --report oval-report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml
```
The scan evaluates each OVAL definition and returns:
- true – The system is vulnerable or meets the condition
- false – The system is not vulnerable
Understanding the Scan Results
After completion, you’ll have an HTML report file that you can view in any web browser:
```bash
# List the generated report
ls -lh oval-report.html
```
Open this file in your browser to see:
- Green – Patched/secure configurations
- Orange/Red – Vulnerabilities requiring attention
- Details – Specific CVEs and remediation steps
Advanced OpenSCAP Usage:
Scanning with SCAP Security Guide Profiles
For comprehensive compliance checking beyond basic vulnerability scanning, use the SCAP Security Guide content:
```bash
# Install SCAP Security Guide content
sudo apt install ssg-base ssg-debderived ssg-ubuntu -y
# List available profiles
ls -la /usr/share/xml/scap/ssg/content/
```
Running a CIS Benchmark Scan
```bash
# Run a CIS Level 1 Server profile scan
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results results.xml \
  --report cis-report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
```
This generates a comprehensive HTML report showing:
- Overall compliance score
- Pass/fail status for hundreds of security rules
- Detailed remediation instructions
- References to CIS benchmark requirements
Understanding OpenSCAP Architecture
OpenSCAP operates in four layers:
- Content Layer (XCCDF) – Benchmarks, profiles, groups, and rules
- Logic Layer (OVAL) – Objects to examine, expected states, comparison logic
- Execution Layer (Probes) – System interrogators that gather actual state
- Results Layer – Pass, fail, error, or not applicable with evidence
Automating OpenSCAP Scans
Create a weekly scan script:
```bash
sudo nano /usr/local/bin/weekly-openscap-scan.sh
```

```bash
#!/bin/bash
# Weekly OpenSCAP compliance scan
DATE=$(date +%Y-%m-%d)
REPORT_DIR="/var/log/compliance/openscap"
OVAL_FILE="com.ubuntu.$(lsb_release -cs).usn.oval.xml"

# Create the report directory and work inside it: cron starts the script in an
# arbitrary working directory, so the OVAL file must not be a relative path
mkdir -p "$REPORT_DIR"
cd "$REPORT_DIR" || exit 1

# Refresh the OVAL data so the vulnerability scan uses current USN definitions
wget -q -O "$OVAL_FILE.bz2" "https://security-metadata.canonical.com/oval/$OVAL_FILE.bz2"
bzip2 -d -f "$OVAL_FILE.bz2"

# Run CIS Level 1 scan (oscap exits 2 when any rule fails, so do not use set -e)
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  --results "$REPORT_DIR/results-$DATE.xml" \
  --report "$REPORT_DIR/report-$DATE.html" \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

# Run vulnerability scan
oscap oval eval \
  --report "$REPORT_DIR/oval-report-$DATE.html" \
  "$OVAL_FILE"
```
Make it executable and schedule it:
```bash
sudo chmod +x /usr/local/bin/weekly-openscap-scan.sh
sudo crontab -e
# Add this line (runs every Sunday at 3 AM):
# 0 3 * * 0 /usr/local/bin/weekly-openscap-scan.sh
```
Part 2: Ubuntu Security Guide (USG) – Automated CIS Benchmark Hardening
What is Ubuntu Security Guide?
Ubuntu Security Guide (USG) is Canonical’s official tool for automated security hardening and auditing. Unlike OpenSCAP, which primarily scans and reports, USG can actively remediate non-compliant configurations to meet CIS benchmarks.
Key Features:
- Automated hardening against CIS Level 1 and Level 2 profiles
- Audit-only mode to check compliance without making changes
- Tailoring files for environment-specific customizations
- HTML and XML reports for documentation
- Integration with Ubuntu Pro for extended support
Prerequisites: Ubuntu Pro
USG requires an Ubuntu Pro subscription, which is free for personal use on up to 5 machines.
Step 1: Register for Ubuntu Pro
- Visit https://ubuntu.com/pro
- Create or sign in with your Ubuntu One account
- Generate your free personal token
Step 2: Install the Ubuntu Pro Client
```bash
# Update package list
sudo apt update
# Install the pro client
sudo apt install ubuntu-pro-client -y
# Verify installation
pro --version
```
Step 3: Attach Your Ubuntu Pro Token
```bash
# Attach using your token
sudo pro attach YOUR_TOKEN_HERE
# Verify attachment
sudo pro status
```
You should see output showing enabled services like esm-apps and esm-infra, with usg available but disabled.
Enabling and Installing USG
```bash
# Enable the USG service
sudo pro enable usg
# Install the USG package
sudo apt install usg -y
# Verify installation
usg --help
```
The pro enable usg command activates the service in your subscription, while apt install usg installs the actual tool.
Available USG Profiles
USG supports multiple compliance profiles:
| Profile | Target | Description |
|---|---|---|
| cis_level1_server | Servers | Basic security requirements (recommended for most servers) |
| cis_level2_server | Servers | Enhanced security for high-security environments |
| cis_level1_workstation | Workstations | Basic workstation hardening |
| cis_level2_workstation | Workstations | Enhanced workstation security |
| disa_stig | US DoD | Defense Information Systems Agency standards |
Auditing Your System with USG
Run an Audit (No Changes)
```bash
# Audit against CIS Level 1 Server profile
sudo usg audit cis_level1_server
```
The audit process:
- Evaluates hundreds of security rules
- Shows pass/fail results for each rule in real-time
- Takes 5-15 minutes depending on system size
- Saves reports to /var/lib/usg/
Understanding Audit Results
After completion, USG displays:
- Path to the HTML report (/var/lib/usg/usg-report.html)
- Path to the XML results (/var/lib/usg/usg-results.xml)
- Summary of passed and failed rules
Viewing the HTML Report
Since Ubuntu Server is CLI-based, copy the report to your local machine:
```bash
# Copy report to home directory for easy access
sudo cp /var/lib/usg/usg-report.html ~/
# From your local machine, use SCP to download it
scp user@your-server:~/usg-report.html .
```
Creating a Tailoring File
For custom configurations, create a tailoring file to adjust specific rules:
```bash
# Generate a tailoring file template
sudo usg generate-tailoring cis_level1_server hardening.xml
```
Edit the tailoring file to:
- Disable rules that don’t apply to your environment
- Adjust expected values for specific settings
- Add custom requirements
Applying Hardening (Fixing Issues)
⚠️ WARNING: Apply hardening only on test systems first, never on production without thorough testing.
```bash
# Apply CIS Level 1 hardening
sudo usg fix cis_level1_server
```
The fix command will:
- Run an audit to identify non-compliant settings
- Automatically apply remediation scripts
- Generate reports showing what was changed
- Take significantly longer than audits (up to 90+ minutes on larger systems)
Using a Tailoring File with Fix
```bash
sudo usg fix --tailoring-file hardening.xml cis_level1_server
```
What USG Hardening Actually Does
The CIS Level 1 profile includes hundreds of security configurations:
Filesystem Partitioning
- Ensures /home, /tmp, /var, /var/log, and /var/log/audit are on separate partitions
- Prevents users from filling system-critical partitions
System Accounting (auditd)
- Configures comprehensive system auditing
- Tracks login attempts, account modifications, and authentication events
- Ensures audit logs are properly protected
SSH Hardening
- Disables root login
- Enforces strong ciphers and MACs
- Sets appropriate timeouts
Authentication Settings
- Password complexity requirements
- Account lockout policies
- PAM configuration hardening
Dealing with Long-Running Operations
Some remediation steps, particularly aide --init (filesystem integrity checking), can take hours:
```
Remediating rule 3/393: 'xccdf_org.ssgproject.content_rule_aide_build_database'
Running aide --init...
```

This is normal—AIDE is building its baseline database, which records a hash and the attributes of every file on your system. On a 1 vCPU, 2GB RAM server with 32GB storage, this can take 90+ minutes. Open another SSH session to monitor progress:
```bash
# Check if aide is still running
ps aux | grep aide
```
Post-Hardening Verification
After applying fixes, run another audit to verify compliance:
```bash
sudo usg audit cis_level1_server
```
Compare the new report with your pre-hardening report to see improvements.
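Both the weekly cron job above and this pre/post comparison produce XCCDF results files (`--results results-DATE.xml` from oscap, or /var/lib/usg/usg-results.xml from USG). The following script is an added example, not part of OpenSCAP or USG: it parses such a file, scores it, and diffs two runs so a rule that flips from pass to fail (configuration drift, or a regression after hardening) is surfaced explicitly. The embedded results documents are constructed samples whose rule ids are shaped like SSG ones.

```python
# Parse XCCDF result files written by "oscap xccdf eval --results ..." or by
# "usg audit" (/var/lib/usg/usg-results.xml), score them, and diff two runs.
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # namespace of XCCDF 1.2 results


def rule_results(xml_text):
    """Map each rule id (idref) in the TestResult to its outcome string."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(XCCDF + "rule-result"):
        res = rr.find(XCCDF + "result")
        if res is not None and res.text:
            results[rr.get("idref")] = res.text.strip()
    return results


def summarise(results):
    """Count outcomes and compute a pass percentage over pass/fail rules only
    (notselected, notapplicable and notchecked rules are left out of the score)."""
    counts = {}
    for outcome in results.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    scored = counts.get("pass", 0) + counts.get("fail", 0)
    score = round(100.0 * counts.get("pass", 0) / scored, 1) if scored else 0.0
    return counts, score


def drift(baseline, current):
    """Rules whose outcome changed between two runs: {rule: (before, after)}."""
    return {rule: (before, current[rule]) for rule, before in baseline.items()
            if rule in current and current[rule] != before}


def regressions(changes):
    """Subset of drift() where a rule that passed now fails: the drift to alert on."""
    return sorted(r for r, (before, after) in changes.items()
                  if before == "pass" and after == "fail")


def _sample(outcomes):  # constructed TestResult; rule ids shaped like SSG ones
    rows = "".join(f'<rule-result idref="xccdf_org.ssgproject.content_rule_{r}">'
                   f"<result>{o}</result></rule-result>" for r, o in outcomes)
    return ('<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
            f'<TestResult id="xccdf_org.open-scap_testresult_sample">{rows}'
            "</TestResult></Benchmark>")


PRE_HARDENING = _sample([("aide_build_database", "fail"), ("sshd_disable_root_login", "fail"),
                         ("partition_for_tmp", "pass"), ("package_telnet_removed", "notselected")])
POST_HARDENING = _sample([("aide_build_database", "pass"), ("sshd_disable_root_login", "pass"),
                          ("partition_for_tmp", "fail"), ("package_telnet_removed", "notselected")])

if __name__ == "__main__":
    before, after = rule_results(PRE_HARDENING), rule_results(POST_HARDENING)
    print("before:", summarise(before), "after:", summarise(after))
    print("regressions:", regressions(drift(before, after)))
```

To use it on real output, read two results files with `open(path).read()` in place of the constructed samples; a non-empty `regressions()` list is the condition to alert on in the weekly job.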
Troubleshooting Common USG Issues
Issue: “Command not found” after enabling USG
```bash
# USG service enabled but package not installed
sudo apt install usg -y
```
Issue: AIDE initialization hangs forever
```bash
# Check if it's actually running
ps aux | grep aide
# Wait—it can take hours on large filesystems
```
Issue: Applications break after hardening
```bash
# Some applications require specific configurations
# Use tailoring files to exclude problematic rules
sudo usg generate-tailoring cis_level1_server custom.xml
# Edit custom.xml to disable conflicting rules
sudo usg fix --tailoring-file custom.xml cis_level1_server
```
Issue: Can’t install usg on Ubuntu 24.04
```bash
# Ensure universe repository is enabled
sudo add-apt-repository universe
sudo apt update
sudo apt install usg -y
```
Best Practices Summary
| Practice | Recommendation |
|---|---|
| Test first | Always run USG on non-production systems first |
| Audit before fix | Understand what will change before applying fixes |
| Use tailoring files | Customize profiles for your specific environment |
| Document changes | Keep records of which profiles and tailoring files you applied |
| Regular audits | Run weekly audits to detect configuration drift |
| Version control | Store tailoring files in Git for change tracking |
OpenSCAP vs USG: When to Use Which
| Scenario | Recommended Tool |
|---|---|
| Quick vulnerability scan | OpenSCAP OVAL scan |
| Comprehensive compliance check | OpenSCAP with SSG profiles |
| CIS certification required | USG (official Ubuntu tool) |
| Automated remediation | USG fix |
| Custom compliance requirements | Both—OpenSCAP for scanning, USG with tailoring for hardening |
| Non-Ubuntu systems | OpenSCAP only |
| Production systems without testing | OpenSCAP audit only (never USG fix without testing) |
Conclusion
Both OpenSCAP and Ubuntu Security Guide are essential tools for maintaining secure Ubuntu servers:
- OpenSCAP provides flexible, comprehensive scanning against multiple benchmarks and is ideal for ongoing monitoring and vulnerability assessment.
- USG offers automated remediation against CIS benchmarks, making it invaluable for quickly hardening systems to industry standards, especially when certification is required.
For maximum security, use both tools together:
- Scan with OpenSCAP to identify vulnerabilities
- Audit with USG to check CIS compliance
- Apply USG fixes (after testing)
- Schedule regular scans with both tools
Remember: Security is a journey, not a destination. Regular scanning and continuous improvement are key to maintaining a rock-solid security posture.