USG not available for 24.04

Bug #2064663 reported by dc test
This bug affects 1 person
Affects: Ubuntu Security Guide
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have installed an LTS version of Ubuntu 24.04. I wanted to run a hardening script to be CIS-compliant; however, when I followed the guide, I only received:

sudo ua enable usg
[sudo] password for xxxxxxx:
One moment, checking your subscription first
Ubuntu Security Guide is not available for Ubuntu 24.04 LTS (Noble Numbat).

So, how is it possible that the current LTS cannot be CIS-compliant using the built-in tools? I have checked the GitHub of USG but there is not even a development branch for 24.04.

What would really help: scripts for the usg tool for the previous LTS could be available as a simple script able to run anywhere, as an option for customization, because it's better to try partial compliance than to be left on your own.

dc test (dctestlapek2) wrote :

Of course, one can use some Debian hardening scripts and try their luck, but Ubuntu should really pay attention to such details if it wants to be a major distro for production usage. Unless the LTS is only for marketing and it's really not as stable and mature as it claims to be.
I have been using Ubuntu since Hardy Heron pretty much everywhere in my private life, but this is the first time I have had issues with a production environment. My only two options are:
a) run some Debian script carefully to achieve some compliance
b) downgrade Ubuntu to 22.04 because 24.04 is not ready yet.

Miha Purg (mihap) wrote :

Hi dc test, thank you for raising this issue.

We are currently unable to offer tooling for CIS compliance on Ubuntu 24.04 LTS,
because the CIS benchmark for Ubuntu 24.04 has not yet been published by CIS.

The Center for Internet Security (CIS) usually publishes a new benchmark
several months after we have released an LTS version of Ubuntu.

Previous publication dates:
- CIS Ubuntu Linux 18.04 LTS Benchmark v1.0.0: Aug 13th 2018
- CIS Ubuntu Linux 20.04 LTS Benchmark v1.0.0: Jul 21st 2020
- CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0: Aug 15th 2022

Kind regards,
Miha

Changed in usg:
status: New → Invalid
dc test (dctestlapek2) wrote :

Acknowledged. So, my suggestion would be: implement previous CIS recommendations as 'beta' until official release + implementation are possible. That way I could achieve partial compliance (probably pretty close to full compliance) despite no official recommendations. I know that 'compliance' is more a 'red tape' term, so without an official CIS benchmark for the current LTS it would only be wishful thinking; however, running your tool implementing 'beta' recommendations would definitely help with hardening until there is an official release.
Adding such a 'beta' would require "only" (easy to write, I know):
- supporting 24.04 through an extra command-line switch
- testing 22.04 recommendations against 24.04 and ensuring they are not breaking things.

The latter, however, would probably be required to a great extent anyway, as I doubt that recommendations differ that much between LTS releases.

Also, to sum up:
It is therefore a feature request, not a bug, as you are not able to provide such compliance now, and 'beta'/'semi-compliance' is only a feature not allowing for actual compliance but helping people harden their new OS.
