USG (Ubuntu Security Guide) Deep Dive

Platform: Ubuntu only | Binary: usg | Type: Canonical's CIS benchmark tool

Overview

Ubuntu Security Guide (USG) is Canonical's official tool for CIS benchmark compliance on Ubuntu systems. It is tightly integrated with Ubuntu Pro.

Requirements

  • Ubuntu distribution only (not Debian, Kali, etc.)
  • Ubuntu Pro subscription (free for personal use, up to 5 machines)
  • ubuntu-advantage-tools package

How CISentinel Uses USG

1. Installation

sudo apt install -y ubuntu-advantage-tools
sudo pro enable usg

Note: CISentinel installs the package but cannot enable Pro — that requires a subscription token.

2. Scan Execution

sudo usg audit

3. Status Handling

CISentinel has special handling for USG:

# USG package can be present without entitlement-enabled binary
if tool_name == "usg":
    if self.check_tool_status("usg"):
        return True
    logger.warning("USG package installed but 'usg' command unavailable.")
    return True  # Don't fail — package is installed, just missing Pro

Distro Restriction

USG is restricted to Ubuntu only:

"usg": {
    "supported_distros": ["ubuntu"],
    ...
}

CISentinel automatically skips USG on non-Ubuntu distributions.

Output

USG produces compliance results showing:

  • CIS Level 1 and Level 2 benchmark results
  • Pass/fail for each rule
  • Remediation commands

Common Issues

| Issue | Cause | Solution |
|---|---|---|
| usg command not found | Pro not enabled | Run sudo pro attach <token> then sudo pro enable usg |
| Package installed but non-functional | Missing entitlement | Free Pro token from ubuntu.com/pro |
| Skipped on non-Ubuntu | By design | Use OpenSCAP or Lynis instead |
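
A preflight check that separates the states described on this page (non-Ubuntu host, package missing, package installed without the Pro entitlement, ready to audit), so a host where usg cannot run is not mistaken for one that was audited. This is an added example, not CISentinel's or Canonical's code; the function names, state labels and the dpkg-query probe are assumptions.

```python
import shutil
import subprocess

PACKAGE = "ubuntu-advantage-tools"  # package named on this page


def parse_os_release_id(text):
    """Return the ID= value of os-release content, unquoted and lowercased."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ID="):  # does not match ID_LIKE=
            return line[3:].strip().strip("\"'").lower()
    return ""


def package_installed(name=PACKAGE):
    """True if dpkg reports the package as fully installed."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Status}", name],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:  # host has no dpkg at all
        return False
    return out.returncode == 0 and "install ok installed" in out.stdout


def usg_readiness(os_release_text, pkg_installed, usg_path):
    """Classify a host as (state, next action); state labels are hypothetical."""
    if parse_os_release_id(os_release_text) != "ubuntu":
        return ("skipped", "Use OpenSCAP or Lynis instead")
    if not pkg_installed:
        return ("package-missing", "sudo apt install -y " + PACKAGE)
    if usg_path is None:  # package present, entitlement-enabled binary absent
        return ("no-entitlement",
                "sudo pro attach <token> then sudo pro enable usg")
    return ("ready", "sudo usg audit")


def probe_host(os_release_path="/etc/os-release"):
    """Run the classification against the local machine."""
    try:
        with open(os_release_path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = ""
    return usg_readiness(text, package_installed(), shutil.which("usg"))


if __name__ == "__main__":
    print(probe_host())
```

A derivative such as Linux Mint carries ID_LIKE="ubuntu debian" but a different ID, so it is classified as skipped, matching the Ubuntu-only requirement.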