Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-OS-000206-GPOS-00084
Group -
SRG-OS-000206-GPOS-00084
Group -
Ubuntu 22.04 LTS must be configured so that the "journalctl" command is group-owned by "root".
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or pla...
Rule Medium Severity -
SRG-OS-000256-GPOS-00097
Group -
SRG-OS-000206-GPOS-00084
Group -
SRG-OS-000206-GPOS-00084
Group -
SRG-OS-000206-GPOS-00084
Group -
SRG-OS-000206-GPOS-00084
Group -
Ubuntu 22.04 LTS must configure the "/var/log/syslog" file to be group-owned by "adm".
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or pla...
Rule Medium Severity -
SRG-OS-000205-GPOS-00083
Group -
SRG-OS-000138-GPOS-00069
Group -
SRG-OS-000297-GPOS-00115
Group -
SRG-OS-000297-GPOS-00115
Group -
SRG-OS-000480-GPOS-00232
Group -
SRG-OS-000420-GPOS-00186
Group -
SRG-OS-000096-GPOS-00050
Group -
SRG-OS-000355-GPOS-00143
Group -
SRG-OS-000356-GPOS-00144
Group -
Ubuntu 22.04 LTS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
Rule Low Severity -
SRG-OS-000359-GPOS-00146
Group -
SRG-OS-000142-GPOS-00071
Group -
Ubuntu 22.04 LTS must be configured to use TCP syncookies.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managin...
Rule Medium Severity -
SRG-OS-000423-GPOS-00187
Group -
SRG-OS-000423-GPOS-00187
Group -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000480-GPOS-00229
Group -
Ubuntu 22.04 LTS must not allow unattended or automatic login via SSH.
Failure to restrict system access to authenticated users negatively impacts Ubuntu 22.04 LTS security.
Rule High Severity -
SRG-OS-000126-GPOS-00066
Group -
SRG-OS-000163-GPOS-00072
Group -
Ubuntu 22.04 LTS must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or con...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in whic...
Rule High Severity -
SRG-OS-000480-GPOS-00227
Group -
Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.
When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds ...
Rule Medium Severity -
SRG-OS-000033-GPOS-00014
Group -
SRG-OS-000250-GPOS-00093
Group -
Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an...
Rule Medium Severity -
SRG-OS-000033-GPOS-00014
Group -
Ubuntu 22.04 LTS SSH server must be configured to use only FIPS-validated key exchange algorithms.
Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The system will at...
Rule Medium Severity -
SRG-OS-000125-GPOS-00065
Group -
Ubuntu 22.04 LTS must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network....
Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000028-GPOS-00009
Group -
Ubuntu 22.04 LTS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...
Rule Medium Severity -
SRG-OS-000029-GPOS-00010
Group -
SRG-OS-000480-GPOS-00227
Group -
Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the...
Rule High Severity -
SRG-OS-000378-GPOS-00163
Group -
SRG-OS-000481-GPOS-00481
Group