Guide to the Secure Configuration of Ubuntu 16.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Uninstall the telnet server
The telnet daemon should be uninstalled.Rule High Severity -
Configure DHCP Client if Necessary
If DHCP must be used, then certain configuration changes can minimize the amount of information it receives and applies from the network, and thus the amount of incorrect information a rogue DHCP s...Group -
Configure DHCP Server
If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless...Group -
Minimize Served Information
Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information ...Rule Unknown Severity -
SSH Privilege Separation Setting
Specify whether and how sshd separates privileges when handling incoming network connections.Value -
Application Whitelisting Daemon
Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applicat...Group -
fapolicyd Must be Configured to Limit Access to Users Home Folders
fapolicyd needs be configured so that users cannot give access to their home folders to other users.Rule Medium Severity -
Configure vsftpd to Provide FTP Service if Necessary
The primary vsftpd configuration file is/etc/vsftpd.conf, if that file exists, or/etc/vsftpd/vsftpd.confif it does not.Group -
Restrict the Set of Users Allowed to Access FTP
This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only...Group -
Limit Users Allowed FTP Access if Necessary
If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add o...Rule Unknown Severity -
SSH LoginGraceTime setting
Configure parameters for how long the servers stays connected before the user has successfully logged inValue -
SSH MaxStartups setting
Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.Value -
LDAP
LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Ubuntu 16.04 includes software that enables a system to act as both an LDAP clien...Group -
Configure OpenLDAP Clients
This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate configuration files. Ubuntu 16.04 provides an automa...Group -
Configure OpenLDAP Server
This section details some security-relevant settings for an OpenLDAP server.Group -
Uninstall openldap-servers Package
The slapd package is not installed by default on a Ubuntu 16.04 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended...Rule Low Severity -
The Postfix package is installed
A mail server is required for sending emails. Thepostfixpackage can be installed with the following command:$ apt-get install postfix
Rule Medium Severity -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Postfix relayhost
Specify the host all outbound email should be routed into.Value -
Postfix Root Mail Alias
Specify an email address (string) for a root mail alias.Value
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.