Skip to content
Log In

Guide to the Secure Configuration of Ubuntu 16.04

Rules, Groups, and Values defined within the XCCDF Benchmark

  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured an...
    Group
    Show

  • Configure Firewalls to Protect the FTP Server

    By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 21 traffic, one must edit <code>/etc/sysconfig/iptables</code>...
    Rule Unknown Severity
    Show

  • Ensure LDAP client is not installed

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>lapd-utils</code> package can be removed with the ...
    Rule Low Severity
    Show

  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...
    Group
    Show

  • Configure System to Forward All Mail From Postmaster to The Root Account

    Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...
    Rule Medium Severity
    Show

  • Disable Network File Systems (netfs)

    The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be di...
    Rule Unknown Severity
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...
    Group
    Show

  • Enable the NTP Daemon

    The ntp service can be enabled with the following command: 
    $ sudo systemctl enable ntp.service
    Rule High Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...
    Group
    Show

  • Remove Rsh Trust Files

    The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To re...
    Rule High Severity
    Show

  • SSH is required to be installed

    Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.<br> A value of 0 means that the policy doesn't care if OpenSSH server ...
    Value
    Show

  • Remove SSH Server iptables Firewall exception (Unusual)

    By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. <br> <br> Edit the files <co...
    Rule Unknown Severity
    Show

  • Set SSH Client Alive Interval

    SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To set this t...
    Rule Medium Severity
    Show

  • Disable Kerberos Authentication

    Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. <br> The default SSH configuration disallows authentication validation through Kerberos. The ...
    Rule Medium Severity
    Show

  • Disable X11 Forwarding

    The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH...
    Rule Medium Severity
    Show

  • Enable GSSAPI Authentication

    Sites setup to use Kerberos or other GSSAPI Authenticaion require setting sshd to accept this authentication. To enable GSSAPI authentication, add or correct the following line in <code>/etc/ssh/...
    Rule Medium Severity
    Show

  • Enable SSH Print Last Log

    Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date and time of the last login. The appropriate configu...
    Rule Medium Severity
    Show

  • Force frequent session key renegotiation

    The <code>RekeyLimit</code> parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed.<br> To decrease the d...
    Rule Medium Severity
    Show

  • Configure auditd Data Retention

    The audit system writes data to <code>/var/log/audit/audit.log</code>. By default, <code>auditd</code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of data in total, and refuses to wri...
    Group
    Show

  • Make the auditd Configuration Immutable

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules