Skip to content
Log In

Guide to the Secure Configuration of Ubuntu 16.04

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Rsyslog Logs Sent To Remote Host

    If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a system may delete the log e...
    Group
    Show

  • Remote Log Server

    Specify an URI or IP address of a remote host where the log messages will be sent and stored.
    Value
    Show

  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...
    Group
    Show

  • iptables and ip6tables

    A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program <code...
    Group
    Show

  • Inspect and Activate Default Rules

    View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analogous for <code>ip6tables</code>. <br> <br> ...
    Group
    Show

  • Verify ip6tables Enabled if Using IPv6

    The ip6tables service can be enabled with the following command: 
    $ sudo systemctl enable ip6tables.service
    Rule Medium Severity
    Show

  • Set Default iptables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/iptables</code>: <pre>...
    Rule Medium Severity
    Show

  • Set Default iptables Policy for Forwarded Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line ...
    Rule Medium Severity
    Show

  • IPv6

    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important featu...
    Group
    Show

  • Disable IPv6 Networking Support Automatic Loading

    To prevent the IPv6 kernel module (<code>ipv6</code>) from binding to the IPv6 networking stack, add the following line to <code>/etc/modprobe.d/disabled.conf</code> (or another file in <code>/etc/...
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on All IPv6 Interfaces

    To disable support for (<code>ipv6</code>) addressing on all interface add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>net.ipv6....
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on IPv6 Interfaces by Default

    To disable support for (<code>ipv6</code>) addressing on interfaces by default add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>n...
    Rule Medium Severity
    Show

  • Kernel Parameters Which Affect Networking

    The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.
    Group
    Show

  • Network Related Kernel Runtime Parameters for Hosts and Routers

    Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability defend against certain types of IPv4 protocol attacks.
    Group
    Show

  • net.ipv4.conf.default.arp_filter

    Controls whether the ARP filter is enabled or not. 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not t...
    Value
    Show

  • net.ipv4.conf.default.arp_ignore

    Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP...
    Value
    Show

  • net.ipv4.conf.all.shared_media

    Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...
    Value
    Show

  • Configure Response Mode of ARP Requests for All IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.arp_ignore</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=<xccdf-1.2:sub idref="xccd...
    Rule Medium Severity
    Show

  • Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.route_localnet</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0</pre> To make su...
    Rule Medium Severity
    Show

  • Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.shared_media</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.shared_media=<xccdf-1.2:sub idref="...
    Rule Medium Severity
    Show

  • Configure Sending and Accepting Shared Media Redirects by Default

    To set the runtime status of the <code>net.ipv4.conf.default.shared_media</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.shared_media=<xccdf-1.2:sub...
    Rule Medium Severity
    Show

  • Verify ufw Enabled

    The ufw service can be enabled with the following command: 
    $ sudo systemctl enable ufw.service
    Rule Medium Severity
    Show

  • Uncomplicated Firewall (ufw)

    The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a compl...
    Group
    Show

  • Uncommon Network Protocols

    The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences ca...
    Group
    Show

  • Disable TIPC Support

    The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the <code>tipc</code> kernel module...
    Rule Low Severity
    Show

  • Verify Permissions on Important Files and Directories

    Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...
    Group
    Show

  • Ensure No World-Writable Files Exist

    It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor f...
    Rule Medium Severity
    Show

  • Enable Kernel Parameter to Enforce DAC on Symlinks

    To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_symlinks=1</pre> To make sure that the setting is...
    Rule Medium Severity
    Show

  • Verify Permissions on Files with Local Account Information and Credentials

    The default restrictive permissions for files which act as important security databases such as <code>passwd</code>, <code>shadow</code>, <code>group</code>, and <code>gshadow</code> files must be ...
    Group
    Show

  • Verify Group Who Owns Backup group File

    To properly set the group owner of /etc/group-, run the command: 
    $ sudo chgrp root /etc/group-
    Rule Medium Severity
    Show

  • Verify Group Who Owns Backup gshadow File

    To properly set the group owner of /etc/gshadow-, run the command: 
    $ sudo chgrp shadow /etc/gshadow-
    Rule Medium Severity
    Show

  • Verify Group Who Owns Backup passwd File

    To properly set the group owner of /etc/passwd-, run the command: 
    $ sudo chgrp root /etc/passwd-
    Rule Medium Severity
    Show

  • Verify User Who Owns Backup shadow File

    To properly set the group owner of /etc/shadow-, run the command: 
    $ sudo chgrp shadow /etc/shadow-
    Rule Medium Severity
    Show

  • Verify Group Who Owns group File

    To properly set the group owner of /etc/group, run the command: 
    $ sudo chgrp root /etc/group
    Rule Medium Severity
    Show

  • Verify Group Who Owns gshadow File

    To properly set the group owner of /etc/gshadow, run the command: 
    $ sudo chgrp shadow /etc/gshadow
    Rule Medium Severity
    Show

  • Verify User Who Owns Backup gshadow File

    To properly set the owner of /etc/gshadow-, run the command: 
    $ sudo chown root /etc/gshadow-
    Rule Medium Severity
    Show

  • Verify User Who Owns Backup passwd File

    To properly set the owner of /etc/passwd-, run the command: 
    $ sudo chown root /etc/passwd-
    Rule Medium Severity
    Show

  • Verify Group Who Owns Backup shadow File

    To properly set the owner of /etc/shadow-, run the command: 
    $ sudo chown root /etc/shadow-
    Rule Medium Severity
    Show

  • Verify User Who Owns group File

    To properly set the owner of /etc/group, run the command: 
    $ sudo chown root /etc/group
    Rule Medium Severity
    Show

  • Verify User Who Owns gshadow File

    To properly set the owner of /etc/gshadow, run the command: 
    $ sudo chown root /etc/gshadow
    Rule Medium Severity
    Show

  • Verify User Who Owns passwd File

    To properly set the owner of /etc/passwd, run the command: 
    $ sudo chown root /etc/passwd
    Rule Medium Severity
    Show

  • Verify User Who Owns shadow File

    To properly set the owner of /etc/shadow, run the command: 
    $ sudo chown root /etc/shadow
    Rule Medium Severity
    Show

  • Verify Permissions on Backup group File

    To properly set the permissions of /etc/group-, run the command: 
    $ sudo chmod 0644 /etc/group-
    Rule Medium Severity
    Show

  • Verify Permissions on Backup gshadow File

    To properly set the permissions of /etc/gshadow-, run the command: 
    $ sudo chmod 0640 /etc/gshadow-
    Rule Medium Severity
    Show

  • Verify Permissions on Backup passwd File

    To properly set the permissions of /etc/passwd-, run the command: 
    $ sudo chmod 0644 /etc/passwd-
    Rule Medium Severity
    Show

  • Verify Permissions on Backup shadow File

    To properly set the permissions of /etc/shadow-, run the command: 
    $ sudo chmod 0640 /etc/shadow-
    Rule Medium Severity
    Show

  • Verify Permissions on gshadow File

    To properly set the permissions of /etc/gshadow, run the command: 
    $ sudo chmod 0640 /etc/gshadow
    Rule Medium Severity
    Show

  • Verify Permissions on passwd File

    To properly set the permissions of /etc/passwd, run the command: 
    $ sudo chmod 0644 /etc/passwd
    Rule Medium Severity
    Show

  • Verify Permissions on Files within /var/log Directory

    The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel.
    Group
    Show

  • Verify Group Who Owns /var/log Directory

    To properly set the group owner of /var/log, run the command: 
    $ sudo chgrp syslog /var/log
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules