Skip to content

Guide to the Secure Configuration of Ubuntu 16.04

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...
    Group
  • Mount Remote Filesystems with Restrictive Options

    Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...
    Group
  • Configure NFS Servers

    The steps in this section are appropriate for systems which operate as NFS servers.
    Group
  • Ensure All-Squashing Disabled On All Exports

    The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...
    Rule Low Severity
  • Configure the Exports File Restrictively

    Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...
    Group
  • Export Filesystems Read-Only if Possible

    If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...
    Group
  • Use Access Lists to Enforce Authorization Restrictions

    When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...
    Group
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • Vendor Approved Time pools

    The list of vendor-approved pool servers
    Value
  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
  • Maximum NTP or Chrony Poll

    The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
    Value
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
  • Install the ntp service

    The ntpd service should be installed.
    Rule High Severity
  • The Chronyd service is enabled

    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...
    Rule Medium Severity
  • Enable the NTP Daemon

    The ntp service can be enabled with the following command:
    $ sudo systemctl enable ntp.service
    Rule High Severity
  • Enable systemd_timesyncd Service

    The systemd_timesyncd service can be enabled with the following command:
    $ sudo systemctl enable systemd_timesyncd.service
    Rule High Severity
  • Ensure Chrony is only configured with the server directive

    Check that Chrony only has time sources configured with the server directive.
    Rule Medium Severity
  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules