Guide to the Secure Configuration of Ubuntu 16.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure SSH LoginGraceTime is configured
The <code>LoginGraceTime</code> parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer ...Rule Medium Severity -
Set LogLevel to INFO
The INFO parameter specifices that record login and logout activity will be logged. <br> The default SSH configuration sets the log level to INFO. ...Rule Low Severity -
Set SSH Daemon LogLevel to VERBOSE
The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct t...Rule Medium Severity -
Set SSH authentication attempt limit
The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failur...Rule Medium Severity -
Set SSH MaxSessions limit
The <code>MaxSessions</code> parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit <co...Rule Medium Severity -
Ensure SSH MaxStartups is configured
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be ...Rule Medium Severity -
Enable Use of Privilege Separation
When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...Rule Medium Severity -
Strengthen Firewall Configuration if Possible
If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to ...Group -
System Security Services Daemon
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...Group -
SSSD certificate_verification option
Value of the certificate_verification option in the SSSD config.Value -
SSSD memcache_timeout option
Value of the memcache_timeout option in the [nss] section of SSSD config /etc/sssd/sssd.conf.Value -
SSSD ssh_known_hosts_timeout option
Value of the ssh_known_hosts_timeout option in the [ssh] section of SSSD configuration file /etc/sssd/sssd.conf.Value -
System Security Services Daemon (SSSD) - LDAP
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...Group -
SSSD LDAP Backend Client CA Certificate Location
Path of a directory that contains Certificate Authority certificates.Value -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Disable X Windows
Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and ...Group -
Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for the Ubuntu 16.04 operating system. Recommended ...Group -
General Principles
The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not expli...Group -
Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.