Guide to the Secure Configuration of Ubuntu 16.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable Recovery Booting
Ubuntu 16.04 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABLE_RECOVERY</code> configuration option in <code>/etc/default/gru...Rule Medium Severity -
IOMMU configuration directive
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. To ensure that <code>iomm...Rule Unknown Severity -
Configure L1 Terminal Fault mitigations
L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Cache when the page table entry isn't present. Sele...Rule High Severity -
Ensure SMEP is not disabled during boot
The SMEP is used to prevent the supervisor mode from executing user space code, it is enabled by default since Linux kernel 3.0. But it could be disabled through kernel boot parameters. Ensure tha...Rule Medium Severity -
Enforce Spectre v2 mitigation
Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor into executing code from a future indirect branch cho...Rule High Severity -
Verify Permissions on System.map Files
The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. In general,...Rule Low Severity -
Verify Group Who Owns passwd File
To properly set the group owner of/etc/passwd, run the command:$ sudo chgrp root /etc/passwd
Rule Medium Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...Group -
Ensure Proper Configuration of Log Files
The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of a <i>selector</i> and an <i>action</i>. These rul...Group -
Ensure Rsyslog Authenticates Off-Loaded Audit Records
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this uti...Rule Medium Severity -
Ensure Rsyslog Encrypts Off-Loaded Audit Records
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this uti...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by <code>rsyslog</code> should be <code>adm</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> an...Rule Medium Severity -
Ensure All Logs are Rotated by logrotate
Edit the file <code>/etc/logrotate.d/rsyslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spool...Group -
Verify Group Who Owns shadow File
To properly set the group owner of/etc/shadow, run the command:$ sudo chgrp shadow /etc/shadow
Rule Medium Severity -
Ensure Logs Sent To Remote Host
To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary...Rule Medium Severity -
Strengthen the Default Ruleset
The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files <code>iptables</code> and <code>ip6tables</code> in t...Group -
Disable Accepting Packets Routed Between Local Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_local</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_local=0</pre> To make sure t...Rule Medium Severity -
Configure ARP filtering for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.arp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_filter=<xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Disable RDS Support
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the syst...Rule Low Severity -
File Permissions and Masks
Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access. <br> <br> Severa...Group -
Verify that All World-Writable Directories Have Sticky Bits Set
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may ...Rule Medium Severity -
Verify that Shared Library Directories Have Restrictive Permissions
System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /...Rule Medium Severity -
Kernel panic on oops
To set the runtime status of the <code>kernel.panic_on_oops</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.panic_on_oops=1</pre> To make sure that the setting is p...Rule Medium Severity -
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to acc...Group -
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject...Rule Medium Severity -
Ensure SELinux State is Enforcing
The SELinux state should be set to <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"></xccdf-1.2:sub></code> at system boot time. In the file <code>/et...Rule High Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Ubuntu 16.04 installs on a system and disable software which is not...Group -
Disable Avahi Publishing
To prevent Avahi from publishing its records, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line appears in the <code>[publish]</code> section: <pre>disable-publishing=yes...Rule Low Severity -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends configuring...Group -
Minimize the DHCP-Configured Options
Create the file <code>/etc/dhcp/dhclient.conf</code>, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the follo...Rule Unknown Severity -
FTP Server
FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured an...Group -
Configure Firewalls to Protect the FTP Server
By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 21 traffic, one must edit <code>/etc/sysconfig/iptables</code>...Rule Unknown Severity -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>lapd-utils</code> package can be removed with the ...Rule Low Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Configure System to Forward All Mail From Postmaster to The Root Account
Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". <pre>$ sudo grep "postmaster:\s*root$" /etc/al...Rule Medium Severity -
Disable Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be di...Rule Unknown Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
Enable the NTP Daemon
Thentpservice can be enabled with the following command:$ sudo systemctl enable ntp.service
Rule High Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Remove Rsh Trust Files
The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To re...Rule High Severity -
SSH is required to be installed
Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.<br> A value of 0 means that the policy doesn't care if OpenSSH server ...Value -
Remove SSH Server iptables Firewall exception (Unusual)
By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. <br> <br> Edit the files <co...Rule Unknown Severity -
Set SSH Client Alive Interval
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To set this t...Rule Medium Severity -
Disable Kerberos Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. <br> The default SSH configuration disallows authentication validation through Kerberos. The ...Rule Medium Severity -
Disable X11 Forwarding
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH...Rule Medium Severity -
Enable GSSAPI Authentication
Sites setup to use Kerberos or other GSSAPI Authenticaion require setting sshd to accept this authentication. To enable GSSAPI authentication, add or correct the following line in <code>/etc/ssh/...Rule Medium Severity -
Enable SSH Print Last Log
Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date and time of the last login. The appropriate configu...Rule Medium Severity -
Force frequent session key renegotiation
The <code>RekeyLimit</code> parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed.<br> To decrease the d...Rule Medium Severity -
Configure auditd Data Retention
The audit system writes data to <code>/var/log/audit/audit.log</code>. By default, <code>auditd</code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of data in total, and refuses to wri...Group -
Make the auditd Configuration Immutable
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules