Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Ubuntu 18.04

Rules, Groups, and Values defined within the XCCDF Benchmark

  • remember

    The last n passwords for each user are saved in <code>/etc/security/opasswd</code> in order to force password change history and keep the user from...
    Value
    Show

  • Action for auditd to take when disk is full

    'The setting for disk_full_action in /etc/audit/auditd.conf, if multiple values are allowed write them separated by pipes as in "syslog|single|halt...
    Value
    Show

  • Disallow Configuration to Bypass Password Requirements for Privilege Escalation

    Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/...
    Rule Medium Severity
    Show

  • Set Lockouts for Failed Password Attempts

    The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...
    Group
    Show

  • fail_deny

    Number of failed login attempts before account lockout
    Value
    Show

  • faillock directory

    The directory where the user files with the failure records are kept
    Value
    Show

  • fail_interval

    Interval for counting failed login attempts before account lockout
    Value
    Show

  • fail_unlock_time

    Seconds before automatic unlocking or permanently locking after excessive failed logins
    Value
    Show

  • tally2_unlock_time

    Seconds before automatic unlocking or permanently locking after excessive failed logins
    Value
    Show

  • faildelay_delay

    Delay next login attempt after a failed login
    Value
    Show

  • pwhistory_remember

    Prevent password re-use using password history lookup
    Value
    Show

  • PAM pwhistory remember - control flag

    'Specify the control flag required for password remember requirement. If multiple values are allowed write them separated by commas as in "required...
    Value
    Show

  • tally2

    Number of failed login attempts
    Value
    Show

  • Account Lockouts Must Be Logged

    PAM faillock locks an account due to excessive password failures, this event must be logged.
    Rule Medium Severity
    Show

  • Account Lockouts Must Persist

    By setting a `dir` in the faillock configuration account lockouts will persist across reboots.
    Rule Medium Severity
    Show

  • Account Lockouts Must Be Logged

    PAM faillock locks an account due to excessive password failures, this event must be logged.
    Rule Medium Severity
    Show

  • Set Password Quality Requirements

    The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...
    Group
    Show

  • Set Password Quality Requirements, if using pam_cracklib

    The <code>pam_cracklib</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <code...
    Group
    Show

  • Set Password Quality Requirements with pam_pwquality

    The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...
    Group
    Show

  • dcredit

    Minimum number of digits in password
    Value
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules