Skip to content

Guide to the Secure Configuration of Ubuntu 20.04

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w n...
    Rule Medium Severity
  • Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

    To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl ...
    Rule Medium Severity
  • Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

    To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_fo...
    Rule Medium Severity
  • authlogin_yubikey SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • nftables

    <code>If firewalld or iptables are being used in your environment, please follow the guidance in their respective section and pass-over the guidanc...
    Group
  • Nftables Base Chain Hooks

    The possible hooks which can be used to configure the base chain are: <code>ingress</code> (only in netdev family since Linux kernel 4.2, and inet ...
    Value
  • Nftables Chain Names

    The rules in nftables are attached to chains. Unlike in iptables, there are no predefined chains like INPUT, OUTPUT, etc. Instead, to filter pack...
    Value
  • Nftables Base Chain Policies

    This is the default verdict that will be applied to packets reaching the end of the chain (i.e, no more rules to be evaluated against). Currently ...
    Value
  • Nftables Base Chain Priorities

    Each nftables base chain is assigned a priority that defines its ordering among other base chains, flowtables, and Netfilter internal operations a...
    Value
  • Nftables Base Chain Types

    Base chains are those that are registered into the Netfilter hooks, i.e. these chains see packets flowing through the Linux TCP/IP stack. The poss...
    Value
  • Nftables Families

    Netfilter enables filtering at multiple networking levels. With iptables there is a separate tool for each level: iptables, ip6tables, arptables, ...
    Value
  • Nftables Master configuration file

    The file which contains top level configuration for nftables service, and with which, the service is started.
    Value
  • Nftables Tables

    Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six fami...
    Value
  • Verify ufw Enabled

    The ufw service can be enabled with the following command:
    $ sudo systemctl enable ufw.service
    Rule Medium Severity
  • Install nftables Package

    nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace ...
    Rule Medium Severity
  • Uninstall nftables package

    nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to ipta...
    Rule Medium Severity
  • Verify nftables Service is Enabled

    The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service The <code>nftables</code> servic...
    Rule Medium Severity
  • Verify nftables Service is Disabled

    nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to ipta...
    Rule Medium Severity
  • Ensure nftables Rules are Permanent

    nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads ...
    Rule Medium Severity
  • Ensure Base Chains Exist for Nftables

    Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six famil...
    Rule Medium Severity
  • Set nftables Configuration for Loopback Traffic

    Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
    Rule Medium Severity
  • Ensure a Table Exists for Nftables

    Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six famil...
    Rule Medium Severity
  • SuSEfirewall2

    The SuSEfirewall2 provides a managed firewall.
    Group
  • Uncomplicated Firewall (ufw)

    The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the ip...
    Group
  • Install ufw Package

    The ufw package can be installed with the following command:
    $ apt-get install ufw
    Rule Medium Severity
  • Ensure ufw Default Deny Firewall Policy

    A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit a...
    Rule Medium Severity
  • Set UFW Loopback Traffic

    Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
    Rule Medium Severity
  • Only Allow Authorized Network Services in ufw

    Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: <...
    Rule Medium Severity
  • ufw Must rate-limit network interfaces

    The operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.
    Rule Medium Severity
  • Ensure ufw Firewall Rules Exist for All Open Ports

    Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
    Rule Medium Severity
  • Uncommon Network Protocols

    The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code ...
    Group
  • Disable DCCP Support

    The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. T...
    Rule Medium Severity
  • Disable RDS Support

    The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications ...
    Rule Low Severity
  • Disable SCTP Support

    The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with...
    Rule Medium Severity
  • Disable TIPC Support

    The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the sys...
    Rule Low Severity
  • Verify User Who Owns group File

    To properly set the owner of /etc/group, run the command:
    $ sudo chown root /etc/group 
    Rule Medium Severity
  • Wireless Networking

    Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless net...
    Group
  • Disable Wireless Through Software Configuration

    If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following ...
    Group
  • Deactivate Wireless Network Interfaces

    Deactivating wireless network interfaces should prevent normal usage of the wireless capability. <br><br> Configure the system to disable all wire...
    Rule Medium Severity
  • Disable Unused Interfaces

    Network interfaces expand the attack surface of the system. Unused interfaces are not monitored or controlled, and should be disabled. <br><br> If...
    Group
  • Transport Layer Security Support

    Support for Transport Layer Security (TLS), and its predecessor, the Secure Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the Ope...
    Group
  • Only Allow DoD PKI-established CAs

    The operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sess...
    Rule Medium Severity
  • File Permissions and Masks

    Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which t...
    Group
  • Verify Permissions on Important Files and Directories

    Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses impo...
    Group
  • Verify permissions of log files

    Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of err...
    Rule Medium Severity
  • Verify Permissions on /etc/audit/auditd.conf

    To properly set the permissions of /etc/audit/auditd.conf, run the command:
    $ sudo chmod 0640 /etc/audit/auditd.conf
    Rule Medium Severity
  • Verify Permissions on /etc/audit/rules.d/*.rules

    To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:
    $ sudo chmod 0640 /etc/audit/rules.d/*.rules
    Rule Medium Severity
  • Verify that local System.map file (if exists) is readable only by root

    Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need ...
    Rule Unknown Severity
  • Ensure No World-Writable Files Exist

    It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific a...
    Rule Medium Severity
  • Ensure All Files Are Owned by a Group

    If any file is not group-owned by a group present in /etc/group, the cause of the lack of group-ownership must be investigated. Following this, tho...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules