Guide to the Secure Configuration of Ubuntu 20.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=...Rule Medium Severity -
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.log_martians</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.log_martians=1</pre> To mak...Rule Unknown Severity -
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</pre> To make sure...Rule Medium Severity -
Remove ufw Package
Theufwpackage can be removed with the following command:$ apt-get remove ufw
Rule Medium Severity -
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre> To...Rule Medium Severity -
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_response...Rule Unknown Severity -
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> To make sure that the settin...Rule Medium Severity -
Network Parameters for Hosts Only
If the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network traffic.Group -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To...Rule Medium Severity -
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> To make sure that the setting is per...Rule Medium Severity -
Nftables Base Chain Hooks
The possible hooks which can be used to configure the base chain are: <code>ingress</code> (only in netdev family since Linux kernel 4.2, and inet family since Linux kernel 5.10): sees packets imm...Value -
Nftables Chain Names
The rules in nftables are attached to chains. Unlike in iptables, there are no predefined chains like INPUT, OUTPUT, etc. Instead, to filter packets at a particular processing step, a base chain ...Value -
Nftables Base Chain Policies
This is the default verdict that will be applied to packets reaching the end of the chain (i.e, no more rules to be evaluated against). Currently there are 2 policies: <code>accept</code> this ve...Value -
Nftables Base Chain Priorities
Each nftables base chain is assigned a priority that defines its ordering among other base chains, flowtables, and Netfilter internal operations at the same hook. For example, a chain on the prer...Value -
Nftables Base Chain Types
Base chains are those that are registered into the Netfilter hooks, i.e. these chains see packets flowing through the Linux TCP/IP stack. The possible chain types are: <code>filter</code>, which i...Value -
Nftables Families
Netfilter enables filtering at multiple networking levels. With iptables there is a separate tool for each level: iptables, ip6tables, arptables, ebtables. With nftables the multiple networking l...Value -
Nftables Master configuration file
The file which contains top level configuration for nftables service, and with which, the service is started.Value -
Nftables Tables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families.Value -
Verify ufw Enabled
Theufwservice can be enabled with the following command:$ sudo systemctl enable ufw.service
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.