Guide to the Secure Configuration of Ubuntu 20.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure Backups of User Data
The operating system must conduct backups of user data contained in the operating system. The operating system provides utilities for automating backups of user data. Commercial and open-source pro...Rule Medium Severity -
McAfee Endpoint Security Software
In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.Group -
McAfee Endpoint Security for Linux (ENSL)
McAfee Endpoint Security for Linux (ENSL) is a suite of software applications used to monitor, detect, and defend computer networks and systems.Group -
Install McAfee Endpoint Security for Linux (ENSL)
Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. The <code>mfetp</code> ...Rule Medium Severity -
McAfee Host-Based Intrusion Detection Software (HBSS)
McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems.Group -
Install the Host Intrusion Prevention System (HIPS) Module
Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.Rule Medium Severity -
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). If <code>/home</code> will be mounted from ...Rule Low Severity -
Ensure /srv Located On Separate Partition
If a file server (FTP, TFTP...) is hosted locally, create a separate partition for <code>/srv</code> at installation time (or migrate it later using LVM). If <code>/srv</code> will be mounted from ...Rule Unknown Severity -
Ensure /tmp Located On Separate Partition
The/tmpdirectory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.Rule Low Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation...Rule Low Severity -
Ensure /var/log Located On Separate Partition
System logs are stored in the/var/logdirectory. Ensure that/var/loghas its own partition or logical volume at installation time, or migrate it using LVM.Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volume at installation time, or migrate it using LVM. M...Rule Low Severity -
Ensure /var/tmp Located On Separate Partition
The/var/tmpdirectory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.Rule Medium Severity -
Ensure Sudo Logfile Exists - sudo logfile
A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.Rule Low Severity -
Configure GNOME3 DConf User Profile
By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf ...Rule High Severity -
Configure GNOME Login Screen
In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to login automatically and/or with a guest ac...Group -
Disable the GNOME3 Login User List
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting <code>di...Rule Medium Severity -
Disable XDMCP in GDM
XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. <a href="https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity">XDMCP Gnome docs</a>. To dis...Rule High Severity -
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock</b>. <br> <br> The following sections deta...Group -
Enable GNOME3 Screensaver Lock After Idle Period
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <code>lock-enabled</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-settings</co...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.