Guide to the Secure Configuration of Ubuntu 20.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Set nftables Configuration for Loopback Traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.Rule Medium Severity -
Ensure a Table Exists for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six famil...Rule Medium Severity -
SuSEfirewall2
The SuSEfirewall2 provides a managed firewall.Group -
Uncomplicated Firewall (ufw)
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the ip...Group -
Install ufw Package
Theufwpackage can be installed with the following command:$ apt-get install ufw
Rule Medium Severity -
Ensure ufw Default Deny Firewall Policy
A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit a...Rule Medium Severity -
Set UFW Loopback Traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.Rule Medium Severity -
Only Allow Authorized Network Services in ufw
Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: <...Rule Medium Severity -
ufw Must rate-limit network interfaces
The operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.Rule Medium Severity -
Ensure ufw Firewall Rules Exist for All Open Ports
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.Rule Medium Severity -
Uncommon Network Protocols
The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code ...Group -
Disable DCCP Support
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. T...Rule Medium Severity -
Disable RDS Support
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications ...Rule Low Severity -
Disable SCTP Support
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with...Rule Medium Severity -
Disable TIPC Support
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the sys...Rule Low Severity -
Verify User Who Owns group File
To properly set the owner of/etc/group, run the command:$ sudo chown root /etc/group
Rule Medium Severity -
Wireless Networking
Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless net...Group -
Disable Wireless Through Software Configuration
If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following ...Group -
Deactivate Wireless Network Interfaces
Deactivating wireless network interfaces should prevent normal usage of the wireless capability. <br><br> Configure the system to disable all wire...Rule Medium Severity -
Disable Unused Interfaces
Network interfaces expand the attack surface of the system. Unused interfaces are not monitored or controlled, and should be disabled. <br><br> If...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.