Guide to the Secure Configuration of Ubuntu 20.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Remove SSH Server iptables Firewall exception (Unusual)
By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. <br> <br> Edit the files <co...Rule Unknown Severity -
Set SSH Client Alive Interval
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out. <br> <br> To set this t...Rule Medium Severity -
Disable Host-Based Authentication
SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organ...Rule Medium Severity -
Disable SSH Support for Rhosts RSA Authentication
SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. <br> <br> To ensure this behavior is disabled, ...Rule Medium Severity -
Disable SSH Support for User Known Hosts
SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled. <br> <br> To ensure this behavior is disabled, add or c...Rule Medium Severity -
Disable X11 Forwarding
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH...Rule Medium Severity -
Do Not Allow SSH Environment Options
Ensure that users are not able to override environment variables of the SSH daemon. <br> The default SSH configuration disables environment processing. The appropriate configuration is used if no v...Rule Medium Severity -
Enable Use of Strict Mode Checking
SSHs <code>StrictModes</code> option checks file and ownership permissions in the user's home directory <code>.ssh</code> folder before accepting login. If world- writable permissions are found, lo...Rule Medium Severity -
Set SSH Daemon LogLevel to VERBOSE
The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in <code>/etc/ssh/sshd_config....Rule Medium Severity -
Use Only FIPS 140-2 Validated Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-approved ciphers: <pre>Ciphers <xccdf-1.2:sub idref="...Rule Medium Severity -
Configure SSSD to Expire Offline Credentials
SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credentials_expiration</code> to <code>1</code> under the <c...Rule Medium Severity -
Remove the X Windows Package Group
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the s...Rule Medium Severity -
System Accounting with auditd
The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as s...Group -
Ensure the default plugins for the audit dispatcher are Installed
The audit-audispd-plugins package should be installed.Rule Medium Severity -
Ensure the audit Subsystem is Installed
The audit package should be installed.Rule Medium Severity -
Extend Audit Backlog Limit for the Audit Daemon
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_limit=8192</code> to the default GRUB 2 command lin...Rule Low Severity -
Audit Configuration Files Permissions are 640 or More Restrictive
All audit configuration files permissions must be 640 or more restrictive.chmod 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Rule Medium Severity -
Make the auditd Configuration Immutable
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Record Events that Modify the System's Mandatory Access Controls
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity -
Record Events that Modify the System's Mandatory Access Controls in usr/share
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <cod...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.