Skip to content

Guide to the Secure Configuration of Ubuntu 20.04

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure All-Squashing Disabled On All Exports

    The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...
    Rule Low Severity
  • Configure the Exports File Restrictively

    Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...
    Group
  • Export Filesystems Read-Only if Possible

    If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...
    Group
  • Use Access Lists to Enforce Authorization Restrictions

    When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...
    Group
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • Vendor Approved Time pools

    The list of vendor-approved pool servers
    Value
  • Vendor Approved Time Servers

    The list of vendor-approved time servers
    Value
  • Maximum NTP or Chrony Poll

    The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
    Value
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
  • Install the ntp service

    The ntpd service should be installed.
    Rule High Severity
  • Install the systemd_timesyncd Service

    The systemd_timesyncd service should be installed.
    Rule High Severity
  • The Chronyd service is enabled

    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...
    Rule Medium Severity
  • Enable the NTP Daemon

    The ntp service can be enabled with the following command:
    $ sudo systemctl enable ntp.service
    Rule High Severity
  • Enable systemd_timesyncd Service

    The systemd_timesyncd service can be enabled with the following command:
    $ sudo systemctl enable systemd_timesyncd.service
    Rule High Severity
  • Configure Time Service Maxpoll Interval

    The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy...
    Rule Medium Severity
  • Ensure that chronyd is running under chrony user account

    chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and us...
    Rule Medium Severity
  • Ensure Chrony is only configured with the server directive

    Check that Chrony only has time sources configured with the server directive.
    Rule Medium Severity
  • A remote time server for Chrony is configured

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
  • Synchronize internal information system clocks

    Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems...
    Rule Medium Severity
  • Uninstall rsh Package

    The rsh-client package contains the client commands for the rsh services
    Rule Unknown Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules