Skip to content

Guide to the Secure Configuration of Ubuntu 20.04

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Limit Users' SSH Access

    By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users an...
    Rule Unknown Severity
  • Enable SSH Print Last Log

    Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date a...
    Rule Medium Severity
  • Ensure SSH LoginGraceTime is configured

    The <code>LoginGraceTime</code> parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer ...
    Rule Medium Severity
  • Set SSH Daemon LogLevel to VERBOSE

    The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct t...
    Rule Medium Severity
  • Set SSH authentication attempt limit

    The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failur...
    Rule Medium Severity
  • Set SSH MaxSessions limit

    The <code>MaxSessions</code> parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit <co...
    Rule Medium Severity
  • Ensure SSH MaxStartups is configured

    The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be ...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated Ciphers

    Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The foll...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated Ciphers

    Limit the ciphers to those algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-app...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated Key Exchange Algorithms

    Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in <code>/etc/ssh/sshd_config</code> <pre>Kex...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated MACs

    Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...
    Rule Medium Severity
  • Use Only FIPS 140-2 Validated MACs

    Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...
    Rule Medium Severity
  • Enable Use of Privilege Separation

    When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...
    Rule Medium Severity
  • Use Only Strong Key Exchange algorithms

    Limit the Key Exchange to strong algorithms. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those: <pre>KexAlgorithms ...
    Rule Medium Severity
  • Strengthen Firewall Configuration if Possible

    If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to ...
    Group
  • System Security Services Daemon

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • SSSD certificate_verification option

    Value of the certificate_verification option in the SSSD config.
    Value
  • Configure SSSD to Expire Offline Credentials

    SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credential...
    Rule Medium Severity
  • System Security Services Daemon (SSSD) - LDAP

    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...
    Group
  • SSSD LDAP Backend Client CA Certificate Location

    Path of a directory that contains Certificate Authority certificates.
    Value

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules