Guide to the Secure Configuration of Ubuntu 20.04
Rules, Groups, and Values defined within the XCCDF Benchmark
net.ipv4.conf.all.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. Value -
net.ipv4.conf.default.arp_filter
Controls whether the ARP filter is enabled or not. 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not t...Value -
net.ipv4.conf.default.arp_ignore
Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP...Value -
net.ipv4.conf.all.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets. Value -
net.ipv4.conf.all.rp_filter
Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense whe...Value -
net.ipv4.conf.all.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces. Value -
net.ipv4.conf.all.shared_media
Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...Value -
net.ipv4.conf.default.accept_redirects
Disable ICMP Redirect Acceptance? Value -
net.ipv4.conf.default.accept_source_route
Disable IP source routing? Value -
net.ipv4.conf.default.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets. Value -
net.ipv4.conf.default.shared_media
Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...Value -
net.ipv4.icmp_echo_ignore_broadcasts
Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast. Value -
net.ipv4.icmp_ignore_bogus_error_responses
Enable to prevent unnecessary logging. Value -
net.ipv4.tcp_syncookies
Enable to turn on TCP SYN Cookie Protection. Value -
Disable Accepting ICMP Redirects for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre> To mak...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre> ...Rule Medium Severity -
Configure ARP filtering for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.arp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_filter=<xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Configure Response Mode of ARP Requests for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.arp_ignore</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=<xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.log_martians</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.log_martians=1</pre> To make sure t...Rule Unknown Severity -
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</pre> To mak...Rule Medium Severity -
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=...Rule Medium Severity -
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.log_martians</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.log_martians=1</pre> To mak...Rule Unknown Severity -
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</pre> To make sure...Rule Medium Severity -
Remove ufw Package
The <code>ufw</code> package can be removed with the following command: <pre>$ apt-get remove ufw</pre>
Rule Medium Severity -
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre> To...Rule Medium Severity -
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_response...Rule Unknown Severity -
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> To make sure that the settin...Rule Medium Severity -
Network Parameters for Hosts Only
If the system is not going to be used as a router, then setting certain kernel parameters ensures that the host will not perform routing of network traffic. Group -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To...Rule Medium Severity -
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> To make sure that the setting is per...Rule Medium Severity -
Nftables Base Chain Hooks
The possible hooks which can be used to configure the base chain are: <code>ingress</code> (only in netdev family since Linux kernel 4.2, and inet family since Linux kernel 5.10): sees packets imm...Value -
Nftables Chain Names
The rules in nftables are attached to chains. Unlike in iptables, there are no predefined chains like INPUT, OUTPUT, etc. Instead, to filter packets at a particular processing step, a base chain ...Value -
Nftables Base Chain Policies
This is the default verdict that will be applied to packets reaching the end of the chain (i.e., no more rules to be evaluated against). Currently there are 2 policies: <code>accept</code> this ve...Value -
Nftables Base Chain Priorities
Each nftables base chain is assigned a priority that defines its ordering among other base chains, flowtables, and Netfilter internal operations at the same hook. For example, a chain on the prer...Value -
Nftables Base Chain Types
Base chains are those that are registered into the Netfilter hooks, i.e. these chains see packets flowing through the Linux TCP/IP stack. The possible chain types are: <code>filter</code>, which i...Value -
Nftables Families
Netfilter enables filtering at multiple networking levels. With iptables there is a separate tool for each level: iptables, ip6tables, arptables, ebtables. With nftables the multiple networking l...Value -
Nftables Master configuration file
The file which contains the top-level configuration for the nftables service, and with which the service is started. Value -
Nftables Tables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Value -
Verify ufw Enabled
The <code>ufw</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ufw.service</pre>
Rule Medium Severity -
Uninstall nftables package
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. The <code>nftables</code> package can be rem...Rule Medium Severity -
Verify nftables Service is Enabled
The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service. The <code>nftables</code> service can be enabled with the following command: <pre>...Rule Medium Severity -
Verify nftables Service is Disabled
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. The <code>nftables</code> service can be dis...Rule Medium Severity -
Ensure nftables Rules are Permanent
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the <xccdf-1.2:sub xmlns:xccdf-1.2="http://checkli...Rule Medium Severity -
Ensure Base Chains Exist for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Chains are containers for rules. They exist i...Rule Medium Severity -
Set nftables Configuration for Loopback Traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network. Rule Medium Severity -
Ensure a Table Exists for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families. Rule Medium Severity -
Uncomplicated Firewall (ufw)
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. iptables provide a compl...Group -
Install ufw Package
The <code>ufw</code> package can be installed with the following command: <pre>$ apt-get install ufw</pre>
Rule Medium Severity -
Ensure ufw Default Deny Firewall Policy
A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without an explicit allow before the default deny will be blocked. Rule Medium Severity