Guide to the Secure Configuration of Ubuntu 22.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in <code>/usr/share/doc/pam-VERSIO...Group -
Enforce Delay After Failed Logon Attempts
To configure the system to introduce a delay after failed logon attempts, add or correct the <code>pam_faildelay</code> settings in <code>/etc/pam.d/common-auth</code> to make sure its <code>delay<...Rule Medium Severity -
Configure Periodic Execution of AIDE
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * * root ...Rule Medium Severity -
Endpoint Protection Software
Endpoint protection security software that is not provided or supported by Canonical can be installed to provide complementary or duplicative security capabilities to those provided by the base p...Group -
Install McAfee Endpoint Security for Linux (ENSL)
Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. The <code>mfetp</code> ...Rule Medium Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning sc...Group -
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphically rather than textually. The GNOME Graphical D...Group -
Configure GNOME3 DConf User Profile
By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf ...Rule High Severity -
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock</b>. <br> <br> The following sections deta...Group -
Verify Groupowner on the journalctl command
Verify that the "journalctl" command is group-owned by "root" by using the following command: <pre> $ sudo find /usr/bin/journalctl -exec stat -c "%n %G" {} \; </pre> If any output returned is not ...Rule Medium Severity -
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
By default, <code>GNOME</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br> <br> To configure the system to ignore the <code>Ctrl-Alt-Del</code> ke...Rule High Severity -
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authe...Rule Medium Severity -
Ensure Users Re-Authenticate for Privilege Escalation - sudo
The sudo <code>NOPASSWD</code> and <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making ...Rule Medium Severity -
Explicit arguments in sudo specifications
All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in...Rule Medium Severity -
Ensure gnutls-utils is installed
Thegnutls-utilspackage can be installed with the following command:$ apt-get install gnutls-utils
Rule Medium Severity -
Updating Software
The <code>apt_get</code> command line tool is used to install and update software packages. The system also provides a graphical software update tool in the <b>System</b> menu, in the <b>Administra...Group -
Modify the System Login Banner
To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is ei...Rule Medium Severity -
Modify the System Login Banner for Remote Connections
To configure the system login banner edit <code>/etc/issue.net</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is ...Rule Medium Severity -
Verify permissions on System Login Banner
To properly set the permissions of/etc/issue, run the command:$ sudo chmod 0644 /etc/issue
Rule Medium Severity -
Verify permissions on System Login Banner for Remote Connections
To properly set the permissions of/etc/issue.net, run the command:$ sudo chmod 0644 /etc/issue.net
Rule Medium Severity -
Enable GNOME3 Login Warning Banner
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting <code>banner-message-enable</code> ...Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it sh...Group -
Password Hashing algorithm for pam_unix.so
Specify the system default encryption algorithm for encrypting passwords. Defines the hashing algorithm to be used in pam_unix.so.Value -
Install pam_pwquality Package
Thelibpam-pwqualitypackage can be installed with the following command:$ apt-get install libpam-pwquality
Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so module requires multiple entries in pam files. Th...Rule Medium Severity -
Do Not Show System Messages When Unsuccessful Logon Attempts Occur
This rule ensures the system prevents informative messages from being presented to the user pertaining to logon information after a number of incorrect login attempts using <code>pam_faillock.so</c...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_faillock.so</code>. Ensure that the file <code>/etc/s...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
The pam_pwquality module'sdictcheckcheck if passwords contains dictionary words. Whendictcheckis set to1passwords will be checked for dictionary words.Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Characters
The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password during a password change. <br> <br> Modify...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Enforcing
Verify that the operating system uses "pwquality" to enforce the password complexity rules. Verify the pwquality module is being enforced by operating system by running the following command: <pre...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is consider...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contai...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the <code>password</code> section of the file controls which PAM modu...Rule Medium Severity -
Check that vlock is installed to allow session locking
The Ubuntu 22.04 operating system must have vlock installed to allow for session locking. The <code>vlock</code> package can be installed with the following command: <pre> $ apt-get install vlock...Rule Medium Severity -
Install the opensc Package For Multifactor Authentication
Theopensc-pkcs11package can be installed with the following command:$ apt-get install opensc-pkcs11
Rule Medium Severity -
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>libpam-pkcs11</code> package can be installed with t...Rule Medium Severity -
Configure Smart Card Certificate Authority Validation
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>/etc/pam_pkcs11/pam_pkcs11.conf</code> to include ...Rule Medium Severity -
Configure Smart Card Certificate Status Checking
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>/etc/pam_pkcs11/pam_pkcs11.conf</code> to include ...Rule Medium Severity -
Configure Smart Card Local Cache of Revocation Data
Configure the operating system for PKI-based authentication to use local revocation data when unable to access the network to obtain it remotely. Modify all of the <code>cert_policy</code> lines in...Rule Medium Severity -
Enable Smart Card Logins in PAM
This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to a...Rule Medium Severity -
Verify that 'use_mappers' is set to 'pwent' in PAM
The operating system must map the authenticated identity to the user or group account for PKI-based authentication. Verify that <code>use_mappers</code> is set to <code>pwent</code> in <code>/etc/...Rule Low Severity -
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after in...Group -
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in <code>/etc/default/useradd</code>:...Rule Medium Severity -
Assign Expiration Date to Temporary Accounts
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary accounts are required, configure the system t...Rule Medium Severity -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...Group -
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <xccdf-1.2:sub idref="xccdf_org.ssgproj...Rule Medium Severity -
Ensure sudo group has only necessary members
Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software developmen...Rule Medium Severity -
Ensure no duplicate UIDs exist
Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Users must be ass...Rule Medium Severity -
Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
Ensure that the group <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"></xccdf-1.2:sub></code> referenced by <code>var_pam_wheel_group_for_su<...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.