Guide to the Secure Configuration of Ubuntu 22.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Direct root Logins Not Allowed
To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty</code> file. This file lists all devices the root...Rule Medium Severity -
Ensure that System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be grant...Rule Medium Severity -
Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurr...Rule Low Severity -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The <code>...Rule Medium Severity -
All Interactive Users Home Directories Must Exist
Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in <code>/etc/pass...Rule Medium Severity -
Ensure that No Dangerous Directories Exist in Root's Path
The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-separated list of directories in the path. <br> ...Group -
Verify Owner on the journalctl Command
Verify that the "journalctl" command is owned by "root" by using the following command: <pre> $ sudo find /usr/bin/journalctl -exec stat -c "%n %U" {} \; </pre> If any output returned is not owned ...Rule Medium Severity -
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and directories created by users will not be readable by an...Group -
Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: <pre>umask <xccdf...Rule Medium Severity -
AppArmor
Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privileges that attackers want to possess. The program fails to keep that trust if there is a bug in ...Group -
Ensure AppArmor is Active and Configured
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br> <br> The <code>apparmor</code> service can be enabled with the fo...Rule Medium Severity -
Disable Recovery Booting
Ubuntu 22.04 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABLE_RECOVERY</code> configuration option in <code>/etc/default/gru...Rule Medium Severity -
IOMMU configuration directive
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. To ensure that <code>iomm...Rule Unknown Severity -
Configure L1 Terminal Fault mitigations
L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Cache when the page table entry isn't present. Sele...Rule High Severity -
Ensure SMEP is not disabled during boot
The SMEP is used to prevent the supervisor mode from executing user space code, it is enabled by default since Linux kernel 3.0. But it could be disabled through kernel boot parameters. Ensure tha...Rule Medium Severity -
Disable merging of slabs with similar size
The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs separate and reduces the risk of kernel heap overflo...Rule Medium Severity -
Configure Speculative Store Bypass Mitigation
Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In such cases, recent stores to the same memory loca...Rule Medium Severity -
Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
For each solid-state drive on the system, run:# echo 0 > /sys/block/DRIVE/queue/add_random
Rule Medium Severity -
Configure Low Address Space To Protect From User Allocation
This is the portion of low virtual memory which should be protected from userspace allocation. This configuration is available from kernel 3.14, but may be available if backported by distros. The ...Rule Medium Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...Group -
Verify Group Who Owns the system journal
Verify the /run/log/journal and /var/log/journal files are group-owned by "systemd-journal" by using the following command: <pre> $ sudo find /run/log/journal /var/log/journal -type f -exec stat -...Rule Medium Severity -
Ensure Proper Configuration of Log Files
The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of a <i>selector</i> and an <i>action</i>. These rul...Group -
Ensure Rsyslog Authenticates Off-Loaded Audit Records
Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this uti...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by <code>rsyslog</code> should be <code>adm</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> an...Rule Medium Severity -
Ensure remote access methods are monitored in Rsyslog
Logging of remote access methods must be implemented to help identify cyber attacks and ensure ongoing compliance with remote access policies are being audited and upheld. An examples of a remote a...Rule Medium Severity -
Verify group-owner of system journal directories
Verify the /run/log/journal and /var/log/journal directories are group-owned by "systemd-journal" by using the following command: <pre> $ sudo find /run/log/journal /var/log/journal -type d -exec ...Rule Medium Severity -
Verify owner of system journal directories
Verify the /run/log/journal and /var/log/journal directories are owned by "root" by using the following command: <pre> $ sudo find /run/log/journal /var/log/journal -type d -exec stat -c "%n %U" {...Rule Medium Severity -
Verify Permissions on the system journal directories
Verify the /run/log/journal and /var/log/journal directories have permissions set to "2750" or less permissive by using the following command: <pre> $ sudo find /run/log/journal /var/log/journal -...Rule Medium Severity -
Verify Owner on the system journal
Verify the /run/log/journal and /var/log/journal files are owned by "root" by using the following command: <pre> $ sudo find /run/log/journal /var/log/journal -type f -exec stat -c "%n %U" {} \; <...Rule Medium Severity -
Verify Permissions on the journal command
Verify that the "journalctl" command has a permission set of "740" by using the following command: <pre> $ sudo find /usr/bin/journalctl -exec stat -c "%n %a" {} \; </pre> If "journalctl" is not s...Rule Medium Severity -
Verify Permissions on the system journal
Verify all files in the /run/log/journal and /var/log/journal directories have permissions set to "640" or less permissive by using the following command: <pre> $ sudo find /run/log/journal /var/lo...Rule Medium Severity -
Ensure All Logs are Rotated by logrotate
Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spoole...Group -
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <code>/etc/r...Rule Unknown Severity -
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server
The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <code>/etc/r...Rule Unknown Severity -
iptables and ip6tables
A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program <code...Group -
Inspect and Activate Default Rules
View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analogous for <code>ip6tables</code>. <br> <br> ...Group -
Strengthen the Default Ruleset
The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files <code>iptables</code> and <code>ip6tables</code> in t...Group -
Configure Accepting Router Advertisements on All IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0</pre> To make sure that th...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> ...Rule Medium Severity -
Disable Accepting Packets Routed Between Local Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_local</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_local=0</pre> To make sure t...Rule Medium Severity -
Disable Accepting ICMP Redirects for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre> To mak...Rule Medium Severity -
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre> ...Rule Medium Severity -
Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.shared_media</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.shared_media=<xccdf-1.2:sub idref="...Rule Medium Severity -
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> To make sure that the settin...Rule Medium Severity -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> To...Rule Medium Severity -
Install nftables Package
nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Ne...Rule Medium Severity -
Ensure a Table Exists for Nftables
Tables in nftables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of six families.Rule Medium Severity -
Verify ufw Active
Verify the ufw is enabled on the system with the following command:# sudo ufw status
If the above command returns the status as "inactive" or any type of error, this is a finding.Rule Medium Severity -
Only Allow Authorized Network Services in ufw
Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: <pre>$ sudo ufw show raw Chain OUTPUT (policy ACCEP...Rule Medium Severity -
Enable Kernel Parameter to Enforce DAC on Hardlinks
To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_hardlinks=1</pre> To make sure that the setting ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules