Guide to the Secure Configuration of Ubuntu 22.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Install ufw Package
Theufwpackage can be installed with the following command:$ apt-get install ufw
Rule Medium Severity -
Remove ufw Package
Theufwpackage can be removed with the following command:$ apt-get remove ufw
Rule Medium Severity -
Verify ufw Enabled
Theufwservice can be enabled with the following command:$ sudo systemctl enable ufw.service
Rule Medium Severity -
Ensure ufw Default Deny Firewall Policy
A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit allow before the default deny will be blocked.Rule Medium Severity -
Set UFW Loopback Traffic
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.Rule Medium Severity -
Ensure ufw Firewall Rules Exist for All Open Ports
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.Rule Medium Severity -
Uncommon Network Protocols
The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences ca...Group -
Disable RDS Support
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the syst...Rule Low Severity -
Disable SCTP Support
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection...Rule Medium Severity -
Disable TIPC Support
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the <code>tipc</code> kernel module...Rule Low Severity -
Disable Wireless Through Software Configuration
If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following methods can disable software support for wireless ...Group -
Deactivate Wireless Network Interfaces
Deactivating wireless network interfaces should prevent normal usage of the wireless capability. <br> <br> Verify that there are no wireless interfaces configured on the system with the f...Rule Medium Severity -
Transport Layer Security Support
Support for Transport Layer Security (TLS), and its predecessor, the Secure Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package <code>openssl</code>). ...Group -
Only Allow DoD PKI-established CAs
The operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.Rule Medium Severity -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...Group -
Verify Permissions on /etc/audit/auditd.conf
To properly set the permissions of/etc/audit/auditd.conf, run the command:$ sudo chmod 0640 /etc/audit/auditd.conf
Rule Medium Severity -
Verify Permissions on /etc/audit/rules.d/*.rules
To properly set the permissions of/etc/audit/rules.d/*.rules, run the command:$ sudo chmod 0640 /etc/audit/rules.d/*.rules
Rule Medium Severity -
Verify Permissions on System.map Files
The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. In general,...Rule Low Severity -
Ensure No World-Writable Files Exist
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor f...Rule Medium Severity -
Verify Group Who Owns passwd File
To properly set the group owner of/etc/passwd, run the command:$ sudo chgrp root /etc/passwd
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.