Guide to the Secure Configuration of Ubuntu 22.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Enable PAM
UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentica...Rule Medium Severity -
Enable Use of Strict Mode Checking
SSHs <code>StrictModes</code> option checks file and ownership permissions in the user's home directory <code>.ssh</code> folder before accepting l...Rule Medium Severity -
Enable SSH Warning Banner
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-...Rule Medium Severity -
Enable SSH Warning Banner
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>...Rule Medium Severity -
Enable Encrypted X11 Forwarding
By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's <...Rule High Severity -
Limit Users' SSH Access
By default, the SSH configuration allows any user with an account to access the system. There are several options available to limit which users an...Rule Unknown Severity -
Enable SSH Print Last Log
Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date a...Rule Medium Severity -
Force frequent session key renegotiation
The <code>RekeyLimit</code> parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be trans...Rule Medium Severity -
Test in Non-Production Environment
This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which t...Group -
Ensure SSH LoginGraceTime is configured
The <code>LoginGraceTime</code> parameter to the SSH server specifies the time allowed for successful authentication to the SSH server. The longer ...Rule Medium Severity -
Set SSH Daemon LogLevel to VERBOSE
The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct t...Rule Medium Severity -
Set SSH authentication attempt limit
The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failur...Rule Medium Severity -
Set SSH MaxSessions limit
The <code>MaxSessions</code> parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit <co...Rule Medium Severity -
Ensure SSH MaxStartups is configured
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be ...Rule Medium Severity -
Use Only FIPS 140-2 Validated Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-app...Rule Medium Severity -
Enable Use of Privilege Separation
When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH...Rule Medium Severity -
Use Only Strong Ciphers
Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in <code>/et...Rule Medium Severity -
Use Only Strong Key Exchange algorithms
Limit the Key Exchange to strong algorithms. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those: <pre>KexAlgorithms ...Rule Medium Severity -
Strengthen Firewall Configuration if Possible
If the SSH server is expected to only receive connections from the local network, then strengthen the default firewall rule for the SSH service to ...Group -
System Security Services Daemon
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...Group -
SSSD certificate_verification option
Value of the certificate_verification option in the SSSD config.Value -
SSSD memcache_timeout option
Value of the memcache_timeout option in the [nss] section of SSSD config /etc/sssd/sssd.conf.Value -
SSSD ssh_known_hosts_timeout option
Value of the ssh_known_hosts_timeout option in the [ssh] section of SSSD configuration file /etc/sssd/sssd.conf.Value -
Configure SSSD to Expire Offline Credentials
SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credential...Rule Medium Severity -
System Security Services Daemon (SSSD) - LDAP
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...Group -
SSSD LDAP Backend Client CA Certificate Location
Path of a directory that contains Certificate Authority certificates.Value -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Disable X Windows
Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and ...Group -
Remove the X Windows Package Group
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot ...Rule Medium Severity -
Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for the Ubuntu 22.04 operating system. Recommended ...Group -
General Principles
The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not expli...Group -
Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...Group -
Least Privilege
Grant the least privilege necessary for user accounts and software to perform tasks. For example, <code>sudo</code> can be implemented to limit aut...Group -
Minimize Software to Minimize Vulnerability
The simplest way to avoid vulnerabilities in software is to avoid installing that software. On Ubuntu 22.04,the Package Manager (originally <a href...Group -
Run Different Network Services on Separate Systems
Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compro...Group -
Configure Security Tools to Improve System Robustness
Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve rob...Group -
How to Use This Guide
Readers should heed the following points when using the guide.Group -
Formatting Conventions
Commands intended for shell execution, as well as configuration file text, are featured in a <code>monospace font</code>. <i>Italics</i> are used t...Group -
Read Sections Completely and in Order
Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instr...Group -
Reboot Required
A system reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the changes will n...Group -
SSH Strong MACs by FIPS
Specify the FIPS approved MACs (Message Authentication Code) algorithms that are used for data integrity protection by the SSH server.Value -
Enforce Usage of pam_wheel with Group Parameter for su Authentication
To ensure that only users who are members of the group set in the <code>group</code> option of <code>pam_wheel.so</code> module can run commands wi...Rule Medium Severity -
Ensure users own their home directories
The user home directory is space defined for the particular user to set local environment variables and to store personal files. Since the user is ...Rule Medium Severity -
Ensure /dev/shm is configured
The <code>/dev/shm</code> is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) ca...Rule Low Severity -
Ensure PAM Displays Last Logon/Access Notification
To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...Rule Low Severity -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...Rule High Severity -
Verify No .forward Files Exist
The.forwardfile specifies an email address to forward the user's mail to.Rule Medium Severity -
Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
Ensure that the group <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"></xccdf-1.2:sub></cod...Rule Medium Severity -
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.