Guide to the Secure Configuration of Ubuntu 22.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify ownership of Message of the Day Banner
To properly set the owner of/etc/motd, run the command:$ sudo chown root /etc/motd
Rule Medium Severity -
Action for auditd to take when disk errors
'The setting for disk_error_action in /etc/audit/auditd.conf, if multiple values are allowed write them separated by pipes as in "syslog|single|hal...Value -
Verify permissions on System Login Banner
To properly set the permissions of/etc/issue, run the command:$ sudo chmod 0644 /etc/issue
Rule Medium Severity -
Verify permissions on System Login Banner for Remote Connections
To properly set the permissions of/etc/issue.net, run the command:$ sudo chmod 0644 /etc/issue.net
Rule Medium Severity -
Verify permissions on Message of the Day Banner
To properly set the permissions of/etc/motd, run the command:$ sudo chmod 0644 /etc/motd
Rule Medium Severity -
Implement a GUI Warning Banner
In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager ...Group -
Enable GNOME3 Login Warning Banner
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login scr...Rule Medium Severity -
Set the GNOME3 Login Warning Banner Text
In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on th...Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...Group -
Password Hashing algorithm
Specify the system default encryption algorithm for encrypting passwords. Defines the value set as ENCRYPT_METHOD in /etc/login.defs.Value -
remember
The last n passwords for each user are saved in <code>/etc/security/opasswd</code> in order to force password change history and keep the user from...Value -
Action for auditd to take when disk is full
'The setting for disk_full_action in /etc/audit/auditd.conf, if multiple values are allowed write them separated by pipes as in "syslog|single|halt...Value -
Disallow Configuration to Bypass Password Requirements for Privilege Escalation
Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/...Rule Medium Severity -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...Group -
fail_deny
Number of failed login attempts before account lockoutValue -
faillock directory
The directory where the user files with the failure records are keptValue -
fail_interval
Interval for counting failed login attempts before account lockoutValue -
fail_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
tally2_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
faildelay_delay
Delay next login attempt after a failed loginValue -
pwhistory_remember
Prevent password re-use using password history lookupValue -
PAM pwhistory remember - control flag
'Specify the control flag required for password remember requirement. If multiple values are allowed write them separated by commas as in "required...Value -
tally2
Number of failed login attemptsValue -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Account Lockouts Must Persist
By setting a `dir` in the faillock configuration account lockouts will persist across reboots.Rule Medium Severity -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <...Rule Medium Severity -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Auditd priority for flushing data to disk
The setting for flush in /etc/audit/auditd.confValue -
Set Interval For Counting Failed Password Attempts
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of inc...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements, if using pam_cracklib
The <code>pam_cracklib</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <code...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...Group -
dcredit
Minimum number of digits in passwordValue -
dictcheck
Prevent the use of dictionary words for passwords.Value -
difok
Minimum number of characters not present in old passwordValue -
lcredit
Minimum number of lower case in passwordValue -
maxclassrepeat
Maximum Number of Consecutive Repeating Characters in a Password From the Same Character ClassValue -
maxrepeat
Maximum Number of Consecutive Repeating Characters in a PasswordValue -
minclass
Minimum number of categories of characters that must exist in a passwordValue -
minlen
Minimum number of characters in passwordValue -
ocredit
Minimum number of other (special characters) in passwordValue -
retry
Number of retry attempts before erroring outValue -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character t...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/com...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.