Skip to content
Log In

Guide to the Secure Configuration of Ubuntu 22.04

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure journald is configured to compress large log files

    The journald system can compress large log files to avoid fill the system disk.
    Rule Medium Severity
    Show

  • Ensure journald is configured to write log files to persistent disk

    The journald system may store log files in volatile memory or locally on disk. If the logs are only stored in volatile memory they will we lost upon reboot.
    Rule Medium Severity
    Show

  • Disable systemd-journal-remote Socket

    Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: The same package, systemd-journal-remot...
    Rule Medium Severity
    Show

  • Ensure logrotate is Installed

    logrotate is installed by default. The logrotate package can be installed with the following command: 
     $ apt-get install logrotate
    Rule Medium Severity
    Show

  • Ensure Logrotate Runs Periodically

    The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate.conf</code>, which triggers a cron task or a timer...
    Rule Medium Severity
    Show

  • Configure rsyslogd to Accept Remote Messages If Acting as a Log Server

    By default, <code>rsyslog</code> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the ...
    Group
    Show

  • Ensure syslog-ng is Installed

    syslog-ng can be installed in replacement of rsyslog. The syslog-ng-core package can be installed with the following command: 
    $ apt-get install syslog-ng-core
    Rule Medium Severity
    Show

  • Enable syslog-ng Service

    The <code>syslog-ng</code> service (in replacement of rsyslog) provides syslog-style logging by default on Debian. The <code>syslog-ng</code> service can be enabled with the following command: <pr...
    Rule Medium Severity
    Show

  • Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

    The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure any of the following lines are <i...
    Rule Medium Severity
    Show

  • Rsyslog Logs Sent To Remote Host

    If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a system may delete the log e...
    Group
    Show

  • Remote Log Server

    Specify an URI or IP address of a remote host where the log messages will be sent and stored.
    Value
    Show

  • Ensure Logs Sent To Remote Host

    To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary...
    Rule Medium Severity
    Show

  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...
    Group
    Show

  • Install iptables-persistent Package

    The iptables-persistent package can be installed with the following command: 
    $ apt-get install iptables-persistent
    Rule Medium Severity
    Show

  • Install iptables Package

    The iptables package can be installed with the following command: 
    $ apt-get install iptables
    Rule Medium Severity
    Show

  • Remove iptables-persistent Package

    The iptables-persistent package can be removed with the following command: 
    $ apt-get remove iptables-persistent
    Rule Medium Severity
    Show

  • Verify ip6tables Enabled if Using IPv6

    The ip6tables service can be enabled with the following command: 
    $ sudo systemctl enable ip6tables.service
    Rule Medium Severity
    Show

  • Verify iptables Enabled

    The iptables service can be enabled with the following command: 
    $ sudo systemctl enable iptables.service
    Rule Medium Severity
    Show

  • Set Default ip6tables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/ip6tables</code>: <pre...
    Rule Medium Severity
    Show

  • Set configuration for IPv6 loopback traffic

    Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
    Rule Medium Severity
    Show

  • Kernel Parameters Which Affect Networking

    The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.
    Group
    Show

  • Set configuration for loopback traffic

    Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
    Rule Medium Severity
    Show

  • Ensure ip6tables Firewall Rules Exist for All Open Ports

    Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
    Rule Medium Severity
    Show

  • Ensure iptables Firewall Rules Exist for All Open Ports

    Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
    Rule Medium Severity
    Show

  • Set Default iptables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/iptables</code>: <pre>...
    Rule Medium Severity
    Show

  • Set Default iptables Policy for Forwarded Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line ...
    Rule Medium Severity
    Show

  • Disable IPv6 Networking Support Automatic Loading

    To prevent the IPv6 kernel module (<code>ipv6</code>) from binding to the IPv6 networking stack, add the following line to <code>/etc/modprobe.d/disabled.conf</code> (or another file in <code>/etc/...
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on All IPv6 Interfaces

    To disable support for (<code>ipv6</code>) addressing on all interface add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>net.ipv6....
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on IPv6 Interfaces by Default

    To disable support for (<code>ipv6</code>) addressing on interfaces by default add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>n...
    Rule Medium Severity
    Show

  • Configure IPv6 Settings if Necessary

    A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually...
    Group
    Show

  • net.ipv6.conf.all.accept_ra

    Accept all router advertisements?
    Value
    Show

  • net.ipv6.conf.all.accept_redirects

    Toggle ICMP Redirect Acceptance
    Value
    Show

  • net.ipv6.conf.all.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • net.ipv6.conf.all.forwarding

    Toggle IPv6 Forwarding
    Value
    Show

  • net.ipv6.conf.default.accept_ra

    Accept default router advertisements by default?
    Value
    Show

  • net.ipv6.conf.default.accept_redirects

    Toggle ICMP Redirect Acceptance By Default
    Value
    Show

  • net.ipv6.conf.default.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • Disable Accepting ICMP Redirects for All IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</pre> To mak...
    Rule Medium Severity
    Show

  • Disable Kernel Parameter for IPv6 Forwarding

    To set the runtime status of the <code>net.ipv6.conf.all.forwarding</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.forwarding=0</pre> To make sure that ...
    Rule Medium Severity
    Show

  • Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0</pre> To make sure...
    Rule Medium Severity
    Show

  • Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0</pre...
    Rule Medium Severity
    Show

  • Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=...
    Rule Medium Severity
    Show

  • net.ipv4.conf.default.arp_filter

    Controls whether the ARP filter is enabled or not. 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not t...
    Value
    Show

  • net.ipv4.conf.default.arp_ignore

    Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP...
    Value
    Show

  • net.ipv4.conf.all.log_martians

    Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
    Value
    Show

  • net.ipv4.conf.all.rp_filter

    Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense whe...
    Value
    Show

  • net.ipv4.conf.all.secure_redirects

    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.
    Value
    Show

  • net.ipv4.conf.all.shared_media

    Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...
    Value
    Show

  • net.ipv4.conf.default.accept_redirects

    Disable ICMP Redirect Acceptance?
    Value
    Show

  • net.ipv4.conf.default.accept_source_route

    Disable IP source routing?
    Value
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules