Guide to the Secure Configuration of Ubuntu 22.04
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Enact SMTP Relay Restrictions
To configure Postfix to restrict addresses to which it will send mail, see: <a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">h...Group -
Use TLS for SMTP AUTH
Postfix provides options to use TLS for certificate-based authentication and encrypted sessions. An encrypted session protects the information that...Group -
Configure Trusted Networks and Hosts
Edit <code>/etc/postfix/main.cf</code>, and configure the contents of the <code>mynetworks</code> variable in one of the following ways: <ul> <li>I...Group -
Require SMTP AUTH Before Relaying from Untrusted Clients
SMTP authentication allows remote clients to relay mail safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses a...Group -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...Group -
Uninstall nfs-kernel-server Package
Thenfs-kernel-serverpackage can be removed with the following command:$ apt-get remove nfs-kernel-server
Rule Low Severity -
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...Group -
Disable netfs if Possible
To determine if any network filesystems handled by netfs are currently mounted on the system execute the following command: <pre>$ mount -t nfs,nfs...Group -
Disable Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these fil...Rule Unknown Severity -
Disable Services Used Only by NFS
If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...Group -
Uninstall rpcbind Package
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...Rule Low Severity -
Configure All Systems which Use NFS
The steps in this section are appropriate for all systems which run NFS, whether they operate as clients or as servers.Group -
Make Each System a Client or a Server, not Both
If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary s...Group -
Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never b...Group -
Mount Remote Filesystems with Restrictive Options
Edit the file <code>/etc/fstab</code>. For each filesystem whose type (column 3) is <code>nfs</code> or <code>nfs4</code>, add the text <code>,node...Group -
Configure NFS Servers
The steps in this section are appropriate for systems which operate as NFS servers.Group -
Ensure All-Squashing Disabled On All Exports
The <code>all_squash</code> maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the <code>all_squash<...Rule Low Severity -
Configure the Exports File Restrictively
Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems and directories may be accessed via NFS. (See the <c...Group -
Export Filesystems Read-Only if Possible
If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exp...Group -
Use Access Lists to Enforce Authorization Restrictions
When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains a list of hosts which are allowed to access that e...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.