Guide to the Secure Configuration of UnionTech OS Server 20
Rules, Groups, and Values defined within the XCCDF Benchmark
-
systemd-journald
systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sou...Group -
Remote Log Server
Specify an URI or IP address of a remote host where the log messages will be sent and stored.Value -
IPSec Support
Support for Internet Protocol Security (IPsec) is provided with Libreswan.Group -
net.ipv4.conf.default.shared_media
Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...Value -
IPv6
The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important featu...Group -
Disable Support for IPv6 Unless Needed
Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively pre...Group -
Disable IPv6 Networking Support Automatic Loading
To prevent the IPv6 kernel module (<code>ipv6</code>) from binding to the IPv6 networking stack, add the following line to <code>/etc/modprobe.d/disabled.conf</code> (or another file in <code>/etc/...Rule Medium Severity -
Disable IPv6 Addressing on All IPv6 Interfaces
To disable support for (<code>ipv6</code>) addressing on all interface add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>net.ipv6....Rule Medium Severity -
Disable IPv6 Addressing on IPv6 Interfaces by Default
To disable support for (<code>ipv6</code>) addressing on interfaces by default add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>n...Rule Medium Severity -
Kernel Parameters Which Affect Networking
Thesysctlutility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.Group -
Network Related Kernel Runtime Parameters for Hosts and Routers
Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability defend against certain types of IPv4 protocol attacks.Group -
net.ipv4.conf.default.arp_filter
Controls whether the ARP filter is enabled or not. 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not t...Value -
net.ipv4.conf.default.arp_ignore
Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP...Value -
net.ipv4.conf.all.shared_media
Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...Value -
Uncomplicated Firewall (ufw)
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a compl...Group -
Verify Permissions on Important Files and Directories
Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verifie...Group -
Ensure All SUID Executables Are Authorized
The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installe...Rule Medium Severity -
Ensure No World-Writable Files Exist
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor f...Rule Medium Severity -
Verify Permissions on Files with Local Account Information and Credentials
The default restrictive permissions for files which act as important security databases such as <code>passwd</code>, <code>shadow</code>, <code>group</code>, and <code>gshadow</code> files must be ...Group -
Verify Permissions on /var/log/syslog File
To properly set the permissions of/var/log/syslog, run the command:$ sudo chmod 0640 /var/log/syslog
Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.