Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The Ubuntu operating system must retain a users session lock until that user reestablishes access using established identification and authentication procedures.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...Rule Medium Severity -
The Ubuntu operating system must be configured for users to directly initiate a session lock for all connection types.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...Rule Medium Severity -
The Ubuntu operating system must monitor remote access methods.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access man...Rule Medium Severity -
The Ubuntu operating system must enforce SSHv2 for network access to all accounts.
A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials mu...Rule High Severity -
The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity.
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i....Rule Medium Severity -
The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit...Rule Medium Severity -
The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authenticat...Rule Medium Severity -
The Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users wi...Rule Medium Severity -
The Ubuntu operating system must automatically expire temporary accounts within 72 hours.
Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the nee...Rule Low Severity -
The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can only read and modify their own files.
Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.