Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000070-GPOS-00038

    Group
  • SRG-OS-000071-GPOS-00039

    Group
  • The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Low Severity
  • SRG-OS-000072-GPOS-00040

    Group
  • The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.

    If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attemp...
    Rule Low Severity
  • SRG-OS-000078-GPOS-00046

    Group
  • The Ubuntu operating system must enforce a minimum 15-character password length.

    The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effective...
    Rule Medium Severity
  • SRG-OS-000266-GPOS-00101

    Group
  • The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting ...
    Rule Low Severity
  • SRG-OS-000480-GPOS-00225

    Group
  • SRG-OS-000480-GPOS-00225

    Group
  • SRG-OS-000066-GPOS-00034

    Group
  • The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative ent...
    Rule Medium Severity
  • SRG-OS-000375-GPOS-00160

    Group
  • SRG-OS-000376-GPOS-00161

    Group
  • The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.

    The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication...
    Rule Medium Severity
  • SRG-OS-000377-GPOS-00162

    Group
  • The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials.

    The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication...
    Rule Medium Severity
  • SRG-OS-000077-GPOS-00045

    Group
  • SRG-OS-000329-GPOS-00128

    Group
  • The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the a...
    Rule Low Severity
  • SRG-OS-000446-GPOS-00200

    Group
  • SRG-OS-000480-GPOS-00226

    Group
  • The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.

    Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
    Rule Low Severity
  • SRG-OS-000004-GPOS-00004

    Group
  • The Ubuntu operating system must permit only authorized groups ownership of the audit log files.

    Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit rec...
    Rule Medium Severity
  • SRG-OS-000059-GPOS-00029

    Group
  • SRG-OS-000004-GPOS-00004

    Group
  • The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    Group
  • The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    Group
  • The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    Group
  • The Ubuntu operating system must be configured so that the audit log directory is not write-accessible by unauthorized users.

    If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity...
    Rule Medium Severity
  • SRG-OS-000046-GPOS-00022

    Group
  • The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...
    Rule Medium Severity
  • SRG-OS-000047-GPOS-00023

    Group
  • SRG-OS-000057-GPOS-00027

    Group
  • The Ubuntu operating system must be configured so that audit log files are not read or write-accessible by unauthorized users.

    Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit rec...
    Rule Medium Severity
  • SRG-OS-000057-GPOS-00027

    Group
  • The Ubuntu operating system must be configured to permit only authorized users ownership of the audit log files.

    Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit rec...
    Rule Medium Severity
  • SRG-OS-000057-GPOS-00027

    Group
  • SRG-OS-000063-GPOS-00032

    Group
  • The Ubuntu operating system must permit only authorized accounts to own the audit configuration files.

    Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured ...
    Rule Medium Severity
  • SRG-OS-000063-GPOS-00032

    Group
  • The Ubuntu operating system must permit only authorized groups to own the audit configuration files.

    Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured ...
    Rule Medium Severity
  • SRG-OS-000064-GPOS-00033

    Group
  • The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • SRG-OS-000064-GPOS-00033

    Group
