Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000142-GPOS-00071
Group -
The Ubuntu operating system must be configured to use TCP syncookies.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing ...
Rule Medium Severity -
SRG-OS-000184-GPOS-00078
Group -
The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state if system initialization fails, shutdown fails or aborts fail.
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by e...
Rule Medium Severity -
SRG-OS-000185-GPOS-00079
Group -
SRG-OS-000205-GPOS-00083
Group -
The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by th...
Rule Medium Severity -
SRG-OS-000206-GPOS-00084
Group -
The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog.
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or pla...
Rule Medium Severity -
SRG-OS-000206-GPOS-00084
Group -
SRG-OS-000206-GPOS-00084
Group -
SRG-OS-000206-GPOS-00084
Group -
The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm.
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or pla...
Rule Medium Severity -
SRG-OS-000206-GPOS-00084
Group -
The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog.
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or pla...
Rule Medium Severity -
SRG-OS-000206-GPOS-00084
Group -
The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or pla...
Rule Medium Severity -
SRG-OS-000258-GPOS-00099
Group -
SRG-OS-000258-GPOS-00099
Group -
The Ubuntu operating system must have directories that contain system commands owned by root.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operatio...
Rule Medium Severity -
SRG-OS-000258-GPOS-00099
Group -
SRG-OS-000259-GPOS-00100
Group -
The Ubuntu operating system library files must have mode 0755 or less permissive.
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part...
Rule Medium Severity -
SRG-OS-000259-GPOS-00100
Group -
SRG-OS-000259-GPOS-00100
Group -
The Ubuntu operating system library files must be owned by root.
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part...
Rule Medium Severity -
SRG-OS-000259-GPOS-00100
Group -
The Ubuntu operating system library files must be group-owned by root or a system account.
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part...
Rule Medium Severity -
SRG-OS-000259-GPOS-00100
Group -
The Ubuntu operating system library directories must be group-owned by root.
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part...
Rule Medium Severity -
SRG-OS-000269-GPOS-00103
Group -
The Ubuntu operating system must be configured to preserve log records from failure events.
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, i...
Rule Medium Severity -
SRG-OS-000297-GPOS-00115
Group -
SRG-OS-000297-GPOS-00115
Group -
SRG-OS-000355-GPOS-00143
Group -
The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
Rule Medium Severity -
SRG-OS-000356-GPOS-00144
Group -
The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
Rule Low Severity -
SRG-OS-000366-GPOS-00153
Group -
The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has bee...
Rule Medium Severity -
SRG-OS-000368-GPOS-00154
Group -
SRG-OS-000383-GPOS-00166
Group -
The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
Rule Low Severity -
SRG-OS-000396-GPOS-00176
Group -
SRG-OS-000403-GPOS-00182
Group -
The Ubuntu operating system must use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient secur...
Rule Medium Severity -
SRG-OS-000420-GPOS-00186
Group -
The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.
Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded cap...
Rule Medium Severity -
SRG-OS-000433-GPOS-00192
Group -
SRG-OS-000433-GPOS-00193
Group