Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000163-GPOS-00072
<GroupDescription></GroupDescription>Group -
Ubuntu 22.04 LTS must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personn...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH clien...Rule High Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.
<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display ...Rule Medium Severity -
SRG-OS-000033-GPOS-00014
<GroupDescription></GroupDescription>Group -
SRG-OS-000378-GPOS-00163
<GroupDescription></GroupDescription>Group -
Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.
<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When op...Rule Medium Severity -
Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potenti...Rule Medium Severity -
SRG-OS-000250-GPOS-00093
<GroupDescription></GroupDescription>Group -
Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote...Rule Medium Severity -
SRG-OS-000033-GPOS-00014
<GroupDescription></GroupDescription>Group -
Ubuntu 22.04 LTS SSH server must be configured to use only FIPS-validated key exchange algorithms.
<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed an...Rule Medium Severity -
SRG-OS-000125-GPOS-00065
<GroupDescription></GroupDescription>Group -
Ubuntu 22.04 LTS must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.
<VulnDiscussion>Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network,...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
<GroupDescription></GroupDescription>Group -
SRG-OS-000002-GPOS-00002
<GroupDescription></GroupDescription>Group -
Ubuntu 22.04 LTS must enable the graphical user logon banner to display the Standard Mandatory DOD Notice and Consent Banner before granting local access to the system via a graphical user logon.
<VulnDiscussion>Display of a standardized and approved use notification before granting access to Ubuntu 22.04 LTS ensures privacy and securi...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.