Skip to content

Standard System Security Profile for Ubuntu 16.04

Rules and Groups employed by this XCCDF Profile

  • System Settings

    Contains rules that check correct system settings.
    Group
  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...
    Group
  • Disk Partitioning

    To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...
    Group
  • Ensure /home Located On Separate Partition

    If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using...
    Rule Low Severity
  • Ensure /tmp Located On Separate Partition

    The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at...
    Rule Low Severity
  • Ensure /var Located On Separate Partition

    The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has i...
    Rule Low Severity
  • Ensure /var/log Located On Separate Partition

    System logs are stored in the <code>/var/log</code> directory. Ensure that <code>/var/log</code> has its own partition or logical volume at instal...
    Rule Low Severity
  • Ensure /var/log/audit Located On Separate Partition

    Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volum...
    Rule Low Severity
  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Ensure the audit Subsystem is Installed

    The audit package should be installed.
    Rule Medium Severity
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...
    Group
  • Ensure rsyslog is Installed

    Rsyslog is installed by default. The rsyslog package can be installed with the following command:
     $ apt-get install rsyslog
    Rule Medium Severity
  • Enable rsyslog Service

    The <code>rsyslog</code> service provides syslog-style logging by default on Ubuntu 16.04. The <code>rsyslog</code> service can be enabled with th...
    Rule Medium Severity
  • Ensure Proper Configuration of Log Files

    The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of...
    Group
  • Ensure Log Files Are Owned By Appropriate Group

    The group-owner of all log files written by <code>rsyslog</code> should be <code>adm</code>. These log files are determined by the second part of e...
    Rule Medium Severity
  • Ensure Log Files Are Owned By Appropriate User

    The owner of all log files written by <code>rsyslog</code> should be <code>adm</code>. These log files are determined by the second part of each ...
    Rule Medium Severity
  • Ensure System Log Files Have Correct Permissions

    The file permissions for all log files written by <code>rsyslog</code> should be set to 640, or more restrictive. These log files are determined by...
    Rule Medium Severity
  • Ensure All Logs are Rotated by logrotate

    Edit the file <code>/etc/logrotate.d/rsyslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/messag...
    Group
  • Ensure Logrotate Runs Periodically

    The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate....
    Rule Medium Severity
  • File Permissions and Masks

    Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which t...
    Group
  • Verify Permissions on Important Files and Directories

    Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses impo...
    Group
  • Verify that local System.map file (if exists) is readable only by root

    Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need ...
    Rule Unknown Severity
  • Enable Kernel Parameter to Enforce DAC on Hardlinks

    To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protecte...
    Rule Medium Severity
  • Enable Kernel Parameter to Enforce DAC on Symlinks

    To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected...
    Rule Medium Severity
  • Verify Permissions on Files with Local Account Information and Credentials

    The default restrictive permissions for files which act as important security databases such as <code>passwd</code>, <code>shadow</code>, <code>gro...
    Group
  • Verify Group Who Owns group File

    To properly set the group owner of /etc/group, run the command:
    $ sudo chgrp root /etc/group
    Rule Medium Severity
  • Verify Group Who Owns gshadow File

    To properly set the group owner of /etc/gshadow, run the command:
    $ sudo chgrp shadow /etc/gshadow
    Rule Medium Severity
  • Verify Group Who Owns passwd File

    To properly set the group owner of /etc/passwd, run the command:
    $ sudo chgrp root /etc/passwd
    Rule Medium Severity
  • Verify Group Who Owns shadow File

    To properly set the group owner of /etc/shadow, run the command:
    $ sudo chgrp shadow /etc/shadow
    Rule Medium Severity
  • Verify User Who Owns group File

    To properly set the owner of /etc/group, run the command:
    $ sudo chown root /etc/group 
    Rule Medium Severity
  • Verify User Who Owns gshadow File

    To properly set the owner of /etc/gshadow, run the command:
    $ sudo chown root /etc/gshadow 
    Rule Medium Severity
  • Verify User Who Owns passwd File

    To properly set the owner of /etc/passwd, run the command:
    $ sudo chown root /etc/passwd 
    Rule Medium Severity
  • Verify User Who Owns shadow File

    To properly set the owner of /etc/shadow, run the command:
    $ sudo chown root /etc/shadow 
    Rule Medium Severity
  • Verify Permissions on group File

    To properly set the permissions of /etc/group, run the command:
    $ sudo chmod 0644 /etc/group
    Rule Medium Severity
  • Verify Permissions on gshadow File

    To properly set the permissions of /etc/gshadow, run the command:
    $ sudo chmod 0640 /etc/gshadow
    Rule Medium Severity
  • Verify Permissions on passwd File

    To properly set the permissions of /etc/passwd, run the command:
    $ sudo chmod 0644 /etc/passwd
    Rule Medium Severity
  • Verify Permissions on shadow File

    To properly set the permissions of /etc/shadow, run the command:
    $ sudo chmod 0640 /etc/shadow
    Rule Medium Severity
  • Restrict Programs from Dangerous Execution Patterns

    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...
    Group
  • Disable Core Dumps

    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...
    Group
  • Disable Core Dumps for SUID programs

    To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=...
    Rule Medium Severity
  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...
    Group
  • Enable Randomized Layout of Virtual Address Space

    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.r...
    Rule Medium Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which Ubuntu 16.04 inst...
    Group
  • Cron and At Daemons

    The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...
    Group
  • Install the cron service

    The Cron service should be installed.
    Rule Medium Severity
  • Enable cron Service

    The <code>crond</code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary mainte...
    Rule Medium Severity
  • Deprecated services

    Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as u...
    Group
  • Uninstall the inet-based telnet server

    The inet-based telnet daemon should be uninstalled.
    Rule High Severity
  • Uninstall the nis package

    The support for Yellowpages should not be installed unless it is required.
    Rule Low Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules