Skip to content

CIS Ubuntu 18.04 LTS Benchmark

Rules and Groups employed by this XCCDF Profile

  • SSH Server

    The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between tw...
    Group
  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_confi...
    Group
  • Set SSH Client Alive Count Max to zero

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The optio...
    Rule Medium Severity
  • Set SSH Client Alive Interval

    SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automat...
    Rule Medium Severity
  • Disable Host-Based Authentication

    SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts un...
    Rule Medium Severity
  • Disable SSH Access via Empty Passwords

    Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used ...
    Rule High Severity
  • Disable SSH Support for .rhosts Files

    SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> fil...
    Rule Medium Severity
  • Disable SSH Root Login

    The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following lin...
    Rule Medium Severity
  • Do Not Allow SSH Environment Options

    Ensure that users are not able to override environment variables of the SSH daemon. <br> The default SSH configuration disables environment process...
    Rule Medium Severity
  • Enable SSH Warning Banner

    To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code...
    Rule Medium Severity
  • Set LogLevel to INFO

    The INFO parameter specifices that record login and logout activity will be logged. <br> The default SSH configuration sets the log level to INFO. ...
    Rule Low Severity
  • Set SSH authentication attempt limit

    The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failur...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules