CIS Ubuntu 20.04 Level 1 Server Benchmark
Rules and Groups employed by this XCCDF Profile
-
Configure OpenLDAP Clients
This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate con...Group -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>...Rule Low Severity -
Configure OpenLDAP Server
This section details some security-relevant settings for an OpenLDAP server.Group -
Uninstall openldap-servers Package
The slapd package is not installed by default on a Ubuntu 20.04 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP...Rule Low Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...Group -
Ensure Mail Transfer Agent is not Listening on any non-loopback Address
Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or...Rule Medium Severity -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Disable Postfix Network Listening
Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...Group -
Uninstall nfs-kernel-server Package
Thenfs-kernel-server
package can be removed with the following command:$ apt-get remove nfs-kernel-server
Rule Low Severity -
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...Group -
Disable Services Used Only by NFS
If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...Group -
Uninstall rpcbind Package
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...Rule Low Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...Rule Medium Severity -
The Chronyd service is enabled
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...Rule Medium Severity -
Enable the NTP Daemon
Thentp
service can be enabled with the following command:$ sudo systemctl enable ntp.service
Rule High Severity -
Enable systemd_timesyncd Service
Thesystemd_timesyncd
service can be enabled with the following command:$ sudo systemctl enable systemd_timesyncd.service
Rule High Severity -
Ensure that chronyd is running under chrony user account
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and us...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.