CIS Ubuntu 20.04 Level 2 Workstation Benchmark
Rules and Groups employed by this XCCDF Profile
-
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action ta...Rule Medium Severity -
Configure auditd space_left Action on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space <i>starts</i> to run low. Edit the file <code>/etc/audit/auditd...Rule Medium Severity -
AppArmor
Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privileges that attackers want to possess. The prog...Group -
Ensure AppArmor is installed
AppArmor provide Mandatory Access Controls.Rule Medium Severity -
Enforce all AppArmor Profiles
AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command: <pre>$ sudo...Rule Medium Severity -
All AppArmor Profiles are in enforce or complain mode
AppArmor profiles define what resources applications are able to access. To set all profiles to either <code>enforce</code> or <code>complain</code...Rule Medium Severity -
Ensure AppArmor is enabled in the bootloader configuration
Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommenda...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...Group -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup -
Verify /boot/grub/grub.cfg User Ownership
The file <code>/boot/grub/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To pro...Rule Medium Severity -
Verify /boot/grub/grub.cfg Permissions
File permissions for <code>/boot/grub/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub/grub.cfg</code>, r...Rule Medium Severity -
Set Boot Loader Password in grub2
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...Rule High Severity -
UEFI GRUB2 bootloader configuration
UEFI GRUB2 bootloader configurationGroup -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...Rule High Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...Group -
Ensure rsyslog is Installed
Rsyslog is installed by default. Thersyslogpackage can be installed with the following command:$ apt-get install rsyslog
Rule Medium Severity -
Enable rsyslog Service
The <code>rsyslog</code> service provides syslog-style logging by default on Ubuntu 20.04. The <code>rsyslog</code> service can be enabled with th...Rule Medium Severity -
Ensure rsyslog Default File Permissions Configured
rsyslog will create logfiles that do not already exist on the system. This settings controls what permissions will be applied to these newly create...Rule Medium Severity -
systemd-journald
systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging ...Group -
Ensure journald is configured to compress large log files
The journald system can compress large log files to avoid fill the system disk.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.