Standard System Security Profile for Ubuntu 20.04
Rules and Groups employed by this XCCDF Profile
-
Verify Permissions on shadow File
To properly set the permissions of/etc/shadow
, run the command:$ sudo chmod 0640 /etc/shadow
Rule Medium Severity -
Restrict Programs from Dangerous Execution Patterns
The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution ar...Group -
Disable Core Dumps
A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases,...Group -
Disable Core Dumps for SUID programs
To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.suid_dumpable=...Rule Medium Severity -
Enable ExecShield
ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These featu...Group -
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.r...Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Ubuntu 20.04 inst...Group -
Apport Service
The Apport service provides debugging and crash reporting features on Ubuntu distributions.Group -
Disable Apport Service
The Apport modifies certain kernel configuration values at runtime which may decrease the overall security of the system and expose sensitive data....Rule Unknown Severity -
Cron and At Daemons
The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform n...Group -
Install the cron service
The Cron service should be installed.Rule Medium Severity -
Enable cron Service
The <code>crond</code> service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary mainte...Rule Medium Severity -
Deprecated services
Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as u...Group -
Uninstall the inet-based telnet server
The inet-based telnet daemon should be uninstalled.Rule High Severity -
Uninstall the nis package
The support for Yellowpages should not be installed unless it is required.Rule Low Severity -
Uninstall the ntpdate package
ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.Rule Low Severity -
Uninstall the ssl compliant telnet server
Thetelnet
daemon, even with ssl support, should be uninstalled.Rule High Severity -
Uninstall the telnet server
The telnet daemon should be uninstalled.Rule High Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
Install the systemd_timesyncd Service
The systemd_timesyncd service should be installed.Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.