Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R12
Rules and Groups employed by this XCCDF Profile
-
Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Int...Group -
Enable NX or XD Support in the BIOS
Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section....Rule Medium Severity -
Services
The best protection against vulnerable software is running less software. This section describes how to review the software which Ubuntu 20.04 installs on a system and disable software which is not...Group -
APT service configuration
The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient security updates, packages and repository authenticat...Group -
Disable unauthenticated repositories in APT configuration
Unauthenticated repositories should not be used for updates.Rule Unknown Severity -
Base Services
This section addresses the base services that are installed on a Ubuntu 20.04 default installation which are not covered in other sections. Some of these services listen on the network and should b...Group -
Disable KDump Kernel Crash Analyzer (kdump)
The <code>kdump-tools</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("capture" kernel) following a system crash, which ...Rule Medium Severity -
Deprecated services
Some deprecated software services impact the overall system security due to their behavior (leak of confidentiality in network exchange, usage as uncontrolled communication channel, risk associated...Group -
Uninstall the telnet server
The telnet daemon should be uninstalled.Rule High Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize th...Rule Medium Severity -
Configure Time Service Maxpoll Interval
The <code>maxpoll</code> should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"></xccdf-1.2:sub> in <code>/etc/ntp.conf</code> o...Rule Medium Severity -
Synchronize internal information system clocks
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best a...Group -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Uninstall rsh-server Package
Thersh-serverpackage can be removed with the following command:$ apt-get remove rsh-server
Rule High Severity -
SSH Server
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, throu...Group -
Install the OpenSSH Server Package
Theopenssh-serverpackage should be installed. Theopenssh-serverpackage can be installed with the following command:$ apt-get install openssh-server
Rule Medium Severity -
Enable the OpenSSH Service
The SSH server service, sshd, is commonly needed. Thesshdservice can be enabled with the following command:$ sudo systemctl enable sshd.service
Rule Medium Severity -
Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules