Skip to content
ATO Pathways
  Log In

CIS Ubuntu 22.04 Level 1 Workstation Benchmark

Rules and Groups employed by this XCCDF Profile

  • Uninstall bind Package

    The <code>named</code> service is provided by the <code>bind</code> package. The <code>bind</code> package can be removed with the following comman...
    Rule Low Severity
    Show

  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...
    Group
    Show

  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
    Show

  • Uninstall vsftpd Package

    The vsftpd package can be removed with the following command: 
     $ apt-get remove vsftpd
    Rule High Severity
    Show

  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br...
    Group
    Show

  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
    Show

  • Uninstall httpd Package

    The apache2 package can be removed with the following command: 
    $ apt-get remove apache2
    Rule Unknown Severity
    Show

  • Disable NGINX if Possible

    If NGINX was installed and activated, but the system does not need to act as a web server, then it should be removed from the system.
    Group
    Show

  • Uninstall nginx Package

    The nginx package can be removed with the following command: 
    $ apt-get remove nginx
    Rule Unknown Severity
    Show

  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...
    Group
    Show

  • Disable Cyrus IMAP

    If the system does not need to operate as an IMAP or POP3 server, the Cyrus IMAP software should be removed.
    Group
    Show

  • Uninstall cyrus-imapd Package

    The cyrus-imapd package can be removed with the following command: 
    $ apt-get remove cyrus-imapd
    Rule Unknown Severity
    Show

  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
    Show

  • Uninstall dovecot Package

    The dovecot-core package can be removed with the following command: 
    $ apt-get remove dovecot-core
    Rule Unknown Severity
    Show

  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Ubuntu 22.04 includes software ...
    Group
    Show

  • Configure OpenLDAP Clients

    This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate con...
    Group
    Show

  • Ensure LDAP client is not installed

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>...
    Rule Low Severity
    Show

  • Configure OpenLDAP Server

    This section details some security-relevant settings for an OpenLDAP server.
    Group
    Show

  • Uninstall openldap-servers Package

    The slapd package is not installed by default on a Ubuntu 22.04 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP...
    Rule Low Severity
    Show

  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
    Show

  • Ensure Mail Transfer Agent is not Listening on any non-loopback Address

    Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or...
    Rule Medium Severity
    Show

  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
    Show

  • Disable Postfix Network Listening

    Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...
    Rule Medium Severity
    Show

  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...
    Group
    Show

  • Uninstall nfs-kernel-server Package

    The nfs-kernel-server package can be removed with the following command: 
    $ apt-get remove nfs-kernel-server
    Rule Low Severity
    Show

  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...
    Group
    Show

  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...
    Group
    Show

  • Uninstall rpcbind Package

    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...
    Rule Low Severity
    Show

  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
    Show

  • Install the systemd_timesyncd Service

    The systemd_timesyncd service should be installed.
    Rule High Severity
    Show

  • The Chronyd service is enabled

    chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a ...
    Rule Medium Severity
    Show

  • Enable the NTP Daemon

    The ntp service can be enabled with the following command: 
    $ sudo systemctl enable ntp.service
    Rule High Severity
    Show

  • Enable systemd_timesyncd Service

    The systemd_timesyncd service can be enabled with the following command: 
    $ sudo systemctl enable systemd_timesyncd.service
    Rule High Severity
    Show

  • Ensure that chronyd is running under chrony user account

    chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and us...
    Rule Medium Severity
    Show

  • Configure server restrictions for ntpd

    ntpd is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use ...
    Rule Medium Severity
    Show

  • Configure ntpd To Run As ntp User

    ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a...
    Rule Medium Severity
    Show

  • Obsolete Services

    This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...
    Group
    Show

  • Uninstall rsync Package

    The rsyncd service can be used to synchronize files between systems over network links. The <code>rsync</code> package can be removed with the foll...
    Rule Medium Severity
    Show

  • Rlogin, Rsh, and Rexec

    The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.
    Group
    Show

  • Uninstall rsh Package

    The rsh-client package contains the client commands for the rsh services
    Rule Unknown Severity
    Show

  • Remove Rsh Trust Files

    The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in each user's home directory) list remote hosts and users that are trusted by ...
    Rule High Severity
    Show

  • Chat/Messaging Services

    The talk software makes it possible for users to send and receive messages across systems through a terminal session.
    Group
    Show

  • Uninstall talk Package

    The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on differe...
    Rule Medium Severity
    Show

  • Telnet

    The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...
    Group
    Show

  • Remove telnet Clients

    The telnet client allows users to start connections to other systems via the telnet protocol.
    Rule Low Severity
    Show

  • Print Support

    The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print...
    Group
    Show

  • Uninstall CUPS Package

    The cups package can be removed with the following command: 
    $ apt-get remove cups
    Rule Unknown Severity
    Show

  • Proxy Server

    A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow throug...
    Group
    Show

  • Disable Squid if Possible

    If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.
    Group
    Show

  • Uninstall squid Package

    The squid package can be removed with the following command: 
     $ apt-get remove squid
    Rule Unknown Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules