Skip to content

II - Mission Support Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000355-GPOS-00143

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must, for networked systems, compare internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

    &lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the cor...
    Rule Low Severity
  • SRG-OS-000356-GPOS-00144

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.

    &lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the cor...
    Rule Low Severity
  • SRG-OS-000359-GPOS-00146

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).

    &lt;VulnDiscussion&gt;If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analys...
    Rule Low Severity
  • SRG-OS-000142-GPOS-00071

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must be configured to use TCP syncookies.

    &lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot ac...
    Rule Medium Severity
  • SRG-OS-000423-GPOS-00187

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must have SSH installed.

    &lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected commu...
    Rule High Severity
  • SRG-OS-000423-GPOS-00187

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must use SSH to protect the confidentiality and integrity of transmitted information.

    &lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected commu...
    Rule High Severity
  • SRG-OS-000023-GPOS-00006

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must display the Standard Mandatory DOD Notice and Consent Banner before granting any local or remote connection to the system.

    &lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the publicly accessible operating system en...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00229

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must not allow unattended or automatic login via SSH.

    &lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts Ubuntu 22.04 LTS security.&lt;/VulnDiscussion&gt;...
    Rule High Severity
  • SRG-OS-000126-GPOS-00066

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

    &lt;VulnDiscussion&gt;Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personn...
    Rule Medium Severity
  • SRG-OS-000163-GPOS-00072

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.

    &lt;VulnDiscussion&gt;Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personn...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.

    &lt;VulnDiscussion&gt;The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH clien...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.

    &lt;VulnDiscussion&gt;When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display ...
    Rule Medium Severity
  • SRG-OS-000033-GPOS-00014

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must configure the SSH daemon to use FIPSĀ 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

    &lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote...
    Rule Medium Severity
  • SRG-OS-000250-GPOS-00093

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

    &lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote...
    Rule Medium Severity
  • SRG-OS-000033-GPOS-00014

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS SSH server must be configured to use only FIPS-validated key exchange algorithms.

    &lt;VulnDiscussion&gt;Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed an...
    Rule Medium Severity
  • SRG-OS-000125-GPOS-00065

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.

    &lt;VulnDiscussion&gt;Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network,...
    Rule Medium Severity
  • SRG-OS-000023-GPOS-00006

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must enable the graphical user logon banner to display the Standard Mandatory DOD Notice and Consent Banner before granting local access to the system via a graphical user logon.

    &lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to Ubuntu 22.04 LTS ensures privacy and securi...
    Rule Medium Severity
  • SRG-OS-000023-GPOS-00006

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must display the Standard Mandatory DOD Notice and Consent Banner before granting local access to the system via a graphical user logon.

    &lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to Ubuntu 22.04 LTS ensures privacy and securi...
    Rule Medium Severity
  • SRG-OS-000028-GPOS-00009

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.

    &lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the ...
    Rule Medium Severity
  • SRG-OS-000029-GPOS-00010

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must initiate a graphical session lock after 15 minutes of inactivity.

    &lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.

    &lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as...
    Rule High Severity
  • SRG-OS-000378-GPOS-00163

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.

    &lt;VulnDiscussion&gt;Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. ...
    Rule Medium Severity
  • SRG-OS-000481-GPOS-00481

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must disable all wireless network adapters.

    &lt;VulnDiscussion&gt;Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unpr...
    Rule Medium Severity
  • SRG-OS-000109-GPOS-00056

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must prevent direct login into the root account.

    &lt;VulnDiscussion&gt;To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and...
    Rule Medium Severity
  • SRG-OS-000104-GPOS-00051

    <GroupDescription></GroupDescription>
    Group
  • Ubuntu 22.04 LTS must uniquely identify interactive users.

    &lt;VulnDiscussion&gt;To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules