Skip to content

Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R1

Rules and Groups employed by this XCCDF Profile

  • Non-UEFI GRUB2 bootloader configuration

    Non-UEFI GRUB2 bootloader configuration
    Group
  • Set Boot Loader Password in grub2

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generate a hash...
    Rule High Severity
  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
  • Set the UEFI Boot Loader Password

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br> <br> Since plaintext passwords are a security risk, generate a hash...
    Rule High Severity
  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...
    Group
  • Enable rsyslog Service

    The <code>rsyslog</code> service provides syslog-style logging by default on Ubuntu 22.04. The <code>rsyslog</code> service can be enabled with the following command: <pre>$ sudo systemctl enable ...
    Rule Medium Severity
  • Ensure real-time clock is set to UTC

    Ensure that the system real-time clock (RTC) is set to Coordinated Universal Time (UTC).
    Rule High Severity
  • Ensure Proper Configuration of Log Files

    The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of a <i>selector</i> and an <i>action</i>. These rul...
    Group
  • Ensure remote access methods are monitored in Rsyslog

    Logging of remote access methods must be implemented to help identify cyber attacks and ensure ongoing compliance with remote access policies are being audited and upheld. An examples of a remote a...
    Rule Medium Severity
  • systemd-journald

    systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sou...
    Group
  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...
    Group
  • Kernel Parameters Which Affect Networking

    The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.
    Group
  • Network Related Kernel Runtime Parameters for Hosts and Routers

    Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability defend against certain types of IPv4 protocol attacks.
    Group
  • Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

    To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> To make sure that the settin...
    Rule Medium Severity
  • Uncomplicated Firewall (ufw)

    The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a compl...
    Group
  • Install ufw Package

    The ufw package can be installed with the following command:
    $ apt-get install ufw
    Rule Medium Severity
  • Verify ufw Enabled

    The ufw service can be enabled with the following command:
    $ sudo systemctl enable ufw.service
    Rule Medium Severity
  • Wireless Networking

    Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless networking hardware is much more likely to be include...
    Group
  • Disable Wireless Through Software Configuration

    If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following methods can disable software support for wireless ...
    Group
  • Deactivate Wireless Network Interfaces

    Deactivating wireless network interfaces should prevent normal usage of the wireless capability. <br> <br> Verify that there are no wireless interfaces configured on the system with the f...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules