Scribd
Upload
111 views5 pages

Ubuntu 22

The document outlines a comprehensive set of security guidelines and configurations for a Linux system. It includes checks for kernel module availability, partitioning, access controls, firewall configurations, SSH settings, and auditing practices. The aim is to enhance the overall security posture of the system by ensuring best practices are followed across various components.

Uploaded by

Barak Vazquez
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
111 views5 pages

Ubuntu 22

The document outlines a comprehensive set of security guidelines and configurations for a Linux system. It includes checks for kernel module availability, partitioning, access controls, firewall configurations, SSH settings, and auditing practices. The aim is to enhance the overall security posture of the system by ensuring best practices are followed across various components.

Uploaded by

Barak Vazquez
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 5

1.1.1.

1 Ensure cramfs kernel module is not available


1.1.1.2 Ensure freevxfs kernel module is not available
1.1.1.3 Ensure hfs kernel module is not available
1.1.1.4 Ensure hfsplus kernel module is not available
1.1.1.5 Ensure jffs2 kernel module is not available
1.1.1.6 Ensure squashfs kernel module is not available
1.1.1.7 Ensure udf kernel module is not available
1.1.1.8 Ensure usb-storage kernel module is not available
1.1.2.1.1 Ensure /tmp is a separate partition
1.1.2.1.2 Ensure nodev option set on /tmp partition
1.1.2.1.3 Ensure nosuid option set on /tmp partition
1.1.2.1.4 Ensure noexec option set on /tmp partition
1.1.2.2.1 Ensure /dev/shm is a separate partition
1.1.2.2.2 Ensure nodev option set on /dev/shm partition
1.1.2.2.3 Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 Ensure noexec option set on /dev/shm partition
1.1.2.3.1 Ensure separate partition exists for /home
1.1.2.3.2 Ensure nodev option set on /home partition
1.1.2.3.3 Ensure nosuid option set on /home partition
1.1.2.4.1 Ensure separate partition exists for /var
1.1.2.4.2 Ensure nodev option set on /var partition
1.1.2.4.3 Ensure nosuid option set on /var partition
1.1.2.5.1 Ensure separate partition exists for /var/tmp
1.1.2.5.2 Ensure nodev option set on /var/tmp partition
1.1.2.5.3 Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 Ensure noexec option set on /var/tmp partition
1.1.2.6.1 Ensure separate partition exists for /var/log
1.1.2.6.2 Ensure nodev option set on /var/log partition
1.1.2.6.3 Ensure nosuid option set on /var/log partition
1.1.2.6.4 Ensure noexec option set on /var/log partition
1.1.2.7.1 Ensure separate partition exists for /var/log/audit
1.1.2.7.2 Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 Ensure noexec option set on /var/log/audit partition
1.2.1.1 Ensure GPG keys are configured
1.2.1.2 Ensure package manager repositories are configured
1.2.2.1 Ensure updates, patches, and additional security software are installed
1.3.1.1 Ensure AppArmor is installed
1.3.1.2 Ensure AppArmor is enabled in the bootloader configuration
1.3.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
1.3.1.4 Ensure all AppArmor Profiles are enforcing
1.4.1 Ensure bootloader password is set
1.4.2 Ensure access to bootloader config is configured
1.5.1 Ensure address space layout randomization is enabled
1.5.2 Ensure ptrace_scope is restricted
1.5.5 Ensure Automatic Error Reporting is not enabled
1.6.4 Ensure access to /etc/motd is configured
1.6.5 Ensure access to /etc/issue is configured
1.6.6 Ensure access to /etc/issue.net is configured
1.7.1 Ensure GDM is removed
1.7.4 Ensure GDM screen locks when the user is idle
1.7.5 Ensure GDM screen locks cannot be overridden
1.7.6 Ensure GDM automatic mounting of removable media is disabled
1.7.8 Ensure GDM autorun-never is enabled
1.7.9 Ensure GDM autorun-never is not overridden
1.7.10 Ensure XDCMP is not enabled
2.1.1 Ensure autofs services are not in use
2.1.2 Ensure avahi daemon services are not in use
2.1.3 Ensure dhcp server services are not in use
2.1.4 Ensure dns server services are not in use
2.1.5 Ensure dnsmasq services are not in use
2.1.6 Ensure ftp server services are not in use
2.1.7 Ensure ldap server services are not in use
2.1.8 Ensure message access server services are not in use
2.1.9 Ensure network file system services are not in use
2.1.10 Ensure nis server services are not in use
2.1.11 Ensure print server services are not in use
2.1.12 Ensure rpcbind services are not in use
2.1.13 Ensure rsync services are not in use
2.1.14 Ensure samba file server services are not in use
2.1.15 Ensure snmp services are not in use
2.1.16 Ensure tftp server services are not in use
2.1.17 Ensure web proxy server services are not in use
2.1.18 Ensure web server services are not in use
2.1.19 Ensure xinetd services are not in use
2.1.20 Ensure X window server services are not in use
2.1.21 Ensure mail transfer agent is configured for local-only mode
2.1.22 Ensure only approved services are listening on a network interface
2.2.1 Ensure NIS Client is not installed
2.2.2 Ensure rsh client is not installed
2.2.3 Ensure talk client is not installed
2.2.4 Ensure telnet client is not installed
2.2.5 Ensure ldap client is not installed
2.2.6 Ensure ftp client is not installed
2.3.1.1 Ensure a single time synchronization daemon is in use
2.3.2.1 Ensure systemd-timesyncd configured with authorized timeserver
2.3.2.2 Ensure systemd-timesyncd is enabled and running
2.3.3.1 Ensure chrony is configured with authorized timeserver
2.3.3.2 Ensure chrony is running as user _chrony
2.3.3.3 Ensure chrony is enabled and running
2.4.1.2 Ensure permissions on /etc/crontab are configured
2.4.1.3 Ensure permissions on /etc/cron.hourly are configured
2.4.1.4 Ensure permissions on /etc/cron.daily are configured
2.4.1.5 Ensure permissions on /etc/cron.weekly are configured
2.4.1.6 Ensure permissions on /etc/cron.monthly are configured
2.4.1.7 Ensure permissions on /etc/cron.d are configured
2.4.1.8 Ensure crontab is restricted to authorized users
2.4.2.1 Ensure at is restricted to authorized users
3.1.1 Ensure IPv6 status is identified
3.1.2 Ensure wireless interfaces are disabled
3.1.3 Ensure bluetooth services are not in use
3.2.1 Ensure dccp kernel module is not available
3.2.2 Ensure tipc kernel module is not available
3.2.3 Ensure rds kernel module is not available
3.2.4 Ensure sctp kernel module is not available
3.3.1 Ensure ip forwarding is disabled
3.3.2 Ensure packet redirect sending is disabled
3.3.3 Ensure bogus icmp responses are ignored
3.3.4 Ensure broadcast icmp requests are ignored
3.3.5 Ensure icmp redirects are not accepted
3.3.6 Ensure secure icmp redirects are not accepted
3.3.7 Ensure reverse path filtering is enabled
3.3.8 Ensure source routed packets are not accepted
3.3.9 Ensure suspicious packets are logged
3.3.10 Ensure tcp syn cookies is enabled
3.3.11 Ensure ipv6 router advertisements are not accepted
4.1.1 Ensure ufw is installed
4.1.2 Ensure iptables-persistent is not installed with ufw
4.1.3 Ensure ufw service is enabled
4.1.4 Ensure ufw loopback traffic is configured
4.1.5 Ensure ufw outbound connections are configured
4.1.6 Ensure ufw firewall rules exist for all open ports
4.1.7 Ensure ufw default deny firewall policy
4.2.1 Ensure nftables is installed
4.2.2 Ensure ufw is uninstalled or disabled with nftables
4.2.3 Ensure iptables are flushed with nftables
4.2.4 Ensure a nftables table exists
4.2.5 Ensure nftables base chains exist
4.2.6 Ensure nftables loopback traffic is configured
4.2.7 Ensure nftables outbound and established connections are configured
4.2.8 Ensure nftables default deny firewall policy
4.2.9 Ensure nftables service is enabled
4.2.10 Ensure nftables rules are permanent
4.3.1.1 Ensure iptables packages are installed
4.3.1.2 Ensure nftables is not installed with iptables
4.3.1.3 Ensure ufw is uninstalled or disabled with iptables
4.3.2.1 Ensure iptables default deny firewall policy
4.3.2.2 Ensure iptables loopback traffic is configured
4.3.2.3 Ensure iptables outbound and established connections are configured
4.3.2.4 Ensure iptables firewall rules exist for all open ports
4.3.3.1 Ensure ip6tables default deny firewall policy
4.3.3.2 Ensure ip6tables loopback traffic is configured
4.3.3.3 Ensure ip6tables outbound and established connections are configured
4.3.3.4 Ensure ip6tables firewall rules exist for all open ports
5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured
5.1.2 Ensure permissions on SSH private host key files are configured
5.1.3 Ensure permissions on SSH public host key files are configured
5.1.4 Ensure sshd access is configured
5.1.6 Ensure sshd Ciphers are configured
5.1.8 Ensure sshd DisableForwarding is enabled
5.1.9 Ensure sshd GSSAPIAuthentication is disabled
5.1.11 Ensure sshd IgnoreRhosts is enabled
5.1.12 Ensure sshd KexAlgorithms is configured
5.1.14 Ensure sshd LogLevel is configured
5.1.15 Ensure sshd MACs are configured
5.1.16 Ensure sshd MaxAuthTries is configured
5.1.19 Ensure sshd PermitEmptyPasswords is disabled
5.1.20 Ensure sshd PermitRootLogin is disabled
5.1.22 Ensure sshd UsePAM is enabled
5.2.1 Ensure sudo is installed
5.2.2 Ensure sudo commands use pty
5.2.3 Ensure sudo log file exists
5.2.4 Ensure users must provide password for privilege escalation
5.2.5 Ensure re-authentication for privilege escalation is not disabled globally
5.2.6 Ensure sudo authentication timeout is configured correctly
5.2.7 Ensure access to the su command is restricted
5.3.2.1 Ensure pam_unix module is enabled
5.3.2.2 Ensure pam_faillock module is enabled
5.3.2.3 Ensure pam_pwquality module is enabled
5.3.2.4 Ensure pam_pwhistory module is enabled
5.3.3.1.1 Ensure password failed attempts lockout is configured
5.3.3.1.2 Ensure password unlock time is configured
5.3.3.1.3 Ensure password failed attempts lockout includes root account
5.3.3.2.1 Ensure password number of changed characters is configured
5.3.3.2.2 Ensure minimum password length is configured
5.3.3.2.3 Ensure password complexity is configured
5.3.3.2.4 Ensure password same consecutive characters is configured
5.3.3.2.5 Ensure password maximum sequential characters is configured
5.3.3.2.6 Ensure password dictionary check is enabled
5.3.3.2.7 Ensure password quality checking is enforced
5.3.3.2.8 Ensure password quality is enforced for the root user
5.3.3.3.1 Ensure password history remember is configured
5.3.3.3.2 Ensure password history is enforced for the root user
5.3.3.3.3 Ensure pam_pwhistory includes use_authtok
5.3.3.4.1 Ensure pam_unix does not include nullok
5.3.3.4.2 Ensure pam_unix does not include remember
5.3.3.4.3 Ensure pam_unix includes a strong password hashing algorithm
5.3.3.4.4 Ensure pam_unix includes use_authtok
5.4.1.1 Ensure password expiration is configured
5.4.1.2 Ensure minimum password age is configured
5.4.1.3 Ensure password expiration warning days is configured
5.4.1.4 Ensure strong password hashing algorithm is configured
5.4.1.5 Ensure inactive password lock is configured
5.4.1.6 Ensure all users last password change date is in the past
5.4.2.2 Ensure root is the only GID 0 account
5.4.2.3 Ensure group root is the only GID 0 group
5.4.2.4 Ensure root password is set
5.4.2.6 Ensure root user umask is configured
5.4.2.7 Ensure system accounts do not have a valid login shell
5.4.2.8 Ensure accounts without a valid login shell are locked
5.4.3.2 Ensure default user shell timeout is configured
5.4.3.3 Ensure default user umask is configured
6.1.2 Ensure filesystem integrity is regularly checked
6.2.1.1.1 Ensure journald service is enabled and active
6.2.1.1.2 Ensure journald log file access is configured
6.2.1.1.3 Ensure journald log file rotation is configured
6.2.1.1.4 Ensure journald ForwardToSyslog is disabled
6.2.1.1.5 Ensure journald Storage is configured
6.2.1.1.6 Ensure journald Compress is configured
6.2.1.2.1 Ensure systemd-journal-remote is installed
6.2.1.2.2 Ensure systemd-journal-remote authentication is configured
6.2.1.2.3 Ensure systemd-journal-upload is enabled and active
6.2.1.2.4 Ensure systemd-journal-remote service is not in use
6.2.2.1 Ensure access to all logfiles has been configured
6.3.1.1 Ensure auditd packages are installed
6.3.1.2 Ensure auditd service is enabled and active
6.3.1.3 Ensure auditing for processes that start prior to auditd is enabled
6.3.1.4 Ensure audit_backlog_limit is sufficient
6.3.2.1 Ensure audit log storage size is configured
6.3.2.2 Ensure audit logs are not automatically deleted
6.3.2.3 Ensure system is disabled when audit logs are full
6.3.2.4 Ensure system warns when audit logs are low on space
6.3.3.1 Ensure changes to system administration scope (sudoers) is collected
6.3.3.2 Ensure actions as another user are always logged
6.3.3.3 Ensure events that modify the sudo log file are collected
6.3.3.4 Ensure events that modify date and time information are collected
6.3.3.5 Ensure events that modify the system's network environment are collected
6.3.3.6 Ensure use of privileged commands are collected
6.3.3.7 Ensure unsuccessful file access attempts are collected
6.3.3.8 Ensure events that modify user/group information are collected
6.3.3.9 Ensure discretionary access control permission modification events are
collected
6.3.3.10 Ensure successful file system mounts are collected
6.3.3.11 Ensure session initiation information is collected
6.3.3.12 Ensure login and logout events are collected
6.3.3.13 Ensure file deletion events by users are collected
6.3.3.14 Ensure events that modify the system's Mandatory Access Controls are
collected
6.3.3.15 Ensure successful and unsuccessful attempts to use the chcon command are
recorded
6.3.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are
recorded
6.3.3.17 Ensure successful and unsuccessful attempts to use the chacl command are
recorded
6.3.3.18 Ensure successful and unsuccessful attempts to use the usermod command are
recorded
6.3.3.19 Ensure kernel module loading unloading and modification is collected
6.3.3.20 Ensure the audit configuration is immutable
6.3.3.21 Ensure the running and on disk configuration is the same
6.3.4.1 Ensure audit log files mode is configured
6.3.4.2 Ensure audit log files owner is configured
6.3.4.3 Ensure audit log files group owner is configured
6.3.4.4 Ensure the audit log file directory mode is configured
6.3.4.5 Ensure audit configuration files mode is configured
6.3.4.6 Ensure audit configuration files owner is configured
6.3.4.7 Ensure audit configuration files group owner is configured
6.3.4.8 Ensure audit tools mode is configured
6.3.4.9 Ensure audit tools owner is configured
6.3.4.10 Ensure audit tools group owner is configured
7.1.1 Ensure permissions on /etc/passwd are configured
7.1.2 Ensure permissions on /etc/passwd- are configured
7.1.3 Ensure permissions on /etc/group are configured
7.1.4 Ensure permissions on /etc/group- are configured
7.1.5 Ensure permissions on /etc/shadow are configured
7.1.6 Ensure permissions on /etc/shadow- are configured
7.1.7 Ensure permissions on /etc/gshadow are configured
7.1.8 Ensure permissions on /etc/gshadow- are configured
7.1.9 Ensure permissions on /etc/shells are configured
7.1.10 Ensure permissions on /etc/security/opasswd are configured
7.1.11 Ensure world writable files and directories are secured
7.1.12 Ensure no files or directories without an owner and a group exist
7.1.13 Ensure SUID and SGID files are reviewed
7.2.1 Ensure accounts in /etc/passwd use shadowed passwords
7.2.2 Ensure /etc/shadow password fields are not empty
7.2.3 Ensure all groups in /etc/passwd exist in /etc/group
7.2.4 Ensure shadow group is empty
7.2.9 Ensure local interactive user home directories are configured
7.2.10 Ensure local interactive user dot files access is configured

You might also like