Ubuntu

The following are Delinea-recommended best practices for hardening the Ubuntu Linux distribution running the PRA engine. Customers are responsible for managing their own servers.

System Ubuntu:

It is recommended that the Ubuntu operating system immediately notifies the SA and ISSO (at a minimum) when the allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

It is recommended that the Ubuntu operating system prevents direct login into the root account.

It is recommended that the Ubuntu operating system ensures only users who need access to security functions are part of the sudo group.

It is recommended that the Ubuntu operating system encrypts all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

It is recommended that the Ubuntu operating system prevents all software from executing at higher privilege levels than the users executing the software, and that the audit system is configured to audit the execution of privileged functions.

It is recommended that the operating system automatically terminates a user session after inactivity timeouts have expired.

It is recommended that Ubuntu operating systems, when booted, require authentication upon booting into single-user and maintenance modes.

It is recommended that the operating system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

It is recommended that the operating system limits the number of concurrent sessions to ten for all accounts and/or account types (set in the limits file, /etc/security/limits.conf).

It is recommended that the Ubuntu operating system not have the telnet package installed.

It is recommended that the Ubuntu operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in their vulnerability assessments.

It is recommended that the Ubuntu operating system is configured to use TCP syncookies.

It is recommended that the Ubuntu operating system disables kernel core dumps so that it can fail to a secure state if system initialization fails, shutdown fails or aborts fail.

It is recommended that the Ubuntu operating system deploys Endpoint Security for Linux Threat Prevention (ENSLTP).

It is recommended that the Ubuntu operating system is configured to preserve log records from failure events.

It is recommended that the Ubuntu operating system synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second.

It is recommended that the Ubuntu operating system's Advanced Package Tool (APT) is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.

It is recommended that the Ubuntu operating system is configured to use a Linux Security Module implementation of name-based mandatory access controls.

It is recommended that the Ubuntu operating system implements address space layout randomization to protect its memory from unauthorized code execution.

It is recommended that the Ubuntu operating system, for networked systems, compares internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, and/or the Global Positioning System (GPS).

Directories, Files and Permissions

It is recommended that the /var/log directory is owned by root, group-owned by syslog, and has mode 0755 or less permissive.

It is recommended that the /var/log/syslog file is owned by syslog, group-owned by adm, and has mode 0640 or less permissive.

It is recommended that directories that contain system commands are owned by root, group-owned by root, and set to a mode of 0755 or less permissive.

It is recommended that the Ubuntu operating system library directories and files are owned by root, group-owned by root or a system account, and set to a mode of 0755 or less permissive.
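
One way to audit the ownership and mode recommendations above, as an added example that is not Delinea's own tooling. The function names `check_perm` and `audit_paths`, the `--audit` switch, and the list of system command directories are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: audit the ownership and mode values listed above.
# Requires GNU stat (the default on Ubuntu). -L follows symlinks such as /bin.

# check_perm PATH OWNER GROUP MAXMODE
# Returns 0 when PATH is owned by OWNER:GROUP and has no permission bit set
# outside MAXMODE. Prints a finding and returns 1 otherwise.
check_perm() {
    local path="$1" owner="$2" group="$3" max="$4" u g mode extra
    u=$(stat -L -c %U -- "$path" 2>/dev/null) || { echo "FAIL $path: cannot stat"; return 1; }
    g=$(stat -L -c %G -- "$path")
    mode=$(stat -L -c %a -- "$path")
    # "Or less permissive" is a bitmask test, not a numeric comparison:
    # 0604 is numerically below 0640 but grants world read. The leading 0
    # makes the shell read both values as octal.
    extra=$(( 0$mode & ~0$max & 07777 ))
    if [ "$u" != "$owner" ] || [ "$g" != "$group" ] || [ "$extra" -ne 0 ]; then
        echo "FAIL $path: is $u:$g $mode, want $owner:$group $max or less permissive"
        return 1
    fi
    echo "PASS $path: $u:$g $mode"
}

# audit_paths: run every check, report each result, return 1 on any failure.
audit_paths() {
    local rc=0 d
    check_perm /var/log root syslog 0755 || rc=1
    check_perm /var/log/syslog syslog adm 0640 || rc=1
    # Assumption: the page does not name the system command directories;
    # this list is the usual Ubuntu set.
    for d in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do
        check_perm "$d" root root 0755 || rc=1
    done
    return "$rc"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_paths
fi
```

The library directories are left out because the page allows either root or a system account as their group, which needs a site-specific list of accepted accounts.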