# 0309 Ubuntu 16.04 scan results
[TOC]

## Fail
### Session lock
- Q:
- All users must be able to directly initiate a session lock for all connection types. - Fail
- A:
- Install the "vlock" package (if it is not already installed) by running the following command: `sudo apt-get install vlock`
### Password requirements
- Q:
- The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used. - Fail
- The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used. - Fail
- The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used. - Fail
- All passwords must contain at least one special character. - Fail
- A:
- Configure the Ubuntu operating system to enforce password complexity by requiring that at least one lower-case character be used.
- Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "lcredit" parameter: `lcredit=-1`
- Q:
- Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. - Fail
- Passwords for new users must have a 60-day maximum password lifetime restriction. - Fail
- Passwords must have a minimum of 15-characters. - Fail
- The Ubuntu operating system must prevent the use of dictionary words for passwords. - Fail
- The Ubuntu operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - Fail
- Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. - Fail
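The password findings above (one character from each class, a minimum length of 15, no dictionary words) all map to libpwquality settings. The script below is an added example, not part of the scan report or of the STIG text: it emits a configuration fragment with those values and checks an existing pwquality.conf-style file against the same thresholds. The values are taken from the findings; appending the fragment to /etc/security/pwquality.conf (the file the report's own remediation names), the need for the libpam-pwquality package so that pam_pwquality is actually in the PAM stack, and the "later definition wins" parsing in the checker are assumptions.

```shell
#!/bin/sh
# Added example (not from the scan report): pwquality fragment + checker.

# Emit the settings that satisfy the failed complexity/length/dictionary items.
pwquality_fragment() {
    cat <<'EOF'
# a negative credit value is a minimum count of that character class
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
# minimum password length (STIG finding: 15)
minlen = 15
# reject passwords found in the cracklib dictionary
dictcheck = 1
EOF
}

# Print the value of KEY from a pwquality.conf-style FILE; comments are
# skipped and a later definition overrides an earlier one (assumption).
# Usage: pwquality_get FILE KEY
pwquality_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == k { v = $2 }
        END { print v }' "$1"
}

# Check FILE against the failed items: prints one line per shortfall and
# returns the number of shortfalls (0 means every item is satisfied).
pwquality_check() {
    bad=0
    for k in ucredit lcredit dcredit ocredit; do
        v=$(pwquality_get "$1" "$k")
        [ -n "$v" ] && [ "$v" -le -1 ] 2>/dev/null || {
            echo "$k must be -1 or lower (have '${v:-unset}')"; bad=$((bad + 1)); }
    done
    v=$(pwquality_get "$1" minlen)
    [ -n "$v" ] && [ "$v" -ge 15 ] 2>/dev/null || {
        echo "minlen must be at least 15 (have '${v:-unset}')"; bad=$((bad + 1)); }
    v=$(pwquality_get "$1" dictcheck)
    [ "$v" = 1 ] || {
        echo "dictcheck must be 1 (have '${v:-unset}')"; bad=$((bad + 1)); }
    return "$bad"
}

# Typical use (assumed paths):
#   sudo apt-get install libpam-pwquality
#   pwquality_fragment | sudo tee -a /etc/security/pwquality.conf
#   pwquality_check /etc/security/pwquality.conf && echo compliant
```

Running `pwquality_check` against an untouched Ubuntu 16.04 file, where every setting is commented out, reports all six items; after the fragment is appended it returns 0.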
### A file integrity tool is needed
- Q:
- A file integrity tool must be installed to verify correct operation of all security functions in the Ubuntu operating system. - Fail
### Ctrl-Alt-Delete must be disabled when a GUI is installed
- Q:
- The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system must be disabled if a Graphical User Interface is installed. - Fail
### Default file permissions must be configured
- Q:
- Default permissions must be defined in such a way that all authenticated users can only read and modify their own files. - Fail
### Only the root account may have unrestricted access to files
- Q:
- The root account must be the only account having unrestricted access to the system. - Fail
### Every user must be assigned a home directory under /home on creation
- Q:
- All local interactive user accounts, upon creation, must be assigned a home directory. - Fail
### Logs must contain the required information
- Q:
- Audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. - Fail
### The auditd service is missing
- Q:
- The audit system must take appropriate action when the network cannot be used to off-load audit records. - Fail
- Audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. - Fail
- Audit tools must have a mode of 0755 or less permissive. - Fail
- Audit tools must be owned by root. - Fail
- Audit tools must be group-owned by root. - Fail
- The audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - Fail
- The audit system must be configured to audit any usage of the setxattr system call. - Fail
- The audit system must be configured to audit any usage of the lsetxattr system call. - Fail
- The audit system must be configured to audit any usage of the fsetxattr system call. - Fail
- The audit system must be configured to audit any usage of the removexattr system call. - Fail
- The audit system must be configured to audit any usage of the lremovexattr system call. - Fail
- The audit system must be configured to audit any usage of the fremovexattr system call. - Fail
### Insufficient log records
- Q:
- The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - Fail
- The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - Fail
- The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - Fail
- The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - Fail
- The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. - Fail
- Successful/unsuccessful uses of the mount command must generate an audit record. - Fail
- Successful/unsuccessful uses of the chown command must generate an audit record. - Fail
- Successful/unsuccessful uses of the fchown command must generate an audit record. - Fail
- Successful/unsuccessful uses of the fchownat command must generate an audit record. - Fail
- Successful/unsuccessful uses of the lchown command must generate an audit record. - Fail
- Successful/unsuccessful uses of the chmod command must generate an audit record. - Fail
- Successful/unsuccessful uses of the fchmod command must generate an audit record. - Fail
- Successful/unsuccessful uses of the fchmodat command must generate an audit record. - Fail
- Successful/unsuccessful uses of the open command must generate an audit record. - Fail
- Successful/unsuccessful uses of the truncate command must generate an audit record. - Fail
- Successful/unsuccessful uses of the ftruncate command must generate an audit record. - Fail
- Successful/unsuccessful uses of the creat command must generate an audit record. - Fail
- Successful/unsuccessful uses of the openat command must generate an audit record. - Fail
- Successful/unsuccessful uses of the open_by_handle_at command must generate an audit record. - Fail
- Successful/unsuccessful uses of the sudo command must generate an audit record. - Fail
- Successful/unsuccessful uses of the chsh command must generate an audit record. - Fail
- Successful/unsuccessful uses of the newgrp command must generate an audit record. - Fail
- Successful/unsuccessful uses of the chcon command must generate an audit record. - Fail
- Successful/unsuccessful uses of the apparmor_parser command must generate an audit record. - Fail
- Successful/unsuccessful modifications to the tallylog file must generate an audit record. - Fail
- Successful/unsuccessful modifications to the faillog file must generate an audit record. - Fail
- Successful/unsuccessful modifications to the lastlog file must generate an audit record. - Fail
- Successful/unsuccessful uses of the passwd command must generate an audit record. - Fail
- Successful/unsuccessful uses of the gpasswd command must generate an audit record. - Fail
- Successful/unsuccessful uses of the chage command must generate an audit record. - Fail
- Successful/unsuccessful uses of the crontab command must generate an audit record. - Fail
- Successful/unsuccessful uses of the pam_timestamp_check command must generate an audit record. - Fail
- Successful/unsuccessful uses of the init_module command must generate an audit record. - Fail
- Successful/unsuccessful uses of the finit_module command must generate an audit record. - Fail
- Successful/unsuccessful uses of the delete_module command must generate an audit record. - Fail
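The two audit sections above (the missing auditd service, and the long list of syscalls, privileged commands and account files that produce no records) can be covered by one rules file. The script below is an added example, not part of the scan report: it generates auditd rules for every syscall, command and file named above, for both the 64-bit and 32-bit ABIs. The rule keys, the `auid>=1000` cutoff that excludes system accounts, the binary paths (Ubuntu 16.04 layout without a merged /usr, so check each with `command -v` first) and loading through /etc/audit/rules.d/ with `augenrules` are assumptions.

```shell
#!/bin/sh
# Added example (not from the scan report): generate an auditd rules file.

# Only record actions of real (non-system) users; 4294967295 is the unset auid.
AUDIT_UID_FILTER='-F auid>=1000 -F auid!=4294967295'

# Emit one rule per ABI for a group of syscalls.
# Usage: syscall_rule KEY SYSCALL...
syscall_rule() {
    key=$1; shift
    for arch in b64 b32; do
        printf '%s -F arch=%s' '-a always,exit' "$arch"
        for sc in "$@"; do printf ' -S %s' "$sc"; done
        printf ' %s -k %s\n' "$AUDIT_UID_FILTER" "$key"
    done
}

# Emit an execution-watch rule for a privileged (usually setuid) command.
# Usage: privileged_rule PATH KEY
privileged_rule() {
    printf '%s -F path=%s -F perm=x %s -k %s\n' '-a always,exit' "$1" "$AUDIT_UID_FILTER" "$2"
}

# Emit a write/attribute-change watch on an account or login-record file.
# Usage: watch_rule PATH KEY
watch_rule() {
    printf '%s %s -p wa -k %s\n' '-w' "$1" "$2"
}

# The complete rules file for the findings above.
audit_rules() {
    echo '## extended attributes, ownership and permission changes'
    syscall_rule perm_mod setxattr lsetxattr fsetxattr removexattr lremovexattr fremovexattr
    syscall_rule perm_mod chown fchown fchownat lchown
    syscall_rule perm_mod chmod fchmod fchmodat
    echo '## file open/create/truncate'
    syscall_rule perm_access open truncate ftruncate creat openat open_by_handle_at
    echo '## kernel module loading and unloading'
    syscall_rule module_chng init_module finit_module delete_module
    echo '## privileged commands (Ubuntu 16.04 paths, assumed)'
    for cmd in /bin/mount /usr/bin/sudo /usr/bin/chsh /usr/bin/newgrp /usr/bin/chcon \
               /sbin/apparmor_parser /usr/bin/passwd /usr/bin/gpasswd /usr/bin/chage \
               /usr/bin/crontab /usr/sbin/pam_timestamp_check; do
        privileged_rule "$cmd" "privileged-$(basename "$cmd")"
    done
    echo '## account databases and login records'
    for f in /etc/passwd /etc/group /etc/gshadow /etc/shadow /etc/security/opasswd; do
        watch_rule "$f" usergroup_modification
    done
    for f in /var/log/tallylog /var/log/faillog /var/log/lastlog; do
        watch_rule "$f" logins
    done
}

# Typical use (assumed paths):
#   sudo apt-get install auditd audispd-plugins
#   audit_rules | sudo tee /etc/audit/rules.d/stig.rules
#   sudo augenrules --load && sudo auditctl -l
```

After loading, `ausearch -k privileged-sudo` or `ausearch -k usergroup_modification` shows whether the records the findings ask for are actually being produced.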
### Memory address space is not randomised enough
- Q:
- The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution. - Fail
### The root account must not be usable over SSH
- Q:
- The Ubuntu operating system must not permit direct logons to the root account using remote access via SSH. - Fail
### SSH security (encryption, session time limit, reject unknown sources, disable X connections)
- Q:
- The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. - Fail
- The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. - Fail
- The Ubuntu operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. - Fail
- The SSH daemon must not allow authentication using known hosts authentication. - Fail
- The SSH daemon must not allow compression or must only allow compression after successful authentication. - Fail
- The Ubuntu operating system must be configured so that remote X connections are disabled unless to fulfill documented and validated mission requirements. - Fail
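The root-login and SSH findings above are all single directives in sshd_config. The script below is an added example, not part of the scan report: it sets each directive in a given sshd_config, replacing an existing (possibly commented-out) line or appending one, and reads the effective value back for verification. The cipher and MAC lists are the FIPS 140-2 approved ones that the STIG text refers to; expressing the 10-minute idle limit as `ClientAliveInterval 600` with `ClientAliveCountMax 1`, `Compression delayed` for "only after authentication", and `IgnoreUserKnownHosts yes` for "no known hosts authentication" are assumptions to verify against your own baseline.

```shell
#!/bin/sh
# Added example (not from the scan report): set sshd_config directives in place.

# Set DIRECTIVE to VALUE in FILE: replace the first-level line for that
# directive (commented or not) or append it when absent. Directive names are
# matched case-sensitively in their canonical spelling.
# Usage: sshd_set FILE DIRECTIVE VALUE
sshd_set() {
    file=$1 key=$2 val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $val|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# Print the effective (first uncommented) value of DIRECTIVE in FILE.
# Usage: sshd_get FILE DIRECTIVE
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Apply every SSH item from the findings to FILE.
sshd_harden() {
    f=$1
    sshd_set "$f" PermitRootLogin no                          # no direct root logon
    sshd_set "$f" Ciphers aes256-ctr,aes192-ctr,aes128-ctr    # approved encryption
    sshd_set "$f" MACs hmac-sha2-512,hmac-sha2-256            # approved MACs
    sshd_set "$f" ClientAliveInterval 600                     # 10-minute idle limit
    sshd_set "$f" ClientAliveCountMax 1
    sshd_set "$f" IgnoreUserKnownHosts yes                    # no known-hosts auth
    sshd_set "$f" Compression delayed                         # compress only after auth
    sshd_set "$f" X11Forwarding no                            # no remote X connections
}

# Typical use (assumed paths): keep a backup, validate, then restart.
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sudo sh -c '. ./sshd_harden.sh; sshd_harden /etc/ssh/sshd_config'
#   sudo sshd -t && sudo systemctl restart ssh
```

Run `sshd -t` before restarting: a typo in the cipher list leaves sshd unable to start, and on a remote host that locks you out. The replace-in-place approach is used because OpenSSH 7.2 on Ubuntu 16.04 has no `Include` directive for drop-in files.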
### IPv4 forwarding restrictions
- Q:
- The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. - Fail
- The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. - Fail
- The Ubuntu operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - Fail
- The Ubuntu operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. - Fail
- The Ubuntu operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - Fail
- The Ubuntu operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. - Fail
- The Ubuntu operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. - Fail
- The Ubuntu operating system must not be performing packet forwarding unless the system is a router. - Fail
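The IPv4 items above, together with the address space randomisation finding earlier on this page, are kernel parameters. The script below is an added example, not part of the scan report: it emits a sysctl.d fragment with the compliant values and a checker that compares each key against what the running kernel reports under /proc/sys, so a host can be audited before and after the fragment is applied. The file name 99-stig.conf and the ability to point the checker at a different root directory (used here to test it offline) are assumptions.

```shell
#!/bin/sh
# Added example (not from the scan report): sysctl fragment + live checker.

# Compliant values for the IPv4 and ASLR findings.
sysctl_fragment() {
    cat <<'EOF'
# do not forward or accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# ignore ICMP echo requests sent to a broadcast address
net.ipv4.icmp_echo_ignore_broadcasts = 1
# neither accept nor send ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# not a router: no packet forwarding
net.ipv4.ip_forward = 0
# full address space layout randomisation (stack, mmap, brk)
kernel.randomize_va_space = 2
EOF
}

# Compare every key in FRAGMENT with the kernel's current value.
# Usage: sysctl_audit FRAGMENT [PROC_SYS_ROOT]
# Prints one line per mismatch and returns the mismatch count (0 = compliant).
sysctl_audit() {
    root=${2:-/proc/sys}
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        want=$(printf '%s' "${line#*=}" | tr -d ' ')
        path="$root/$(printf '%s' "$key" | tr . /)"   # net.ipv4.ip_forward -> net/ipv4/ip_forward
        have=$(cat "$path" 2>/dev/null || echo missing)
        if [ "$have" != "$want" ]; then
            echo "$key: want $want, have $have"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Typical use (assumed paths):
#   sysctl_fragment | sudo tee /etc/sysctl.d/99-stig.conf
#   sudo sysctl --system
#   sysctl_audit /etc/sysctl.d/99-stig.conf && echo compliant
```

Note that `sysctl --system` only changes the running kernel and future boots; the checker reads /proc/sys, so it reports the live state rather than what a file says.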
### Required packages
- Q:
- The Ubuntu operating system must have the packages required for multifactor authentication to be installed. - Fail
### PIV (Personal Identity Verification) credentials must be accepted, with multifactor certificate status checking and PKI validation to a trusted source
- Q:
- The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. - Fail
- The Ubuntu operating system must implement certificate status checking for multifactor authentication. - Fail
- The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. - Fail