Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R12
Rules and Groups employed by this XCCDF Profile
-
Install the opensc Package For Multifactor Authentication
Theopensc-pkcs11package can be installed with the following command:$ apt-get install opensc-pkcs11
Rule Medium Severity -
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>libpam-pkcs11</code> package can be installed with t...Rule Medium Severity -
Configure Smart Card Certificate Authority Validation
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>/etc/pam_pkcs11/pam_pkcs11.conf</code> to include ...Rule Medium Severity -
Configure Smart Card Certificate Status Checking
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>/etc/pam_pkcs11/pam_pkcs11.conf</code> to include ...Rule Medium Severity -
Configure Smart Card Local Cache of Revocation Data
Configure the operating system for PKI-based authentication to use local revocation data when unable to access the network to obtain it remotely. Modify all of the <code>cert_policy</code> lines in...Rule Medium Severity -
Enable Smart Card Logins in PAM
This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to a...Rule Medium Severity -
Verify that 'use_mappers' is set to 'pwent' in PAM
The operating system must map the authenticated identity to the user or group account for PKI-based authentication. Verify that <code>use_mappers</code> is set to <code>pwent</code> in <code>/etc/...Rule Low Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...Group -
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after in...Group -
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in <code>/etc/default/useradd</code>:...Rule Medium Severity -
Assign Expiration Date to Temporary Accounts
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary accounts are required, configure the system t...Rule Medium Severity -
Policy Requires Immediate Change of Temporary Passwords
Temporary passwords for Ubuntu 20.04 operating system logons must require an immediate change to a permanent password. Verify that a policy exists that ensures when a user is created, it is creati...Rule Medium Severity -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...Group -
Set Password Maximum Age
To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Password Minimum Age
To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...Group -
Ensure sudo group has only necessary members
Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software developmen...Rule Medium Severity -
Ensure no duplicate UIDs exist
Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Users must be ass...Rule Medium Severity -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>...Rule High Severity -
Ensure There Are No Accounts With Blank or Null Passwords
Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command returns any results, this is a finding. Configure ...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.