Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R1
Rules and Groups employed by this XCCDF Profile
-
Enable SSH Warning Banner
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>...Rule Medium Severity -
Use Only FIPS 140-2 Validated Ciphers
Limit the ciphers to those algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-app...Rule Medium Severity -
System Security Services Daemon
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red H...Group -
Configure SSSD to Expire Offline Credentials
SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credential...Rule Medium Severity -
Configure AIDE To Notify Personnel if Baseline Configurations Are Altered
The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations.Rule Medium Severity -
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate...Rule Medium Severity -
Install pam_pwquality Package
Thelibpam-pwqualitypackage can be installed with the following command:$ apt-get install libpam-pwquality
Rule Medium Severity -
Enforce Delay After Failed Logon Attempts
To configure the system to introduce a delay after failed logon attempts, add or correct the <code>pam_faildelay</code> settings in <code>/etc/pam....Rule Medium Severity -
Do Not Show System Messages When Unsuccessful Logon Attempts Occur
This rule ensures the system prevents informative messages from being presented to the user pertaining to logon information after a number of incor...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
The pam_pwquality module's <code>dictcheck</code> check if passwords contains dictionary words. When <code>dictcheck</code> is set to <code>1</code...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Characters
The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password du...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Enforcing
Verify that the operating system uses "pwquality" to enforce the password complexity rules. Verify the pwquality module is being enforced by opera...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the <code>password<...Rule Medium Severity -
Check that vlock is installed to allow session locking
The Ubuntu 22.04 operating system must have vlock installed to allow for session locking. The <code>vlock</code> package can be installed with th...Rule Medium Severity -
Install the opensc Package For Multifactor Authentication
Theopensc-pkcs11package can be installed with the following command:$ apt-get install opensc-pkcs11
Rule Medium Severity -
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>li...Rule Medium Severity -
Configure Smart Card Certificate Authority Validation
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>...Rule Medium Severity -
Configure Smart Card Certificate Status Checking
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>...Rule Medium Severity -
Configure Smart Card Local Cache of Revocation Data
Configure the operating system for PKI-based authentication to use local revocation data when unable to access the network to obtain it remotely. M...Rule Medium Severity -
Enable Smart Card Logins in PAM
This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g....Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.