
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R1

Rules and Groups employed by this XCCDF Profile

  • Verify that 'use_mappers' is set to 'pwent' in PAM

    The operating system must map the authenticated identity to the user or group account for PKI-based authentication. Verify that <code>use_mappers<...
    Rule Low Severity
  • Assign Expiration Date to Temporary Accounts

    Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event tempo...
    Rule Medium Severity
  • Ensure sudo group has only necessary members

    Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, discipli...
    Rule Medium Severity
  • Ensure no duplicate UIDs exist

    Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passw...
    Rule Medium Severity
  • Verify group-owner of system journal directories

    Verify the /run/log/journal and /var/log/journal directories are group-owned by "systemd-journal" by using the following command: $ sudo find...
    Rule Medium Severity
  • Verify owner of system journal directories

    Verify the /run/log/journal and /var/log/journal directories are owned by "root" by using the following command: $ sudo find /run/log/journal...
    Rule Medium Severity
  • Verify Permissions on the system journal directories

    Verify the /run/log/journal and /var/log/journal directories have permissions set to "2750" or less permissive by using the following command: ...
    Rule Medium Severity
  • Verify Groupowner on the journalctl command

    Verify that the "journalctl" command is group-owned by "root" by using the following command: $ sudo find /usr/bin/journalctl -exec stat -c "...
    Rule Medium Severity
  • Verify Group Who Owns the system journal

    Verify the /run/log/journal and /var/log/journal files are group-owned by "systemd-journal" by using the following command: $ sudo find /run/...
    Rule Medium Severity
  • Verify Owner on the journalctl Command

    Verify that the "journalctl" command is owned by "root" by using the following command: $ sudo find /usr/bin/journalctl -exec stat -c "%n %U"...
    Rule Medium Severity
  • Verify Owner on the system journal

    Verify the /run/log/journal and /var/log/journal files are owned by "root" by using the following command: $ sudo find /run/log/journal /var/...
    Rule Medium Severity
  • Verify Permissions on the journal command

    Verify that the "journalctl" command has a permission set of "740" by using the following command: $ sudo find /usr/bin/journalctl -exec sta...
    Rule Medium Severity
  • Verify Permissions on the system journal

    Verify all files in the /run/log/journal and /var/log/journal directories have permissions set to "640" or less permissive by using the following c...
    Rule Medium Severity
  • Verify ufw Active

    Verify that ufw is enabled on the system with the following command: # sudo ufw status. If the above command returns the status as "inacti...
    Rule Medium Severity
  • Only Allow Authorized Network Services in ufw

    Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: ...
    Rule Medium Severity
  • ufw Must rate-limit network interfaces

    The operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. Check all the services listening to the ...
    Rule Medium Severity
  • Verify Permissions on /etc/audit/audit.rules

    To properly set the permissions of /etc/audit/audit.rules, run the command:
    $ sudo chmod 0640 /etc/audit/audit.rules
    Rule Medium Severity
  • Restrict Access to Kernel Message Buffer

    To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg...
    Rule Low Severity
  • Remove the ntp service

    The ntpd service should not be installed.
    Rule Low Severity
  • Remove the systemd_timesyncd Service

    The systemd_timesyncd service should not be installed.
    Rule Low Severity
