Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R1
Rules and Groups employed by this XCCDF Profile
Ensure PAM Enforces Password Requirements - Minimum Different Characters
The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in an old password du...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Enforcing
Verify that the operating system uses "pwquality" to enforce the password complexity rules. Verify the pwquality module is being enforced by opera...Rule Medium Severity -
Set PAM's Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the <code>password<...Rule Medium Severity -
Check that vlock is installed to allow session locking
The Ubuntu 22.04 operating system must have vlock installed to allow for session locking. The <code>vlock</code> package can be installed with th...Rule Medium Severity -
Install the opensc Package For Multifactor Authentication
The <code>opensc-pkcs11</code> package can be installed with the following command: <pre>$ apt-get install opensc-pkcs11</pre> Rule Medium Severity -
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>li...Rule Medium Severity -
Configure Smart Card Certificate Authority Validation
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>...Rule Medium Severity -
Configure Smart Card Certificate Status Checking
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>...Rule Medium Severity -
Configure Smart Card Local Cache of Revocation Data
Configure the operating system for PKI-based authentication to use local revocation data when unable to access the network to obtain it remotely. M...Rule Medium Severity -
Enable Smart Card Logins in PAM
This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g....Rule Medium Severity -
Verify that 'use_mappers' is set to 'pwent' in PAM
The operating system must map the authenticated identity to the user or group account for PKI-based authentication. Verify that <code>use_mappers<...Rule Low Severity -
Assign Expiration Date to Temporary Accounts
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event tempo...Rule Medium Severity -
Ensure sudo group has only necessary members
Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, discipli...Rule Medium Severity -
Ensure no duplicate UIDs exist
Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passw...Rule Medium Severity -
Verify group-owner of system journal directories
Verify the /run/log/journal and /var/log/journal directories are group-owned by "systemd-journal" by using the following command: <pre> $ sudo find...Rule Medium Severity -
Verify owner of system journal directories
Verify the /run/log/journal and /var/log/journal directories are owned by "root" by using the following command: <pre> $ sudo find /run/log/journal...Rule Medium Severity -
Verify Permissions on the system journal directories
Verify the /run/log/journal and /var/log/journal directories have permissions set to "2750" or less permissive by using the following command: <pre...Rule Medium Severity -
Verify Groupowner on the journalctl command
Verify that the "journalctl" command is group-owned by "root" by using the following command: <pre> $ sudo find /usr/bin/journalctl -exec stat -c "...Rule Medium Severity -
Verify Group Who Owns the system journal
Verify the /run/log/journal and /var/log/journal files are group-owned by "systemd-journal" by using the following command: <pre> $ sudo find /run/...Rule Medium Severity -
Verify Owner on the journalctl Command
Verify that the "journalctl" command is owned by "root" by using the following command: <pre> $ sudo find /usr/bin/journalctl -exec stat -c "%n %U"...Rule Medium Severity -
Verify Owner on the system journal
Verify the /run/log/journal and /var/log/journal files are owned by "root" by using the following command: <pre> $ sudo find /run/log/journal /var/...Rule Medium Severity -
Verify Permissions on the journal command
Verify that the "journalctl" command has a permission set of "740" by using the following command: <pre> $ sudo find /usr/bin/journalctl -exec sta...Rule Medium Severity -
Verify Permissions on the system journal
Verify all files in the /run/log/journal and /var/log/journal directories have permissions set to "640" or less permissive by using the following c...Rule Medium Severity -
Verify ufw Active
Verify the ufw is enabled on the system with the following command: <pre># sudo ufw status</pre> If the above command returns the status as "inacti...Rule Medium Severity -
Only Allow Authorized Network Services in ufw
Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: <...Rule Medium Severity -
ufw Must rate-limit network interfaces
The operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. Check all the services listening to the ...Rule Medium Severity -
Verify Permissions on /etc/audit/audit.rules
To properly set the permissions of <code>/etc/audit/audit.rules</code>, run the command: <pre>$ sudo chmod 0640 /etc/audit/audit.rules</pre> Rule Medium Severity -
Restrict Access to Kernel Message Buffer
To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg...Rule Low Severity -
Remove the ntp service
The ntpd service should not be installed. Rule Low Severity -
Remove the systemd_timesyncd Service
The systemd_timesyncd service should not be installed. Rule Low Severity -
Enable the OpenSSH Service
The SSH server service, sshd, is commonly needed. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl e...Rule Medium Severity -
Use Only FIPS 140-2 Validated Key Exchange Algorithms
Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in <code>/etc/ssh/sshd_config</code> ...Rule Medium Severity -
Use Only FIPS 140-2 Validated MACs
Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-a...Rule Medium Severity -
Prevent remote hosts from connecting to the proxy display
The SSH daemon should prevent remote hosts from connecting to the proxy display. <br> The default SSH configuration for <code>X11UseLocalhost</code...Rule Medium Severity -
Ensure the default plugins for the audit dispatcher are Installed
The audit-audispd-plugins package should be installed. Rule Medium Severity -
Ensure auditd Collects System Administrator Actions - /etc/sudoers
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...Rule Medium Severity -
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...Rule Medium Severity -
Ensure auditd Collects records for events that affect "/var/log/journal"
Auditing the systemd journal files provides logging that can be used for forensic purposes. Verify the system generates audit records for all event...Rule Medium Severity -
System Audit Logs Must Be Group Owned By Root
All audit logs must be group owned by root user. Determine where the audit logs are stored with the following command: <pre>$ sudo grep -iw log_fi...Rule Medium Severity -
System Audit Logs Must Have Mode 0600 or Less Permissive
Determine where the audit logs are stored with the following command: <pre>$ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audi...Rule Medium Severity