Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R1
Rules and Groups employed by this XCCDF Profile
-
Ensure Users Re-Authenticate for Privilege Escalation - sudo
The sudo <code>NOPASSWD</code> and <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having t...Rule Medium Severity -
Updating Software
The <code>apt_get</code> command line tool is used to install and update software packages. The system also provides a graphical software update to...Group -
Ensure apt_get Removes Previous Package Versions
<code>apt_get</code> should be configured to remove previous software components after new versions have been installed. To configure <code>apt_get...Rule Low Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...Group -
Warning Banners for System Accesses
Each system should expose as little information about itself as possible. <br> <br> System banners, which are typically displayed just befor...Group -
Modify the System Login Banner for Remote Connections
To configure the system login banner edit <code>/etc/issue.net</code>. Replace the default text with a message compliant with the local site policy...Rule Medium Severity -
Implement a GUI Warning Banner
In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager ...Group -
Enable GNOME3 Login Warning Banner
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login scr...Rule Medium Severity -
Set the GNOME3 Login Warning Banner Text
In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on th...Rule Medium Severity -
Protect Accounts by Configuring PAM
PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...Group -
Ensure PAM Displays Last Logon/Access Notification
To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...Rule Low Severity -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...Group -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Set Interval For Counting Failed Password Attempts
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of inc...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br> <br> For example, to conf...Group -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.