DISA STIG Ubuntu 16.04 LTS v2r3

Audit Details

Name: DISA STIG Ubuntu 16.04 LTS v2r3

Updated: 7/27/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.2

Estimated Item Count: 326

File Details

Filename: DISA_STIG_Ubuntu_16.04_LTS_v2r3.audit

Size: 901 kB

MD5: 550d6dd0f1b75fa392b3b1e4ba9d3c21
SHA256: 278ee4b82ecbb311c39100bc9dd361a0a126130a86735aabf956483a6932b072

Audit Items

DescriptionCategories
DISA_STIG_Ubuntu_16.04_LTS_v2r3.audit from DISA Canonical Ubuntu 16.04 LTS v2r3 STIG
UBTU-16-010000 - The Ubuntu operating system must be a vendor supported release.

SYSTEM AND INFORMATION INTEGRITY

UBTU-16-010010 - Ubuntu vendor packaged system security patches and updates must be installed and up to date.

CONFIGURATION MANAGEMENT

UBTU-16-010020 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon - enabled

ACCESS CONTROL

UBTU-16-010020 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon - text

ACCESS CONTROL

UBTU-16-010030 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

ACCESS CONTROL

UBTU-16-010040 - The Ubuntu operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.

ACCESS CONTROL

UBTU-16-010050 - All users must be able to directly initiate a session lock for all connection types.

ACCESS CONTROL

UBTU-16-010060 - Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity - export

ACCESS CONTROL

UBTU-16-010060 - Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity - readonly

ACCESS CONTROL

UBTU-16-010060 - Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity - timeout

ACCESS CONTROL

UBTU-16-010070 - The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.

ACCESS CONTROL

UBTU-16-010080 - The Ubuntu operating system must prevent direct login into the root account.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010099 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - /etc/pam.d/common-password

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010099 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - dpkg -s libpam-pwquality

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010100 - The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010110 - The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010120 - The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010130 - All passwords must contain at least one special character.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010140 - The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010150 - The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010160 - The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010170 - The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010180 - The pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010200 - Emergency administrator accounts must never be automatically removed or disabled.

ACCESS CONTROL

UBTU-16-010210 - Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010220 - Passwords for new users must have a 60-day maximum password lifetime restriction.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010230 - Passwords must be prohibited from reuse for a minimum of five generations.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010240 - Passwords must have a minimum of 15-characters.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010250 - The Ubuntu operating system must not be configured to allow blank or null passwords.

CONFIGURATION MANAGEMENT

UBTU-16-010260 - The Ubuntu operating system must prevent the use of dictionary words for passwords.

CONFIGURATION MANAGEMENT

UBTU-16-010270 - The passwd command must be configured to prevent the use of dictionary words as passwords.

CONFIGURATION MANAGEMENT

UBTU-16-010280 - Account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity.

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010290 - The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts.

ACCESS CONTROL

UBTU-16-010291 - Accounts on the Ubuntu operating system that are subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period - account required pam_faillock.so

ACCESS CONTROL

UBTU-16-010291 - Accounts on the Ubuntu operating system that are subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period - unlock_time

ACCESS CONTROL

UBTU-16-010300 - The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles - sudoers

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010300 - The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles - sudoers.d

IDENTIFICATION AND AUTHENTICATION

UBTU-16-010310 - Temporary user accounts must be provisioned with an expiration time of 72 hours or less.

ACCESS CONTROL

UBTU-16-010320 - The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.

CONFIGURATION MANAGEMENT

UBTU-16-010330 - Unattended or automatic login via the Graphical User Interface must not be allowed - autologin-user

CONFIGURATION MANAGEMENT

UBTU-16-010330 - Unattended or automatic login via the Graphical User Interface must not be allowed - autologin-user-timeout

CONFIGURATION MANAGEMENT

UBTU-16-010340 - The Ubuntu operating system must display the date and time of the last successful account logon upon logon.

CONFIGURATION MANAGEMENT

UBTU-16-010350 - There must be no .shosts files on the Ubuntu operating system.

CONFIGURATION MANAGEMENT

UBTU-16-010360 - There must be no shosts.equiv files on the Ubuntu operating system.

CONFIGURATION MANAGEMENT

UBTU-16-010370 - The Ubuntu operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SYSTEM AND COMMUNICATIONS PROTECTION

UBTU-16-010380 - Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.

ACCESS CONTROL

UBTU-16-010390 - Ubuntu operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.

ACCESS CONTROL

UBTU-16-010400 - All persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

SYSTEM AND COMMUNICATIONS PROTECTION

UBTU-16-010410 - All public directories must be owned by root to prevent unauthorized and unintended information transferred via shared system resources.

SYSTEM AND COMMUNICATIONS PROTECTION