DISA STIG Ubuntu 18.04 LTS v2r12

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Ubuntu 18.04 LTS v2r12

Updated: 3/20/2024

Authority: DISA STIG

Plugin: Unix

Revision: 1.2

Estimated Item Count: 178

Audit Items

DescriptionCategories
DISA_STIG_Ubuntu_18.04_LTS_v2r12.audit from DISA Canonical Ubuntu 18.04 LTS v2r12 STIG
UBTU-18-010000 - Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
UBTU-18-010001 - Ubuntu operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
UBTU-18-010002 - The Ubuntu operating system must initiate session audits at system startup.
UBTU-18-010003 - Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
UBTU-18-010005 - The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
UBTU-18-010006 - The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
UBTU-18-010007 - The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected.
UBTU-18-010008 - The Ubuntu operating system must have a crontab script running weekly to off-load audit events of standalone systems.
UBTU-18-010016 - Advance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
UBTU-18-010017 - The Ubuntu operating system must be configured so that Advance package Tool (APT) removes all software components after updated versions have been installed.
UBTU-18-010018 - The Ubuntu operating system must not have the Network Information Service (NIS) package installed.
UBTU-18-010019 - The Ubuntu operating system must not have the rsh-server package installed.
UBTU-18-010021 - The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP).
UBTU-18-010022 - The Ubuntu operating system must be configured to preserve log records from failure events.
UBTU-18-010023 - The Ubuntu operating system must have an application firewall installed in order to control remote access methods.
UBTU-18-010025 - The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.
UBTU-18-010030 - The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
UBTU-18-010031 - The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
UBTU-18-010032 - The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
UBTU-18-010033 - The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.
UBTU-18-010035 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.
UBTU-18-010036 - The Ubuntu operating system must prevent direct login into the root account.
UBTU-18-010037 - The Ubuntu operating system must be configured so that only users who need access to security functions are part of the sudo group.
UBTU-18-010038 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any publically accessible connection to the system.
UBTU-18-010100 - The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.
UBTU-18-010101 - The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.
UBTU-18-010102 - The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.
UBTU-18-010103 - The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.
UBTU-18-010104 - The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
UBTU-18-010105 - The Ubuntu operating system must not have the telnet package installed.
UBTU-18-010106 - The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.
UBTU-18-010107 - The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction.
UBTU-18-010108 - The Ubuntu operating system must prohibit password reuse for a minimum of five generations.
UBTU-18-010109 - The Ubuntu operating system must enforce a minimum 15-character password length.
UBTU-18-010110 - The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.
UBTU-18-010112 - The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password.
UBTU-18-010113 - The Ubuntu operating system must prevent the use of dictionary words for passwords.
UBTU-18-010114 - The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles.
UBTU-18-010116 - The Ubuntu Operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
UBTU-18-010120 - The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources.
UBTU-18-010121 - The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
UBTU-18-010122 - The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog.
UBTU-18-010123 - The Ubuntu operating system must configure the /var/log directory to be owned by root.
UBTU-18-010124 - The Ubuntu operating system must configure the /var/log directory to have mode 0755 or less permissive.
UBTU-18-010125 - The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm.
UBTU-18-010126 - The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog.
UBTU-18-010127 - The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.
UBTU-18-010128 - The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive.
UBTU-18-010129 - The Ubuntu operating system must configure audit tools to be owned by root.