DISA STIG Ubuntu 20.04 LTS v1r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Ubuntu 20.04 LTS v1r1

Updated: 6/10/2022

Authority: Operating Systems and Applications

Plugin: Unix

Revision: 1.2

Estimated Item Count: 295

Audit Items

Description | Categories
DISA_STIG_Ubuntu_20.04_LTS_v1r1.audit from DISA Canonical Ubuntu 20.04 LTS v1r1 STIG
UBTU-20-010000 - The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.
UBTU-20-010002 - The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.
UBTU-20-010003 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.
UBTU-20-010004 - The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
UBTU-20-010005 - The Ubuntu operating system must allow users to directly initiate a session lock for all connection types.
UBTU-20-010006 - The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.
UBTU-20-010007 - The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.
UBTU-20-010008 - The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction.
UBTU-20-010009 - Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes.
UBTU-20-010010 - The Ubuntu operating system must uniquely identify interactive users.
UBTU-20-010012 - The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group.
UBTU-20-010013 - The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired.
UBTU-20-010014 - The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.
UBTU-20-010016 - The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files.
UBTU-20-010033 - The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts - libpam-pkcs11
UBTU-20-010033 - The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts - PubkeyAuthentication
UBTU-20-010035 - The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.
UBTU-20-010036 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity.
UBTU-20-010037 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity.
UBTU-20-010038 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system - banner text
UBTU-20-010038 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system - sshd_config
UBTU-20-010042 - The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information - openssh-server
UBTU-20-010042 - The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information - sshd.service
UBTU-20-010043 - The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
UBTU-20-010044 - The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
UBTU-20-010047 - The Ubuntu operating system must not allow unattended or automatic login via SSH - PermitEmptyPasswords
UBTU-20-010047 - The Ubuntu operating system must not allow unattended or automatic login via SSH - PermitUserEnvironment
UBTU-20-010048 - The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-20-010049 - The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-20-010050 - The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.
UBTU-20-010051 - The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.
UBTU-20-010052 - The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.
UBTU-20-010053 - The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.
UBTU-20-010054 - The Ubuntu operating system must enforce a minimum 15-character password length.
UBTU-20-010055 - The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used.
UBTU-20-010056 - The Ubuntu operating system must prevent the use of dictionary words for passwords.
UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - enforcing
UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - libpam-pwquality
UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - retry
UBTU-20-010060 - The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
UBTU-20-010063 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
UBTU-20-010064 - The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.
UBTU-20-010065 - The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials.
UBTU-20-010066 - The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.
UBTU-20-010070 - The Ubuntu operating system must prohibit password reuse for a minimum of five generations.
UBTU-20-010072 - The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
UBTU-20-010074 - The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one.
UBTU-20-010075 - The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
UBTU-20-010100 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.