DISA STIG Ubuntu 20.04 LTS v1r5

Audit Details

Name: DISA STIG Ubuntu 20.04 LTS v1r5

Updated: 8/23/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.0

Estimated Item Count: 237

File Details

Filename: DISA_STIG_Ubuntu_20.04_LTS_v1r5.audit

Size: 555 kB

MD5: f16e6c0cc8386b01f95525a70bb1a27f
SHA256: 367dd6aac57e3bc4942eebcce90503fa5b032259e7438708b15e3ce107ede1f5

Audit Items

DescriptionCategories
DISA_STIG_Ubuntu_20.04_LTS_v1r5.audit from DISA Canonical Ubuntu 20.04 LTS v1r5 STIG
UBTU-20-010000 - The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.

ACCESS CONTROL

UBTU-20-010002 - The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.

ACCESS CONTROL

UBTU-20-010003 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.

ACCESS CONTROL

UBTU-20-010004 - The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.

ACCESS CONTROL

UBTU-20-010005 - The Ubuntu operating system must allow users to directly initiate a session lock for all connection types.

ACCESS CONTROL

UBTU-20-010006 - The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010007 - The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010008 - The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010009 - Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes.

ACCESS CONTROL

UBTU-20-010010 - The Ubuntu operating system must uniquely identify interactive users.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010012 - The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group.

SYSTEM AND COMMUNICATIONS PROTECTION

UBTU-20-010013 - The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired.

ACCESS CONTROL

UBTU-20-010014 - The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010016 - The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files.

CONFIGURATION MANAGEMENT

UBTU-20-010033 - The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts - libpam-pkcs11

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010033 - The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts - PubkeyAuthentication

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010035 - The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.

MAINTENANCE

UBTU-20-010036 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity.

MAINTENANCE

UBTU-20-010037 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity.

SYSTEM AND COMMUNICATIONS PROTECTION

UBTU-20-010038 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system - banner text

ACCESS CONTROL

UBTU-20-010038 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system - sshd_config

ACCESS CONTROL

UBTU-20-010042 - The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information - openssh-server

SYSTEM AND COMMUNICATIONS PROTECTION

UBTU-20-010042 - The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information - sshd.service

SYSTEM AND COMMUNICATIONS PROTECTION

UBTU-20-010043 - The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

UBTU-20-010044 - The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

UBTU-20-010047 - The Ubuntu operating system must not allow unattended or automatic login via SSH - PermitEmptyPasswords

CONFIGURATION MANAGEMENT

UBTU-20-010047 - The Ubuntu operating system must not allow unattended or automatic login via SSH - PermitUserEnvironment

CONFIGURATION MANAGEMENT

UBTU-20-010048 - The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.

CONFIGURATION MANAGEMENT

UBTU-20-010049 - The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.

CONFIGURATION MANAGEMENT

UBTU-20-010050 - The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010051 - The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010052 - The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010053 - The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010054 - The Ubuntu operating system must enforce a minimum 15-character password length.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010055 - The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010056 - The Ubuntu operating system must prevent the use of dictionary words for passwords.

CONFIGURATION MANAGEMENT

UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - enforcing

CONFIGURATION MANAGEMENT

UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - libpam-pwquality

CONFIGURATION MANAGEMENT

UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - retry

CONFIGURATION MANAGEMENT

UBTU-20-010060 - The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010063 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010064 - The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010065 - The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010066 - The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010070 - The Ubuntu operating system must prohibit password reuse for a minimum of five generations.

IDENTIFICATION AND AUTHENTICATION

UBTU-20-010072 - The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.

ACCESS CONTROL

UBTU-20-010074 - The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one.

SYSTEM AND INFORMATION INTEGRITY

UBTU-20-010075 - The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.

CONFIGURATION MANAGEMENT

UBTU-20-010100 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY