Detections
Analytics

DISA STIG Ubuntu 20.04 LTS v1r7

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Ubuntu 20.04 LTS v1r7

Updated: 4/1/2024

Authority: Operating Systems and Applications

Plugin: Unix

Revision: 1.5

Audit Changelog

 
Revision 1.4

Sep 15, 2023

Functional Update
  • UBTU-20-010013 - The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired.
  • UBTU-20-010072 - The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
  • UBTU-20-010100 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
  • UBTU-20-010101 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
  • UBTU-20-010102 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
  • UBTU-20-010103 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
  • UBTU-20-010104 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
  • UBTU-20-010136 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command.
  • UBTU-20-010137 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command.
  • UBTU-20-010138 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the mount command.
  • UBTU-20-010139 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the umount command.
  • UBTU-20-010140 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-agent command.
  • UBTU-20-010141 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-keysign command.
  • UBTU-20-010148 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls - b32
  • UBTU-20-010148 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls - b64
  • UBTU-20-010152 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls - b32
  • UBTU-20-010152 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls - b64
  • UBTU-20-010161 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudo command.
  • UBTU-20-010162 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command.
  • UBTU-20-010163 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chsh command.
  • UBTU-20-010164 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the newgrp command.
  • UBTU-20-010165 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chcon command.
  • UBTU-20-010166 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command.
  • UBTU-20-010167 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the setfacl command.
  • UBTU-20-010168 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chacl command.
  • UBTU-20-010172 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the passwd command.
  • UBTU-20-010173 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the unix_update command.
  • UBTU-20-010174 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the gpasswd command.
  • UBTU-20-010175 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command.
  • UBTU-20-010176 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the usermod command.
  • UBTU-20-010177 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the crontab command.
  • UBTU-20-010178 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command.
  • UBTU-20-010179 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the init_module and finit_module syscalls - b32
  • UBTU-20-010179 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the init_module and finit_module syscalls - b64
  • UBTU-20-010205 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - audispd
  • UBTU-20-010205 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - auditctl
  • UBTU-20-010205 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - auditd
  • UBTU-20-010205 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - augenrules
  • UBTU-20-010205 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - aureport
  • UBTU-20-010205 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - ausearch
  • UBTU-20-010205 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - autrace
  • UBTU-20-010244 - The Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access.
  • UBTU-20-010277 - The Ubuntu operating system must generate audit records for the /var/log/wtmp file.
  • UBTU-20-010278 - The Ubuntu operating system must generate audit records for the /var/run/utmp file.
  • UBTU-20-010279 - The Ubuntu operating system must generate audit records for the /var/log/btmp file.
  • UBTU-20-010298 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the fdisk command.
Miscellaneous
  • Metadata updated.
  • References updated.
Added
  • UBTU-20-010155 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls
  • UBTU-20-010267 - The Ubuntu operating system must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls
Removed
  • UBTU-20-010155 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls - b32 EACCES
  • UBTU-20-010155 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls - b32 EPERM
  • UBTU-20-010155 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls - b64 EACCES
  • UBTU-20-010155 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls - b64 EPERM
  • UBTU-20-010267 - The Ubuntu operating system must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls - b32
  • UBTU-20-010267 - The Ubuntu operating system must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls - b64
Revision 1.3

Sep 6, 2023

Functional Update
  • UBTU-20-010033 - The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts - PubkeyAuthentication
Revision 1.2

Jul 5, 2023

Functional Update
  • UBTU-20-010217 - The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity - action_mail_acct
Revision 1.1

May 16, 2023

Added
  • UBTU-20-010142 - The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls
Removed
  • UBTU-20-010142 - The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls - b32 auid=0
  • UBTU-20-010142 - The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls - b32 auid>=1000
  • UBTU-20-010142 - The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls - b64 auid=0
  • UBTU-20-010142 - The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls - b64 auid>=1000