Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · SCAP

Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide

V2R5 · · · Published 29 Nov 2021 · 92 rules
View

Open a previous version of this SCAP benchmark.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Sort by
c
Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
RMF Control
AC-3
Severity
H
CCI
CCI-000213
Version
UBTU-18-010000
Vuln IDs
V-219147
Rule IDs
SV-219147r802349_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
Fix: F-20871r802348_fix

Configure the system to require a password for authentication upon booting into single-user and maintenance modes. Generate an encrypted (grub) password for root with the following command: $ grub-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a boot password: $ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom where <hash> is the hash generated by grub-mkpasswd-pbdkf2 command. Configure grub to only require a password when accessing the bootloader: $ sudo sed -i -E 's/^CLASS="[^"]*/& --unrestricted/' /etc/grub.d/10_linux Generate an updated "grub.conf" file with the new password by using the following command: $ update-grub

c
Ubuntu operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
RMF Control
AC-3
Severity
H
CCI
CCI-000213
Version
UBTU-18-010001
Vuln IDs
V-219148
Rule IDs
SV-219148r808471_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
Fix: F-20872r808470_fix

Configure the system to require a password for authentication upon booting into single-user and maintenance modes. Generate an encrypted (grub) password for root with the following command: $ grub-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a boot password: $ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom where <hash> is the hash generated by grub-mkpasswd-pbdkf2 command. Configure grub to only require a password when accessing the bootloader: $ sudo sed -i -E 's/^CLASS="[^"]*/& --unrestricted/' /etc/grub.d/10_linux Generate an updated "grub.conf" file with the new password by using the following command: $ grub-mkconfig -o /boot/efi/EFI/ubuntu/grub.cfg

b
The Ubuntu operating system must initiate session audits at system startup.
RMF Control
AU-14
Severity
M
CCI
CCI-001464
Version
UBTU-18-010002
Vuln IDs
V-219149
Rule IDs
SV-219149r610963_rule
If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
Fix: F-20873r304776_fix

Configure the Ubuntu operating system to produce audit records at system startup. Edit /etc/default/grub file and add "audit=1" to the GRUB_CMDLINE_LINUX option. To update the grub config file run, sudo update-grub

c
The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
RMF Control
SC-13
Severity
H
CCI
CCI-002450
Version
UBTU-18-010005
Vuln IDs
V-219151
Rule IDs
SV-219151r610963_rule
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176
Fix: F-20875r304782_fix

Configure the system to run in FIPS mode. Add "fips=1" to the kernel parameter during the Ubuntu operating systems install. Enabling a FIPS mode on a pre-existing system involves a number of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS 140-2 security policy document for instructions. A subscription to the "Ubuntu Advantage" plan is required in order to obtain the FIPS Kernel cryptographic modules and enable FIPS.

c
The Ubuntu operating system must not have the Network Information Service (NIS) package installed.
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
UBTU-18-010018
Vuln IDs
V-219157
Rule IDs
SV-219157r610963_rule
Removing the Network Information Service (NIS) package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Fix: F-20881r304800_fix

Configure the Ubuntu operating system to disable non-essential capabilities by removing the Network Information Service (NIS) package from the system with the following command: # sudo apt-get remove nis

c
The Ubuntu operating system must not have the rsh-server package installed.
RMF Control
CM-7
Severity
H
CCI
CCI-000381
Version
UBTU-18-010019
Vuln IDs
V-219158
Rule IDs
SV-219158r610963_rule
It is detrimental for Ubuntu operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Ubuntu operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to log on using this service, the privileged user password could be compromised.
Fix: F-20882r304803_fix

Configure the Ubuntu operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: # sudo apt-get remove rsh-server

b
The Ubuntu operating system must have an application firewall installed in order to control remote access methods.
RMF Control
AC-17
Severity
M
CCI
CCI-002314
Version
UBTU-18-010023
Vuln IDs
V-219161
Rule IDs
SV-219161r610963_rule
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Ubuntu operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Fix: F-20885r304812_fix

Install the Uncomplicated Firewall by using the following command: # sudo apt-get install ufw

a
The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
UBTU-18-010031
Vuln IDs
V-219164
Rule IDs
SV-219164r610963_rule
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Fix: F-20888r304821_fix

Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Edit the file "/etc/pam.d/common-auth" and set the parameter "pam_faildelay" to a value of 4000000 or greater: auth required pam_faildelay.so delay=4000000

a
The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
UBTU-18-010032
Vuln IDs
V-219165
Rule IDs
SV-219165r610963_rule
Configuring the Ubuntu operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Fix: F-20889r304824_fix

Configure the Ubuntu operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin-ac". Add the following line to the top of "/etc/pam.d/login": session required pam_lastlog.so showfailed

b
The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.
RMF Control
AC-7
Severity
M
CCI
CCI-000044
Version
UBTU-18-010033
Vuln IDs
V-219166
Rule IDs
SV-219166r802355_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000329-GPOS-00128
Fix: F-20890r802354_fix

Configure the Ubuntu operating system to utilize the "pam_faillock" module. Edit the /etc/pam.d/common-auth file. Add the following lines below the "auth" definition for pam_unix.so: auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc Configure the "pam_faillock" module to use the following options: Edit the /etc/security/faillock.conf file and add/update the following keywords and values: audit silent deny = 3 fail_interval = 900 unlock_time = 0

a
The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.
RMF Control
IA-5
Severity
L
CCI
CCI-000192
Version
UBTU-18-010100
Vuln IDs
V-219172
Rule IDs
SV-219172r610963_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Fix: F-20896r304845_fix

Add or update the "/etc/security/pwquality.conf" file to contain the "ucredit" parameter: ucredit=-1

a
The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.
RMF Control
IA-5
Severity
L
CCI
CCI-000193
Version
UBTU-18-010101
Vuln IDs
V-219173
Rule IDs
SV-219173r610963_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Fix: F-20897r304848_fix

Add or update the "/etc/security/pwquality.conf" file to contain the "lcredit" parameter: lcredit=-1

a
The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.
RMF Control
IA-5
Severity
L
CCI
CCI-000194
Version
UBTU-18-010102
Vuln IDs
V-219174
Rule IDs
SV-219174r610963_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Fix: F-20898r304851_fix

Configure the Ubuntu operating system to enforce password complexity by requiring that at least one numeric character be used. Add or update the "/etc/security/pwquality.conf" file to contain the "dcredit" parameter: dcredit=-1

a
The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.
RMF Control
IA-5
Severity
L
CCI
CCI-000195
Version
UBTU-18-010103
Vuln IDs
V-219175
Rule IDs
SV-219175r610963_rule
If the Ubuntu operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.
Fix: F-20899r304854_fix

Configure the Ubuntu operating system to require the change of at least 8 characters when passwords are changed. Add or update the "/etc/security/pwquality.conf" file to include the "difok=8" parameter: difok=8

b
The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
UBTU-18-010104
Vuln IDs
V-219176
Rule IDs
SV-219176r610963_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Fix: F-20900r304857_fix

Configure the Ubuntu operating system to encrypt all stored passwords. Edit/Modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to SHA512. ENCRYPT_METHOD SHA512

c
The Ubuntu operating system must not have the telnet package installed.
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
UBTU-18-010105
Vuln IDs
V-219177
Rule IDs
SV-219177r610963_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Fix: F-20901r304860_fix

Remove the telnet package from the Ubuntu operating system by running the following command: # sudo apt-get remove telnetd

a
The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.
RMF Control
IA-5
Severity
L
CCI
CCI-000198
Version
UBTU-18-010106
Vuln IDs
V-219178
Rule IDs
SV-219178r610963_rule
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix: F-20902r304863_fix

Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. Add, or modify the following line in the "/etc/login.defs" file: PASS_MIN_DAYS 1

a
The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction.
RMF Control
IA-5
Severity
L
CCI
CCI-000199
Version
UBTU-18-010107
Vuln IDs
V-219179
Rule IDs
SV-219179r610963_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Fix: F-20903r304866_fix

Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. Add, or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60

b
The Ubuntu operating system must enforce a minimum 15-character password length.
RMF Control
IA-5
Severity
M
CCI
CCI-000205
Version
UBTU-18-010109
Vuln IDs
V-219181
Rule IDs
SV-219181r610963_rule
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Fix: F-20905r304872_fix

Configure the Ubuntu operating system to enforce a minimum 15-character password length. Add, or modify the "minlen" parameter value to the "/etc/security/pwquality.conf" file: minlen=15

b
The Ubuntu operating system must prevent the use of dictionary words for passwords.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
UBTU-18-010113
Vuln IDs
V-219184
Rule IDs
SV-219184r610963_rule
If the Ubuntu operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Fix: F-20908r304881_fix

Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. Add or update the following line in the "/etc/security/pwquality.conf" file to include the "dictcheck=1" parameter: dictcheck=1

b
The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles.
RMF Control
IA-11
Severity
M
CCI
CCI-002038
Version
UBTU-18-010114
Vuln IDs
V-219185
Rule IDs
SV-219185r610963_rule
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When the Ubuntu operating system provides the capability to escalate a functional capability or change security roles, it is critical the user re-authenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157
Fix: F-20909r304884_fix

Remove any occurrence of "NOPASSWD" or "!authenticate" found in "/etc/sudoers" file or files in the /etc/sudoers.d directory.

b
The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
UBTU-18-010121
Vuln IDs
V-219188
Rule IDs
SV-219188r610963_rule
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.
Fix: F-20912r304893_fix

Configured the Ubuntu operating system to set permissions of all log files under /var/log directory to 640 or more restricted, by using the following command: # sudo find /var/log -perm /137 -type f -exec chmod 640 '{}' \;

b
The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
UBTU-18-010122
Vuln IDs
V-219189
Rule IDs
SV-219189r610963_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-20913r304896_fix

Configure the Ubuntu operating system to have syslog group-own the /var/log directory by running the following command: # sudo chgrp syslog /var/log

b
The Ubuntu operating system must configure the /var/log directory to be owned by root.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
UBTU-18-010123
Vuln IDs
V-219190
Rule IDs
SV-219190r610963_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-20914r304899_fix

Configure the Ubuntu operating system to have root own the /var/log directory by running the following command: # sudo chown root /var/log

b
The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less permissive.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
UBTU-18-010124
Vuln IDs
V-219191
Rule IDs
SV-219191r610963_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-20915r304902_fix

Configure the Ubuntu operating system to have permissions of 0750 for the /var/log directory by running the following command: # sudo chmod 0750 /var/log

b
The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.
RMF Control
SI-11
Severity
M
CCI
CCI-001314
Version
UBTU-18-010127
Vuln IDs
V-219194
Rule IDs
SV-219194r610963_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Fix: F-20918r304911_fix

Configure the Ubuntu operating system to have permissions of 0640 o for the /var/log/syslog file by running the following command: # sudo chmod 0640 /var/log/syslog

b
The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive.
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
UBTU-18-010128
Vuln IDs
V-219195
Rule IDs
SV-219195r610963_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. The Ubuntu operating system providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
Fix: F-20919r304914_fix

Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the correct permissive mode using the following command: # sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode.

b
The Ubuntu operating system must configure audit tools to be owned by root.
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
UBTU-18-010129
Vuln IDs
V-219196
Rule IDs
SV-219196r610963_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. The Ubuntu operating system providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Fix: F-20920r304917_fix

Configure the audit tools on the Ubuntu operating system to be owned by root, by running the following command: # sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by root.

b
The Ubuntu operating system must configure the audit tools to be group-owned by root.
RMF Control
AU-9
Severity
M
CCI
CCI-001493
Version
UBTU-18-010130
Vuln IDs
V-219197
Rule IDs
SV-219197r610963_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. The Ubuntu operating system providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Fix: F-20921r304920_fix

Configure the audit tools on the Ubuntu operating system to be group-owned by root, by running the following command: # sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by root.

b
The Ubuntu operating system library directories must have mode 0755 or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010134
Vuln IDs
V-219199
Rule IDs
SV-219199r610963_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20923r569490_fix

Configure the shared library directories to be protected from unauthorized access. Run the following command: # sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' \;

b
The Ubuntu operating system library directories must be owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010136
Vuln IDs
V-219201
Rule IDs
SV-219201r610963_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20925r304932_fix

Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: # sudo find /lib /usr/lib /lib64 ! -user root -type d -exec chown root '{}' \;

b
The Ubuntu operating system library directories must be group-owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010138
Vuln IDs
V-219203
Rule IDs
SV-219203r610963_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20927r304938_fix

Configure the system library directories to be protected from unauthorized access. Run the following command: # sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \;

b
The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010139
Vuln IDs
V-219204
Rule IDs
SV-219204r610963_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20928r304941_fix

Configure the system commands to be protected from unauthorized access. Run the following command: # sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;

b
The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010140
Vuln IDs
V-219205
Rule IDs
SV-219205r610963_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20929r304944_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: # sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;

b
The Ubuntu operating system must have system commands owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010141
Vuln IDs
V-219206
Rule IDs
SV-219206r610963_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20930r304947_fix

Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command: # sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \;

b
The Ubuntu operating system must have directories that contain system commands owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010142
Vuln IDs
V-219207
Rule IDs
SV-219207r610963_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20931r304950_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: # sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;

b
The Ubuntu operating system must have system commands group-owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010143
Vuln IDs
V-219208
Rule IDs
SV-219208r648688_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20932r648687_fix

Configure the system commands to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec chgrp root '{}' \;

b
The Ubuntu operating system must have directories that contain system commands group-owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
UBTU-18-010144
Vuln IDs
V-219209
Rule IDs
SV-219209r610963_rule
If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-20933r304956_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: # sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;

a
The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used.
RMF Control
IA-5
Severity
L
CCI
CCI-001619
Version
UBTU-18-010145
Vuln IDs
V-219210
Rule IDs
SV-219210r610963_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
Fix: F-20934r304959_fix

Configure the Ubuntu operating system to enforce password complexity by requiring that at least one special character be used. Add or update the following line in the "/etc/security/pwquality.conf" file to include the "ocredit=-1" parameter: ocredit=-1

b
The Ubuntu operating system must generate audit records for the use and modification of the tallylog file.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010201
Vuln IDs
V-219213
Rule IDs
SV-219213r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218
Fix: F-20937r304968_fix

Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "tallylog" file occur. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/tallylog -p wa -k logins Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for the use and modification of faillog file.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010202
Vuln IDs
V-219214
Rule IDs
SV-219214r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218
Fix: F-20938r304971_fix

Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file occur. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/faillog -p wa -k logins Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for the use and modification of the lastlog file.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010203
Vuln IDs
V-219215
Rule IDs
SV-219215r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218
Fix: F-20939r304974_fix

Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file occur. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/lastlog -p wa -k logins Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
UBTU-18-010244
Vuln IDs
V-219220
Rule IDs
SV-219220r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000004-GPOS-00004
Fix: F-20944r304989_fix

Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/passwd -p wa -k usergroup_modification Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010245
Vuln IDs
V-219221
Rule IDs
SV-219221r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207
Fix: F-20945r304992_fix

Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/group -p wa -k usergroup_modification Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010246
Vuln IDs
V-219222
Rule IDs
SV-219222r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000463-GPOS-00207, SRG-OS-000458-GPOS-00203, SRG-OS-000303-GPOS-00120, SRG-OS-000241-GPOS-00091, SRG-OS-000240-GPOS-00090, SRG-OS-000239-GPOS-00089
Fix: F-20946r304995_fix

Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/gshadow -p wa -k usergroup_modification Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010247
Vuln IDs
V-219223
Rule IDs
SV-219223r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000463-GPOS-00207, SRG-OS-000458-GPOS-00203, SRG-OS-000303-GPOS-00120, SRG-OS-000241-GPOS-00091, SRG-OS-000240-GPOS-00090, SRG-OS-000239-GPOS-00089
Fix: F-20947r304998_fix

Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/shadow -p wa -k usergroup_modification Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010248
Vuln IDs
V-219224
Rule IDs
SV-219224r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000463-GPOS-00207, SRG-OS-000458-GPOS-00203, SRG-OS-000303-GPOS-00120, SRG-OS-000241-GPOS-00091, SRG-OS-000240-GPOS-00090, SRG-OS-000239-GPOS-00089
Fix: F-20948r305001_fix

Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/security/opasswd -p wa -k usergroup_modification Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.
RMF Control
AU-3
Severity
M
CCI
CCI-000131
Version
UBTU-18-010250
Vuln IDs
V-219225
Rule IDs
SV-219225r610963_rule
Without establishing the when, where, type, source, and outcome of events that occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the operating system does not provide the ability to centrally review the operating system logs, forensic analysis is negatively impacted. Associating event types with detected events in the Ubuntu operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
Fix: F-20949r305004_fix

Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command: # sudo apt-get install auditd Enable the audit service with the following command: # sudo systemctl enable auditd.service In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010315
Vuln IDs
V-219238
Rule IDs
SV-219238r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20962r569457_fix

Configure the Ubuntu operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change In order to reload the rules file, issue the following command: # sudo augenrules --load Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010316
Vuln IDs
V-219239
Rule IDs
SV-219239r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20963r305046_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chfn" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn In order to reload the rules file, issue the following command: # sudo augenrules --load Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the mount command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010317
Vuln IDs
V-219240
Rule IDs
SV-219240r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20964r305049_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount In order to reload the rules file, issue the following command: # sudo augenrules --load Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the umount command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010318
Vuln IDs
V-219241
Rule IDs
SV-219241r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20965r305052_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount In order to reload the rules file, issue the following command: # sudo augenrules --load Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-agent command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010319
Vuln IDs
V-219242
Rule IDs
SV-219242r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20966r305055_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh In order to reload the rules file, issue the following command: # sudo augenrules --load Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-keysign command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010320
Vuln IDs
V-219243
Rule IDs
SV-219243r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20967r305058_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh In order to reload the rules file, issue the following command: # sudo augenrules --load Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory.

b
The Ubuntu operating system must generate audit records for any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010321
Vuln IDs
V-219244
Rule IDs
SV-219244r809514_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000462-GPOS-00206
Fix: F-20968r809513_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. To reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010327
Vuln IDs
V-219250
Rule IDs
SV-219250r809517_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206
Fix: F-20974r809516_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. To reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010331
Vuln IDs
V-219254
Rule IDs
SV-219254r809520_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206
Fix: F-20978r809519_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. To reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010334
Vuln IDs
V-219257
Rule IDs
SV-219257r809523_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219
Fix: F-20981r809522_fix

Configure the audit system to generate an audit event for any unsuccessful use of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. To reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudo command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010340
Vuln IDs
V-219263
Rule IDs
SV-219263r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20987r305118_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010341
Vuln IDs
V-219264
Rule IDs
SV-219264r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20988r305121_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudoedit" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules": -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chsh command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010342
Vuln IDs
V-219265
Rule IDs
SV-219265r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20989r305124_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the newgrp command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010343
Vuln IDs
V-219266
Rule IDs
SV-219266r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20990r305127_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chcon command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010344
Vuln IDs
V-219267
Rule IDs
SV-219267r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20991r305130_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010345
Vuln IDs
V-219268
Rule IDs
SV-219268r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20992r305133_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the setfacl command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010346
Vuln IDs
V-219269
Rule IDs
SV-219269r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20993r305136_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chacl command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010347
Vuln IDs
V-219270
Rule IDs
SV-219270r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20994r305139_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the passwd command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010348
Vuln IDs
V-219271
Rule IDs
SV-219271r755156_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20995r755155_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the unix_update command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010349
Vuln IDs
V-219272
Rule IDs
SV-219272r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20996r305145_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the gpasswd command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010350
Vuln IDs
V-219273
Rule IDs
SV-219273r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20997r305148_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the gpasswd command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010351
Vuln IDs
V-219274
Rule IDs
SV-219274r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20998r305151_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the usermod command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010352
Vuln IDs
V-219275
Rule IDs
SV-219275r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-20999r305154_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the crontab command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010353
Vuln IDs
V-219276
Rule IDs
SV-219276r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-21000r305157_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010354
Vuln IDs
V-219277
Rule IDs
SV-219277r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-21001r305160_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check Note: The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the finit_module syscall.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010356
Vuln IDs
V-219279
Rule IDs
SV-219279r610963_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-21003r305166_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "finit_module" syscall. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.
RMF Control
AC-6
Severity
M
CCI
CCI-002233
Version
UBTU-18-010358
Vuln IDs
V-219281
Rule IDs
SV-219281r610963_rule
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations. Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127
Fix: F-21005r621651_fix

Configure the Ubuntu operating system to audit the execution of all privileged functions. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate audit records upon successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010375
Vuln IDs
V-219287
Rule IDs
SV-219287r809526_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Fix: F-21011r809525_fix

Configure the audit system to generate audit events upon successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -Fauid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. To reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate records for successful/unsuccessful uses of init_module or finit_module syscalls.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010387
Vuln IDs
V-219296
Rule IDs
SV-219296r648693_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033
Fix: F-21020r305217_fix

Configure the audit system to generate an audit event for any use of the "init_module" or "finit_module" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules -a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must generate records for successful/unsuccessful uses of delete_module syscall and when unloading dynamic kernel modules.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
UBTU-18-010388
Vuln IDs
V-219297
Rule IDs
SV-219297r648694_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000471-GPOS-00216
Fix: F-21021r305220_fix

Configure the Ubuntu operating system to generate an audit event for any use of the delete_module system call. Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file. -a always,exit -F arch=b32 -S delete_module -F key=modules -a always,exit -F arch=b64 -S delete_module -F key=modules Notes: For 32-bit architectures, only the 32-bit specific entries are required. The "root" account must be used to view/edit any files in the /etc/audit/rules.d/ directory. In order to reload the rules file, issue the following command: # sudo augenrules --load

b
The Ubuntu operating system must be configured for users to directly initiate a session lock for all connection types.
RMF Control
AC-11
Severity
M
CCI
CCI-000058
Version
UBTU-18-010403
Vuln IDs
V-219304
Rule IDs
SV-219304r610963_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, the Ubuntu operating system need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. Satisfies: SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012
Fix: F-21028r305241_fix

Install the "vlock" (if it is not already installed) package by running the following command: # sudo apt-get install vlock

b
The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
UBTU-18-010411
Vuln IDs
V-219307
Rule IDs
SV-219307r610963_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Fix: F-21031r621654_fix

Configure the Ubuntu operating system to allow the SSH daemon to only implement DoD-approved encryption. Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): Ciphers aes256-ctr,aes192-ctr,aes128-ctr In order for the changes to take effect, the SSH daemon must be restarted. # sudo systemctl restart sshd.service

c
The Ubuntu operating system must enforce SSHv2 for network access to all accounts.
RMF Control
IA-2
Severity
H
CCI
CCI-001941
Version
UBTU-18-010412
Vuln IDs
V-219308
Rule IDs
SV-219308r610963_rule
A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058
Fix: F-21032r305253_fix

Configure the Ubuntu operating system to enforce SSHv2 for network access to all accounts. Add or update the following line in the "/etc/ssh/sshd_config" file: Protocol 2 Restart the ssh service. # systemctl restart sshd.service

b
The Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications.
RMF Control
AC-17
Severity
M
CCI
CCI-001453
Version
UBTU-18-010417
Vuln IDs
V-219312
Rule IDs
SV-219312r610963_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Fix: F-21036r621657_fix

Configure the Ubuntu operating system to allow the SSH daemon to only use Message Authentication Codes (MACs) that employ FIPS 140-2 approved ciphers. Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): MACs hmac-sha2-512,hmac-sha2-256 In order for the changes to take effect, reload the SSH daemon. # sudo systemctl reload sshd.service

c
The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
UBTU-18-010420
Vuln IDs
V-219313
Rule IDs
SV-219313r610963_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Fix: F-21037r305268_fix

Install the "ssh" meta-package on the system with the following command: # sudo apt install ssh Enable the "ssh" service to start automatically on reboot with the following command: # sudo systemctl enable sshd.service Ensure that the "ssh" service is running. # sudo systemctl start sshd.service

b
The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
UBTU-18-010425
Vuln IDs
V-219315
Rule IDs
SV-219315r610963_rule
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167
Fix: F-21039r305274_fix

Configure the Ubuntu operating system, for PKI-based authentication, to validate certificates by constructing a certification path to an accepted trust anchor. Determine which pkcs11 module is being used via the use_pkcs11_module in /etc/pam_pkcs11/pam_pkcs11.conf and ensure "ca" is enabled in "cert_policy". Add or update the "cert_policy" to ensure "ca" is enabled: cert_policy = ca,signature,ocsp_on; If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".

c
The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.
RMF Control
IA-5
Severity
H
CCI
CCI-000187
Version
UBTU-18-010426
Vuln IDs
V-219316
Rule IDs
SV-219316r610963_rule
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
Fix: F-21040r305277_fix

Install libpam-pkcs11 package on the system. Set use_mappers=pwent in /etc/pam_pkcs11/pam_pkcs11.conf If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".

b
The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
RMF Control
IA-2
Severity
M
CCI
CCI-001948
Version
UBTU-18-010431
Vuln IDs
V-219318
Rule IDs
SV-219318r610963_rule
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Requires further clarification from NIST.
Fix: F-21042r305283_fix

Configure the Ubuntu operating system to implement multifactor authentication by installing the required packages. Install the "libpam-pkcs11" package on the system with the following command: # sudo apt install libpam-pkcs11

b
The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.
RMF Control
IA-2
Severity
M
CCI
CCI-001953
Version
UBTU-18-010432
Vuln IDs
V-219319
Rule IDs
SV-219319r610963_rule
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.
Fix: F-21043r305286_fix

Configure the Ubuntu operating system to accept Personal Identity Verification (PIV) credentials. Install the "opensc-pkcs11" package using the following command: # sudo apt-get install opensc-pkcs11

b
The Ubuntu operating system must implement certificate status checking for multifactor authentication.
RMF Control
IA-2
Severity
M
CCI
CCI-001954
Version
UBTU-18-010434
Vuln IDs
V-219320
Rule IDs
SV-219320r610963_rule
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.
Fix: F-21044r305289_fix

Configure the Ubuntu operating system to certificate status checking for multifactor authentication. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include ocsp_on.

b
The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can only read and modify their own files.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
UBTU-18-010448
Vuln IDs
V-219328
Rule IDs
SV-219328r610963_rule
Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
Fix: F-21052r305313_fix

Configure the system to define the default permissions for all authenticated users in such a way that the user can only read and modify their own files. Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: UMASK 077

b
The Ubuntu operating system must be configured to use TCP syncookies.
RMF Control
SC-5
Severity
M
CCI
CCI-001095
Version
UBTU-18-010500
Vuln IDs
V-219330
Rule IDs
SV-219330r610963_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Fix: F-21054r305319_fix

Configure the Ubuntu operating system to use TCP syncookies, by running the following command: # sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value then add or update the following line in "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1

b
The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
RMF Control
SI-16
Severity
M
CCI
CCI-002824
Version
UBTU-18-010514
Vuln IDs
V-219342
Rule IDs
SV-219342r610963_rule
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Fix: F-21066r569470_fix

Set the "kernel.randomize_va_space" entry found in the "/etc/sysctl.conf" file to a value of "2". After the line has been modified the kernel settings from all system configuration files must be reloaded; before any of the changes will take effect. Run the following command to reload all of the kernel system configuration files: # sudo sysctl --system

b
The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions.
RMF Control
SI-6
Severity
M
CCI
CCI-002696
Version
UBTU-18-010515
Vuln IDs
V-219343
Rule IDs
SV-219343r610963_rule
Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality.
Fix: F-21067r305358_fix

Install the AIDE package by running the following command: # sudo apt-get install aide