Canonical Ubuntu 22.04 LTS STIG SCAP Benchmark V1R0 (SCAP)

c

Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes.

RMF Control: AC-3
Severity: H
CCI: CCI-000213
Version: UBTU-22-212010
Vuln IDs: V-260470
Rule IDs: SV-260470r958472_rule

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.

Fix: F-64107r953222_fix

Configure Ubuntu 22.04 LTS to require a password for authentication upon booting into single-user and maintenance modes. Generate an encrypted (grub) password for root by using the following command: $ grub-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Using the hash from the output, modify the "/etc/grub.d/40_custom" file by using the following command to add a boot password: $ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command. Generate an updated "grub.conf" file with the new password by using the following command: $ sudo update-grub

b

Ubuntu 22.04 LTS must initiate session audits at system startup.

RMF Control: AU-14
Severity: M
CCI: CCI-001464
Version: UBTU-22-212015
Vuln IDs: V-260471
Rule IDs: SV-260471r991555_rule

If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.

Fix: F-64108r953225_fix

Configure Ubuntu 22.04 LTS to produce audit records at system startup. Edit the "/etc/default/grub" file and add "audit=1" to the "GRUB_CMDLINE_LINUX" option. To update the grub config file, run: $ sudo update-grub

b

Ubuntu 22.04 LTS must be configured so that the Advance Package Tool (APT) removes all software components after updated versions have been installed.

RMF Control: SI-2
Severity: M
CCI: CCI-002617
Version: UBTU-22-214015
Vuln IDs: V-260477
Rule IDs: SV-260477r958936_rule

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.

Fix: F-64114r953243_fix

Configure APT to remove all software components after updated versions have been installed. Add or modify the following lines in the "/etc/apt/apt.conf.d/50-unattended-upgrades" file: Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; Unattended-Upgrade::Remove-Unused-Dependencies "true";

b

Ubuntu 22.04 LTS must have the "libpam-pwquality" package installed.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: UBTU-22-215010
Vuln IDs: V-260478
Rule IDs: SV-260478r991587_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.

Fix: F-64115r953246_fix

Install the "pam_pwquality" package by using the following command: $ sudo apt-get install libpam-pwquality

a

Ubuntu 22.04 LTS must not have the "ntp" package installed.

RMF Control: CM-6
Severity: L
CCI: CCI-000366
Version: UBTU-22-215025
Vuln IDs: V-260481
Rule IDs: SV-260481r991589_rule

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Organizations must consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Fix: F-64118r953255_fix

Uninstall the "ntp" package by using the following command: $ sudo dpkg -P --force-all ntp

c

Ubuntu 22.04 LTS must not have the "rsh-server" package installed.

RMF Control: CM-7
Severity: H
CCI: CCI-000381
Version: UBTU-22-215030
Vuln IDs: V-260482
Rule IDs: SV-260482r958478_rule

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Remote Shell (RSH) is a client/server application protocol that provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If users were allowed to login to a system using RSH, the privileged user passwords and communications could be compromised. Removing the "rsh-server" package decreases the risk of accidental or intentional activation of the RSH service.

Fix: F-64119r953258_fix

Remove the "rsh-server" package by using the following command: $ sudo apt-get remove rsh-server

c

Ubuntu 22.04 LTS must not have the "telnet" package installed.

RMF Control: IA-5
Severity: H
CCI: CCI-000197
Version: UBTU-22-215035
Vuln IDs: V-260483
Rule IDs: SV-260483r987796_rule

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. Telnet is a client/server application protocol that provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If users were allowed to login to a system using Telnet, the privileged user passwords and communications could be compromised. Removing the "telnetd" package decreases the risk of accidental or intentional activation of the Telnet service.

Fix: F-64120r953261_fix

Remove the "telnetd" package by using the following command: $ sudo apt-get remove telnetd

b

Ubuntu 22.04 LTS must have system commands set to a mode of "755" or less permissive.

RMF Control: CM-5
Severity: M
CCI: CCI-001499
Version: UBTU-22-232015
Vuln IDs: V-260486
Rule IDs: SV-260486r991560_rule

If Ubuntu 22.04 LTS were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to Ubuntu 22.04 LTS with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Fix: F-64123r953270_fix

Configure Ubuntu 22.04 LTS commands to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;

b

Ubuntu 22.04 LTS must configure the "/var/log" directory to have mode "755" or less permissive.

RMF Control: SI-11
Severity: M
CCI: CCI-001314
Version: UBTU-22-232025
Vuln IDs: V-260488
Rule IDs: SV-260488r958566_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Fix: F-64125r953276_fix

Configure the "/var/log" directory to have permissions of "0755" by using the following command: $ sudo chmod 0755 /var/log

b

Ubuntu 22.04 LTS must configure "/var/log/syslog" file with mode "640" or less permissive.

RMF Control: SI-11
Severity: M
CCI: CCI-001314
Version: UBTU-22-232030
Vuln IDs: V-260491
Rule IDs: SV-260491r958566_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Fix: F-64128r953285_fix

Configure Ubuntu 22.04 LTS to have permissions of "640" for the "/var/log/syslog" file by using the following command: $ sudo chmod 0640 /var/log/syslog

b

Ubuntu 22.04 LTS library directories must be group-owned by "root".

RMF Control: CM-5
Severity: M
CCI: CCI-001499
Version: UBTU-22-232065
Vuln IDs: V-260498
Rule IDs: SV-260498r991560_rule

If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Fix: F-64135r953306_fix

Configure Ubuntu 22.04 LTS library directories to be protected from unauthorized access. Run the following command: $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \;

b

Ubuntu 22.04 LTS library files must be group-owned by "root".

RMF Control: CM-5
Severity: M
CCI: CCI-001499
Version: UBTU-22-232075
Vuln IDs: V-260500
Rule IDs: SV-260500r991560_rule

If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Fix: F-64137r953312_fix

Configure Ubuntu 22.04 LTS library files to be protected from unauthorized access. Run the following command, replacing "<command_name>" with any system command not group-owned by "root" or a required system account: $ sudo chgrp root <command_name>

b

Ubuntu 22.04 LTS must be configured so that the "journalctl" command is group-owned by "root".

RMF Control: SI-11
Severity: M
CCI: CCI-001314
Version: UBTU-22-232105
Vuln IDs: V-260506
Rule IDs: SV-260506r958566_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Fix: F-64143r953330_fix

Configure "journalctl" to be group-owned by "root": $ sudo chown :root /usr/bin/journalctl

b

Ubuntu 22.04 LTS must configure the "/var/log" directory to be owned by "root".

RMF Control: SI-11
Severity: M
CCI: CCI-001314
Version: UBTU-22-232120
Vuln IDs: V-260508
Rule IDs: SV-260508r958566_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Fix: F-64145r953336_fix

Configure Ubuntu 22.04 LTS to have root own the "/var/log" directory by using the following command: $ sudo chown root /var/log

b

Ubuntu 22.04 LTS must configure the "/var/log/syslog" file to be group-owned by "adm".

RMF Control: SI-11
Severity: M
CCI: CCI-001314
Version: UBTU-22-232135
Vuln IDs: V-260511
Rule IDs: SV-260511r958566_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Fix: F-64148r953345_fix

Configure Ubuntu 22.04 LTS to have adm group-own the "/var/log/syslog" file by using the following command: $ sudo chgrp adm /var/log/syslog

b

Ubuntu 22.04 LTS must have an application firewall enabled.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: UBTU-22-251020
Vuln IDs: V-260516
Rule IDs: SV-260516r991593_rule

Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.

Fix: F-64153r953360_fix

Enable and start the ufw by using the following command: $ sudo systemctl enable ufw.service --now

c

Ubuntu 22.04 LTS must have SSH installed.

RMF Control: SC-8
Severity: H
CCI: CCI-002418
Version: UBTU-22-255010
Vuln IDs: V-260523
Rule IDs: SV-260523r958908_rule

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190

Fix: F-64160r953381_fix

Install the "ssh" meta-package by using the following command: $ sudo apt install ssh

c

Ubuntu 22.04 LTS must use SSH to protect the confidentiality and integrity of transmitted information.

RMF Control: SC-8
Severity: H
CCI: CCI-002418
Version: UBTU-22-255015
Vuln IDs: V-260524
Rule IDs: SV-260524r958908_rule

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190

Fix: F-64161r953384_fix

Enable and start the "ssh.service" by using the following command: $ sudo systemctl enable ssh.service --now

c

Ubuntu 22.04 LTS must not allow unattended or automatic login via SSH.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: UBTU-22-255025
Vuln IDs: V-260526
Rule IDs: SV-260526r991591_rule

Failure to restrict system access to authenticated users negatively impacts Ubuntu 22.04 LTS security.

Fix: F-64163r953390_fix

Configure the SSH server to not allow unattended or automatic login to the system. Add or modify the following lines in the "/etc/ssh/sshd_config" file: PermitEmptyPasswords no PermitUserEnvironment no Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service

b

Ubuntu 22.04 LTS must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

RMF Control: SC-10
Severity: M
CCI: CCI-001133
Version: UBTU-22-255030
Vuln IDs: V-260527
Rule IDs: SV-260527r986275_rule

Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.

Fix: F-64164r953393_fix

Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive. Note: This setting must be applied in conjunction with UBTU-22-255040 to function correctly. Add or modify the following line in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service

c

Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: UBTU-22-255040
Vuln IDs: V-260529
Rule IDs: SV-260529r991589_rule

The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.

Fix: F-64166r953399_fix

Configure the SSH server to disable X11 forwarding. Add or modify the following line in the "/etc/ssh/sshd_config" file: X11Forwarding no Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service

b

Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: UBTU-22-255045
Vuln IDs: V-260530
Rule IDs: SV-260530r991589_rule

When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.

Fix: F-64167r953402_fix

Configure the SSH server to prevent remote hosts from connecting to the proxy display. Add or modify the following line in the "/etc/ssh/sshd_config" file: X11UseLocalhost yes Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service

b

Ubuntu 22.04 LTS SSH server must be configured to use only FIPS-validated key exchange algorithms.

RMF Control: AC-17
Severity: M
CCI: CCI-000068
Version: UBTU-22-255060
Vuln IDs: V-260533
Rule IDs: SV-260533r958408_rule

Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Fix: F-64170r953411_fix

Configure the SSH server to use only FIPS-validated key exchange algorithms. Add or modify the following line in the "/etc/ssh/sshd_config" file: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Restart the SSH server for changes to take effect: $ sudo systemctl restart sshd.service

b

Ubuntu 22.04 LTS must enforce 24 hours/one day as the minimum password lifetime. Passwords for new users must have a 24 hours/one day minimum password lifetime restriction.

RMF Control
Severity: M
CCI: CCI-004066
Version: UBTU-22-411025
Vuln IDs: V-260545
Rule IDs: SV-260545r1015007_rule

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Fix: F-64182r986279_fix

Configure Ubuntu 22.04 LTS to enforce a 24 hours/one day minimum password lifetime. Add or modify the following line in the "/etc/login.defs" file: PASS_MIN_DAYS 1

b

Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

RMF Control
Severity: M
CCI: CCI-003627
Version: UBTU-22-411035
Vuln IDs: V-260547
Rule IDs: SV-260547r1015009_rule

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.

Fix: F-64184r953453_fix

Configure Ubuntu 22.04 LTS to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for adduser: $ sudo useradd -D -f 35 Note: DOD recommendation is 35 days, but a lower value is acceptable. The value "0" will disable the account immediately after the password expires.

b

Ubuntu 22.04 LTS must have the "apparmor" package installed.

RMF Control: CM-7
Severity: M
CCI: CCI-001764
Version: UBTU-22-431010
Vuln IDs: V-260556
Rule IDs: SV-260556r958702_rule

Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). Satisfies: SRG-OS-000312-GPOS-00124, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155

Fix: F-64193r953480_fix

Install the "appArmor" package by using the following command: $ sudo apt-get install apparmor

b

Ubuntu 22.04 LTS must enforce password complexity by requiring at least one uppercase character be used.

RMF Control
Severity: M
CCI: CCI-004066
Version: UBTU-22-611010
Vuln IDs: V-260560
Rule IDs: SV-260560r1015012_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Fix: F-64197r953492_fix

Configure Ubuntu 22.04 LTS to enforce password complexity by requiring that at least one uppercase character be used. Add or modify the following line in the "/etc/security/pwquality.conf" file: ucredit = -1

b

Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one numeric character be used.

RMF Control
Severity: M
CCI: CCI-004066
Version: UBTU-22-611020
Vuln IDs: V-260562
Rule IDs: SV-260562r1015014_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Fix: F-64199r953498_fix

Configure Ubuntu 22.04 LTS to enforce password complexity by requiring that at least one numeric character be used. Add or modify the following line in the "/etc/security/pwquality.conf" file: dcredit = -1

b

Ubuntu 22.04 LTS must enforce a minimum 15-character password length.

RMF Control
Severity: M
CCI: CCI-004066
Version: UBTU-22-611035
Vuln IDs: V-260565
Rule IDs: SV-260565r1015016_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Fix: F-64202r953507_fix

Configure Ubuntu 22.04 LTS to enforce a minimum 15-character password length. Add or modify the following line in the "/etc/security/pwquality.conf" file: minlen = 15

c

Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: UBTU-22-611060
Vuln IDs: V-260570
Rule IDs: SV-260570r991589_rule

If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords must never be used in operational environments.

Fix: F-64207r953522_fix

Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords.

c

Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords.

RMF Control: CM-6
Severity: H
CCI: CCI-000366
Version: UBTU-22-611065
Vuln IDs: V-260571
Rule IDs: SV-260571r991589_rule

If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords must never be used in operational environments.

Fix: F-64208r953525_fix

Configure all accounts on the system to have a password or lock the account by using the following commands: Set the account password: $ sudo passwd <username> Or lock the account: $ sudo passwd -l <username>

b

Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

RMF Control: IA-2
Severity: M
CCI: CCI-000765
Version: UBTU-22-612010
Vuln IDs: V-260573
Rule IDs: SV-260573r1015019_rule

Using an authentication device, such as a CAC or token separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government personal identity verification card and the DOD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055

Fix: F-64210r953531_fix

Install the "libpam-pkcs11" package by using the following command: $ sudo apt-get install libpam-pkcs11

b

Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.

RMF Control: IA-2
Severity: M
CCI: CCI-000765
Version: UBTU-22-612020
Vuln IDs: V-260575
Rule IDs: SV-260575r1015020_rule

Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: 1) Something a user knows (e.g., password/PIN); 2) Something a user has (e.g., cryptographic identification device, token); and 3) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). The DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055

Fix: F-64212r953537_fix

Configure Ubuntu 22.04 LTS to use multifactor authentication for access to accounts. Add or modify the following line in the "/etc/pam.d/common-auth" file: auth [success=2 default=ignore] pam_pkcs11.so Add or modify the following line in the "/etc/ssh/sshd_config" file: PubkeyAuthentication yes

c

Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication.

RMF Control: IA-5
Severity: H
CCI: CCI-000187
Version: UBTU-22-612040
Vuln IDs: V-260579
Rule IDs: SV-260579r958452_rule

Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.

Fix: F-64216r953549_fix

Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper. If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".

b

Ubuntu 22.04 LTS must use a file integrity tool to verify correct operation of all security functions.

RMF Control: SI-6
Severity: M
CCI: CCI-002696
Version: UBTU-22-651010
Vuln IDs: V-260582
Rule IDs: SV-260582r958944_rule

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to Ubuntu 22.04 LTS performing security function verification/testing and/or systems and environments that require this functionality.

Fix: F-64219r953558_fix

Install the "aide" package: $ sudo apt install aide

b

Ubuntu 22.04 LTS must be configured to preserve log records from failure events.

RMF Control: SC-24
Severity: M
CCI: CCI-001665
Version: UBTU-22-652010
Vuln IDs: V-260588
Rule IDs: SV-260588r991562_rule

Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.

Fix: F-64225r953576_fix

Install the log service by using the following command: $ sudo apt-get install rsyslog Enable and activate the log service by using the following command: $ sudo systemctl enable rsyslog.service --now

b

Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time.

RMF Control: AU-3
Severity: M
CCI: CCI-000130
Version: UBTU-22-653015
Vuln IDs: V-260591
Rule IDs: SV-260591r1015023_rule

Without establishing the when, where, type, source, and outcome of events that occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Successful incident response and auditing relies on timely, accurate system information and analysis to allow the organization to identify and respond to potential incidents in a proficient manner. If the operating system does not provide the ability to centrally review the operating system logs, forensic analysis is negatively impacted. Associating event types with detected events in Ubuntu 22.04 LTS audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000365-GPOS-00152, SRG-OS-000475-GPOS-00220

Fix: F-64228r953585_fix

Enable and start the "auditd.service" by using the following command: $ sudo systemctl enable auditd.service --now

b

Ubuntu 22.04 LTS must be configured so that audit log files are not read- or write-accessible by unauthorized users.

RMF Control: AU-9
Severity: M
CCI: CCI-000162
Version: UBTU-22-653045
Vuln IDs: V-260597
Rule IDs: SV-260597r958434_rule

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028

Fix: F-64234r953603_fix

Configure the audit log files to have a mode of "600" or less permissive. Using the path of the directory containing the audit logs, configure the audit log files to have a mode of "600" or less permissive by using the following command: $ sudo chmod 600 /var/log/audit/*

b

Ubuntu 22.04 LTS must permit only authorized groups ownership of the audit log files.

RMF Control: AU-9
Severity: M
CCI: CCI-000162
Version: UBTU-22-653055
Vuln IDs: V-260599
Rule IDs: SV-260599r958434_rule

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Fix: F-64236r953609_fix

Configure the group owner of newly created audit logs to be "root". Add or modify the following lines in the "/etc/audit/auditd.conf " file: log_group = root Reload the configuration file of the audit service to update the group ownership of existing files: $ sudo systemctl kill auditd -s SIGHUP

b

Ubuntu 22.04 LTS must permit only authorized accounts to own the audit configuration files.

RMF Control: AU-12
Severity: M
CCI: CCI-000171
Version: UBTU-22-653070
Vuln IDs: V-260602
Rule IDs: SV-260602r958444_rule

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Fix: F-64239r953618_fix

Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to be owned by root by using the following command: $ sudo chown -R root /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/*

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the apparmor_parser command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654010
Vuln IDs: V-260604
Rule IDs: SV-260604r958446_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64241r953624_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chacl command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654015
Vuln IDs: V-260605
Rule IDs: SV-260605r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64242r953627_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chcon command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654025
Vuln IDs: V-260607
Rule IDs: SV-260607r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64244r953633_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chsh command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654035
Vuln IDs: V-260609
Rule IDs: SV-260609r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64246r953639_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the crontab command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654040
Vuln IDs: V-260610
Rule IDs: SV-260610r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64247r953642_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the gpasswd command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654050
Vuln IDs: V-260612
Rule IDs: SV-260612r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64249r953648_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful attempts to use modprobe command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654060
Vuln IDs: V-260614
Rule IDs: SV-260614r991586_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64251r953654_fix

Configure Ubuntu 22.04 LTS to audit the execution of the module management program "modprobe". Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /sbin/modprobe -p x -k modules To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the mount command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654065
Vuln IDs: V-260615
Rule IDs: SV-260615r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64252r953657_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654075
Vuln IDs: V-260617
Rule IDs: SV-260617r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64254r953663_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the ssh-agent command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654090
Vuln IDs: V-260620
Rule IDs: SV-260620r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64257r953672_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the su command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654100
Vuln IDs: V-260622
Rule IDs: SV-260622r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64259r953678_fix

Configure Ubuntu 22.04 LTS to generate audit records when successful/unsuccessful attempts to use the "su" command occur. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the umount command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654115
Vuln IDs: V-260625
Rule IDs: SV-260625r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64262r953687_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the usermod command.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654125
Vuln IDs: V-260627
Rule IDs: SV-260627r958446_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64264r953693_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.

RMF Control: AC-2
Severity: M
CCI: CCI-000018
Version: UBTU-22-654135
Vuln IDs: V-260629
Rule IDs: SV-260629r958368_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221

Fix: F-64266r953699_fix

Configure Ubuntu 22.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/gshadow -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

RMF Control: AC-2
Severity: M
CCI: CCI-000018
Version: UBTU-22-654140
Vuln IDs: V-260630
Rule IDs: SV-260630r958368_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221

Fix: F-64267r953702_fix

Configure Ubuntu 22.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/security/opasswd -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

RMF Control: AC-2
Severity: M
CCI: CCI-000018
Version: UBTU-22-654150
Vuln IDs: V-260632
Rule IDs: SV-260632r958368_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221

Fix: F-64269r953708_fix

Configure Ubuntu 22.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/shadow -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654160
Vuln IDs: V-260634
Rule IDs: SV-260634r958446_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206

Fix: F-64271r953714_fix

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_chng -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654165
Vuln IDs: V-260635
Rule IDs: SV-260635r958446_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219

Fix: F-64272r953717_fix

Configure the audit system to generate an audit event for any unsuccessful use of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654185
Vuln IDs: V-260639
Rule IDs: SV-260639r991577_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible.

Fix: F-64276r953729_fix

Configure the audit system to generate audit events for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files.

RMF Control: CM-6
Severity: M
CCI: CCI-000366
Version: UBTU-22-654190
Vuln IDs: V-260640
Rule IDs: SV-260640r991589_rule

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify system level binaries and their operation. Auditing the systemd journal files provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Fix: F-64277r953732_fix

Configure Ubuntu 22.04 LTS to generate audit records for events that affect "/var/log/journal". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /var/log/journal -p wa -k systemd_journal To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for the /var/log/wtmp file.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654200
Vuln IDs: V-260642
Rule IDs: SV-260642r991581_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64279r953738_fix

Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/wtmp" file. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/wtmp -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for the use and modification of faillog file.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654210
Vuln IDs: V-260644
Rule IDs: SV-260644r958446_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218

Fix: F-64281r953744_fix

Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/faillog -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for the use and modification of the lastlog file.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654215
Vuln IDs: V-260645
Rule IDs: SV-260645r958446_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218

Fix: F-64282r953747_fix

Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/lastlog -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records when successful/unsuccessful attempts to modify the /etc/sudoers.d directory occur.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654225
Vuln IDs: V-260647
Rule IDs: SV-260647r991575_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Fix: F-64284r953753_fix

Configure Ubuntu 22.04 LTS to generate audit records for all modifications that affect "/etc/sudoers.d" directory. Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/sudoers.d -p wa -k privilege_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. he <keyname> does not need to match the example above.

b

Ubuntu 22.04 LTS must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access.

RMF Control: AU-12
Severity: M
CCI: CCI-000172
Version: UBTU-22-654235
Vuln IDs: V-260649
Rule IDs: SV-260649r986298_rule

If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215

Fix: F-64286r953759_fix

Configure Ubuntu 22.04 LTS to audit activities performed during nonlocal maintenance and diagnostic sessions. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/sudo.log -p wa -k maintenance To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.