Canonical Ubuntu 22.04 LTS STIG SCAP Benchmark
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-22-211015
- Vuln IDs
- V-260469
- Rule IDs
- SV-260469r991589_rule
Fix: F-64106r953219_fix
Configure Ubuntu 22.04 LTS to disable the Ctrl-Alt-Delete sequence for the command line by using the following commands:
    $ sudo systemctl disable ctrl-alt-del.target
    $ sudo systemctl mask ctrl-alt-del.target
Reload the daemon to take effect:
    $ sudo systemctl daemon-reload
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- UBTU-22-212010
- Vuln IDs
- V-260470
- Rule IDs
- SV-260470r1137691_rule
Fix: F-64107r953222_fix
Configure Ubuntu 22.04 LTS to require a password for authentication upon booting into single-user and maintenance modes.
Generate an encrypted (grub) password for root by using the following command:
    $ grub-mkpasswd-pbkdf2
    Enter Password:
    Reenter Password:
    PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771
Using the hash from the output, modify the "/etc/grub.d/40_custom" file by using the following command to add a boot password:
    $ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom
where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.
Generate an updated "grub.conf" file with the new password by using the following command:
    $ sudo update-grub
- RMF Control
- AU-14
- Severity
- M
- CCI
- CCI-001464
- Version
- UBTU-22-212015
- Vuln IDs
- V-260471
- Rule IDs
- SV-260471r1155214_rule
Fix: F-64108r1155195_fix
Configure Ubuntu 22.04 LTS to produce audit records at system startup.
Edit the "/etc/default/grub" file and add "audit=1" to the "GRUB_CMDLINE_LINUX" option and to the "GRUB_CMDLINE_LINUX_DEFAULT" option.
    GRUB_CMDLINE_LINUX_DEFAULT="audit=1"
    GRUB_CMDLINE_LINUX="audit=1"
To update the grub config file, run:
    $ sudo update-grub
- RMF Control
- SC-4
- Severity
- L
- CCI
- CCI-001090
- Version
- UBTU-22-213010
- Vuln IDs
- V-260472
- Rule IDs
- SV-260472r1137695_rule
Fix: F-64109r953228_fix
Configure Ubuntu 22.04 LTS to restrict access to the kernel message buffer.
Add or modify the following line in the "/etc/sysctl.conf" file:
    kernel.dmesg_restrict = 1
Remove any configurations that conflict with the above from the following locations:
    /run/sysctl.d/
    /etc/sysctl.d/
    /usr/local/lib/sysctl.d/
    /usr/lib/sysctl.d/
    /lib/sysctl.d/
    /etc/sysctl.conf
Reload settings from all system configuration files by using the following command:
    $ sudo sysctl --system
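Added example (not part of the STIG fix text): one way to locate conflicting assignments of a sysctl key across the locations listed in the fix above before reloading. The function names and the ROOT prefix argument are hypothetical, and the sample tree is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not part of the STIG fix text.
# find_sysctl_settings KEY [ROOT]
#   Prints "file:value" for every uncommented assignment of KEY in the
#   locations the fix text lists. ROOT is a hypothetical prefix used only to
#   run the check against a constructed tree; omit it on a real host.
find_sysctl_settings() {
    key=$1
    root=${2:-}
    for f in \
        "$root"/run/sysctl.d/*.conf \
        "$root"/etc/sysctl.d/*.conf \
        "$root"/usr/local/lib/sysctl.d/*.conf \
        "$root"/usr/lib/sysctl.d/*.conf \
        "$root"/lib/sysctl.d/*.conf \
        "$root"/etc/sysctl.conf
    do
        [ -f "$f" ] || continue      # unmatched glob or missing file
        awk -v k="$key" -v f="$f" '
            /^[ \t]*[#;]/ { next }                 # comment lines
            {
                eq = index($0, "=")
                if (eq == 0) next
                name = substr($0, 1, eq - 1)
                val  = substr($0, eq + 1)
                gsub(/[ \t]/, "", name)
                sub(/^-/, "", name)                # "-key" means ignore write errors
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (name == k) print f ":" val
            }' "$f"
    done
}

# count_conflicts KEY WANT [ROOT]
#   Number of assignments of KEY whose value differs from WANT.
count_conflicts() {
    find_sysctl_settings "$1" "${3:-}" |
        awk -F: -v want="$2" '$NF != want { n++ } END { print n + 0 }'
}

# make_sample_tree DIR: constructed sample configuration for demonstration.
make_sample_tree() {
    mkdir -p "$1/etc/sysctl.d" "$1/usr/lib/sysctl.d"
    printf 'kernel.dmesg_restrict = 1\n' > "$1/etc/sysctl.conf"
    printf '# kernel.dmesg_restrict = 0\nkernel.dmesg_restrict=0\n' \
        > "$1/etc/sysctl.d/99-local.conf"
    printf 'kernel.kptr_restrict = 1\n' > "$1/usr/lib/sysctl.d/10-sample.conf"
}
```

On a host where "/lib" is a symlink to "/usr/lib", the same file can be reported under both paths.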
- RMF Control
- SC-24
- Severity
- M
- CCI
- CCI-001190
- Version
- UBTU-22-213015
- Vuln IDs
- V-260473
- Rule IDs
- SV-260473r1155207_rule
Fix: F-64110r1044781_fix
If kernel core dumps are not required, disable and mask "kdump-tools.service" by using the following command:
    $ sudo systemctl mask kdump-tools --now
If kernel core dumps are required, document the need with the ISSO.
- RMF Control
- SI-16
- Severity
- M
- CCI
- CCI-002824
- Version
- UBTU-22-213020
- Vuln IDs
- V-260474
- Rule IDs
- SV-260474r958928_rule
Fix: F-64111r953234_fix
Remove the "kernel.randomize_va_space" entry found in the "/etc/sysctl.conf" file or any file located in the "/etc/sysctl.d/" directory.
Reload the system configuration files for the changes to take effect by using the following command:
    $ sudo sysctl --system
- RMF Control
- Severity
- L
- CCI
- CCI-003992
- Version
- UBTU-22-214010
- Vuln IDs
- V-260476
- Rule IDs
- SV-260476r1015003_rule
Fix: F-64113r953240_fix
Configure APT to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
Add or modify the following line in any file under the "/etc/apt/apt.conf.d/" directory:
    APT::Get::AllowUnauthenticated "false";
- RMF Control
- SI-2
- Severity
- M
- CCI
- CCI-002617
- Version
- UBTU-22-214015
- Vuln IDs
- V-260477
- Rule IDs
- SV-260477r1044773_rule
Fix: F-64114r1044772_fix
Configure APT to remove all software components after updated versions have been installed.
Add or modify the following lines in the "/etc/apt/apt.conf.d/50unattended-upgrades" file:
    Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-22-215010
- Vuln IDs
- V-260478
- Rule IDs
- SV-260478r991587_rule
Fix: F-64115r953246_fix
Install the "pam_pwquality" package by using the following command:
    $ sudo apt-get install libpam-pwquality
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- UBTU-22-215015
- Vuln IDs
- V-260479
- Rule IDs
- SV-260479r991589_rule
Fix: F-64116r953249_fix
Install the "chrony" network time protocol package using the following command:
    $ sudo apt-get install chrony
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- UBTU-22-215020
- Vuln IDs
- V-260480
- Rule IDs
- SV-260480r991589_rule
Fix: F-64117r953252_fix
The "systemd-timesyncd" package will be uninstalled as part of the "chrony" package install. The remaining configuration files for "systemd-timesyncd" must be purged from the operating system:
    $ sudo dpkg -P --force-all systemd-timesyncd
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- UBTU-22-215025
- Vuln IDs
- V-260481
- Rule IDs
- SV-260481r991589_rule
Fix: F-64118r953255_fix
Uninstall the "ntp" package by using the following command:
    $ sudo dpkg -P --force-all ntp
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000381
- Version
- UBTU-22-215030
- Vuln IDs
- V-260482
- Rule IDs
- SV-260482r958478_rule
Fix: F-64119r953258_fix
Remove the "rsh-server" package by using the following command:
    $ sudo apt-get remove rsh-server
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000197
- Version
- UBTU-22-215035
- Vuln IDs
- V-260483
- Rule IDs
- SV-260483r987796_rule
Fix: F-64120r953261_fix
Remove the "telnetd" package by using the following command:
    $ sudo apt-get remove telnetd
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- UBTU-22-232010
- Vuln IDs
- V-260485
- Rule IDs
- SV-260485r991559_rule
Fix: F-64122r953267_fix
Configure Ubuntu 22.04 LTS commands directories to be protected from unauthorized access. Run the following command:
    $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-22-232015
- Vuln IDs
- V-260486
- Rule IDs
- SV-260486r991560_rule
Fix: F-64123r953270_fix
Configure Ubuntu 22.04 LTS commands to be protected from unauthorized access. Run the following command:
    $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-22-232020
- Vuln IDs
- V-260487
- Rule IDs
- SV-260487r1107262_rule
Fix: F-64124r1107261_fix
Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to have mode 0755 or less permissive with the following command:
    $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} +
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232025
- Vuln IDs
- V-260488
- Rule IDs
- SV-260488r958566_rule
Fix: F-64125r953276_fix
Configure the "/var/log" directory to have permissions of "0755" by using the following command:
    $ sudo chmod 0755 /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- UBTU-22-232026
- Vuln IDs
- V-260489
- Rule IDs
- SV-260489r1134796_rule
Fix: F-64126r953279_fix
Configure Ubuntu 22.04 LTS to set permissions of all log files under the "/var/log" directory to "640" or more restricted by using the following command:
Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details.
    $ sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- UBTU-22-232027
- Vuln IDs
- V-260490
- Rule IDs
- SV-260490r1069105_rule
Fix: F-64127r1069104_fix
Configure Ubuntu 22.04 LTS to set the appropriate permissions to the files and directories used by the systemd journal:
Add or modify the following lines in the "/usr/lib/tmpfiles.d/systemd.conf" file:
    z /run/log/journal 2750 root systemd-journal - -
    Z /run/log/journal/%m ~2750 root systemd-journal - -
    z /var/log/journal 2750 root systemd-journal - -
    z /var/log/journal/%m 2750 root systemd-journal - -
    z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
Restart the system for the changes to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232030
- Vuln IDs
- V-260491
- Rule IDs
- SV-260491r958566_rule
Fix: F-64128r953285_fix
Configure Ubuntu 22.04 LTS to have permissions of "640" for the "/var/log/syslog" file by using the following command:
    $ sudo chmod 0640 /var/log/syslog
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001493
- Version
- UBTU-22-232035
- Vuln IDs
- V-260492
- Rule IDs
- SV-260492r991557_rule
Fix: F-64129r953288_fix
Configure the audit tools on Ubuntu 22.04 LTS to be protected from unauthorized access by setting the correct permissive mode using the following command:
    $ sudo chmod 755 <audit_tool_name>
Replace "<audit_tool_name>" with the audit tool that does not have the correct permissions.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- UBTU-22-232040
- Vuln IDs
- V-260493
- Rule IDs
- SV-260493r991559_rule
Fix: F-64130r953291_fix
Configure Ubuntu 22.04 LTS commands directories to be protected from unauthorized access. Run the following command:
    $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- UBTU-22-232045
- Vuln IDs
- V-260494
- Rule IDs
- SV-260494r991559_rule
Fix: F-64131r953294_fix
Configure Ubuntu 22.04 LTS commands directories to be protected from unauthorized access. Run the following command:
    $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-22-232050
- Vuln IDs
- V-260495
- Rule IDs
- SV-260495r991560_rule
Fix: F-64132r953297_fix
Configure Ubuntu 22.04 LTS commands and their respective parent directories to be protected from unauthorized access. Run the following command, replacing "<command_name>" with any system command not owned by "root" or a required system account:
    $ sudo chown root <command_name>
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-22-232055
- Vuln IDs
- V-260496
- Rule IDs
- SV-260496r991560_rule
Fix: F-64133r953300_fix
Configure Ubuntu 22.04 LTS commands to be protected from unauthorized access. Run the following command, replacing "<command_name>" with any system command not group-owned by "root" or a required system account:
    $ sudo chgrp root <command_name>
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-22-232060
- Vuln IDs
- V-260497
- Rule IDs
- SV-260497r991560_rule
Fix: F-64134r953303_fix
Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command:
    $ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec chown root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-22-232065
- Vuln IDs
- V-260498
- Rule IDs
- SV-260498r991560_rule
Fix: F-64135r953306_fix
Configure Ubuntu 22.04 LTS library directories to be protected from unauthorized access. Run the following command:
    $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-22-232070
- Vuln IDs
- V-260499
- Rule IDs
- SV-260499r1107264_rule
Fix: F-64136r1107263_fix
Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be owned by root with the following command:
    $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} +
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-22-232075
- Vuln IDs
- V-260500
- Rule IDs
- SV-260500r1107266_rule
Fix: F-64137r1107265_fix
Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be group owned by root with the following command:
    $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} +
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232080
- Vuln IDs
- V-260501
- Rule IDs
- SV-260501r958566_rule
Fix: F-64138r953315_fix
Configure Ubuntu 22.04 LTS to set the appropriate ownership to the directories used by the systemd journal:
Add or modify the following lines in the "/usr/lib/tmpfiles.d/systemd.conf" file:
    z /run/log/journal 2640 root systemd-journal - -
    z /var/log/journal 2640 root systemd-journal - -
Restart the system for the changes to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232085
- Vuln IDs
- V-260502
- Rule IDs
- SV-260502r958566_rule
Fix: F-64139r953318_fix
Configure Ubuntu 22.04 LTS to set the appropriate group-ownership to the directories used by the systemd journal:
Add or modify the following lines in the "/usr/lib/tmpfiles.d/systemd.conf" file:
    z /run/log/journal 2640 root systemd-journal - -
    z /var/log/journal 2640 root systemd-journal - -
Restart the system for the changes to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232090
- Vuln IDs
- V-260503
- Rule IDs
- SV-260503r958566_rule
Fix: F-64140r953321_fix
Configure Ubuntu 22.04 LTS to set the appropriate ownership to the files used by the systemd journal:
Add or modify the following lines in the "/usr/lib/tmpfiles.d/systemd.conf" file:
    Z /run/log/journal/%m ~2640 root systemd-journal - -
    z /var/log/journal/%m 2640 root systemd-journal - -
    z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
Restart the system for the changes to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232095
- Vuln IDs
- V-260504
- Rule IDs
- SV-260504r958566_rule
Fix: F-64141r953324_fix
Configure Ubuntu 22.04 LTS to set the appropriate group-ownership to the files used by the systemd journal:
Add or modify the following line in the "/usr/lib/tmpfiles.d/systemd.conf" file:
    Z /run/log/journal/%m ~2640 root systemd-journal - -
    z /var/log/journal/%m 2640 root systemd-journal - -
    z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
Restart the system for the changes to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232100
- Vuln IDs
- V-260505
- Rule IDs
- SV-260505r958566_rule
Fix: F-64142r953327_fix
Configure "journalctl" to be owned by "root":
    $ sudo chown root /usr/bin/journalctl
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232105
- Vuln IDs
- V-260506
- Rule IDs
- SV-260506r958566_rule
Fix: F-64143r953330_fix
Configure "journalctl" to be group-owned by "root":
    $ sudo chown :root /usr/bin/journalctl
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001493
- Version
- UBTU-22-232110
- Vuln IDs
- V-260507
- Rule IDs
- SV-260507r1101725_rule
Fix: F-64144r953333_fix
Configure the audit tools on Ubuntu 22.04 LTS to be protected from unauthorized access by setting the file owner as root using the following command:
    $ sudo chown root <audit_tool_name>
Replace "<audit_tool_name>" with each audit tool not owned by "root".
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232120
- Vuln IDs
- V-260508
- Rule IDs
- SV-260508r958566_rule
Fix: F-64145r953336_fix
Configure Ubuntu 22.04 LTS to have root own the "/var/log" directory by using the following command:
    $ sudo chown root /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232125
- Vuln IDs
- V-260509
- Rule IDs
- SV-260509r958566_rule
Fix: F-64146r953339_fix
Configure Ubuntu 22.04 LTS to have syslog group-own the "/var/log" directory by using the following command:
    $ sudo chgrp syslog /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232130
- Vuln IDs
- V-260510
- Rule IDs
- SV-260510r958566_rule
Fix: F-64147r953342_fix
Configure Ubuntu 22.04 LTS to have syslog own the "/var/log/syslog" file by using the following command:
    $ sudo chown syslog /var/log/syslog
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-22-232135
- Vuln IDs
- V-260511
- Rule IDs
- SV-260511r958566_rule
Fix: F-64148r953345_fix
Configure Ubuntu 22.04 LTS to have adm group-own the "/var/log/syslog" file by using the following command:
    $ sudo chgrp adm /var/log/syslog
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- UBTU-22-232140
- Vuln IDs
- V-260512
- Rule IDs
- SV-260512r958564_rule
Fix: F-64149r953348_fix
Configure "journalctl" to have a permission set of "740":
    $ sudo chmod 740 /usr/bin/journalctl
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- UBTU-22-251010
- Vuln IDs
- V-260514
- Rule IDs
- SV-260514r958672_rule
Fix: F-64151r953354_fix
Install the Uncomplicated Firewall by using the following command:
    $ sudo apt-get install ufw
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- UBTU-22-251015
- Vuln IDs
- V-260515
- Rule IDs
- SV-260515r958672_rule
Fix: F-64152r953357_fix
Enable the ufw by using the following command:
    $ sudo ufw enable
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-22-251020
- Vuln IDs
- V-260516
- Rule IDs
- SV-260516r991593_rule
Fix: F-64153r953360_fix
Enable and start the ufw by using the following command:
    $ sudo systemctl enable ufw.service --now
- RMF Control
- AU-8
- Severity
- L
- CCI
- CCI-001890
- Version
- UBTU-22-252020
- Vuln IDs
- V-260521
- Rule IDs
- SV-260521r958788_rule
Fix: F-64158r953375_fix
To configure the Ubuntu 22.04 LTS time zone to use UTC, run the following command:
    $ sudo timedatectl set-timezone Etc/UTC
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-001095
- Version
- UBTU-22-253010
- Vuln IDs
- V-260522
- Rule IDs
- SV-260522r1069097_rule
Fix: F-64159r1069096_fix
Configure Ubuntu 22.04 LTS to use TCP syncookies by using the following command:
    $ sudo sysctl -w net.ipv4.tcp_syncookies=1
If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf":
    net.ipv4.tcp_syncookies = 1
- RMF Control
- SC-8
- Severity
- H
- CCI
- CCI-002418
- Version
- UBTU-22-255010
- Vuln IDs
- V-260523
- Rule IDs
- SV-260523r958908_rule
Fix: F-64160r953381_fix
Install the "ssh" meta-package by using the following command:
    $ sudo apt install ssh
- RMF Control
- SC-8
- Severity
- H
- CCI
- CCI-002418
- Version
- UBTU-22-255015
- Vuln IDs
- V-260524
- Rule IDs
- SV-260524r958908_rule
Fix: F-64161r953384_fix
Enable and start the "ssh.service" by using the following command:
    $ sudo systemctl enable ssh.service --now
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-22-255025
- Vuln IDs
- V-260526
- Rule IDs
- SV-260526r991591_rule
Fix: F-64163r953390_fix
Configure the SSH server to not allow unattended or automatic login to the system.
Add or modify the following lines in the "/etc/ssh/sshd_config" file:
    PermitEmptyPasswords no
    PermitUserEnvironment no
Restart the SSH daemon for the changes to take effect:
    $ sudo systemctl restart sshd.service
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- UBTU-22-255030
- Vuln IDs
- V-260527
- Rule IDs
- SV-260527r986275_rule
Fix: F-64164r953393_fix
Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.
Note: This setting must be applied in conjunction with UBTU-22-255040 to function correctly.
Add or modify the following line in the "/etc/ssh/sshd_config" file:
    ClientAliveCountMax 1
Restart the SSH daemon for the changes to take effect:
    $ sudo systemctl restart sshd.service
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- UBTU-22-255035
- Vuln IDs
- V-260528
- Rule IDs
- SV-260528r970703_rule
Fix: F-64165r953396_fix
Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes.
Note: This setting must be applied in conjunction with UBTU-22-255040 to function correctly.
Add or modify the following line in the "/etc/ssh/sshd_config" file:
    ClientAliveInterval 600
Restart the SSH daemon for the changes to take effect:
    $ sudo systemctl restart sshd.service
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-22-255040
- Vuln IDs
- V-260529
- Rule IDs
- SV-260529r991589_rule
Fix: F-64166r953399_fix
Configure the SSH server to disable X11 forwarding.
Add or modify the following line in the "/etc/ssh/sshd_config" file:
    X11Forwarding no
Restart the SSH daemon for the changes to take effect:
    $ sudo systemctl restart sshd.service
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-22-255045
- Vuln IDs
- V-260530
- Rule IDs
- SV-260530r991589_rule
Fix: F-64167r953402_fix
Configure the SSH server to prevent remote hosts from connecting to the proxy display.
Add or modify the following line in the "/etc/ssh/sshd_config" file:
    X11UseLocalhost yes
Restart the SSH daemon for the changes to take effect:
    $ sudo systemctl restart sshd.service
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- UBTU-22-255050
- Vuln IDs
- V-260531
- Rule IDs
- SV-260531r1155212_rule
Fix: F-64168r1155191_fix
Configure the SSH server to only implement FIPS-approved ciphers.
Add or modify the following line in the "/etc/ssh/sshd_config" file:
    Ciphers aes256-ctr,aes256-gcm@openssh.com,aes128-ctr,aes128-gcm@openssh.com
Restart the SSH server for the changes to take effect:
    $ sudo systemctl restart sshd.service
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- UBTU-22-255055
- Vuln IDs
- V-260532
- Rule IDs
- SV-260532r991554_rule
Fix: F-64169r953408_fix
Configure the SSH server to only use MACs that employ FIPS 140-3 approved hashes.
Add or modify the following line in the "/etc/ssh/sshd_config" file:
    MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
Restart the SSH server for the changes to take effect:
    $ sudo systemctl reload sshd.service
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- UBTU-22-255060
- Vuln IDs
- V-260533
- Rule IDs
- SV-260533r958408_rule
Fix: F-64170r953411_fix
Configure the SSH server to use only FIPS-validated key exchange algorithms.
Add or modify the following line in the "/etc/ssh/sshd_config" file:
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Restart the SSH server for changes to take effect:
    $ sudo systemctl restart sshd.service
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-000877
- Version
- UBTU-22-255065
- Vuln IDs
- V-260534
- Rule IDs
- SV-260534r958510_rule
Fix: F-64171r953414_fix
Configure Ubuntu 22.04 LTS to use strong authentication when establishing nonlocal maintenance and diagnostic sessions.
Add or modify the following line to /etc/ssh/sshd_config:
    UsePAM yes
Restart the SSH server for changes to take effect:
    $ sudo systemctl restart sshd.service
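Added example (not part of the STIG fix text): a static check of one sshd_config file against the values given in the SSH fixes above (UBTU-22-255025 through UBTU-22-255065). It relies on sshd using the first value obtained for a keyword and treating lines after a "Match" line as conditional, so a compliant line placed after a conflicting one is still reported. The function names are hypothetical, the sample file is constructed, and "Include" directives are not followed; on a live host "sshd -T" prints the effective configuration.

```shell
#!/bin/sh
# Added example, not part of the STIG fix text.
# Expected global settings, copied from the fix texts (keyword, then value).
STIG_SSHD_EXPECTED='PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveCountMax 1
ClientAliveInterval 600
X11Forwarding no
X11UseLocalhost yes
UsePAM yes
Ciphers aes256-ctr,aes256-gcm@openssh.com,aes128-ctr,aes128-gcm@openssh.com
MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256'

# sshd_first_value KEYWORD FILE
#   Prints the first global (pre-Match) value of KEYWORD, or nothing.
#   Keywords are matched case-insensitively; "keyword=value" is accepted.
sshd_first_value() {
    awk -v kw="$1" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            if (match($0, /^[ \t]*[A-Za-z0-9]+[ \t]*=/)) sub(/[ \t]*=[ \t]*/, " ")
            if (tolower($1) == "match") exit         # the rest is conditional
            if (tolower($1) == kw) {
                $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit
            }
        }' "$2"
}

# audit_sshd_config FILE
#   Prints one line per finding; prints nothing when every setting matches.
audit_sshd_config() {
    while read -r kw want; do
        got=$(sshd_first_value "$kw" "$1")
        if [ -z "$got" ]; then
            echo "MISSING $kw (want: $want)"
        elif [ "$got" != "$want" ]; then
            echo "FAIL $kw is '$got' (want: $want)"
        fi
    done <<EOF
$STIG_SSHD_EXPECTED
EOF
}

# write_sample_sshd_config PATH: constructed sample, not a real host's file.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample
PermitEmptyPasswords no
permituserenvironment no
ClientAliveCountMax 3
ClientAliveCountMax 1
ClientAliveInterval=600
X11Forwarding no
UsePAM yes
Ciphers aes256-ctr,aes256-gcm@openssh.com,aes128-ctr,aes128-gcm@openssh.com
MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Match User sample
    X11UseLocalhost yes
EOF
}
```

For the constructed sample the audit reports two findings: the first "ClientAliveCountMax" line wins over the later compliant one, and "X11UseLocalhost" appears only inside a Match block.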
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- UBTU-22-271010
- Vuln IDs
- V-260535
- Rule IDs
- SV-260535r958390_rule
Fix: F-64172r953417_fix
Configure Ubuntu 22.04 LTS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
Add or modify the following line in the "/etc/gdm3/greeter.dconf-defaults" file:
    [org/gnome/login-screen]
    banner-message-enable=true
Update GDM with the new configuration by using the following commands:
    $ sudo dconf update
    $ sudo systemctl restart gdm3
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-001958
- Version
- UBTU-22-291010
- Vuln IDs
- V-260540
- Rule IDs
- SV-260540r986276_rule
Fix: F-64177r953432_fix
Configure Ubuntu 22.04 LTS to disable using the USB storage kernel module.
Create and/or append a custom file under "/etc/modprobe.d/" to contain the following:
    $ sudo su -c "echo install usb-storage /bin/false >> /etc/modprobe.d/stig.conf"
Configure Ubuntu 22.04 LTS to disable the ability to use USB mass storage devices.
    $ sudo su -c "echo blacklist usb-storage >> /etc/modprobe.d/stig.conf"
- RMF Control
- Severity
- M
- CCI
- CCI-004045
- Version
- UBTU-22-411010
- Vuln IDs
- V-260542
- Rule IDs
- SV-260542r1015006_rule
Fix: F-64179r953438_fix
Configure Ubuntu 22.04 LTS to prevent direct logins to the root account by using the following command:
    $ sudo passwd -l root
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- UBTU-22-411015
- Vuln IDs
- V-260543
- Rule IDs
- SV-260543r958482_rule
Fix: F-64180r953441_fix
Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- UBTU-22-411025
- Vuln IDs
- V-260545
- Rule IDs
- SV-260545r1015007_rule
Fix: F-64182r986279_fix
Configure Ubuntu 22.04 LTS to enforce a 24 hours/one day minimum password lifetime.
Add or modify the following line in the "/etc/login.defs" file:
    PASS_MIN_DAYS 1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- UBTU-22-411030
- Vuln IDs
- V-260546
- Rule IDs
- SV-260546r1038967_rule
Fix: F-64183r953450_fix
Configure Ubuntu 22.04 LTS to enforce a 60-day maximum password lifetime.
Add or modify the following line in the "/etc/login.defs" file:
    PASS_MAX_DAYS 60
- RMF Control
- Severity
- M
- CCI
- CCI-003627
- Version
- UBTU-22-411035
- Vuln IDs
- V-260547
- Rule IDs
- SV-260547r1015009_rule
Fix: F-64184r953453_fix
Configure Ubuntu 22.04 LTS to disable account identifiers after 35 days of inactivity after the password expiration.
Run the following command to change the configuration for adduser:
    $ sudo useradd -D -f 35
Note: DOD recommendation is 35 days, but a lower value is acceptable. The value "0" will disable the account immediately after the password expires.
- RMF Control
- AC-7
- Severity
- L
- CCI
- CCI-000044
- Version
- UBTU-22-411045
- Vuln IDs
- V-260549
- Rule IDs
- SV-260549r958388_rule
Fix: F-64186r953459_fix
Configure Ubuntu 22.04 LTS to utilize the "pam_faillock" module.
Add or modify the following lines in the "/etc/pam.d/common-auth" file, below the "auth" definition for "pam_unix.so":
    auth [default=die] pam_faillock.so authfail
    auth sufficient pam_faillock.so authsucc
Configure the "pam_faillock" module to use the following options.
Add or modify the following lines in the "/etc/security/faillock.conf" file:
    audit
    silent
    deny = 3
    fail_interval = 900
    unlock_time = 0
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- UBTU-22-412010
- Vuln IDs
- V-260550
- Rule IDs
- SV-260550r991588_rule
Fix: F-64187r953462_fix
Configure Ubuntu 22.04 LTS to enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
Add or modify the following line in the "/etc/pam.d/common-auth" file:
    auth required pam_faildelay.so delay=4000000
- RMF Control
- AC-10
- Severity
- L
- CCI
- CCI-000054
- Version
- UBTU-22-412020
- Vuln IDs
- V-260552
- Rule IDs
- SV-260552r958398_rule
Fix: F-64189r953468_fix
Configure Ubuntu 22.04 LTS to limit the number of concurrent sessions to 10 for all accounts and/or account types.
Add or modify the following line at the top of the "/etc/security/limits.conf" file:
    * hard maxlogins 10
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- UBTU-22-412025
- Vuln IDs
- V-260553
- Rule IDs
- SV-260553r1015010_rule
Fix: F-64190r953471_fix
Install the "vlock" package by using the following command:
    $ sudo apt-get install vlock
- RMF Control
- AC-12
- Severity
- M
- CCI
- CCI-002361
- Version
- UBTU-22-412030
- Vuln IDs
- V-260554
- Rule IDs
- SV-260554r958636_rule
Fix: F-64191r953474_fix
Configure Ubuntu 22.04 LTS to exit interactive command shell user sessions after 15 minutes of inactivity.
Create and/or append a custom file under "/etc/profile.d/" by using the following command:
    $ sudo su -c "echo TMOUT=900 >> /etc/profile.d/99-terminal_tmout.sh"
This will set a timeout value of 15 minutes for all future sessions.
To set the timeout for the current sessions, execute the following command over the terminal session:
    $ export TMOUT=900
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-22-412035
- Vuln IDs
- V-260555
- Rule IDs
- SV-260555r991590_rule
Fix: F-64192r953477_fix
Configure Ubuntu 22.04 LTS to define the default permissions for all authenticated users in such a way that the user can read and modify only their own files.
Add or modify the following line in the "/etc/login.defs" file:
    UMASK 077
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- UBTU-22-431010
- Vuln IDs
- V-260556
- Rule IDs
- SV-260556r958702_rule
Fix: F-64193r953480_fix
Install the "AppArmor" package by using the following command:
    $ sudo apt-get install apparmor
- RMF Control
- Severity
- M
- CCI
- CCI-004895
- Version
- UBTU-22-432010
- Vuln IDs
- V-260558
- Rule IDs
- SV-260558r1155216_rule
Fix: F-64195r1155200_fix
Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- UBTU-22-611010
- Vuln IDs
- V-260560
- Rule IDs
- SV-260560r1015012_rule
Fix: F-64197r953492_fix
Configure Ubuntu 22.04 LTS to enforce password complexity by requiring that at least one uppercase character be used.
Add or modify the following line in the "/etc/security/pwquality.conf" file:
    ucredit = -1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- UBTU-22-611015
- Vuln IDs
- V-260561
- Rule IDs
- SV-260561r1015013_rule
Fix: F-64198r953495_fix
Configure Ubuntu 22.04 LTS to enforce password complexity by requiring that at least one lowercase character be used.
Add or modify the following line in the "/etc/security/pwquality.conf" file:
    lcredit = -1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- UBTU-22-611020
- Vuln IDs
- V-260562
- Rule IDs
- SV-260562r1015014_rule
Fix: F-64199r953498_fix
Configure Ubuntu 22.04 LTS to enforce password complexity by requiring that at least one numeric character be used.
Add or modify the following line in the "/etc/security/pwquality.conf" file:
    dcredit = -1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- UBTU-22-611025
- Vuln IDs
- V-260563
- Rule IDs
- SV-260563r1015015_rule
Fix: F-64200r953501_fix
Configure Ubuntu 22.04 LTS to enforce password complexity by requiring that at least one special character be used.
Add or modify the following line in the "/etc/security/pwquality.conf" file:
    ocredit = -1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-22-611030
- Vuln IDs
- V-260564
- Rule IDs
- SV-260564r991587_rule
Fix: F-64201r953504_fix
Configure Ubuntu 22.04 LTS to prevent the use of dictionary words for passwords.
Add or modify the following line in the "/etc/security/pwquality.conf" file:
    dictcheck = 1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- UBTU-22-611035
- Vuln IDs
- V-260565
- Rule IDs
- SV-260565r1015016_rule
Fix: F-64202r953507_fix
Configure Ubuntu 22.04 LTS to enforce a minimum 15-character password length.
Add or modify the following line in the "/etc/security/pwquality.conf" file:
    minlen = 15
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- UBTU-22-611040
- Vuln IDs
- V-260566
- Rule IDs
- SV-260566r1015017_rule
Fix: F-64203r953510_fix
Configure Ubuntu 22.04 LTS to require the change of at least eight characters when passwords are changed. Add or modify the following line in the "/etc/security/pwquality.conf" file: difok = 8
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-22-611045
- Vuln IDs
- V-260567
- Rule IDs
- SV-260567r991587_rule
Fix: F-64204r953513_fix
Configure Ubuntu 22.04 LTS to enforce password complexity rules. Add or modify the following line in the "/etc/security/pwquality.conf" file: enforcing = 1 Add or modify the following line in the "/etc/pam.d/common-password" file: password requisite pam_pwquality.so retry=3 Note: The value of "retry" should be between "1" and "3".
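The "/etc/security/pwquality.conf" settings from the rules above (ucredit through enforcing) can be checked in one pass. The following is an added example, not part of the benchmark: the function names and the sample file are constructed for illustration, and accepting stricter values (for example "minlen = 20") as passing is an assumption of the example.

```python
import operator

# (comparison, threshold) for each setting named in the fix texts above.
# Thresholds are the page's values; treating stricter values as passing
# (<= for credits, >= for lengths) is an assumption of this example.
REQUIRED = {
    "ucredit": ("<=", -1),
    "lcredit": ("<=", -1),
    "dcredit": ("<=", -1),
    "ocredit": ("<=", -1),
    "dictcheck": ("==", 1),
    "minlen": (">=", 15),
    "difok": (">=", 8),
    "enforcing": ("==", 1),
}
OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq}

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """\
# local password policy
difok = 8
minlen = 12
dcredit = -1
ucredit = -1
# lcredit = -1
ocredit = 1
dictcheck = 1
enforcing = 1
minlen = 14
"""


def parse_pwquality(text):
    """Return {key: raw value} for every 'key = value' line in the text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop anything after '#'
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # A later assignment overwrites an earlier one (assumed to match
        # how the file is read on the host).
        settings[key] = value
    return settings


def check_pwquality(text):
    """Return {setting: reason} for every required setting that fails."""
    settings = parse_pwquality(text)
    findings = {}
    for key, (op, want) in REQUIRED.items():
        raw = settings.get(key)
        if raw is None:
            findings[key] = "not set"  # missing or commented out
            continue
        try:
            got = int(raw)
        except ValueError:
            findings[key] = f"non-integer value {raw!r}"
            continue
        if not OPS[op](got, want):
            findings[key] = f"{got} (need {op} {want})"
    return findings


if __name__ == "__main__":
    for setting, reason in check_pwquality(SAMPLE_CONF).items():
        print(f"FINDING {setting}: {reason}")
```

In the sample, the commented-out "lcredit" line and the positive "ocredit" value are the cases a plain grep for the setting name would miss.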
- RMF Control
- Severity
- M
- CCI
- CCI-004062
- Version
- UBTU-22-611055
- Vuln IDs
- V-260569
- Rule IDs
- SV-260569r1101736_rule
Fix: F-64206r1101735_fix
Configure Ubuntu 22.04 LTS to store encrypted representations of passwords. Add or modify the following line in the "/etc/pam.d/common-password" file: password [success=1 default=ignore] pam_unix.so obscure sha512 shadow rounds=100000
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-22-611060
- Vuln IDs
- V-260570
- Rule IDs
- SV-260570r1082233_rule
Fix: F-64207r1082232_fix
Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-22-611065
- Vuln IDs
- V-260571
- Rule IDs
- SV-260571r991589_rule
Fix: F-64208r953525_fix
Configure all accounts on the system to have a password or lock the account by using the following commands: Set the account password: $ sudo passwd <username> Or lock the account: $ sudo passwd -l <username>
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- UBTU-22-611070
- Vuln IDs
- V-260572
- Rule IDs
- SV-260572r971535_rule
Fix: F-64209r953528_fix
Configure Ubuntu 22.04 LTS to encrypt all stored passwords. Add or modify the following line in the "/etc/login.defs" file: ENCRYPT_METHOD SHA512
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000765
- Version
- UBTU-22-612010
- Vuln IDs
- V-260573
- Rule IDs
- SV-260573r1015019_rule
Fix: F-64210r953531_fix
Install the "libpam-pkcs11" package by using the following command: $ sudo apt-get install libpam-pkcs11
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001953
- Version
- UBTU-22-612015
- Vuln IDs
- V-260574
- Rule IDs
- SV-260574r958816_rule
Fix: F-64211r953534_fix
Install the "opensc-pkcs11" package by using the following command: $ sudo apt-get install opensc-pkcs11
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000765
- Version
- UBTU-22-612020
- Vuln IDs
- V-260575
- Rule IDs
- SV-260575r1044770_rule
Fix: F-64212r1044769_fix
Configure Ubuntu 22.04 LTS to use multifactor authentication for access to accounts. Add or modify the following line in the "/etc/pam.d/common-auth" file: auth [success=3 default=ignore] pam_pkcs11.so Add or modify the following line in the "/etc/ssh/sshd_config" file: PubkeyAuthentication yes
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001954
- Version
- UBTU-22-612025
- Vuln IDs
- V-260576
- Rule IDs
- SV-260576r1069114_rule
Fix: F-64213r953540_fix
Configure Ubuntu 22.04 LTS to do certificate status checking for multifactor authentication. Add or modify all "cert_policy" lines in the "/etc/pam_pkcs11/pam_pkcs11.conf" file with the following: ocsp_on
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- UBTU-22-612030
- Vuln IDs
- V-260577
- Rule IDs
- SV-260577r1069112_rule
Fix: F-64214r953543_fix
Configure Ubuntu 22.04 LTS, for PKI-based authentication, to validate certificates by constructing a certification path to an accepted trust anchor. Add or modify all "cert_policy" lines in the "/etc/pam_pkcs11/pam_pkcs11.conf" file with the following: cert_policy = ca,signature,ocsp_on; Note: If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".
- RMF Control
- Severity
- M
- CCI
- CCI-004068
- Version
- UBTU-22-612035
- Vuln IDs
- V-260578
- Rule IDs
- SV-260578r1015021_rule
Fix: F-64215r953546_fix
Configure Ubuntu 22.04 LTS, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add or update the "cert_policy" option in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "crl_auto" or "crl_offline". cert_policy = ca,signature,ocsp_on, crl_auto; If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000187
- Version
- UBTU-22-612040
- Vuln IDs
- V-260579
- Rule IDs
- SV-260579r958452_rule
Fix: F-64216r953549_fix
Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper. If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-002007
- Version
- UBTU-22-631015
- Vuln IDs
- V-260581
- Rule IDs
- SV-260581r1155206_rule
Fix: F-64218r953555_fix
Configure PAM to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, just below the line "[pam]": offline_credentials_expiration = 1 Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file.
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-002696
- Version
- UBTU-22-651010
- Vuln IDs
- V-260582
- Rule IDs
- SV-260582r958944_rule
Fix: F-64219r953558_fix
Install the "aide" package: $ sudo apt install aide
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- UBTU-22-651020
- Vuln IDs
- V-260584
- Rule IDs
- SV-260584r958794_rule
Fix: F-64221r953564_fix
Configure AIDE to notify designated personnel if baseline configurations are changed in an unauthorized manner. Add or modify the following line in the "/etc/default/aide" file: SILENTREPORTS=no
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001496
- Version
- UBTU-22-651030
- Vuln IDs
- V-260586
- Rule IDs
- SV-260586r1069107_rule
Fix: F-64223r1044778_fix
Configure AIDE to protect the integrity of audit tools: Add or modify the following lines in the "/etc/aide/aide.conf" file:
    # Audit Tools
    /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
- RMF Control
- SC-24
- Severity
- M
- CCI
- CCI-001665
- Version
- UBTU-22-652010
- Vuln IDs
- V-260588
- Rule IDs
- SV-260588r991562_rule
Fix: F-64225r953576_fix
Install the log service by using the following command: $ sudo apt-get install rsyslog Enable and activate the log service by using the following command: $ sudo systemctl enable rsyslog.service --now
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- UBTU-22-652015
- Vuln IDs
- V-260589
- Rule IDs
- SV-260589r958406_rule
Fix: F-64226r953579_fix
Configure Ubuntu 22.04 LTS to monitor all remote access methods. Add or modify the following lines in the "/etc/rsyslog.d/50-default.conf" file:
    auth.*,authpriv.* /var/log/secure
    daemon.* /var/log/messages
Restart "rsyslog.service" for the changes to take effect by using the following command: $ sudo systemctl restart rsyslog.service
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- UBTU-22-653010
- Vuln IDs
- V-260590
- Rule IDs
- SV-260590r1015022_rule
Fix: F-64227r953582_fix
Install the "auditd" package by using the following command: $ sudo apt-get install auditd
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- UBTU-22-653015
- Vuln IDs
- V-260591
- Rule IDs
- SV-260591r1015023_rule
Fix: F-64228r953585_fix
Enable and start the "auditd.service" by using the following command: $ sudo systemctl enable auditd.service --now
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000140
- Version
- UBTU-22-653030
- Vuln IDs
- V-260594
- Rule IDs
- SV-260594r1038966_rule
Fix: F-64231r953594_fix
Configure Ubuntu 22.04 LTS to shut down by default upon audit failure. Add or modify the following line in the "/etc/audit/auditd.conf" file: disk_full_action = HALT Restart the "auditd" service for the changes to take effect: $ sudo systemctl restart auditd.service Note: If system availability has been determined to be more important, and this decision is documented with the ISSO, configure Ubuntu 22.04 LTS to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG" or "SINGLE".
- RMF Control
- AU-5
- Severity
- L
- CCI
- CCI-001855
- Version
- UBTU-22-653040
- Vuln IDs
- V-260596
- Rule IDs
- SV-260596r971542_rule
Fix: F-64233r953600_fix
Configure Ubuntu 22.04 LTS to notify the SA and ISSO when the audit record storage volume reaches 25 percent remaining of the allocated capacity. Add or modify the following lines in the "/etc/audit/auditd.conf" file:
    space_left = 25%
    space_left_action = email
Restart the "auditd" service for the changes to take effect: $ sudo systemctl restart auditd.service Note: If the "space_left_action" parameter is set to "exec", ensure the command being executed notifies the SA and ISSO.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- UBTU-22-653045
- Vuln IDs
- V-260597
- Rule IDs
- SV-260597r958434_rule
Fix: F-64234r953603_fix
Configure the audit log files to have a mode of "600" or less permissive. Using the path of the directory containing the audit logs, configure the audit log files to have a mode of "600" or less permissive by using the following command: $ sudo chmod 600 /var/log/audit/*
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- UBTU-22-653050
- Vuln IDs
- V-260598
- Rule IDs
- SV-260598r958434_rule
Fix: F-64235r953606_fix
Configure the audit log directory and its underlying files to be owned by "root" user. Using the path of the directory containing the audit logs, configure the audit log files to be owned by "root" user by using the following command: $ sudo chown root /var/log/audit/*
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- UBTU-22-653055
- Vuln IDs
- V-260599
- Rule IDs
- SV-260599r958434_rule
Fix: F-64236r953609_fix
Configure the group owner of newly created audit logs to be "root". Add or modify the following line in the "/etc/audit/auditd.conf" file: log_group = root Reload the configuration file of the audit service to update the group ownership of existing files: $ sudo systemctl kill auditd -s SIGHUP
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000164
- Version
- UBTU-22-653060
- Vuln IDs
- V-260600
- Rule IDs
- SV-260600r958438_rule
Fix: F-64237r953612_fix
Configure the audit log directory to have a mode of "750" or less permissive. Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "750" or less permissive by using the following command: $ sudo chmod -R g-w,o-rwx /var/log/audit
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- UBTU-22-653065
- Vuln IDs
- V-260601
- Rule IDs
- SV-260601r958444_rule
Fix: F-64238r953615_fix
Configure "/etc/audit/audit.rules", "/etc/audit/auditd.conf", and "/etc/audit/rules.d/*" files to have a mode of "640" by using the following command: $ sudo chmod -R 640 /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/*
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- UBTU-22-653070
- Vuln IDs
- V-260602
- Rule IDs
- SV-260602r958444_rule
Fix: F-64239r953618_fix
Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to be owned by root by using the following command: $ sudo chown -R root /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/*
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- UBTU-22-653075
- Vuln IDs
- V-260603
- Rule IDs
- SV-260603r958444_rule
Fix: F-64240r953621_fix
Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to be owned by root group by using the following command: $ sudo chown -R :root /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/*
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654010
- Vuln IDs
- V-260604
- Rule IDs
- SV-260604r958446_rule
Fix: F-64241r953624_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654015
- Vuln IDs
- V-260605
- Rule IDs
- SV-260605r958446_rule
Fix: F-64242r953627_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654020
- Vuln IDs
- V-260606
- Rule IDs
- SV-260606r958446_rule
Fix: F-64243r953630_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654025
- Vuln IDs
- V-260607
- Rule IDs
- SV-260607r958446_rule
Fix: F-64244r953633_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654030
- Vuln IDs
- V-260608
- Rule IDs
- SV-260608r958446_rule
Fix: F-64245r953636_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chfn" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chfn To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654035
- Vuln IDs
- V-260609
- Rule IDs
- SV-260609r958446_rule
Fix: F-64246r953639_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654040
- Vuln IDs
- V-260610
- Rule IDs
- SV-260610r958446_rule
Fix: F-64247r953642_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654045
- Vuln IDs
- V-260611
- Rule IDs
- SV-260611r991586_rule
Fix: F-64248r953645_fix
Configure Ubuntu 22.04 LTS to audit the execution of the partition management program "fdisk". Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /usr/sbin/fdisk -p x -k fdisk To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654050
- Vuln IDs
- V-260612
- Rule IDs
- SV-260612r958446_rule
Fix: F-64249r953648_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654055
- Vuln IDs
- V-260613
- Rule IDs
- SV-260613r991586_rule
Fix: F-64250r953651_fix
Configure Ubuntu 22.04 LTS to audit the execution of the module management program "kmod". Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /bin/kmod -p x -k modules To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654060
- Vuln IDs
- V-260614
- Rule IDs
- SV-260614r991586_rule
Fix: F-64251r953654_fix
Configure Ubuntu 22.04 LTS to audit the execution of the module management program "modprobe". Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /sbin/modprobe -p x -k modules To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654065
- Vuln IDs
- V-260615
- Rule IDs
- SV-260615r958446_rule
Fix: F-64252r953657_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654070
- Vuln IDs
- V-260616
- Rule IDs
- SV-260616r958446_rule
Fix: F-64253r953660_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654075
- Vuln IDs
- V-260617
- Rule IDs
- SV-260617r958446_rule
Fix: F-64254r953663_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654080
- Vuln IDs
- V-260618
- Rule IDs
- SV-260618r958446_rule
Fix: F-64255r953666_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654085
- Vuln IDs
- V-260619
- Rule IDs
- SV-260619r958446_rule
Fix: F-64256r953669_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654090
- Vuln IDs
- V-260620
- Rule IDs
- SV-260620r958446_rule
Fix: F-64257r953672_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654095
- Vuln IDs
- V-260621
- Rule IDs
- SV-260621r958446_rule
Fix: F-64258r953675_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654100
- Vuln IDs
- V-260622
- Rule IDs
- SV-260622r958446_rule
Fix: F-64259r953678_fix
Configure Ubuntu 22.04 LTS to generate audit records when successful/unsuccessful attempts to use the "su" command occur. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654105
- Vuln IDs
- V-260623
- Rule IDs
- SV-260623r958446_rule
Fix: F-64260r953681_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654110
- Vuln IDs
- V-260624
- Rule IDs
- SV-260624r958446_rule
Fix: F-64261r953684_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudoedit" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules": -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654115
- Vuln IDs
- V-260625
- Rule IDs
- SV-260625r958446_rule
Fix: F-64262r953687_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654120
- Vuln IDs
- V-260626
- Rule IDs
- SV-260626r958446_rule
Fix: F-64263r953690_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654125
- Vuln IDs
- V-260627
- Rule IDs
- SV-260627r958446_rule
Fix: F-64264r953693_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-22-654130
- Vuln IDs
- V-260628
- Rule IDs
- SV-260628r958368_rule
Fix: F-64265r953696_fix
Configure Ubuntu 22.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/group -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-22-654135
- Vuln IDs
- V-260629
- Rule IDs
- SV-260629r958368_rule
Fix: F-64266r953699_fix
Configure Ubuntu 22.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/gshadow -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-22-654140
- Vuln IDs
- V-260630
- Rule IDs
- SV-260630r958368_rule
Fix: F-64267r953702_fix
Configure Ubuntu 22.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/security/opasswd -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-22-654145
- Vuln IDs
- V-260631
- Rule IDs
- SV-260631r958368_rule
Fix: F-64268r953705_fix
Configure Ubuntu 22.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
Add or modify the following line to "/etc/audit/rules.d/stig.rules":
-w /etc/passwd -p wa -k usergroup_modification
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-22-654150
- Vuln IDs
- V-260632
- Rule IDs
- SV-260632r958368_rule
Fix: F-64269r953708_fix
Configure Ubuntu 22.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".
Add or modify the following line to "/etc/audit/rules.d/stig.rules":
-w /etc/shadow -p wa -k usergroup_modification
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654155
- Vuln IDs
- V-260633
- Rule IDs
- SV-260633r958446_rule
Fix: F-64270r953711_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" system calls.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules":
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_chng
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654160
- Vuln IDs
- V-260634
- Rule IDs
- SV-260634r958446_rule
Fix: F-64271r953714_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules":
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_chng
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654165
- Vuln IDs
- V-260635
- Rule IDs
- SV-260635r958446_rule
Fix: F-64272r953717_fix
Configure the audit system to generate an audit event for any unsuccessful use of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654170
- Vuln IDs
- V-260636
- Rule IDs
- SV-260636r958446_rule
Fix: F-64273r953720_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "delete_module" syscall.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654175
- Vuln IDs
- V-260637
- Rule IDs
- SV-260637r958446_rule
Fix: F-64274r953723_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" syscalls.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654180
- Vuln IDs
- V-260638
- Rule IDs
- SV-260638r958446_rule
Fix: F-64275r953726_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654185
- Vuln IDs
- V-260639
- Rule IDs
- SV-260639r991577_rule
Fix: F-64276r953729_fix
Configure the audit system to generate audit events for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-22-654190
- Vuln IDs
- V-260640
- Rule IDs
- SV-260640r991589_rule
Fix: F-64277r953732_fix
Configure Ubuntu 22.04 LTS to generate audit records for events that affect "/var/log/journal".
Add or modify the following line to "/etc/audit/rules.d/stig.rules":
-w /var/log/journal -p wa -k systemd_journal
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654195
- Vuln IDs
- V-260641
- Rule IDs
- SV-260641r991581_rule
Fix: F-64278r953735_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/btmp" file.
Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file:
-w /var/log/btmp -p wa -k logins
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654200
- Vuln IDs
- V-260642
- Rule IDs
- SV-260642r991581_rule
Fix: F-64279r953738_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/wtmp" file.
Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file:
-w /var/log/wtmp -p wa -k logins
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654205
- Vuln IDs
- V-260643
- Rule IDs
- SV-260643r991581_rule
Fix: F-64280r953741_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/run/utmp" file.
Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file:
-w /var/run/utmp -p wa -k logins
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654210
- Vuln IDs
- V-260644
- Rule IDs
- SV-260644r958446_rule
Fix: F-64281r953744_fix
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file.
Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file:
-w /var/log/faillog -p wa -k logins
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654215
- Vuln IDs
- V-260645
- Rule IDs
- SV-260645r958446_rule
Fix: F-64282r953747_fix
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file.
Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file:
-w /var/log/lastlog -p wa -k logins
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654220
- Vuln IDs
- V-260646
- Rule IDs
- SV-260646r991575_rule
Fix: F-64283r953750_fix
Configure Ubuntu 22.04 LTS to generate audit records for all modifications that affect "/etc/sudoers".
Add or modify the following line to "/etc/audit/rules.d/stig.rules":
-w /etc/sudoers -p wa -k privilege_modification
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654225
- Vuln IDs
- V-260647
- Rule IDs
- SV-260647r991575_rule
Fix: F-64284r953753_fix
Configure Ubuntu 22.04 LTS to generate audit records for all modifications that affect the "/etc/sudoers.d" directory.
Add or modify the following line to "/etc/audit/rules.d/stig.rules":
-w /etc/sudoers.d -p wa -k privilege_modification
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002233
- Version
- UBTU-22-654230
- Vuln IDs
- V-260648
- Rule IDs
- SV-260648r958730_rule
Fix: F-64285r953756_fix
Configure Ubuntu 22.04 LTS to audit the execution of all privileged functions.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-22-654235
- Vuln IDs
- V-260649
- Rule IDs
- SV-260649r986298_rule
Fix: F-64286r953759_fix
Configure Ubuntu 22.04 LTS to audit activities performed during nonlocal maintenance and diagnostic sessions.
Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file:
-w /var/log/sudo.log -p wa -k maintenance
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
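Because the key name may differ from the examples and the syscall rules must exist for both b32 and b64, a plain text match against the fix lines gives false results. The following is an added example (not part of the STIG) that compares rules with the key removed. The function names and the subset of rules are chosen here for illustration, and it assumes that saved "auditctl -l" output writes the key as "-F key=<name>" and the unset auid as "-1".

```shell
#!/bin/sh
# Added example: list audit rules from this section that are absent from a
# rules file or from saved `auditctl -l` output. Function names are hypothetical.

# Constructed subset of the rules given in the fix texts above.
required_rules() {
cat <<'EOF'
-w /etc/passwd -p wa -k usergroup_modification
-w /etc/shadow -p wa -k usergroup_modification
-w /etc/sudoers -p wa -k privilege_modification
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
EOF
}

# Normalize rule text on stdin: drop comments, remove the key in either
# spelling ("-k name" or "-F key=name"), map the numeric spellings of an
# unset auid to "unset", collapse whitespace, and delete empty lines.
normalize_rules() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]]-k[[:space:]]\{1,\}[^[:space:]]\{1,\}//g' \
        -e 's/[[:space:]]-F[[:space:]]\{1,\}key=[^[:space:]]\{1,\}//g' \
        -e 's/auid!=-1/auid!=unset/g' \
        -e 's/auid!=4294967295/auid!=unset/g' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
        -e '/^$/d'
}

# Print each required rule (key stripped) that file $1 does not contain.
# Returns 0 when nothing is missing, 1 otherwise.
missing_rules() {
    have=$(normalize_rules < "$1")
    missing=$(required_rules | normalize_rules | while IFS= read -r rule; do
        printf '%s\n' "$have" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}
```

Run it as missing_rules /etc/audit/rules.d/stig.rules to check the file on disk, or against a file holding the output of "sudo auditctl -l" to check what the kernel actually loaded after "augenrules --load".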
- RMF Control
- SC-13
- Severity
- H
- CCI
- CCI-002450
- Version
- UBTU-22-671010
- Vuln IDs
- V-260650
- Rule IDs
- SV-260650r987791_rule
Fix: F-64287r953762_fix
Configure Ubuntu 22.04 LTS to run in FIPS mode. Add "fips=1" to the kernel parameter during Ubuntu 22.04 LTS install. Enabling a FIPS mode on a pre-existing system involves a number of modifications to Ubuntu 22.04 LTS. Refer to the Ubuntu Pro security certification documentation for instructions. A subscription to the "Ubuntu Pro" plan is required to obtain the FIPS Kernel cryptographic modules and enable FIPS. Note: Ubuntu Pro security certification instructions can be found at: https://ubuntu.com/security/certifications/docs/fips-enablement
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-22-211000
- Vuln IDs
- V-278951
- Rule IDs
- SV-278951r1155215_rule
Fix: F-83390r1135402_fix
Upgrade to a supported version of Ubuntu 22.04 LTS.