Canonical Ubuntu 24.04 LTS STIG SCAP Benchmark
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- UBTU-24-100010
- Vuln IDs
- V-270645
- Rule IDs
- SV-270645r1068357_rule
Fix: F-74579r1066423_fix
The "systemd-timesyncd" package will be uninstalled as part of the "chrony" package install. Purge the remaining configuration files for "systemd-timesyncd" from Ubuntu 24.04 LTS: $ sudo apt-get purge systemd-timesyncd
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- UBTU-24-100020
- Vuln IDs
- V-270646
- Rule IDs
- SV-270646r1068358_rule
Fix: F-74580r1066426_fix
Uninstall the "ntp" package using the following command:

    $ sudo apt remove ntp

If there are additional configuration files on the system that must be removed, the following command can be used instead:

    $ sudo apt-get purge ntp
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000197
- Version
- UBTU-24-100030
- Vuln IDs
- V-270647
- Rule IDs
- SV-270647r1066430_rule
Fix: F-74581r1066429_fix
Remove the telnet package from Ubuntu 24.04 LTS with the following command: $ sudo apt remove telnetd
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000381
- Version
- UBTU-24-100040
- Vuln IDs
- V-270648
- Rule IDs
- SV-270648r1066433_rule
Fix: F-74582r1066432_fix
Configure Ubuntu 24.04 LTS to disable nonessential capabilities by removing the rsh-server package from the system with the following command: $ sudo apt remove rsh-server
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-002696
- Version
- UBTU-24-100100
- Vuln IDs
- V-270649
- Rule IDs
- SV-270649r1067136_rule
Fix: F-74583r1067135_fix
Install the "AIDE" file integrity package: $ sudo apt install -y aide
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-002702
- Version
- UBTU-24-100130
- Vuln IDs
- V-270652
- Rule IDs
- SV-270652r1067138_rule
Fix: F-74586r1067137_fix
Configure Ubuntu 24.04 LTS to notify designated personnel if baseline configurations are changed in an unauthorized manner. Modify the "SILENTREPORTS" parameter in the "/etc/default/aide" file with a value of "no" if it does not already exist as follows: SILENTREPORTS=no
- RMF Control
- SC-24
- Severity
- M
- CCI
- CCI-001665
- Version
- UBTU-24-100200
- Vuln IDs
- V-270653
- Rule IDs
- SV-270653r1067141_rule
Fix: F-74587r1067140_fix
Configure the log service to collect failure events. Install the log service (if the log service is not already installed) with the following command:

    $ sudo apt install -y rsyslog

Enable the log service with the following command:

    $ sudo systemctl enable --now rsyslog
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- UBTU-24-100300
- Vuln IDs
- V-270654
- Rule IDs
- SV-270654r1067143_rule
Fix: F-74588r1067142_fix
Install the ufw by using the following command: $ sudo apt install -y ufw
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- UBTU-24-100310
- Vuln IDs
- V-270655
- Rule IDs
- SV-270655r1067145_rule
Fix: F-74589r1067144_fix
Enable the ufw by using the following command: $ sudo ufw enable Note: Enabling the firewall will potentially disrupt ssh sessions.
- RMF Control
- Severity
- M
- CCI
- CCI-003938
- Version
- UBTU-24-100400
- Vuln IDs
- V-270656
- Rule IDs
- SV-270656r1067148_rule
Fix: F-74590r1067147_fix
Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command: $ sudo apt install -y auditd
- RMF Control
- Severity
- M
- CCI
- CCI-003938
- Version
- UBTU-24-100410
- Vuln IDs
- V-270657
- Rule IDs
- SV-270657r1066460_rule
Fix: F-74591r1066459_fix
Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Enable the audit service with the following command:

    $ sudo systemctl enable auditd.service

To reload the rules file, issue the following command:

    $ sudo augenrules --load
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-002165
- Version
- UBTU-24-100500
- Vuln IDs
- V-270659
- Rule IDs
- SV-270659r1066466_rule
Fix: F-74593r1066465_fix
Install "AppArmor" with the following command: $ sudo apt install apparmor Note: AppArmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. Refer to the AppArmor documentation for more information on configuring profiles.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- UBTU-24-100510
- Vuln IDs
- V-270660
- Rule IDs
- SV-270660r1066469_rule
Fix: F-74594r1066468_fix
Enable "apparmor" with the following command:

    $ sudo systemctl enable apparmor.service

Start "apparmor" with the following command:

    $ sudo systemctl start apparmor.service

Note: AppArmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. Refer to the AppArmor documentation for more information on configuring profiles.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-24-100600
- Vuln IDs
- V-270661
- Rule IDs
- SV-270661r1067175_rule
Fix: F-74595r1067153_fix
Install the "pam_pwquality" package by using the following command: $ sudo apt install -y libpam-pwquality
- RMF Control
- Severity
- M
- CCI
- CCI-004046
- Version
- UBTU-24-100650
- Vuln IDs
- V-270662
- Rule IDs
- SV-270662r1067156_rule
Fix: F-74596r1067155_fix
Install the sssd.service and the required pam packages with the following commands:

    $ sudo apt install -y sssd
    $ sudo apt install -y libpam-sss
    $ sudo apt install -y libnss-sss
- RMF Control
- Severity
- M
- CCI
- CCI-004046
- Version
- UBTU-24-100660
- Vuln IDs
- V-270663
- Rule IDs
- SV-270663r1066478_rule
Fix: F-74597r1066477_fix
Enable the "sssd.service" to start automatically on reboot with the following command:

    $ sudo systemctl enable sssd.service

Ensure the "sssd" service is running:

    $ sudo systemctl start sssd.service
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- UBTU-24-100700
- Vuln IDs
- V-270664
- Rule IDs
- SV-270664r1068359_rule
Fix: F-74598r1067158_fix
Install the "chrony" network time protocol package using the following command: $ sudo apt install -y chrony
- RMF Control
- SC-8
- Severity
- H
- CCI
- CCI-002418
- Version
- UBTU-24-100800
- Vuln IDs
- V-270665
- Rule IDs
- SV-270665r1067133_rule
Fix: F-74599r1067132_fix
Install the "ssh" meta-package on the system with the following command: $ sudo apt install -y ssh
- RMF Control
- SC-8
- Severity
- H
- CCI
- CCI-002418
- Version
- UBTU-24-100810
- Vuln IDs
- V-270666
- Rule IDs
- SV-270666r1066487_rule
Fix: F-74600r1066486_fix
Enable the "ssh" service to start automatically on reboot with the following command:

    $ sudo systemctl enable ssh.service

Ensure the "ssh" service is running:

    $ sudo systemctl start ssh.service
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- UBTU-24-100820
- Vuln IDs
- V-270667
- Rule IDs
- SV-270667r1067107_rule
Fix: F-74601r1066489_fix
Configure Ubuntu 24.04 LTS to allow the SSH daemon to only implement FIPS-approved algorithms. Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

Restart the "sshd" service for changes to take effect:

    $ sudo systemctl restart sshd
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- UBTU-24-100830
- Vuln IDs
- V-270668
- Rule IDs
- SV-270668r1067110_rule
Fix: F-74602r1067109_fix
Configure Ubuntu 24.04 LTS to allow the SSH daemon to only use MACs that employ FIPS 140-3 approved ciphers. Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

Restart the "sshd" service for changes to take effect:

    $ sudo systemctl restart sshd
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- UBTU-24-100840
- Vuln IDs
- V-270669
- Rule IDs
- SV-270669r1134804_rule
Fix: F-74603r1066495_fix
Configure the SSH daemon to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config":

    KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256

Restart the "sshd" service for changes to take effect:

    $ sudo systemctl restart sshd
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- UBTU-24-100850
- Vuln IDs
- V-270670
- Rule IDs
- SV-270670r1067115_rule
Fix: F-74604r1067114_fix
Configure the Ubuntu 24.04 LTS SSH client to use only ciphers employing FIPS 140-3 approved algorithms by updating the "/etc/ssh/ssh_config" file with the following line:

    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

Restart the "ssh" service for changes to take effect:

    $ sudo systemctl restart ssh
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-001453
- Version
- UBTU-24-100860
- Vuln IDs
- V-270671
- Rule IDs
- SV-270671r1155244_rule
Fix: F-74605r1067117_fix
Configure the Ubuntu 24.04 LTS SSH client to use only MACs employing FIPS 140-3 approved algorithms by updating the "/etc/ssh/ssh_config" file with the following line:

    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

Restart the "ssh" service for changes to take effect:

    $ sudo systemctl restart ssh
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001953
- Version
- UBTU-24-100900
- Vuln IDs
- V-270672
- Rule IDs
- SV-270672r1067161_rule
Fix: F-74606r1067160_fix
Configure Ubuntu 24.04 LTS to accept PIV credentials. Install the "opensc-pkcs11" package using the following command: $ sudo apt install -y opensc-pkcs11
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001953
- Version
- UBTU-24-100910
- Vuln IDs
- V-270673
- Rule IDs
- SV-270673r1067164_rule
Fix: F-74607r1067163_fix
Configure Ubuntu 24.04 LTS to accept PIV credentials that are managed through the PAM framework. Install the "libpam-pkcs11" package using the following command: $ sudo apt install -y libpam-pkcs11
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000060
- Version
- UBTU-24-101000
- Vuln IDs
- V-270674
- Rule IDs
- SV-270674r1067167_rule
Fix: F-74608r1067166_fix
Install the "vlock" package (if it is not already installed) by running the following command: $ sudo apt install -y vlock
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- UBTU-24-102000
- Vuln IDs
- V-270675
- Rule IDs
- SV-270675r1137691_rule
Fix: F-74609r1066513_fix
Configure the system to require a password for authentication upon booting into single-user and maintenance modes. Generate an encrypted (grub) password for root with the following command:

    $ grub-mkpasswd-pbkdf2
    Enter Password:
    Reenter Password:
    PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG

Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a boot password:

    $ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom

where <hash> is the hash generated by the grub-mkpasswd-pbkdf2 command. Generate an updated "grub.conf" file with the new password by using the following command:

    $ sudo update-grub
- RMF Control
- AU-14
- Severity
- M
- CCI
- CCI-001464
- Version
- UBTU-24-102010
- Vuln IDs
- V-270676
- Rule IDs
- SV-270676r1155245_rule
Fix: F-74610r1155231_fix
Configure Ubuntu 24.04 LTS to produce audit records at system startup. Edit the "/etc/default/grub" file and add "audit=1" to the "GRUB_CMDLINE_LINUX" option and to the "GRUB_CMDLINE_LINUX_DEFAULT" option.

    GRUB_CMDLINE_LINUX_DEFAULT="audit=1"
    GRUB_CMDLINE_LINUX="audit=1"

To update the grub config file, run:

    $ sudo update-grub
- RMF Control
- AC-10
- Severity
- L
- CCI
- CCI-000054
- Version
- UBTU-24-200000
- Vuln IDs
- V-270677
- Rule IDs
- SV-270677r1101774_rule
Fix: F-74611r1066519_fix
Configure Ubuntu 24.04 LTS to limit the number of concurrent sessions to 10 for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: * hard maxlogins 10
- RMF Control
- AC-12
- Severity
- M
- CCI
- CCI-002361
- Version
- UBTU-24-200060
- Vuln IDs
- V-270680
- Rule IDs
- SV-270680r1066529_rule
Fix: F-74614r1066528_fix
Configure Ubuntu 24.04 LTS to automatically terminate a user session after inactivity timeouts have expired or at shutdown. Create the file "/etc/profile.d/99-terminal_tmout.sh" if it does not exist. Modify or append the following line in the "/etc/profile.d/99-terminal_tmout.sh" file:

    TMOUT=600

This will set a timeout value of 10 minutes for all future sessions. To set the timeout for the current sessions, execute the following command over the terminal session:

    $ export TMOUT=600
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- UBTU-24-200090
- Vuln IDs
- V-270681
- Rule IDs
- SV-270681r1134806_rule
Fix: F-74615r1066531_fix
Configure Ubuntu 24.04 LTS to monitor all remote access methods by adding the following lines to the "/etc/rsyslog.d/50-default.conf" file:

    auth.*,authpriv.* /var/log/secure
    daemon.* /var/log/messages

For the changes to take effect, restart the "rsyslog" service with the following command:

    $ sudo systemctl restart rsyslog.service
- RMF Control
- Severity
- M
- CCI
- CCI-003627
- Version
- UBTU-24-200260
- Vuln IDs
- V-270683
- Rule IDs
- SV-270683r1066538_rule
Fix: F-74617r1066537_fix
Configure Ubuntu 24.04 LTS to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for adduser: $ sudo useradd -D -f 35 Note: DOD recommendation is 35 days, but a lower value is acceptable. The value "0" will disable the account immediately after the password expires.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-24-200280
- Vuln IDs
- V-270684
- Rule IDs
- SV-270684r1066541_rule
Fix: F-74618r1066540_fix
Configure Ubuntu 24.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/passwd -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-24-200290
- Vuln IDs
- V-270685
- Rule IDs
- SV-270685r1066544_rule
Fix: F-74619r1066543_fix
Configure Ubuntu 24.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/group -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-24-200300
- Vuln IDs
- V-270686
- Rule IDs
- SV-270686r1066547_rule
Fix: F-74620r1066546_fix
Configure Ubuntu 24.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/shadow -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-24-200310
- Vuln IDs
- V-270687
- Rule IDs
- SV-270687r1066550_rule
Fix: F-74621r1066549_fix
Configure Ubuntu 24.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/gshadow -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- UBTU-24-200320
- Vuln IDs
- V-270688
- Rule IDs
- SV-270688r1066553_rule
Fix: F-74622r1066552_fix
Configure Ubuntu 24.04 LTS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/security/opasswd -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002233
- Version
- UBTU-24-200580
- Vuln IDs
- V-270689
- Rule IDs
- SV-270689r1066556_rule
Fix: F-74623r1066555_fix
Configure Ubuntu 24.04 LTS to audit the execution of all privileged functions. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:

    -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
    -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
    -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
    -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv

Notes: For 32-bit architectures, only the 32-bit specific entries are required.

To reload the rules file, issue the following command:

    $ sudo augenrules --load
- RMF Control
- AC-7
- Severity
- L
- CCI
- CCI-000044
- Version
- UBTU-24-200610
- Vuln IDs
- V-270690
- Rule IDs
- SV-270690r1067126_rule
Fix: F-74624r1066558_fix
Configure Ubuntu 24.04 LTS to utilize the "pam_faillock" module. Edit the /etc/pam.d/common-auth file to add the following lines below the "auth" definition for pam_unix.so:

    auth [default=die] pam_faillock.so authfail
    auth sufficient pam_faillock.so authsucc

Configure the "pam_faillock" module to use the following options: Edit the /etc/security/faillock.conf file and add/update the following keywords and values:

    audit
    silent
    deny = 3
    fail_interval = 900
    unlock_time = 0
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- UBTU-24-200650
- Vuln IDs
- V-270692
- Rule IDs
- SV-270692r1066565_rule
Fix: F-74626r1066564_fix
Configure Ubuntu 24.04 LTS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to Ubuntu 24.04 LTS via a graphical user logon. Edit the "/etc/gdm3/greeter.dconf-defaults" file. Look for the "banner-message-enable" parameter under the "[org/gnome/login-screen]" section and uncomment it (remove the leading "#" characters):

    [org/gnome/login-screen]
    banner-message-enable=true

Update the GDM with the new configuration:

    $ sudo dconf update
    $ sudo systemctl restart gdm3
- RMF Control
- Severity
- L
- CCI
- CCI-003992
- Version
- UBTU-24-300001
- Vuln IDs
- V-270695
- Rule IDs
- SV-270695r1066574_rule
Fix: F-74629r1066573_fix
Configure APT to prevent the installation of patches, service packs, device drivers, or Ubuntu 24.04 LTS components without verification they have been digitally signed using a certificate recognized and approved by the organization. In every APT configuration file that contains the variable "AllowUnauthenticated", either set the variable to "false" or remove it entirely. Below is an example of setting the "AllowUnauthenticated" variable to "false":

    APT::Get::AllowUnauthenticated "false";
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-24-300006
- Vuln IDs
- V-270696
- Rule IDs
- SV-270696r1107306_rule
Fix: F-74630r1107305_fix
Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to have mode 0755 or less permissive with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} +
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-24-300007
- Vuln IDs
- V-270697
- Rule IDs
- SV-270697r1107308_rule
Fix: F-74631r1107307_fix
Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be owned by root with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} +
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-24-300008
- Vuln IDs
- V-270698
- Rule IDs
- SV-270698r1101751_rule
Fix: F-74632r1101750_fix
Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-24-300009
- Vuln IDs
- V-270699
- Rule IDs
- SV-270699r1107310_rule
Fix: F-74633r1107309_fix
Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to be group owned by root with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} +
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-24-300010
- Vuln IDs
- V-270700
- Rule IDs
- SV-270700r1066589_rule
Fix: F-74634r1066588_fix
Configure the system library directories to be protected from unauthorized access. Run the following command: $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-24-300011
- Vuln IDs
- V-270701
- Rule IDs
- SV-270701r1066592_rule
Fix: F-74635r1066591_fix
Configure the system commands to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-24-300012
- Vuln IDs
- V-270702
- Rule IDs
- SV-270702r1066595_rule
Fix: F-74636r1066594_fix
Configure the system commands and their respective parent directories to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not owned by "root" or a required system account: $ sudo chown root [FILE]
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- UBTU-24-300013
- Vuln IDs
- V-270703
- Rule IDs
- SV-270703r1066598_rule
Fix: F-74637r1066597_fix
Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account: $ sudo chgrp [SYSTEMACCOUNT] [FILE]
- RMF Control
- Severity
- M
- CCI
- CCI-004061
- Version
- UBTU-24-300014
- Vuln IDs
- V-270704
- Rule IDs
- SV-270704r1066601_rule
Fix: F-74638r1066600_fix
Configure Ubuntu 24.04 LTS to prevent the use of dictionary words for passwords. Add or update the following line in the "/etc/security/pwquality.conf" file to include the "dictcheck=1" parameter: dictcheck=1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-24-300016
- Vuln IDs
- V-270705
- Rule IDs
- SV-270705r1066604_rule
Fix: F-74639r1066603_fix
Configure Ubuntu 24.04 LTS to use "pwquality" to enforce password complexity rules. Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):

    enforcing = 1

Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value):

    password requisite pam_pwquality.so retry=3

Note: Ensure the value of "retry" is between "1" and "3".
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- UBTU-24-300017
- Vuln IDs
- V-270706
- Rule IDs
- SV-270706r1068361_rule
Fix: F-74640r1066606_fix
Configure Ubuntu 24.04 LTS to enforce a delay of at least four seconds between logon prompts following a failed logon attempt. Edit the file "/etc/pam.d/common-auth" and set the parameter "pam_faildelay" to a value of "4000000" or greater: auth required pam_faildelay.so delay=4000000
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-24-300021
- Vuln IDs
- V-270707
- Rule IDs
- SV-270707r1101786_rule
Fix: F-74641r1101785_fix
Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-24-300022
- Vuln IDs
- V-270708
- Rule IDs
- SV-270708r1066613_rule
Fix: F-74642r1066612_fix
Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11Forwarding no Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-24-300023
- Vuln IDs
- V-270709
- Rule IDs
- SV-270709r1066616_rule
Fix: F-74643r1066615_fix
Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11UseLocalhost yes Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-24-300026
- Vuln IDs
- V-270712
- Rule IDs
- SV-270712r1068363_rule
Fix: F-74646r1067121_fix
Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands:

    $ sudo systemctl disable ctrl-alt-del.target
    [...]
    $ sudo systemctl mask ctrl-alt-del.target
    Created symlink /etc/systemd/system/ctrl-alt-del.target → /dev/null.

Reload the daemon to take effect:

    $ sudo systemctl daemon-reload
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-24-300027
- Vuln IDs
- V-270713
- Rule IDs
- SV-270713r1066628_rule
Fix: F-74647r1066627_fix
Configure all accounts on the system to have a password or lock the account with the following commands:

Perform a password reset:

    $ sudo passwd [username]

Lock an account:

    $ sudo passwd -l [username]
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-24-300028
- Vuln IDs
- V-270714
- Rule IDs
- SV-270714r1134808_rule
Fix: F-74648r1066630_fix
If an account is configured for password authentication but does not have an assigned password, it is possible to log on to the account without authenticating. Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-24-300029
- Vuln IDs
- V-270715
- Rule IDs
- SV-270715r1066634_rule
Fix: F-74649r1066633_fix
Configure Ubuntu 24.04 LTS to generate audit records for events that affect "/var/log/journal". Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /var/log/journal -p wa -k systemd_journal To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-24-300030
- Vuln IDs
- V-270716
- Rule IDs
- SV-270716r1066637_rule
Fix: F-74650r1066636_fix
Configure the system to define the default permissions for all authenticated users in such a way that the user can read and modify only their own files. Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: UMASK 077
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-24-300031
- Vuln IDs
- V-270717
- Rule IDs
- SV-270717r1067177_rule
Fix: F-74651r1066639_fix
Configure the Ubuntu 24.04 LTS SSH daemon to not allow unattended or automatic login to the system. Add or edit the following lines in the "/etc/ssh/sshd_config" file:

    PermitEmptyPasswords no
    PermitUserEnvironment no

Restart the SSH daemon for the changes to take effect:

    $ sudo systemctl restart sshd.service
- RMF Control
- Severity
- M
- CCI
- CCI-003959
- Version
- UBTU-24-300039
- Vuln IDs
- V-270718
- Rule IDs
- SV-270718r1134811_rule
Fix: F-74652r1134810_fix
Configure Ubuntu 24.04 LTS to disable using the USB storage kernel module with the following command:

    $ sudo su -c "echo install usb-storage /bin/false >> /etc/modprobe.d/DISASTIG.conf"

Configure Ubuntu 24.04 LTS to disable the ability to use USB mass storage devices with the following command:

    $ sudo su -c "echo blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf"
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- UBTU-24-400000
- Vuln IDs
- V-270720
- Rule IDs
- SV-270720r1066649_rule
Fix: F-74654r1066648_fix
Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000765
- Version
- UBTU-24-400020
- Vuln IDs
- V-270721
- Rule IDs
- SV-270721r1066652_rule
Fix: F-74655r1066651_fix
Configure Ubuntu 24.04 LTS to use multifactor authentication for access to accounts. Add or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match the following line: auth [success=2 default=ignore] pam_pkcs11.so
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000765
- Version
- UBTU-24-400030
- Vuln IDs
- V-270722
- Rule IDs
- SV-270722r1067130_rule
Fix: F-74656r1066654_fix
Configure Ubuntu 24.04 LTS to use multifactor authentication for access to accounts. Set the sshd option "PubkeyAuthentication" to "yes" in the "/etc/ssh/sshd_config" file. PubkeyAuthentication yes
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-001954
- Version
- UBTU-24-400060
- Vuln IDs
- V-270723
- Rule IDs
- SV-270723r1066658_rule
Fix: F-74657r1066657_fix
Configure Ubuntu 24.04 LTS to do certificate status checking for multifactor authentication. Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".
- RMF Control
- Severity
- M
- CCI
- CCI-004045
- Version
- UBTU-24-400110
- Vuln IDs
- V-270724
- Rule IDs
- SV-270724r1066661_rule
Fix: F-74658r1066660_fix
Configure Ubuntu 24.04 LTS to prevent direct logins to the root account by performing the following operations: $ sudo passwd -l root
- RMF Control
- Severity
- M
- CCI
- CCI-004062
- Version
- UBTU-24-400220
- Vuln IDs
- V-270725
- Rule IDs
- SV-270725r1101789_rule
Fix: F-74659r1101788_fix
Configure Ubuntu 24.04 LTS to store encrypted representations of passwords. Add or modify the "sha512" parameter value to the following line in "/etc/pam.d/common-password" file: password [success=1 default=ignore] pam_unix.so obscure sha512 shadow rounds=100000
- RMF Control
- Severity
- M
- CCI
- CCI-004065
- Version
- UBTU-24-400260
- Vuln IDs
- V-270726
- Rule IDs
- SV-270726r1066667_rule
Fix: F-74660r1066666_fix
Configure Ubuntu 24.04 LTS to enforce password complexity by requiring that at least one uppercase character be used. Add or update the "/etc/security/pwquality.conf" file to contain the "ucredit" parameter: ucredit=-1
- RMF Control
- Severity
- M
- CCI
- CCI-004065
- Version
- UBTU-24-400270
- Vuln IDs
- V-270727
- Rule IDs
- SV-270727r1066670_rule
Fix: F-74661r1066669_fix
Configure Ubuntu 24.04 LTS to enforce password complexity by requiring that at least one lowercase character be used. Add or update the "/etc/security/pwquality.conf" file to contain the "lcredit" parameter: lcredit=-1
- RMF Control
- Severity
- M
- CCI
- CCI-004065
- Version
- UBTU-24-400280
- Vuln IDs
- V-270728
- Rule IDs
- SV-270728r1066673_rule
Fix: F-74662r1066672_fix
Configure Ubuntu 24.04 LTS to enforce password complexity by requiring that at least one numeric character be used. Add or update the "/etc/security/pwquality.conf" file to contain the "dcredit" parameter: dcredit=-1
- RMF Control
- Severity
- M
- CCI
- CCI-004065
- Version
- UBTU-24-400290
- Vuln IDs
- V-270729
- Rule IDs
- SV-270729r1066676_rule
Fix: F-74663r1066675_fix
Configure Ubuntu 24.04 LTS to require the change of at least eight characters when passwords are changed. Add or update the "/etc/security/pwquality.conf" file to include the "difok=8" parameter: difok=8
- RMF Control
- Severity
- M
- CCI
- CCI-004065
- Version
- UBTU-24-400300
- Vuln IDs
- V-270730
- Rule IDs
- SV-270730r1066679_rule
Fix: F-74664r1066678_fix
Configure Ubuntu 24.04 LTS to enforce a 24 hours/1 day minimum password lifetime. Add or modify the following line in the "/etc/login.defs" file: PASS_MIN_DAYS 1
- RMF Control
- Severity
- M
- CCI
- CCI-004065
- Version
- UBTU-24-400310
- Vuln IDs
- V-270731
- Rule IDs
- SV-270731r1066682_rule
Fix: F-74665r1066681_fix
Configure Ubuntu 24.04 LTS to enforce a 60-day maximum password lifetime. Add or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60
- RMF Control
- Severity
- M
- CCI
- CCI-004065
- Version
- UBTU-24-400320
- Vuln IDs
- V-270732
- Rule IDs
- SV-270732r1066685_rule
Fix: F-74666r1066684_fix
Configure Ubuntu 24.04 LTS to enforce a minimum 15-character password length. Add or modify the "minlen" parameter value to the "/etc/security/pwquality.conf" file: minlen=15
- RMF Control
- Severity
- M
- CCI
- CCI-004065
- Version
- UBTU-24-400330
- Vuln IDs
- V-270733
- Rule IDs
- SV-270733r1066688_rule
Fix: F-74667r1066687_fix
Configure Ubuntu 24.04 LTS to enforce password complexity by requiring that at least one special character be used. Add or update the following line in the "/etc/security/pwquality.conf" file to include the "ocredit=-1" parameter: ocredit=-1
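The six "/etc/security/pwquality.conf" values set by the rules above (ucredit, lcredit, dcredit, ocredit, difok, minlen) can be checked in one pass. The script below is an added example, not part of the STIG or its SCAP content; the function names and the sample file are constructed, and it assumes that the last assignment of a key wins and that a stricter value than the STIG's also passes.

```shell
#!/bin/sh
# Added example (not STIG content): audit a pwquality.conf-format file
# against the values given in the fix text above.

# Constructed sample input, not taken from a real host.
pwq_sample_conf() {
    cat <<'EOF'
# constructed sample
ucredit = -1
lcredit=-1
#dcredit=-1
ocredit = 0
difok = 8
minlen = 12
minlen = 15   # a later line replaces the earlier one
EOF
}

# pwq_value FILE KEY: print the last uncommented value assigned to KEY
# (empty when KEY is never set). Assumption: the last assignment wins.
pwq_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                      # strip comments
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# pwq_findings FILE: print one FINDING line per setting that is unset,
# non-numeric, or weaker than the STIG value; return 1 if any were printed.
# Assumption: credits of -1 or lower and difok/minlen at or above the
# STIG value are treated as passing.
pwq_findings() {
    pwq_file=$1
    pwq_rc=0
    for spec in ucredit:max:-1 lcredit:max:-1 dcredit:max:-1 ocredit:max:-1 \
                difok:min:8 minlen:min:15; do
        key=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; want=${rest#*:}
        have=$(pwq_value "$pwq_file" "$key")
        pass=0
        case $op in
            max) if [ "$have" -le "$want" ] 2>/dev/null; then pass=1; fi ;;
            min) if [ "$have" -ge "$want" ] 2>/dev/null; then pass=1; fi ;;
        esac
        if [ "$pass" -eq 0 ]; then
            echo "FINDING $key=${have:-unset} (STIG value: $want)"
            pwq_rc=1
        fi
    done
    return "$pwq_rc"
}

# Stand-alone demonstration on the constructed sample.
pwq_demo=$(mktemp)
pwq_sample_conf > "$pwq_demo"
pwq_findings "$pwq_demo" || true
rm -f "$pwq_demo"
```

On a real host, call pwq_findings with "/etc/security/pwquality.conf"; a commented-out setting is reported as unset.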
- RMF Control
- IA-5
- Severity
- L
- CCI
- CCI-002007
- Version
- UBTU-24-400340
- Vuln IDs
- V-270734
- Rule IDs
- SV-270734r1155240_rule
Fix: F-74668r1066690_fix
Configure PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]":
offline_credentials_expiration = 1
Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file.
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000187
- Version
- UBTU-24-400370
- Vuln IDs
- V-270736
- Rule IDs
- SV-270736r1066697_rule
Fix: F-74670r1066696_fix
Configure sssd to map authenticated certificates to the appropriate user group by adding the following line to the "/etc/sssd/sssd.conf" file: ldap_user_certificate=userCertificate;binary
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- UBTU-24-400375
- Vuln IDs
- V-270737
- Rule IDs
- SV-270737r1067178_rule
Fix: F-74671r1067168_fix
Configure Ubuntu 24.04 LTS, for PKI-based authentication, to validate certificates by constructing a certification path to an accepted trust anchor. Determine which pkcs11 module is being used via the "use_pkcs11_module" in "/etc/pam_pkcs11/pam_pkcs11.conf" and ensure "ca" is enabled in "cert_policy". Add or update the "cert_policy" to ensure "ca" is enabled:
cert_policy = ca,signature,ocsp_on;
If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "https://manpages.ubuntu.com/manpages/xenial/man8/pam_pkcs11.8.html".
- RMF Control
- Severity
- M
- CCI
- CCI-004068
- Version
- UBTU-24-400380
- Vuln IDs
- V-270738
- Rule IDs
- SV-270738r1066703_rule
Fix: F-74672r1066702_fix
Configure Ubuntu 24.04 LTS, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add or update the "cert_policy" option in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "crl_auto" or "crl_offline".
cert_policy = ca,signature,ocsp_on, crl_auto;
If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- UBTU-24-400400
- Vuln IDs
- V-270739
- Rule IDs
- SV-270739r1067124_rule
Fix: F-74673r1066705_fix
Configure Ubuntu 24.04 LTS to encrypt all stored passwords. Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to SHA512: ENCRYPT_METHOD SHA512
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-002884
- Version
- UBTU-24-500010
- Vuln IDs
- V-270740
- Rule IDs
- SV-270740r1066709_rule
Fix: F-74674r1066708_fix
Configure Ubuntu 24.04 LTS to audit activities performed during nonlocal maintenance and diagnostic sessions. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-w /var/log/sudo.log -p wa -k maintenance
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-000877
- Version
- UBTU-24-500050
- Vuln IDs
- V-270741
- Rule IDs
- SV-270741r1066712_rule
Fix: F-74675r1066711_fix
Configure Ubuntu 24.04 LTS to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add or modify the following line to /etc/ssh/sshd_config: UsePAM yes
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- UBTU-24-600000
- Vuln IDs
- V-270742
- Rule IDs
- SV-270742r1066715_rule
Fix: F-74676r1066714_fix
Configure Ubuntu 24.04 LTS to automatically terminate inactive SSH sessions after a period of inactivity. Modify or append the following line in the "/etc/ssh/sshd_config" file, replacing "[Count]" with a value of 1:
ClientAliveCountMax 1
Restart the SSH daemon for the changes to take effect:
$ sudo systemctl restart ssh.service
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- UBTU-24-600010
- Vuln IDs
- V-270743
- Rule IDs
- SV-270743r1066718_rule
Fix: F-74677r1066717_fix
Configure Ubuntu 24.04 LTS to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. In the file /etc/ssh/sshd_config set ClientAliveInterval to a value of "600" or less:
ClientAliveInterval 600
Restart the SSH daemon for the changes to take effect:
$ sudo systemctl restart sshd.service
- RMF Control
- SC-13
- Severity
- H
- CCI
- CCI-002450
- Version
- UBTU-24-600030
- Vuln IDs
- V-270744
- Rule IDs
- SV-270744r1137699_rule
Fix: F-74678r1066720_fix
Configure the system to run in FIPS mode. Add "fips=1" to the kernel parameters during the Ubuntu 24.04 LTS install. Enabling FIPS mode on a pre-existing system involves a number of modifications to Ubuntu 24.04 LTS. Refer to the Ubuntu Pro security certification documentation for instructions. A subscription to the "Ubuntu Pro" plan is required to obtain the FIPS Kernel cryptographic modules and enable FIPS.
Note: Ubuntu Pro security certification instructions can be found at: https://ubuntu.com/security/certifications/docs/fips-enablement
The basic steps use the following commands:
$ sudo pro attach <token>
$ sudo pro enable fips-updates
- RMF Control
- SC-24
- Severity
- M
- CCI
- CCI-001190
- Version
- UBTU-24-600070
- Vuln IDs
- V-270746
- Rule IDs
- SV-270746r1155242_rule
Fix: F-74680r1101768_fix
If kernel core dumps are not required, disable the "kdump-tools" service with the following command:
$ sudo systemctl disable kdump-tools.service
If kernel core dumps are required, document the need with the ISSO.
- RMF Control
- SC-4
- Severity
- L
- CCI
- CCI-001090
- Version
- UBTU-24-600140
- Vuln IDs
- V-270749
- Rule IDs
- SV-270749r1137695_rule
Fix: F-74683r1066735_fix
Configure Ubuntu 24.04 LTS to restrict access to the kernel message buffer. Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:
kernel.dmesg_restrict = 1
Remove any configurations that conflict with the above from the following locations:
/run/sysctl.d/
/etc/sysctl.d/
/usr/local/lib/sysctl.d/
/usr/lib/sysctl.d/
/lib/sysctl.d/
/etc/sysctl.conf
Reload settings from all system configuration files with the following command:
$ sudo sysctl --system
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-001095
- Version
- UBTU-24-600190
- Vuln IDs
- V-270753
- Rule IDs
- SV-270753r1066748_rule
Fix: F-74687r1066747_fix
Configure Ubuntu 24.04 LTS to use TCP syncookies with the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf":
net.ipv4.tcp_syncookies = 1
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- UBTU-24-700010
- Vuln IDs
- V-270756
- Rule IDs
- SV-270756r1134814_rule
Fix: F-74690r1134813_fix
Configure Ubuntu 24.04 LTS to set permissions of all log files under the /var/log directory to "640" or more restricted by using the following command:
Note: The btmp, wtmp, lastlog, history, and eipp.log.xz files are excluded. Refer to the Discussion for details.
$ sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- UBTU-24-700020
- Vuln IDs
- V-270757
- Rule IDs
- SV-270757r1184072_rule
Fix: F-74691r1184071_fix
Configure the system to set the appropriate permissions to the files and directories used by the systemd journal. Create a drop-in file if it does not already exist with the following command:
$ sudo vi /etc/tmpfiles.d/zzz-systemd-stig.conf
Add or modify the following lines in the "/usr/lib/tmpfiles.d/zzz-systemd-stig.conf" file:
z /run/log/journal 0640 root systemd-journal - -
Z /run/log/journal/%m ~0640 root systemd-journal - -
z /var/log/journal 0640 root systemd-journal - -
z /var/log/journal/%m 0640 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
Note: Restart the system for these settings to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- UBTU-24-700030
- Vuln IDs
- V-270758
- Rule IDs
- SV-270758r1066763_rule
Fix: F-74692r1066762_fix
Configure journalctl to have a permission set of "740": $ sudo chmod 740 /usr/bin/journalctl
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700040
- Vuln IDs
- V-270759
- Rule IDs
- SV-270759r1068367_rule
Fix: F-74693r1066765_fix
Configure journalctl to be owned by "root": $ sudo chown root /usr/bin/journalctl
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700050
- Vuln IDs
- V-270760
- Rule IDs
- SV-270760r1066769_rule
Fix: F-74694r1066768_fix
Configure journalctl to be group-owned by "root": $ sudo chown :root /usr/bin/journalctl
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700060
- Vuln IDs
- V-270761
- Rule IDs
- SV-270761r1184074_rule
Fix: F-74695r1184073_fix
Configure the system to set the appropriate group-ownership to the directories used by the systemd journal. Create a drop-in file if it does not already exist with the following command:
$ sudo vi /etc/tmpfiles.d/zzz-systemd-stig.conf
Add or modify the following lines in the "/usr/lib/tmpfiles.d/zzz-systemd-stig.conf" file:
z /run/log/journal 0640 root systemd-journal - -
z /var/log/journal 0640 root systemd-journal - -
Note: Restart the system for these settings to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700070
- Vuln IDs
- V-270762
- Rule IDs
- SV-270762r1184076_rule
Fix: F-74696r1184075_fix
Configure the system to set the appropriate group-ownership to the files used by the systemd journal. Create a drop-in file if it does not already exist with the following command:
$ sudo vi /etc/tmpfiles.d/zzz-systemd-stig.conf
Add or modify the following lines in the "/usr/lib/tmpfiles.d/zzz-systemd-stig.conf" file:
Z /run/log/journal/%m ~0640 root systemd-journal - -
z /var/log/journal/%m 0640 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
Note: Restart the system for these settings to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700080
- Vuln IDs
- V-270763
- Rule IDs
- SV-270763r1184078_rule
Fix: F-74697r1184077_fix
Configure the system to set the appropriate ownership to the directories used by the systemd journal. Create a drop-in file if it does not already exist with the following command:
$ sudo vi /etc/tmpfiles.d/zzz-systemd-stig.conf
Add or modify the following lines in the "/usr/lib/tmpfiles.d/zzz-systemd-stig.conf" file:
z /run/log/journal 0640 root systemd-journal - -
z /var/log/journal 0640 root systemd-journal - -
Note: Restart the system for these settings to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700090
- Vuln IDs
- V-270764
- Rule IDs
- SV-270764r1184080_rule
Fix: F-74698r1184079_fix
Configure the system to set the appropriate ownership to the files used by the systemd journal. Create a drop-in file if it does not already exist with the following command:
$ sudo vi /etc/tmpfiles.d/zzz-systemd-stig.conf
Add or modify the following lines in the "/usr/lib/tmpfiles.d/zzz-systemd-stig.conf" file:
Z /run/log/journal/%m ~0640 root systemd-journal - -
z /var/log/journal/%m 0640 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
Note: Restart the system for these settings to take effect.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700100
- Vuln IDs
- V-270765
- Rule IDs
- SV-270765r1066784_rule
Fix: F-74699r1066783_fix
Configure Ubuntu 24.04 LTS to have syslog group-own the /var/log directory with the following command: $ sudo chgrp syslog /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700110
- Vuln IDs
- V-270766
- Rule IDs
- SV-270766r1066787_rule
Fix: F-74700r1066786_fix
Configure Ubuntu 24.04 LTS to have root own the /var/log directory by running the following command: $ sudo chown root /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700120
- Vuln IDs
- V-270767
- Rule IDs
- SV-270767r1066790_rule
Fix: F-74701r1066789_fix
Configure Ubuntu 24.04 LTS to have permissions of "0755" for the /var/log directory by running the following command: $ sudo chmod 0755 /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700130
- Vuln IDs
- V-270768
- Rule IDs
- SV-270768r1066793_rule
Fix: F-74702r1066792_fix
Configure Ubuntu 24.04 LTS to have adm group-own the /var/log/syslog file by running the following command: $ sudo chgrp adm /var/log/syslog
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700140
- Vuln IDs
- V-270769
- Rule IDs
- SV-270769r1066796_rule
Fix: F-74703r1066795_fix
Configure Ubuntu 24.04 LTS to have syslog own the /var/log/syslog file by running the following command: $ sudo chown syslog /var/log/syslog
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- UBTU-24-700150
- Vuln IDs
- V-270770
- Rule IDs
- SV-270770r1066799_rule
Fix: F-74704r1066798_fix
Configure Ubuntu 24.04 LTS to have permissions of "0640" for the /var/log/syslog file by running the following command: $ sudo chmod 0640 /var/log/syslog
- RMF Control
- SI-16
- Severity
- M
- CCI
- CCI-002824
- Version
- UBTU-24-700310
- Vuln IDs
- V-270772
- Rule IDs
- SV-270772r1066805_rule
Fix: F-74706r1066804_fix
Remove the "kernel.randomize_va_space" entry found in the "/etc/sysctl.conf" file or any file located in the "/etc/sysctl.d/" directory. After the line has been removed, the kernel settings from all system configuration files must be reloaded before any of the changes will take effect. Run the following command to reload all of the kernel system configuration files: $ sudo sysctl --system
- RMF Control
- SI-2
- Severity
- M
- CCI
- CCI-002617
- Version
- UBTU-24-700320
- Vuln IDs
- V-270773
- Rule IDs
- SV-270773r1066808_rule
Fix: F-74707r1066807_fix
Configure APT to remove all software components after updated versions have been installed. Add or update the following options to the "/etc/apt/apt.conf.d/50unattended-upgrades" file:
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- UBTU-24-900040
- Vuln IDs
- V-270775
- Rule IDs
- SV-270775r1068369_rule
Fix: F-74709r1066813_fix
Configure /etc/audit/audit.rules, /etc/audit/rules.d/*, and /etc/audit/auditd.conf files to have a mode of "0640" by using the following command: $ sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- UBTU-24-900050
- Vuln IDs
- V-270776
- Rule IDs
- SV-270776r1066817_rule
Fix: F-74710r1066816_fix
Configure /etc/audit/audit.rules, /etc/audit/rules.d/*, and /etc/audit/auditd.conf files to be owned by "root" user by using the following command: $ sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- UBTU-24-900060
- Vuln IDs
- V-270777
- Rule IDs
- SV-270777r1066820_rule
Fix: F-74711r1066819_fix
Configure /etc/audit/audit.rules, /etc/audit/rules.d/*, and /etc/audit/auditd.conf files to be owned by "root" group by using the following command: $ sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900070
- Vuln IDs
- V-270778
- Rule IDs
- SV-270778r1066823_rule
Fix: F-74712r1066822_fix
Configure Ubuntu 24.04 LTS to generate audit records when successful/unsuccessful attempts to use the "su" command occur. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900080
- Vuln IDs
- V-270779
- Rule IDs
- SV-270779r1066826_rule
Fix: F-74713r1066825_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chfn" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900090
- Vuln IDs
- V-270780
- Rule IDs
- SV-270780r1066829_rule
Fix: F-74714r1066828_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900100
- Vuln IDs
- V-270781
- Rule IDs
- SV-270781r1066832_rule
Fix: F-74715r1066831_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900110
- Vuln IDs
- V-270782
- Rule IDs
- SV-270782r1066835_rule
Fix: F-74716r1066834_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900120
- Vuln IDs
- V-270783
- Rule IDs
- SV-270783r1066838_rule
Fix: F-74717r1066837_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900130
- Vuln IDs
- V-270784
- Rule IDs
- SV-270784r1068371_rule
Fix: F-74718r1066840_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
Note: For 32-bit architectures, only the 32-bit specific entries are required.
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900140
- Vuln IDs
- V-270785
- Rule IDs
- SV-270785r1068373_rule
Fix: F-74719r1066843_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules":
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng
Note: For 32-bit architectures, only the 32-bit specific entries are required.
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900150
- Vuln IDs
- V-270786
- Rule IDs
- SV-270786r1068375_rule
Fix: F-74720r1066846_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules":
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
Note: For 32-bit architectures, only the 32-bit specific entries are required.
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900160
- Vuln IDs
- V-270787
- Rule IDs
- SV-270787r1068378_rule
Fix: F-74721r1068377_fix
Configure the audit system to generate an audit event for any unsuccessful use of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
Note: For 32-bit architectures, only the 32-bit specific entries are required.
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900170
- Vuln IDs
- V-270788
- Rule IDs
- SV-270788r1066853_rule
Fix: F-74722r1066852_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900180
- Vuln IDs
- V-270789
- Rule IDs
- SV-270789r1066856_rule
Fix: F-74723r1066855_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudoedit" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules":
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900190
- Vuln IDs
- V-270790
- Rule IDs
- SV-270790r1068380_rule
Fix: F-74724r1066858_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900200
- Vuln IDs
- V-270791
- Rule IDs
- SV-270791r1066862_rule
Fix: F-74725r1066861_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900210
- Vuln IDs
- V-270792
- Rule IDs
- SV-270792r1066865_rule
Fix: F-74726r1066864_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900220
- Vuln IDs
- V-270793
- Rule IDs
- SV-270793r1066868_rule
Fix: F-74727r1066867_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900230
- Vuln IDs
- V-270794
- Rule IDs
- SV-270794r1066871_rule
Fix: F-74728r1066870_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900240
- Vuln IDs
- V-270795
- Rule IDs
- SV-270795r1066874_rule
Fix: F-74729r1066873_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900250
- Vuln IDs
- V-270796
- Rule IDs
- SV-270796r1066877_rule
Fix: F-74730r1066876_fix
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-w /var/log/faillog -p wa -k logins
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900260
- Vuln IDs
- V-270797
- Rule IDs
- SV-270797r1066880_rule
Fix: F-74731r1066879_fix
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-w /var/log/lastlog -p wa -k logins
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900270
- Vuln IDs
- V-270798
- Rule IDs
- SV-270798r1068382_rule
Fix: F-74732r1066882_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900280
- Vuln IDs
- V-270799
- Rule IDs
- SV-270799r1066886_rule
Fix: F-74733r1066885_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900290
- Vuln IDs
- V-270800
- Rule IDs
- SV-270800r1066889_rule
Fix: F-74734r1066888_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900300
- Vuln IDs
- V-270801
- Rule IDs
- SV-270801r1066892_rule
Fix: F-74735r1066891_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
To reload the rules file, issue the following command:
$ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900310
- Vuln IDs
- V-270802
- Rule IDs
- SV-270802r1066895_rule
Fix: F-74736r1066894_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900320
- Vuln IDs
- V-270803
- Rule IDs
- SV-270803r1066898_rule
Fix: F-74737r1066897_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900330
- Vuln IDs
- V-270804
- Rule IDs
- SV-270804r1066901_rule
Fix: F-74738r1066900_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900340
- Vuln IDs
- V-270805
- Rule IDs
- SV-270805r1068384_rule
Fix: F-74739r1066903_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" syscalls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
    -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng
    -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng
Note: For 32-bit architectures, only the 32-bit specific entries are required.
To reload the rules file, issue the following command:
    $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900350
- Vuln IDs
- V-270806
- Rule IDs
- SV-270806r1068386_rule
Fix: F-74740r1066906_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "delete_module" syscall. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
    -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -k module_chng
    -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k module_chng
Note: For 32-bit architectures, only the 32-bit specific entries are required.
To reload the rules file, issue the following command:
    $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900510
- Vuln IDs
- V-270807
- Rule IDs
- SV-270807r1066910_rule
Fix: F-74741r1066909_fix
Configure Ubuntu 24.04 LTS to generate audit records for all modifications that affect "/etc/sudoers". Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/sudoers -p wa -k privilege_modification To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900520
- Vuln IDs
- V-270808
- Rule IDs
- SV-270808r1067100_rule
Fix: F-74742r1066912_fix
Configure Ubuntu 24.04 LTS to generate audit records for all modifications that affect "/etc/sudoers.d" directory. Add or update the following rule to "/etc/audit/rules.d/stig.rules": -w /etc/sudoers.d -p wa -k privilege_modification To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900540
- Vuln IDs
- V-270809
- Rule IDs
- SV-270809r1068388_rule
Fix: F-74743r1066915_fix
Configure the audit system to generate audit events for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file:
    -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
    -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
Note: For 32-bit architectures, only the 32-bit specific entries are required.
To reload the rules file, issue the following command:
    $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900590
- Vuln IDs
- V-270810
- Rule IDs
- SV-270810r1066919_rule
Fix: F-74744r1066918_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/wtmp" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/wtmp -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900600
- Vuln IDs
- V-270811
- Rule IDs
- SV-270811r1066922_rule
Fix: F-74745r1066921_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/run/utmp" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -w /var/run/utmp -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900610
- Vuln IDs
- V-270812
- Rule IDs
- SV-270812r1066925_rule
Fix: F-74746r1066924_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/btmp" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/btmp -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900730
- Vuln IDs
- V-270813
- Rule IDs
- SV-270813r1066928_rule
Fix: F-74747r1066927_fix
Configure Ubuntu 24.04 LTS to audit the execution of the module management program "modprobe". Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: -w /sbin/modprobe -p x -k modules To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900740
- Vuln IDs
- V-270814
- Rule IDs
- SV-270814r1066931_rule
Fix: F-74748r1066930_fix
Configure Ubuntu 24.04 LTS to audit the execution of the module management program "kmod". Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: -w /bin/kmod -p x -k modules To reload the rules file, issue the following command: $ sudo augenrules --load
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-900750
- Vuln IDs
- V-270815
- Rule IDs
- SV-270815r1066934_rule
Fix: F-74749r1066933_fix
Configure Ubuntu 24.04 LTS to audit the execution of the partition management program "fdisk". Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: -w /usr/sbin/fdisk -p x -k fdisk To reload the rules file, issue the following command: $ sudo augenrules --load
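A check for the audit-rule fixes above, as an added example that is not part of the benchmark: it reports which of the rule lines given in those fixes are absent from a rules file such as "/etc/audit/rules.d/stig.rules". The rule text is copied from this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example: report rule lines from the fixes above that are absent from a rules file.
# Rule text is copied from this page; the function names are assumptions.

required_rules() {
cat <<'EOF'
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k module_chng
-w /etc/sudoers -p wa -k privilege_modification
-w /etc/sudoers.d -p wa -k privilege_modification
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
-w /var/log/wtmp -p wa -k logins
-w /var/run/utmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-w /usr/sbin/fdisk -p x -k fdisk
EOF
}

# Print each required rule missing from file $1; exit status 1 if any is missing.
# Comparison is textual after collapsing whitespace and skipping comment lines,
# so an equivalent rule written with a different option order is reported as missing.
missing_audit_rules() {
    REQ=$(required_rules) awk '
        function norm(s) {
            if (s ~ /^[ \t]*#/) return ""
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            return s
        }
        { r = norm($0); if (r != "") have[r] = 1 }
        END {
            n = split(ENVIRON["REQ"], want, "\n")
            for (i = 1; i <= n; i++) {
                r = norm(want[i])
                if (r != "" && !(r in have)) { print r; miss = 1 }
            }
            exit (miss ? 1 : 0)
        }
    ' "$1"
}
```

Call it as `missing_audit_rules /etc/audit/rules.d/stig.rules`; a commented-out rule counts as missing, which catches rules that were disabled rather than deleted.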
- RMF Control
- AU-8
- Severity
- L
- CCI
- CCI-001890
- Version
- UBTU-24-901220
- Vuln IDs
- V-270820
- Rule IDs
- SV-270820r1066949_rule
Fix: F-74754r1066948_fix
To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with UTC or GMT: $ sudo timedatectl set-timezone [ZONE]
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001494
- Version
- UBTU-24-901230
- Vuln IDs
- V-270821
- Rule IDs
- SV-270821r1134818_rule
Fix: F-74755r1066951_fix
Configure the audit tools on Ubuntu 24.04 LTS to be protected from unauthorized access by setting the correct permissive mode using the following command: $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissions.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001494
- Version
- UBTU-24-901240
- Vuln IDs
- V-270822
- Rule IDs
- SV-270822r1134821_rule
Fix: F-74756r1134820_fix
Configure the audit tools on Ubuntu 24.04 LTS to be protected from unauthorized access by setting the file owner as root using the following command: $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by root.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001494
- Version
- UBTU-24-901250
- Vuln IDs
- V-270823
- Rule IDs
- SV-270823r1134824_rule
Fix: F-74757r1134823_fix
Configure the audit tools on Ubuntu 24.04 LTS to be protected from unauthorized access by setting the file group as root using the following command: $ sudo chown :root [audit_tool] Replace "[audit_tool]" with each audit tool not group owned by root.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- UBTU-24-901260
- Vuln IDs
- V-270824
- Rule IDs
- SV-270824r1066961_rule
Fix: F-74758r1066960_fix
Configure the system commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- UBTU-24-901270
- Vuln IDs
- V-270825
- Rule IDs
- SV-270825r1066964_rule
Fix: F-74759r1066963_fix
Configure the system commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- UBTU-24-901280
- Vuln IDs
- V-270826
- Rule IDs
- SV-270826r1066967_rule
Fix: F-74760r1066966_fix
Configure the system commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- UBTU-24-901300
- Vuln IDs
- V-270827
- Rule IDs
- SV-270827r1066970_rule
Fix: F-74761r1066969_fix
Configure the audit log files to have a mode of "0600" or less permissive. Determine where the audit logs are stored with the following command:
    $ sudo grep -iw log_file /etc/audit/auditd.conf
    log_file = /var/log/audit/audit.log
Using the path of the directory containing the audit logs, configure the audit log files to have a mode of "0600" or less permissive by using the following command:
    $ sudo chmod 0600 /var/log/audit/*
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- UBTU-24-901310
- Vuln IDs
- V-270828
- Rule IDs
- SV-270828r1066973_rule
Fix: F-74762r1066972_fix
Configure the audit log directory and its underlying files to be owned by "root" user. Determine where the audit logs are stored with the following command:
    $ sudo grep -iw log_file /etc/audit/auditd.conf
    log_file = /var/log/audit/audit.log
Using the path of the directory containing the audit logs, configure the audit log files to be owned by "root" user by using the following command:
    $ sudo chown root /var/log/audit/*
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- UBTU-24-901350
- Vuln IDs
- V-270829
- Rule IDs
- SV-270829r1066976_rule
Fix: F-74763r1066975_fix
Configure the audit log directory and its underlying files to be owned by "root" group. Set the "log_group" parameter of the audit configuration file to the "root" value so when a new log file is created, its group owner is properly set:
    $ sudo sed -i '/^log_group/D' /etc/audit/auditd.conf
    $ sudo sed -i /^log_file/a'log_group = root' /etc/audit/auditd.conf
Signal the audit daemon to reload the configuration file to update the group owners of existing files:
    $ sudo systemctl kill auditd -s SIGHUP
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000164
- Version
- UBTU-24-901380
- Vuln IDs
- V-270830
- Rule IDs
- SV-270830r1068397_rule
Fix: F-74764r1068396_fix
Configure the audit log directory to have a mode of "0750" or less permissive. Determine where the audit logs are stored with the following command:
    $ sudo grep -iw ^log_file /etc/audit/auditd.conf
    log_file = /var/log/audit/audit.log
Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "0750" or less permissive by using the following command:
    $ sudo chmod -R 750 /var/log/audit
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001496
- Version
- UBTU-24-909890
- Vuln IDs
- V-270831
- Rule IDs
- SV-270831r1135002_rule
Fix: F-74765r1135002_fix
Add or update the following selection lines for "/etc/aide/aide.conf" to protect the integrity of the audit tools:
    # Audit Tools
    /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
    /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000163
- Version
- UBTU-24-909000
- Vuln IDs
- V-270832
- Rule IDs
- SV-270832r1068399_rule
Fix: F-74766r1068398_fix
Configure the audit system to set the audit rules to be immutable by adding the following line to the end of "/etc/audit/rules.d/audit.rules": -e 2
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- UBTU-24-300020
- Vuln IDs
- V-274868
- Rule IDs
- SV-274868r1107313_rule
Fix: F-78874r1101744_fix
Configure the operating system to not allow users to execute privileged actions without authenticating with a password. Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. $ sudo find /etc/sudoers /etc/sudoers.d -type f -exec sed -i '/NOPASSWD/ s/^/# /g' {} \;
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- UBTU-24-300019
- Vuln IDs
- V-274869
- Rule IDs
- SV-274869r1107312_rule
Fix: F-78875r1101747_fix
Configure the operating system to restrict privilege elevation to authorized personnel. Remove the following entries from the /etc/sudoers file or any configuration file under /etc/sudoers.d/:
    ALL ALL=(ALL) ALL
    ALL ALL=(ALL:ALL) ALL
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- UBTU-24-200270
- Vuln IDs
- V-274870
- Rule IDs
- SV-274870r1155243_rule
Fix: F-78876r1155226_fix
Configure Ubuntu 24.04 LTS to audit the execution of any system call made by cron as root or as any privileged user. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules":
    -w /etc/cron.d/ -p wa -k cronjobs
    -w /var/spool/cron/ -p wa -k cronjobs
To load the rules to the kernel immediately, use the following command:
    $ sudo augenrules --load
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- UBTU-24-700400
- Vuln IDs
- V-278917
- Rule IDs
- SV-278917r1155246_rule
Fix: F-83356r1134999_fix
Upgrade to a supported version of Ubuntu 24.04 LTS.