Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Verify the version of the Ubuntu operating system is vendor supported. Check the version of the Ubuntu operating system with the following command: # cat /etc/lsb-release DISTRIB_RELEASE=16.04 DISTRIB_CODENAME=xenial DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS" Validate that "Extended Security Maintenance" support has been purchased from the vendor. If the operating system does not have a documented "Extended Security Maintenance" agreement in place, this is a finding.
Upgrade to a supported version of the Ubuntu operating system.
Verify the Ubuntu operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). Obtain the list of available package security updates from Ubuntu. The URL for updates is https://www.Ubuntu.com/usn/. It is important to note that updates provided by Ubuntu may not be present on the system if the underlying packages are not installed. Check that the available package security updates have been installed on the system with the following command: # /usr/lib/update-notifier/apt-check --human-readable 246 packages can be updated. 0 updates are security updates. If security package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from JFHQ-DoDIN. If the Ubuntu operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.
Install the Ubuntu operating system patches or updated packages available from Canonical within 30 days or sooner as local policy dictates.
Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via a Gnome graphical user logon. Note: If the system does not have a graphical user logon this item is Not Applicable. Note: If the system is using lightdm, this is a finding. There is no greater configuration that can be applied to meet the requirement. Check that the Ubuntu operating system displays a banner at the logon screen with the following command: # grep banner-message-enable /etc/dconf/db/local.d/* banner-message-enable=true If "banner-message-enable" is not set to "true", is missing, set to "false", or is commented out, this is a finding.
Configure the Ubuntu operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Create a database that will contain the system wide graphical user logon settings (if it does not already exist) with the following command: # sudo touch /etc/dconf/db/local.d/01-banner-message Add the following line to the "[org/gnome/login-screen]" section of the "/etc/dconf/db/local.d/01-banner-message" file: [org/gnome/login-screen] banner-message-enable=true
Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via a command line user logon. Check that the Ubuntu operating system displays a banner at the command line login screen with the following command: # cat /etc/issue If the banner is set correctly it will return the following text: “You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.
Configure the Ubuntu operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via command line logon. Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Verify the operating system allows a user to lock the current graphical user interface session. Note: If the Ubuntu operating system does not have a graphical user interface installed, this requirement is Not Applicable. Check to see if the Ubuntu operating system allows the user to lock the current graphical user interface session with the following command: # gsettings get org.gnome.desktop.lock-enabled true If "lock-enabled" is not set to "true", this is a finding.
Configure the Ubuntu operating system so that it allows a user to lock the current Graphical User Interface session. Set the "lock-enabled" setting in the graphical user interface to allow session locks with the following command: Note: The command must be performed from a terminal window inside the graphical user interface. # sudo gsettings set org.gnome.desktop.lock-enabled true
Verify the Ubuntu operating system has the 'vlock' package installed, by running the following command: # dpkg -l | grep vlock vlock_2.2.2-7 If "vlock" is not installed, this is a finding.
Install the "vlock" (if it is not already installed) package by running the following command: # sudo apt-get install vlock
Verify the Ubuntu operating system initiates a session logout after a "15" minutes of inactivity. Check that the proper auto logout script exists with the following command: # cat /etc/profile.d/autologout.sh TMOUT=900 readonly TMOUT export TMOUT If the file "/etc/profile.d/autologout.sh" does not exist, the timeout values are commented out, the output from the function call are not the same, this is a finding.
Configure the Ubuntu operating system to initiate a session logout after a "15" minutes of inactivity. Create a file to contain the system-wide session auto logout script (if it does not already exist) with the following command: # sudo touch /etc/profile.d/autologout.sh Add the following lines to the "/etc/profile.d/autologout.sh" script: TMOUT=900 readonly TMOUT export TMOUT
Verify that the Ubuntu operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by running the following command: # grep maxlogins /etc/security/limits.conf The result must contain the following line: * hard maxlogins 10 If the "maxlogins" item is missing or the value is not set to "10" or less, or is commented out, this is a finding.
Configure the Ubuntu operating system to limit the number of concurrent sessions to ten for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf: * hard maxlogins 10
Verify the Ubuntu operating system prevents direct logins to the root account. Check that the Ubuntu operating system prevents direct logins to the root account with the following command: # grep root /etc/shadow root L 11/11/2017 0 99999 7 -1 If any output is returned and the second field is not an "L", this is a finding.
Configure the Ubuntu operating system to prevent direct logins to the root account. Run the following command to lock the root account: # passwd -l root
Verify that the "libpam-pwquality" module is installed: # dpkg -l | grep libpam-pwquality ii libpam-pwquality:amd64 1.3.0-0ubuntu1 If the "libpam-pwquality" package is not installed, this is a finding. Verify the operating system uses "pwquality" to enforce the password complexity rules. Check for the use of "pwquality" with the following command: # cat /etc/pam.d/common-password | grep pam_pwquality password required pam_pwquality.so retry=3 If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding. If the value of "retry" is set to "0" or greater than "3", this is a finding.
Configure the operating system to use "pam_pwquality" to enforce password complexity rules. Install the "libpam-pwquality" package: # sudo apt install libpam-pwquality Add the following line to "/etc/pam.d/common-password" (or modify the line to have the required value): password required pam_pwquality.so retry=3 Note: The value of "retry" should be between "1" and "3".
Verify the Ubuntu operating system enforces password complexity by requiring that at least one upper-case character be used. Determine if the field "ucredit" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: # grep -i "ucredit" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf ucredit=-1 If the "ucredit" parameter is not equal to "-1", or is commented out, this is a finding.
Configure the Ubuntu operating system to enforce password complexity by requiring that at least one upper-case character be used. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "ucredit" parameter: ucredit=-1
Verify the Ubuntu operating system enforces password complexity by requiring that at least one lower-case character be used. Determine if the field "lcredit" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: # grep -i "lcredit" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf lcredit=-1 If the "lcredit" parameter is not equal to "-1", or is commented out, this is a finding.
Configure the Ubuntu operating system to enforce password complexity by requiring that at least one lower-case character be used. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "lcredit" parameter: lcredit=-1
Verify the Ubuntu operating system enforces password complexity by requiring that at least one numeric character be used. Determine if the field "dcredit" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: # grep -i "dcredit" /etc/security/pwquality.conf etc/pwquality.conf.d/*.conf dcredit=-1 If the "dcredit" parameter is not equal to "-1", or is commented out, this is a finding.
Configure the Ubuntu operating system to enforce password complexity by requiring that at least one numeric character be used. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dcredit" parameter: dcredit=-1
Verify the Ubuntu operating system enforces password complexity by requiring that at least one special character be used. Determine if the field "ocredit" is set in the "/etc/security/pwquality.conf" file or "/etc/pwquality.conf.d/*.conf" files with the following command: # grep -i "ocredit" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf ocredit=-1 If the "ocredit" parameter is not equal to "-1", or is commented out, this is a finding.
Configure the Ubuntu operating system to enforce password complexity by requiring that at least one special character be used. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "ocredit" parameter: ocredit=-1
Verify the Ubuntu operating system requires the change of at least "8" characters when passwords are changed. Determine if the field "difok" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: # grep -i "difok" /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf difok=8 If the "difok" parameter is less than "8", or is commented out, this is a finding.
Configure the Ubuntu operating system to require the change of at least "8" characters when passwords are changed. Add or update the following line in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files to include the "difok=8" parameter: difok=8
Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. Check the hashing algorithm that is being used to hash passwords with the following command: # cat /etc/login.defs | grep -i crypt ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding.
Configure the Ubuntu operating system to encrypt all stored passwords. Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_METHOD]" to SHA512. ENCRYPT_METHOD SHA512
Verify the shadow password suite configuration is set to encrypt interactive user passwords using a strong cryptographic hash with the following command: Confirm that the interactive user account passwords are using a strong password hash with the following command: # sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6", this is a finding.
Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash. Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated.
Verify the shadow password suite configuration is set to create passwords using a strong cryptographic hash with the following command: Check that a minimum number of hash rounds is configured by running the following command: # grep rounds /etc/pam.d/common-password password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000 If "rounds" has a value below "5000", or is commented out, this is a finding.
Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/pam.d/common-password" file and set "rounds" to a value no lower than "5000": password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000
Verify that pam_unix.so auth is configured to use sha512. Check that pam_unix.so auth is configured to use sha512 with the following command: # grep password /etc/pam.d/common-password | grep pam_unix password [success=1 default=ignore] pam_unix.so obscure sha512 If "sha512" is not an option of the output, or is commented out, this is a finding.
Configure the Ubuntu operating system to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. Edit/modify the following line in the file "/etc/pam.d/common-password" file to include the sha512 option for pam_unix.so: password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5
Verify the Ubuntu operating system is configured such that the emergency administrator account is never automatically removed or disabled. Check to see if the root account password or account expires with the following command: # sudo chage -l root Password expires :never If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.
Replace "[Emergency_Administrator]" in the following command with the correct emergency administrator account. Run the following command as an administrator: # sudo chage -I -1 -M 99999 [Emergency_Administrator]
Verify that the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for new user accounts by running the following command: # grep -i pass_min_days /etc/login.defs PASS_MIN_DAYS 1 If the "PASS_MIN_DAYS" parameter value is less than "1", or commented out, this is a finding.
Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. Add, or modify the following line in the "/etc/login.defs" file: PASS_MIN_DAYS 1
Verify that the Ubuntu operating system enforces a 60-day maximum password lifetime for new user accounts by running the following command: # grep -i pass_max_days /etc/login.defs PASS_MAX_DAYS 60 If the "PASS_MAX_DAYS" parameter value is less than "60", or commented out, this is a finding.
Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. Add, or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60
Verify that the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command: # grep -i remember /etc/pam.d/common-password password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 rounds=5000 If the "remember" parameter value is not greater than or equal to "5", is commented out, or is not set at all this is a finding.
Configure the Ubuntu operating system prevents passwords from being reused for a minimum of five generations. Add or modify the "remember" parameter value to the following line in "/etc/pam.d/common-password" file: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 rounds=5000
Verify that the Ubuntu operating system enforces a minimum "15" character password length. Determine if the field "minlen" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: # grep -i minlen /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf minlen=15 If "minlen" parameter value is not "15" or higher, or is commented out, this is a finding.
Configure the Ubuntu operating system to enforce a minimum 15-character password length. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "minlen" parameter: minlen=15
To verify that null passwords cannot be used, run the following command: # grep pam_unix.so /etc/pam.d/* | grep nullok* If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding.
Remove any instances of the "nullok" option in files under "/etc/pam.d/" to prevent logons with empty passwords.
Verify the Ubuntu operating system prevents the use of dictionary words for passwords. Determine if the field "dictcheck" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: # grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf dictcheck=1 If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.
Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: dictcheck=1
Verify the "passwd" command uses the common-password settings. Check that the "passwd" command uses the common-password option with the following command: # grep common-password /etc/pam.d/passwd @ include common-password If the command does not return a line, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. Edit the file "/etc/pam.d/passwd" and add the following line: @ include common-password
Verify the account identifiers (individuals, groups, roles, and devices) are disabled after "35" days of inactivity with the following command: Check the account inactivity value by performing the following command: # sudo grep -i inactive /etc/default/useradd INACTIVE=35 If "INACTIVE" is not set to a value "0<[VALUE]<=35", or is commented out, this is a finding.
Configure the Ubuntu operating system to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for useradd: # sudo useradd -D -f 35 DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.
Verify the Ubuntu operating system automatically locks an account until the account lock is released by an administrator when three unsuccessful logon attempts are made. Check that the Ubuntu operating system automatically locks an account after three unsuccessful attempts with the following command: # grep pam_tally /etc/pam.d/common-auth auth required pam_tally2.so onerr=fail deny=3 If "onerr=fail deny=3" is not used in "/etc/pam.d/common-auth" or is called with "unlock_time", this is a finding.
Configure the Ubuntu operating system to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts are made by appending the following line to the "/etc/pam.d/common-auth file": "auth required pam_tally2.so onerr=fail deny=3"
Verify the operating system automatically locks an account for the maximum period for which the system can be configured. Check that the system locks an account for the maximum period after three unsuccessful logon attempts within a period of 15 minutes with the following command: # grep pam_faillock.so /etc/pam.d/password-auth /etc/pam.d/system-auth auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. Note: The maximum configurable value for "unlock_time" is "604800". If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
Configure the Ubuntu operating system to automatically lock an account for the maximum configurable period when three unsuccessful logon attempts are made by appending the following lines to the "etc/pam.d/password-auth" or "/etc/pam.d/system-auth" files" auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so
Verify that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate". Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" or "!authenticate" by running the following command: # sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/* %wheel ALL=(ALL) NOPASSWD: ALL If any occurrences of "NOPASSWD" or "!authenticate" return from the command, this is a finding.
Remove any occurrence of "NOPASSWD" or "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
Verify that temporary accounts have been provisioned with an expiration date for 72 hours. For every existing temporary account, run the following command to obtain its account expiration information. # sudo chage -l system_account_name Verify each of these accounts has an expiration date set within 72 hours. If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
If a temporary account must be created configure the system to terminate the account after a 72 hour time period with the following command to set an expiration date on it. Substitute "system_account_name" with the account to be created. # sudo chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name
Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts following a failed logon attempt. Check that the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts with the following command: # grep pam_faildelay /etc/pam.d/common-auth* auth required pam_faildelay.so delay=4000000 If the line is not present, or is commented out, this is a finding.
Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Edit the file "/etc/pam.d/common-auth" and set the parameter "pam_faildelay" to a value of 4000000 or greater: auth required pam_faildelay.so delay=4000000
Verify that unattended or automatic login via the Graphical User Interface is disabled. Check that unattended or automatic login is disabled with the following command: # sudo grep -i autologin /etc/lightdm/lightdm.conf /etc/lightdm.d/*.conf | grep -v '#' If any results are returned, this is a finding.
Configure the Graphical User Interface to not allow unattended or automatic login to the system. Comment or remove the following lines in "/etc/lightdm/lightdm.conf" file: #autologin-user=<username> #autologin-user-timeout=0
Verify users are provided with feedback on when account accesses last occurred. Check that "pam_lastlog" is used and not silent with the following command: # grep pam_lastlog /etc/pam.d/login session required pam_lastlog.so showfailed If "pam_lastlog" is missing from "/etc/pam.d/login" file, or the "silent" option is present, this is a finding.
Configure the Ubuntu operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin-ac". Add the following line to the top of "/etc/pam.d/login": session required pam_lastlog.so showfailed
Verify there are no ".shosts" files on the Ubuntu operating system. Check the system for the existence of these files with the following command: # sudo find / -name '*.shosts' If any ".shosts" files are found, this is a finding.
Remove any found ".shosts" files from the Ubuntu operating system. # rm /[path]/[to]/[file]/.shosts
Verify there are no "shosts.equiv" files on the Ubuntu operating system. Check for the existence of these files with the following command: # find / -name shosts.equiv If a "shosts.equiv" file is found, this is a finding.
Remove any found "shosts.equiv" files from the Ubuntu operating system. # rm /etc/ssh/shosts.equiv
Verify the system is configured to run in FIPS mode. Check that the system is configured to run in FIPS mode with the following command: # grep -i 1 /proc/sys/crypto/fips_enabled 1 If a value of "1" is not returned, this is a finding.
Configure the system to run in FIPS mode. Add "fips=1" to the kernel parameter during the Ubuntu operating systems install. Note: Enabling a FIPS mode on a pre-existing system involves a number of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 16.04 FIPS 140-2 security policy document for instructions. A subscription to the "Ubuntu Advantage" plan is required in order to obtain the FIPS Kernel cryptographic modules and enable FIPS.
Verify that an encrypted root password is set. This is only applicable on systems that use a basic Input/Output System BIOS. Run the following command to verify the encrypted password is set: # grep –i password /boot/grub/grub.cfg password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG If the root password entry does not begin with “password_pbkdf2”, this is a finding.
Configure the system to require a password for authentication upon booting into single-user and maintenance modes. Generate an encrypted (grub) password for root with the following command: # grub-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG It will generate a long password encrypted like this: grub.pbkdf2.sha512.10000.FC58373BCA15A797C418C1EA7FFB007BF5A5 Copy the complete generated code. Edit the file /etc/grub.d/40_custom (or a custom configuration file in the /etc/grub.d/ directory): At the end of the file add the following commands: set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.LONGSTRING Save the file and exit Run: sudo update-grub Reboot
Verify that an encrypted root password is set. This is only applicable on Ubuntu operating systems that use UEFI. Run the following command to verify the encrypted password is set: # grep -i password /boot/efi/EFI/ubuntu/grub.cfg password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString If the root password entry does not begin with “password_pbkdf2”, this is a finding.
Configure the system to require a password for authentication upon booting into single-user and maintenance modes. Generate an encrypted (grub) password for root with the following command: # grub-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG Using the hash from the output, modify the "/etc/grub.d/10_linux" file with the following command to add a boot password for the root entry: # cat << EOF > set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.VeryLongString > EOF Generate an updated "grub.conf" file with the new password using the following commands: # grub-mkconfig --output=/tmp/grub2.cfg # mv /tmp/grub2.cfg /boot/efi/EFI/ubuntu/grub.cfg
Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption. If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. Determine the partition layout for the system with the following command: # fdisk –l Verify that the system partitions are all encrypted with the following command: # more /etc/crypttab Every persistent disk partition present must have an entry in the file. If any partitions other than pseudo file systems (such as /proc or /sys) are not listed, this is a finding.
Configure the Ubuntu operating system to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already-installed system is more difficult, because you need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
Verify that all public directories are owned by root to prevent unauthorized and unintended information transferred via shared system resources. Check to see that all public directories have the public sticky bit set by running the following command: # sudo find / -type d -perm -0002 -exec ls -lLd {} \; drwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp If any of the returned directories are not owned by root, this is a finding.
Configure all public directories to be owned by root to prevent unauthorized and unintended information transferred via shared system resources. Set the owner of all public directories as root using the command, replace "[Public Directory]" with any directory path not owned by root: # sudo chown root [Public Directory]
Verify that all world-writable directories are group-owned by root to prevent unauthorized and unintended information transferred via shared system resources. Check the system for world-writable directories with the following command: # sudo find / -type d -perm -0002 -exec ls -lLd {} \; drwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.
Change the group of the world-writable directories to root, sys, bin, or an application group with the following command, replacing "[world-writable Directory]": # sudo chgrp root [world-writable Directory]
Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. Check that the AIDE package is installed with the following command: # sudo apt list aide aide/xenial,now 0.16~a2.git20130520-3 amd64 [installed] If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding.
Install the AIDE package by running the following command: # sudo apt-get install aide
Verify that Advanced Intrusion Detection Environment (AIDE) performs a verification of the operation of security functions every 30 days. Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week. Check that AIDE is being executed every 30 days or less with the following command: # ls -al /etc/cron.daily/aide -rwxr-xr-x 1 root root 26049 Oct 24 2014 /etc/cron.daily/aide If the "/etc/cron.daily/aide" file does not exist or the cron job is not configured to run at least every 30 days, this is a finding.
The cron file for AIDE is fairly complex as it creates the report. The easiest way to create the file is to update the AIDE package with the following command: # sudo apt-get install aide
Verify the file integrity tool is configured to verify Access Control Lists (ACLs). Use the following command to determine if the file is in a location other than "/etc/aide/aide.conf": # find / -name aide.conf Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists with the following command: # egrep "[+]?acl" /etc/aide/aide.conf VarFile = OwnerMode+n+l+X+acl If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.
Configure the file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.
Verify the file integrity tool is configured to verify extended attributes. Check to see if Advanced Intrusion Detection Environment (AIDE) is installed with the following command: # dpkg -l |grep aide ii aide 0.16~a2.git20130520-3 ii aide-common 0.16~a2.git20130520-3 If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: # find / -name aide.conf Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists with the following command: # egrep "[+]?xattrs" /etc/aide/aide.conf VarFile = OwnerMode+n+l+X+xattrs If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.
Configure the file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.
Verify that Advanced Intrusion Detection Environment (AIDE) notifies the system administrator when anomalies in the operation of any security functions are discovered. Check that AIDE notifies the system administrator when anomalies in the operation of any security functions are discovered with the following command: # sudo grep SILENTREPORTS /etc/default/aide SILENTREPORTS=no If the "/etc/default/aide" file does not exist, the cron job is configured with the "SILENTREPORTS=yes" option, or the line is commented out, this is a finding.
Modify the "SILENTREPORTS" parameter in "/etc/default/aide" file with a value "no" or if it does not already exist: SILENTREPORTS=no
Verify that Advanced Intrusion Detection Environment (AIDE) to properly configured to use cryptographic mechanisms to protect the integrity of audit tools. Check the selection lines that aide is configured to add/check with the following command: # egrep '(\/usr\/sbin\/(audit|au))' /etc/aide/aide.conf /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512 If any of the seven audit tools does not have an appropriate selection line, this is a finding.
Add or update the following selection lines to "/etc/aide/aide.conf", in order to protect the integrity of the audit tools. # Audit Tools /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512
Verify that Advance package Tool (APT) is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. Check that the "AllowUnauthenticated" variable is not set at all or set to "false" with the following command: # grep -i allowunauth /etc/apt/apt.conf.d/* /etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated "false"; If any of the files returned from the command with "AllowUnauthenticated" set to "true", this is a finding.
Configure Advance package Tool (APT) to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. Remove/Update any APT configuration file that contain the variable "AllowUnauthenticated" to "false", or remove "AllowUnauthenticated" entirely from each file. Below is an example of setting the "AllowUnauthenticated" variable to "false": APT::Get::AllowUnauthenticated "false";
Verify Advance package Tool (APT) is configured to remove all software components after updated versions have been installed. Check that APT is configured to remove all software components after updating with the following command: # grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades Unattended-Upgrade::Remove-Unused-Dependencies "true"; If the "Remove-Unused-Dependencies" parameter is not set to "true", or is missing, this is a finding.
Configure APT to remove all software components after updated versions have been installed. Add or updated the following option to the "/etc/apt/apt.conf.d/50unattended-upgrades" file: Unattended-Upgrade::Remove-Unused-Dependencies "true";
Verify that automatic mounting of the Universal Serial Bus (USB) mass storage driver has been disabled. Check that the USB mass storage drive has not been loaded with the following command: #lsmod | grep usb-storage If a "usb-storage" line is returned, this is a finding. Check that automatic mounting of the USB mass storage driver has been disabled with the following command: #sudo modprobe -vn usb-storage install /bin/true If “install /bin/true” is not returned, this is a finding.
Disable the mounting of the Universal Serial Bus (USB) mass storage driver by running the following command: # sudo echo “install usb-storage /bin/true” >> /etc/modprobe.d/DISASTIG.conf
Verify the Ubuntu operating system disables the ability to automount devices. Check to see if automounter service is active with the following command: # systemctl status autofs autofs.service - LSB: Automounts filesystems on demand Loaded: loaded (/etc/init.d/autofs; bad; vendor preset: enabled) Active: active (running) since Thu 2017-05-04 07:53:51 EDT; 6 days ago Docs: man:systemd-sysv-generator(8) CGroup: /system.slice/autofs.service +-24206 /usr/sbin/automount --pid-file /var/run/autofs.pid If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Configure the Ubuntu operating system to disable the ability to automount devices. Turn off the automount service with the following command: # sudo systemctl stop autofs If "autofs" is required for Network File System (NFS), it must be documented with the Information System Security Officer (ISSO).
Verify the Ubuntu operating system is configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user. Check that "Pam_Apparmor" is installed on the system with the following command: # sudo apt list libpam-apparmor libpam-apparmor/xenial-updates,now 2.10.95-0ubuntu2.7 amd64 [installed] If the "Pam_Apparmor" package is not installed, this is a finding. Check that Pam_Apparmor has properly configured profiles # sudo apparmor_status apparmor module is loaded. 13 profiles are loaded. 13 profiles are in enforce mode. /sbin/dhclient ... lxc-container-default-with-nesting 0 profiles are in complain mode. If all loaded profiles are not in "enforce" mode, or there are any profiles in "complain" mode, this is a finding.
Configure the Ubuntu operating system to allow system administrators to pass information to any other Ubuntu operating system administrator or user. Install "Pam_Apparmor" (if it is not installed) with the following command: # sudo apt-get install libpam-apparmor Enable/Activate "Apparmor" (if it is not already active) with the following command: # sudo systemctl enable apparmor.service Start "Apparmor" with the following command: # sudo systemctl start apparmor.service Note: Pam_Apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "Pam_Apparmor" documentation for more information on configuring profiles.
Verify the Ubuntu operating system is configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and access to user home directories. Check that "Apparmor" is configured to employ application whitelisting and home directory access control with the following command: # sudo apparmor_status apparmor module is loaded. 13 profiles are loaded. 13 profiles are in enforce mode. /sbin/dhclient ... lxc-container-default-with-nesting 0 profiles are in complain mode. If the defined profiles do not match the organization’s list of authorized software, this is a finding.
Configure the Ubuntu operating system to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Install "Apparmor" (if it is not installed) with the following command: # sudo apt-get install libpam-apparmor Enable/Activate "Apparmor" (if it is not already active) with the following command: # sudo systemctl enable apparmor.service Start "Apparmor" with the following command: # sudo systemctl start apparmor.service Note: Apparmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. See the "Apparmor" documentation for more information on configuring profiles.
Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. Check that the "ctrl-alt-del.target" (otherwise also known as reboot.target) is not active with the following command: # systemctl status ctrl-alt-del.target reboot.target - Reboot Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled) Active: inactive (dead) Docs: man:systemd.special(7) If the "ctrl-alt-del.target" is active, this is a finding.
Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command: # sudo systemctl mask ctrl-alt-del.target And reload the daemon to take effect # sudo systemctl daemon-reload
Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface. Check that the "logout" target is not bound to an action with the following command: # grep logout /etc/dconf/db/local.d/* logout='' If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.
Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user interface. Note: These settings are examples using the operating system's default (GNOME) graphical user interface. Create or edit the /etc/dconf/db/local.d/00-disable-CAD file. Add the setting to disable the Ctrl-Alt-Delete sequence: [org/gnome/settings-daemon/plugins/media-keys] logout=’’ Then update the dconf settings: # dconf update
Verify the Ubuntu operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. Check that the Ubuntu operating system defines default permissions for all authenticated users with the following command: # grep -i "umask" /etc/login.defs UMASK 077 If the "UMASK" variable is set to "000", this is a finding with the severity raised to a CAT I. If the value of "UMASK" is not set to "077", "UMASK" is commented out or "UMASK" is missing completely, this is a finding.
Configure the system to define the default permissions for all authenticated users in such a way that the user can only read and modify their own files. Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: UMASK 077
Verify all accounts on the system are assigned to an active system, application, or user account. Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). Check the system accounts on the system with the following command: # more /etc/passwd root:x:0:0:root:/root:/bin/bash ... games:x:5:60:games:/usr/games:/usr/sbin/nologin Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.
Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. Document all authorized accounts on the system.
Verify that the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive users. Check that the Ubuntu operating system contains no duplicate UIDs for interactive users with the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, and the accounts listed are interactive user accounts, this is a finding.
Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate User ID (UID) with a unique UID.
Check the Ubuntu operating system for duplicate User ID (UID) "0" assignments with the following command: # awk -F: '$3 == 0 {print $1}' /etc/passwd root If any accounts other than root have a UID of "0", this is a finding.
Change the User ID (UID) of any account on the system, other than root, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.
Verify a policy exists that ensures when a user account is created, it is created using a method that forces a user to change their password upon their next login. If a policy does not exist, this is a finding.
Create a policy that ensures when a user is created, it is created using a method that forces a user to change their password upon their next login. Below are two examples of how to create a user account that requires the user to change their password upon their next login. # chage -d 0 [UserName] or # passwd -e [UserName]
Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. Note: If smart card authentication is not being used on the system this item is Not Applicable. Check that PAM prohibits the use of cached authentications after one day with the following command: # sudo grep -i "timestamp_timeout" /etc/pam.d/* timestamp_timeout=86400 If "timestamp_timeout" is not set to a value of "86400" or less, or is commented out, this is a finding.
Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/pam.d/common-auth" or "/etc/pam.d/common-session" just below the line "[pam]". timestamp_timeout = 86400
Verify all files and directories on the Ubuntu operating system have a valid owner. Check the owner of all files and directories with the following command: # sudo find / -nouser If any files on the system do not have an assigned owner, this is a finding.
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the Ubuntu operating system with the "chown" command: # sudo chown <user> <file>
Verify all files and directories on the Ubuntu operating system have a valid group. Check the owner of all files and directories with the following command: # sudo find / -nogroup If any files on the system do not have an assigned group, this is a finding.
Either remove all files and directories from the Ubuntu operating system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: # sudo chgrp <group> <file>
Verify local interactive users on the Ubuntu operating system have a home directory assigned. Check for missing local interactive user home directories with the following command: # sudo pwck -r user 'lp': directory '/var/spool/lpd' does not exist user 'news': directory '/var/spool/news' does not exist user 'uucp': directory '/var/spool/uucp' does not exist user 'www-data': directory '/var/www' does not exist Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command: # sudo cut -d: -f 1,3 /etc/passwd | egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$" If any interactive users do not have a home directory assigned, this is a finding.
Assign home directories to all local interactive users on the Ubuntu operating system that currently do not have a home directory assigned.
Verify all local interactive users on the Ubuntu operating system are assigned a home directory upon creation. Check to see if the system is configured to create home directories for local interactive users with the following command: # grep -i create_home /etc/login.defs CREATE_HOME yes If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yes
Verify the assigned home directory of all local interactive users on the Ubuntu operating system exists. Check the home directory assignment for all local interactive non-privileged users with the following command: $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd smithj 1001 /home/smithj Note: This may miss interactive users that have been assigned a privileged User ID (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. Check that all referenced home directories exist with the following command: $ sudo pwck -r user 'smithj': directory '/home/smithj' does not exist If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.
Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a User ID (UID) of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". $ sudo mkdir /home/smithj $ sudo chown smithj /home/smithj $ sudo chgrp users /home/smithj $ sudo chmod 0750 /home/smithj
Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive. Check the home directory assignment for all non-privileged users with the following command: Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.
Change the mode of interactive user’s home directories to "0750". To change the mode of a local interactive user’s home directory, use the following command: Note: The example will be for the user "smithj". $ sudo chmod 0750 /home/smithj
Verify the assigned home directory of all local interactive users is group-owned by that user’s primary Group Identifier (GID). Check the home directory assignment for all non-privileged users on the system with the following command: Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example. $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj Check the user's primary group with the following command: $ sudo grep admin /etc/group admin:x:250:smithj,jonesj,jacksons If the user home directory referenced in "/etc/passwd" is not group-owned by that user’s primary GID, this is a finding.
Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. $ sudo chgrp users /home/smithj
Verify that all local initialization files have a mode of "0740" or less permissive. Check the mode on all local initialization files with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". # ls -al /home/smithj/.* | more -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something If any local initialization files have a mode more permissive than "0740", this is a finding.
Set the mode of the local initialization files to "0740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". # chmod 0740 /home/smithj/.<INIT_FILE>
Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users’ home directory or the system default. Check the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands: Note: The example will be for the smithj user, which has a home directory of "/home/smithj". # grep -i path /home/smithj/.* /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin /home/smithj/.bash_profile:export PATH If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Edit the local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory or the system default. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the Information System Security Officer (ISSO).
Verify that local initialization files do not execute world-writable programs. Check the system for world-writable files with the following command: # sudo find / -perm -002 -type f -exec ls -ld {} \; | more For all files listed, check for their presence in the local initialization files with the following commands: Note: The example will be for a system that is configured to create users’ home directories in the "/home" directory. # grep <file> /home/*/.* If any local initialization files are found to reference world-writable files, this is a finding.
Set the mode on files being executed by the local initialization files with the following command: # chmod 0755 <file>
Verify file systems that contain user home directories are mounted with the "nosuid" option. Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system. Find the file system(s) that contain the user home directories with the following command: # awk -F: '($3>=1000)&&($1!="nobody"){print $1,$3,$6}' /etc/passwd smithj:1001: /home/smithj robinst:1002: /home/robinst Check the file systems that are mounted at boot time with the following command: # more /etc/fstab UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2 If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.
Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users.
Verify file systems that are used for removable media are mounted with the "nosuid" option. Check the file systems that are mounted at boot time with the following command: # more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.
Verify file systems that are being Network File System (NFS) imported are mounted with the "nosuid" option. Find the file system(s) that contain the directories being exported with the following command: # grep nfs /etc/fstab | grep nosuid UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via Network File System (NFS).
Verify file systems that are being Network File System (NFS) imported are mounted with the "noexec" option. Find the file system(s) that contain the directories being exported with the following command: # grep nfs /etc/fstab | grep noexec UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via Network File System (NFS).
Verify that kernel core dumps are disabled unless needed. Check the status of the "kdump" service with the following command: # systemctl status kdump.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead) If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). If the service is active and is not documented, this is a finding.
If kernel core dumps are not required, disable the "kdump" service with the following command: # systemctl disable kdump.service If kernel core dumps are required, document the need with the Information System Security Officer (ISSO).
Verify that a separate file system/partition has been created for non-privileged local interactive user home directories. Check the home directory assignment for all non-privileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command: # awk -F: '($3>=1000)&&($1!="nobody"){print $1,$3,$6}' /etc/passwd adamsj 1001 /home/adamsj jacksonm 1002 /home/jacksonm smithj 1003 /home/smithj The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, "/home") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. Check that a file system/partition has been created for the non-privileged interactive users with the following command: Note: The partition of "/home" is used in the example. # grep /home /etc/fstab UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2 If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.
Migrate the "/home" directory onto a separate file system/partition.
Verify that a separate file system/partition has been created for "/var". Check that a file system/partition has been created for "/var" with the following command: # grep /var /etc/fstab UUID=c274f65f /var ext4 noatime,nobarrier 1 2 If a separate entry for "/var" is not in use, this is a finding.
Migrate the "/var" path onto a separate file system.
Verify that a separate file system/partition has been created for the system audit data path. Check that a file system/partition has been created for the system audit data path with the following command: Note: /var/log/audit is used as the example as it is a common location. #grep /var/log/audit /etc/fstab UUID=3645951a /var/log/audit ext4 defaults 1 2 If a separate entry for "/var/log/audit" does not exist, ask the System Administrator if the system audit logs are being written to a different file system/partition on the system, then grep for that file system/partition. If a separate file system/partition does not exist for the system audit data path, this is a finding.
Migrate the system audit data path onto a separate file system.
Verify the "/var/log" directory is group-owned by syslog. Check that the "/var/log" directory is group owned by syslog with the following command: # ls -lad /var/log | cut -d' ' -f4 syslog If "syslog" is not returned as a result, this is a finding.
Change the group of the directory "/var/log" to "syslog" by running the following command: # sudo chgrp syslog /var/log
Verify the /var/log directory is owned by root. Check that the /var/log directory is owned by root with the following command: # ls -lad /var/log | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.
Change the owner of the directory /var/log to root by running the following command: # sudo chown root /var/log
Verify that the "/var/log" directory has a mode of "0770" or less. Check the mode of the "/var/log" directory with the following command: # stat -c "%a %n" /var/log 770 If a value of "0770" or less permissive is not returned, this is a finding.
Change the permissions of the directory "/var/log" to "0770" by running the following command: # sudo chmod 0770 /var/log
Verify the "/var/log/syslog" file is group-owned by "adm". Check that "/var/log/syslog" is group-owned by "adm" with the following command: # ls -la /var/log/syslog | cut -d' ' -f4 adm If "adm" is not returned as a result, this is a finding.
Change the group of the file "/var/log/syslog" to "adm" by running the following command: # sudo chgrp adm /var/log/syslog
Verify that the /var/log/syslog file is owned by syslog. Check that the /var/log/syslog file is owned by syslog with the following command: # ls -la /var/log/syslog | cut -d' ' -f3 syslog If "syslog" is not returned as a result, this is a finding.
Change the owner of the file /var/log/syslog to syslog by running the following command: # sudo chown syslog /var/log/syslog
Verify that the "/var/log/syslog" file has mode "0640" or less permissive. Check that "/var/log/syslog" has mode "0640" or less permissive with the following command: # stat -c "%a %n" /var/log/syslog 640 /var/log/syslog If a value of "640" or less permissive is not returned, this is a finding.
Change the permissions of the file "/var/log/syslog" to "0640" by running the following command: # sudo chmod 0640 /var/log/syslog
Verify the system-wide shared library files contained in the following directories have mode "0755" or less permissive. Check that the system-wide shared library files contained in the following directories have mode "0755" or less permissive with the following command: Note: Replace "[directory]" with one of the following paths: /lib /lib64 /usr/lib # find /lib /lib64 /usr/lib -perm /022 -type f | xargs ls -la /usr/lib64/pkcs11-spy.so If any system-wide shared library file is found to be group-writable or world-writable, this is a finding.
Configure the library files to be protected from unauthorized access. Run the following command, replacing "[file]" with any library file with a mode more permissive than 0755. # sudo chmod 0755 [file]
Verify the system-wide shared library files are owned by "root". Check that the system-wide shared library files are owned by "root" with the following command: # sudo find /lib /usr/lib /lib64 ! -user root | xargs ls -la If any system wide shared library file is returned, this is a finding.
Configure the system-wide shared library files (/lib, /usr/lib, /lib64) to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file not owned by "root". # sudo chown root [FILE]
Verify the system-wide shared library files contained in the following directories are group-owned by "root". Check that the system-wide shared library files are group-owned by "root" with the following command: # sudo find /lib /usr/lib /lib64 ! -group root | xargs ls -la If any system wide shared library file is returned, this is a finding.
Configure the library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file not group-owned by root. # sudo chgrp root [FILE]
Verify the system commands contained in the following directories have mode "0755" or less permissive. Check that the system command files contained in the following directories have mode "0755" or less permissive with the following command: # find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 | xargs ls -la If any system commands are found to be group-writable or world-writable, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command with a mode more permissive than "0755". # sudo chmod 0755 [FILE]
Verify the system commands contained in the following directories are owned by "root". Check that the system command files contained in the following directories are owned by "root" with the following command: # sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root | xargs ls -la If any system commands are returned, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not owned by "root". # sudo chown root [FILE]
Verify the system commands contained in the following directories are group-owned by "root". Check that the system command files contained in the following directories are group-owned by "root" with the following command: # sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root | xargs ls -la If the command returns any files that are not group-owned by "root", and if they are not SGID and owned by a privileged group, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root". # sudo chgrp root [FILE]
Verify the audit service is configured to produce audit records. Check that the audit service is installed properly with the following command: # dpkg -l | grep auditd If the "auditd" package is not installed, this is a finding. Check that the audit service is properly running and active on the system with the following command: # systemctl is-active auditd.service active If the command above returns "inactive", this is a finding.
Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command: # sudo apt-get install auditd Enable the audit service with the following command: # sudo systemctl enable auditd.service Restart the audit service with the following command: # sudo systemctl restart auditd.service
Verify the audit service is active. Check that the audit service is active with the following command: # service auditd status Active: active (running) If the service is not active this is a finding.
Start the auditd service, and enable the auditd service with the following commands: Start the audit service. # systemctl start auditd.service Enable auditd in the targets of the system. # systemctl enable auditd.service
Verify the Ubuntu operating system allocates audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. Determine which partition the audit records are being written to with the following command: # sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command: # df –h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command: #du –sh [audit_partition] 1.8G /var/log/audit Note: The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. If the audit record partition is not allocated for sufficient storage capacity, this is a finding.
Allocate enough storage capacity for at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. If audit records are stored on a partition made specifically for audit records, use the "X" program to resize the partition with sufficient space to contain one week's worth of audit records. If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created.
Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to with the following command: # sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"): # df -h /var/log/audit/ 1.0G /var/log/audit If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command: # du -sh <partition> 1.0G /var Determine what the threshold is for the system to take action when 75% of the repository maximum audit record storage capacity is reached: # grep -i space_left /etc/audit/auditd.conf space_left = 250 If the value of the "space_left" keyword is not set to 25% of the total partition size, this is a finding.
Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to: # grep log_file /etc/audit/auditd.conf Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"): # df -h /var/log/audit/ Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25% of the partition size.
Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following commands: #sudo grep space_left_action /etc/audit/auditd.conf space_left_action email If the space_left_action is set to "email" check the value of the "action_mail_acct" parameter with the following command: #sudo grep action_mail_acct parameter /etc/audit/auditd.conf action_mail_acct parameter root@localhost If the space_left_action or the action_mail_accnt parameters are set to blanks, this is a finding. If the space_left_action is set to "syslog", the system logs the event, this is not a finding. If the space_left_action is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding. The action_mail_acct parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the e-mail address of the system administrator(s) and/or ISSO, this is a finding. Note: If the email address of the system administrator is on a remote system a mail package must be available.
Configure the operating system to immediately notify the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec", "email", or "syslog". If the "space_left_action" parameter is set to "email" set the "action_mail_acct" parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO).
Verify that the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) are notified in the event of an audit processing failure. Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) in the event of an audit processing failure with the following command: #sudo grep space_left_action /etc/audit/auditd.conf action_mail_acct = root If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, this is a finding.
Configure "auditd" service to notify the System Administrator (SA) and Information System Security Officer (ISSO) in the event of an audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root
Verify that the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) are notified when the audit storage volume is full. Check which action the Ubuntu operating system takes when the audit storage volume is full with the following command: # sudo grep max_log_file_action /etc/audit/auditd.conf max_log_file_action=syslog If the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out, this is a finding.
Configure the Ubuntu operating system to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with the a value of "syslog" or "keep_logs": max_log_file_action=syslog
Verify the Ubuntu operating system takes the appropriate action when the audit storage volume is full. Check that the Ubuntu operating system takes the appropriate action when the audit storage volume is full with the following command: # sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = HALT If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.
Configure the Ubuntu operating system to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file: disk_full_action = HALT
Verify the action that the remote audit system takes when the storage volume becomes full. Check the action that the remote audit system takes when the storage volume becomes full with the following command: # sudo grep disk_full /etc/audisp/audisp-remote.conf disk_full_action = single If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
Configure the remote audit system to take an appropriate action when the audit storage is full. Add, edit or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" like the below example: disk_full_action = single
Verify the audit system authenticates off-loading audit records to a different system. Check that the off-loading of audit records to a different system is authenticated with the following command: # sudo grep enable /etc/audisp/audisp-remote.conf enable_krb5 = yes If “enable_krb5” option is not set to "yes" or the line is commented out, this is a finding.
Configure the audit system to authenticate off-loading audit records to a different system. Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it to "yes". See the example below. enable_krb5 = yes
Verify the audit logs have a mode of "0600" or less permissive. First determine where the audit logs are stored with the following command: # sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file, check if the audit log has a mode of "0600" or less permissive with the following command: # sudo stat -c "%a %n" /var/log/audit/audit.log 600 /var/log/audit/audit.log If the audit log has a mode more permissive than "0600", this is a finding.
Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command: # sudo chmod 0600 [audit_log_file] Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log".
Verify the audit log directories have a mode of "0750" or less permissive by first determining where the audit logs are stored with the following command: # sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log, determine the directory where the audit logs are stored (ex: "/var/log/audit"). Run the following command to determine the permissions for the audit log folder: # sudo stat -c "%a %n" /var/log/audit 750 /var/log/audit If the audit log directory has a mode more permissive than "0750", this is a finding.
Configure the audit log directory to be protected from unauthorized read access by setting the correct permissive mode with the following command: # sudo chmod 0750 [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit".
Verify the audit logs are owned by "root". First determine where the audit logs are stored with the following command: # sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: # sudo ls -la /var/log/audit/audit.log rw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log If the audit log is not owned by "root", this is a finding.
Configure the audit log to be protected from unauthorized read access, by setting the correct owner as "root" with the following command: # sudo chown root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log".
Verify the audit logs are group-owned by "root". First determine where the audit logs are stored with the following command: # sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file, determine if the audit log is group-owned by "root" using the following command: # sudo ls -la /var/log/audit/audit.log rw------- 2 root root 8096 Jun 26 11:56 /var/log/audit/audit.log If the audit log is not group-owned by "root", this is a finding.
Configure the audit log to be protected from unauthorized read access, by setting the correct group-owner as "root" with the following command: # sudo chgrp root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log".
Verify the audit log directory is owned by "root" to prevent unauthorized read access. Determine where the audit logs are stored with the following command: # sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Determine the audit log directory by using the output of the above command (ex: "/var/log/audit/"). Run the following command with the correct audit log directory path: # sudo ls -ld /var/log/audit drwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit If the audit log directory is not owned by "root", this is a finding.
Configure the audit log to be protected from unauthorized read access, by setting the correct owner as "root" with the following command: # sudo chown root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".
Verify the audit log directory is group-owned by "root" to prevent unauthorized read access. Determine where the audit logs are stored with the following command: # sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Determine the audit log directory by using the output of the above command (ex: "/var/log/audit/"). Run the following command with the correct audit log directory path: # sudo ls -ld /var/log/audit drwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit If the audit log directory is not group-owned by "root", this is a finding.
Configure the audit log to be protected from unauthorized read access, by setting the correct group-owner as "root" with the following command: # sudo chgrp root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".
Verify that the /etc/audit/audit.rule and /etc/audit/auditd.conf file have a mode of 0640 or less permissive by using the following command: # sudo ls -la /etc/audit/audit.rules -rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules -rw-r----- 1 root root 621 Sep 22 2014 auditd.conf If the "/etc/audit/audit.rule" or "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.
Configure the /etc/audit/audit.rule and /etc/audit/auditd.conf file to have a mode of 0640 with the following command: # sudo chmod 0640 /etc/audit/audit.rule # sudo chmod 0640 /etc/audit/audit.conf
Verify the audit log files are owned by "root". Check where the audit logs are stored on the system using the following command: # sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the audit log path from the command above, replace "[log_path]" in the following command: # sudo ls -la [log_path] | cut -d' ' -f3 root If the audit logs are not group-owned by "root", this is a finding.
Change the owner of the audit log file by running the following command: Use the following command to get the audit log path: # sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the audit log path from the command above, replace "[log_path]" in the following command: # sudo chown root [log_path]
Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. Check the octal permission of each audit tool by running the following command: #stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules 755 /sbin/augenrules If any of the audit tools has a mode more permissive than "0755", this is a finding.
Configure the audit tools to be protected from unauthorized access by setting the correct permissive mode using the following command: # sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode.
Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. Check the owner of each audit tool by running the following command: # ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules -rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules If any of the audit tools are not owned by "root", this is a finding.
Configure the audit tools to be owned by "root", by running the following command: # sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root".
Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification. Check the owner of each audit tool by running the following commands: # ls -la /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules -rwxr-xr-x 1 root root 97128 Jan 18 2016 /sbin/augenrules If any of the audit tools are not group-owned by "root", this is a finding.
Configure the audit tools to be group-owned by "root", by running the following command: # sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root".
Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited. Check that the records are being off-loaded to a remote server with the following command: # sudo grep -i active /etc/audisp/plugins.d/au-remote.conf active = yes If "active" is not set to "yes", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media. If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.
Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited. Set the "active" option in "/etc/audisp/plugins.d/au-remote.conf" to "yes": active = yes In order for the changes to take effect, the audit daemon must be restarted. The audit daemon can be restarted with the following command: # sudo systemctl restart auditd.service
Verify the audit system off-loads audit records to a different system or storage media from the system being audited. Check that the records are being off-loaded to a remote server with the following command: # sudo grep -i remote_server /etc/audisp/audisp-remote.conf remote_server = 10.0.1.2 If "remote_server" is not configured, or the line is commented out, this is a finding.
Configure the audit system to off-load audit records to a different system or storage media from the system being audited. Set the "remote_server" option in "/etc/audisp/audisp-remote.conf" with the IP address of the log server. See the example below. remote_server = 10.0.1.2 In order for the changes to take effect, the audit daemon must be restarted. The audit daemon can be restarted with the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Check the auditing rules in "/etc/audit/audit.rules" with the following command: # sudo grep /etc/passwd /etc/audit/audit.rules -w /etc/passwd -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following file system rule to "/etc/audit/audit.rules": -w /etc/passwd -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Check the auditing rules in "/etc/audit/audit.rules" with the following command: # sudo grep /etc/group /etc/audit/audit.rules -w /etc/group -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or update the following file system rule to "/etc/audit/audit.rules": -w /etc/group -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Check the auditing rules in "/etc/audit/audit.rules" with the following command: # sudo grep /etc/gshadow /etc/audit/audit.rules -w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or update the following file system rule to "/etc/audit/audit.rules": -w /etc/gshadow -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Check the auditing rules in "/etc/audit/audit.rules" with the following command: # sudo grep /etc/shadow /etc/audit/audit.rules -w /etc/shadow -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Add or update the following file system rule to "/etc/audit/audit.rules": -w /etc/shadow -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Check the auditing rules in "/etc/audit/audit.rules" with the following command: # sudo grep /etc/security/opasswd /etc/audit/audit.rules -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the command does not return a line, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or update the following file system rule to "/etc/audit/audit.rules": -w /etc/security/opasswd -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system audits the execution of privilege functions. Check if the Ubuntu operating system is configured to audit the execution of the "execve" system call, by running the following command: # sudo grep execve /etc/audit/audit.rules -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the Ubuntu operating system to audit the execution of the "execve" system call. Add or update the following file system rules to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -iw /bin/su /etc/audit/audit.rules -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return a line, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. Add or update the following rule in "/etc/audit/audit.rules": -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "chfn" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep chfn /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chfn If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chfn The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": # grep -iw "mount" /etc/audit/audit.rules -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding. If all uses of the "mount" command are not being audited, this is a finding.
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F path=/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount The audit daemon must be restarted for the changes to take effect: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "umount" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep umount /etc/audit/audit.rules -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "ssh-agent" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep ssh-agent /etc/audit/audit.rules -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "ssh-keysign" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep ssh-keysign /etc/audit/audit.rules -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify if the Ubuntu operating system is configured to audit the execution of the module management program "kmod", by running the following command: # sudo grep "/bin/kmod" /etc/audit/audit.rules -w /bin/kmod -p x -k modules If the command does not return a line, or the line is commented out, this is a finding.
Configure the Ubuntu operating system to audit the execution of the module management program "kmod" by adding the following line to "/etc/audit/audit.rules": -w /bin/kmod -p x -k modules The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify if the Ubuntu operating system is configured to audit the execution of the "setxattr" system call, by running the following command: # sudo grep -w setxattr /etc/audit/audit.rules -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the Ubuntu operating system to audit the execution of the "setxattr" system call, by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify if the Ubuntu operating system is configured to audit the execution of the "lsetxattr" system call, by running the following command: # sudo grep -w lsetxattr /etc/audit/audit.rules -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the Ubuntu operating system to audit the execution of the "lsetxattr" system call, by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify if the Ubuntu operating system is configured to audit the execution of the "fsetxattr" system call, by running the following command: # sudo grep -w fsetxattr /etc/audit/audit.rules -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the Ubuntu operating system to audit the execution of the "fsetxattr" system call, by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify if the Ubuntu operating system is configured to audit the execution of the "removexattr" system call, by running the following command: # sudo grep -w removexattr /etc/audit/audit.rules -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the Ubuntu operating system to audit the execution of the "removexattr" system call, by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify if the Ubuntu operating system is configured to audit the execution of the "lremovexattr" system call, by running the following command: # sudo grep -w lremovexattr /etc/audit/audit.rules -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the Ubuntu operating system to audit the execution of the "lremovexattr" system call, by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify if the Ubuntu operating system is configured to audit the execution of the "fremovexattr" system call, by running the following command: # sudo grep -w fremovexattr /etc/audit/audit.rules -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the Ubuntu operating system to audit the execution of the "fremovexattr" system call by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chown" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w chown /etc/audit/audit.rules -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown" command by adding the following line to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "fchown" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w fchown /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchown" command by adding the following line to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "fchownat" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w fchownat /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchownat" command by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "lchown" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w lchown /etc/audit/audit.rules -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "lchown" command by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chmod" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w chmod /etc/audit/audit.rules -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod" command by adding the following line to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "fchmod" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w fchmod /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmod" command by adding the following line to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "fchmodat" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w fchmodat /etc/audit/audit.rules -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "fchmodat" command by adding the following lines to "/etc/audit/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "open" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -iw open /etc/audit/audit.rules -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "open" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "truncate" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -iw truncate /etc/audit/audit.rules -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "truncate" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "ftruncate" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -iw ftruncate /etc/audit/audit.rules -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ftruncate" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "creat" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -iw creat /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "creat" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "openat" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -iw openat /etc/audit/audit.rules -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "openat" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "open_by_handle_at" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -iw open_by_handle_at /etc/audit/audit.rules -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access If the command does not return all lines, or the lines are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "open_by_handle_at" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "sudo" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w sudo /etc/audit/audit.rules -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chsh" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w chsh /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "newgrp" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w newgrp /etc/audit/audit.rules -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chcon" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w chcon /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "apparmor_parser" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w apparmor_parser /etc/audit/audit.rules -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "setfacl" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w setfacl /etc/audit/audit.rules -a always,exit -F path=/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F path=/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "chacl" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w chacl /etc/audit/audit.rules -a always,exit -F path=/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F path=/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "tallylog" file occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w tallylog /etc/audit/audit.rules -w /var/log/tallylog -p wa -k logins If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "tallylog" file occur. Add or update the following rules in the "/etc/audit/audit.rules" file: -w /var/log/tallylog -p wa -k logins The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "faillog" file occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w faillog /etc/audit/audit.rules -w /var/log/faillog -p wa -k logins If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file occur. Add or update the following rules in the "/etc/audit/audit.rules" file: -w /var/log/faillog -p wa -k logins The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "lastlog" file occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w lastlog /etc/audit/audit.rules -w /var/log/lastlog -p wa -k logins If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file occur. Add or update the following rules in the "/etc/audit/audit.rules" file: -w /var/log/lastlog -p wa -k logins The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "passwd" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w passwd /etc/audit/audit.rules -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "unix_update" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w "unix_update" /etc/audit/audit.rules -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "gpasswd" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w gpasswd /etc/audit/audit.rules -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "chage" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w chage /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "usermod" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w usermod /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "crontab" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w crontab /etc/audit/audit.rules -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that an audit event is generated for any successful/unsuccessful use of the "pam_timestamp_check" command. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w pam_timestamp_check /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. Add or update the following rule in the "/etc/audit/audit.rules" file: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "init_module" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w "init_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k module_chng -a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k module_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k module_chng -a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k module_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "finit_module" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w "finit_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "finit_module" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify the Ubuntu operating system generates an audit record when successful/unsuccessful attempts to use the "delete_module" command occur. Check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -w "delete_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "delete_module" command. Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: # sudo systemctl restart auditd.service
Verify that the telnet package is not installed on the Ubuntu operating system. Check that the telnet daemon is not installed on the Ubuntu operating system by running the following command: # sudo apt list telnetd If the package is installed, this is a finding.
Remove the telnet package from the Ubuntu operating system by running the following command: # sudo apt-get remove telnetd
Verify that the Network Information Service (NIS) package is not installed on the Ubuntu operating system. Check to see if the NIS package is installed with the following command: # sudo apt list nis If the NIS package is installed, this is a finding.
Configure the Ubuntu operating system to disable non-essential capabilities by removing the Network Information Service (NIS) package from the system with the following command: # sudo apt-get remove nis
Verify that the rsh-server package is not installed on the Ubuntu operating system. Check to see if the rsh-server package is installed with the following command: # sudo apt list rsh-server If the rsh-server package is installed, this is a finding.
Configure the Ubuntu operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: # sudo apt-get remove rsh-server
Verify that the Uncomplicated Firewall is installed. Check that the Uncomplicated Firewall is installed with the following command: # sudo apt list ufw ii ufw 0.35-0Ubuntu2 [installed] If the "ufw" package is not installed, ask the System Administrator if another application firewall is installed. If no application firewall is installed this is a finding.
Install Uncomplicated Firewall with the following command: # sudo apt-get install ufw
Verify the Uncomplicated Firewall is enabled on the system by running the following command: # sudo systemctl is-enabled ufw enabled If the above command returns the status as "disabled", this is a finding. If the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed. If no application firewall is installed this is a finding.
Enable the Uncomplicated Firewall by using the following commands: # sudo systemctl start ufw # sudo systemctl enable ufw
Verify the Uncomplicated Firewall is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems. Check the Uncomplicated Firewall configuration with the following command: # sudo ufw status Status: active To Action From -- ------ ---- [ 1] 22 LIMIT IN Anywhere If any services, ports, or applications are "allowed" and are not documented with the organization, this is a finding.
Configure the Uncomplicated Firewall to employ a deny-all, allow-by-exception policy for allowing connections to other systems. Remove any service that is not needed or documented by the organization with the following command (replace [NUMBER] with the rule number): # sudo ufw delete [NUMBER] Another option would be to set the Uncomplicated Firewall back to default with the following commands: # sudo ufw default deny incoming # sudo ufw default allow outgoing Note: UFW’s defaults are to deny all incoming connections and allow all outgoing connections.
Verify the Uncomplicated Firewall is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems. Check the Uncomplicated Firewall configuration with the following command: # sudo ufw status Status: active To Action From -- ------ ---- [ 1] 22 LIMIT IN Anywhere If any services, ports, or applications are "allowed" and are not documented with the organization, this is a finding.
Add/Modify the Ubuntu operating system's firewall settings and/or running services to comply with the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL).
Verify that all world writable directories have the sticky bit set. Check to see that all world writable directories have the sticky bit set by running the following command: # sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null drwxrwxrwxt 7 root root 4096 Jul 26 11:19 /tmp If any of the returned directories are world writable and do not have the sticky bit set, this is a finding.
Configure all world writable directories have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all world writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit: # sudo chmod 1777 [World-Writable Directory]
The system clock must be configured to compare the system clock at least every 24 hours to the authoritative time source. Note: If the system is not networked this item is Not Applicable. The value of [source] should be an authoritative DoD time source. Verify that "Chrony" is active and enabled by running the following command: # sudo systemctl status chrony.service chrony.service - LSB: Controls chronyd NTP time daemon Loaded: loaded (/etc/init.d/chrony; bad; vendor preset: enabled) Active: active (running) since Wed 2020-01-08 14:01:47 EST; 50min ago Docs: man:systemd-sysv-generator(8) If "chrony.service" is not "loaded", this is a finding. If "chrony.service" is not "active (running)", this is a finding. Verify that the "chrony.conf" file is configured to an authoritative DoD time source by running the following command: # grep -i ^server /etc/chrony/chrony.conf server [source] iburst maxpoll 17 If the parameter "server" is not set, is not set to an authoritative DoD time source, or is commented out, this is a finding. Check the value of "maxpoll" in the "/etc/chrony/chrony.conf" file with the following command: # sudo grep -i maxpoll /etc/chrony/chrony.conf server [source] iburst maxpoll 17 If "maxpoll" is not set to "17" or does not exist, this is a finding.
Note: If the system is not networked this item is Not Applicable. To configure the system clock to compare the system clock at least every 24 hours to the authoritative time source, edit the "/etc/chrony/chrony.conf" file. Add or correct the following lines, by replacing "[source]" in the following line with an authoritative DoD time source: server [source] iburst maxpoll 17 If the "chrony" service was running and the value of "maxpoll" or "server" was updated, then the service must be restarted using the following command: # sudo systemctl restart chrony.service If the "chrony" service was not running then it must be started: # sudo systemctl start chrony.service
Verify that Network Time Protocol (NTP) is running in continuous mode. Check that NTP is running in continuous mode with the following command: # grep ntpdate /etc/init.d/ntpd if ntpdate -u -s -b -p 4 -t 5 $NTPSERVER ; then If the option "-q" is present, this is a finding.
The Network Time Protocol (NTP) will run in continuous mode by default. If the query only option (-q) has been added to the ntpdate command in /etc/init.d/ntpd it must be removed.