Riverbed NetIM OS Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- RIIM-OS-100006
- Vuln IDs
-
- V-275534
- Rule IDs
-
- SV-275534r1147652_rule
Checks: C-79636r1147650_chk
Verify "/etc/audit/audit.rules", "/etc/audit/auditd.conf", and "/etc/audit/rules.d/*" files have a mode of "640" or less permissive by using the following command: $ sudo ls -al /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/* | awk '{print $1, $9}' -rw-r----- /etc/audit/audit.rules -rw-r----- /etc/audit/auditd.conf -rw-r----- /etc/audit/rules.d/audit.rules If "/etc/audit/audit.rules", "/etc/audit/auditd.conf", or "/etc/audit/rules.d/*" files have a mode more permissive than "640", this is a finding.
Fix: F-79541r1147651_fix
Configure /etc/audit/audit.rules", "/etc/audit/auditd.conf", and "/etc/audit/rules.d/*" files to have a mode of "640" by using the following command: $ sudo chmod -R 640 /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/*
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-211015
- Vuln IDs
-
- V-275565
- Rule IDs
-
- SV-275565r1147745_rule
Checks: C-79667r1147743_chk
Verify Ubuntu OS is not configured to reboot the system when Ctrl-Alt-Delete is pressed by using the following command: $ systemctl status ctrl-alt-del.target ctrl-alt-del.target Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) Active: inactive (dead) If the "ctrl-alt-del.target" is not masked, this is a finding.
Fix: F-79572r1147744_fix
Configure Ubuntu OS to disable the Ctrl-Alt-Delete sequence for the command line by using the following commands: $ sudo systemctl disable ctrl-alt-del.target $ sudo systemctl mask ctrl-alt-del.target Reload the daemon to take effect: $ sudo systemctl daemon-reload
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RIIM-OS-212010
- Vuln IDs
-
- V-275566
- Rule IDs
-
- SV-275566r1147748_rule
Checks: C-79668r1147746_chk
Verify Ubuntu OS requires a password for authentication upon booting into single-user and maintenance modes by using the following command: $ sudo grep -i password /boot/grub/grub.cfg password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 If the root password entry does not begin with "password_pbkdf2", this is a finding.
Fix: F-79573r1147747_fix
Configure Ubuntu OS to require a password for authentication upon booting into single-user and maintenance modes. Note: GRUB password will need to be disabled prior to upgrade of the NETIM System if done unattended. Generate an encrypted (grub) password for root by using the following command: $ grub-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Using the hash from the output, modify the "/etc/grub.d/40_custom" file by using the following command to add a boot password: $ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command. Generate an updated "grub.conf" file with the new password by using the following command: $ sudo update-grub
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- RIIM-OS-213010
- Vuln IDs
-
- V-275567
- Rule IDs
-
- SV-275567r1147751_rule
Checks: C-79669r1147749_chk
Verify Ubuntu OS is configured to restrict access to the kernel message buffer by using the following command: $ sysctl kernel.dmesg_restrict kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. Verify there are no configurations that enable the kernel dmesg function: $ sudo grep -ir kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null /etc/sysctl.d/10-kernel-hardening.conf:kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1", is commented out, is missing, or conflicting results are returned, this is a finding.
Fix: F-79574r1147750_fix
Configure Ubuntu OS to restrict access to the kernel message buffer. Add or modify the following line in the "/etc/sysctl.conf" file: kernel.dmesg_restrict = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/ /etc/sysctl.d/ /usr/local/lib/sysctl.d/ /usr/lib/sysctl.d/ /lib/sysctl.d/ /etc/sysctl.conf Reload settings from all system configuration files by using the following command: $ sudo sysctl --system Note: This is set by default as part of the NetIM Ubuntu baseline.
- RMF Control
- SC-24
- Severity
- M
- CCI
- CCI-001190
- Version
- RIIM-OS-213015
- Vuln IDs
-
- V-275568
- Rule IDs
-
- SV-275568r1148289_rule
Checks: C-79670r1147752_chk
Verify kernel core dumps are disabled with the following command: $ systemctl is-active kdump.service inactive If the "kdump" service is active, ask the system administrator (SA) if the use of the service is required and documented with the information system security officer (ISSO). If the service is active, this is a finding.
Fix: F-79575r1147753_fix
Disable the "kdump" service with the following command: $ sudo systemctl disable kdump.service If kernel core dumps are required, document the need with the ISSO.
- RMF Control
- SI-16
- Severity
- M
- CCI
- CCI-002824
- Version
- RIIM-OS-213020
- Vuln IDs
-
- V-275569
- Rule IDs
-
- SV-275569r1147757_rule
Checks: C-79671r1147755_chk
Verify Ubuntu OS implements address space layout randomization (ASLR) by using the following command: $ sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 If no output is returned, verify the kernel parameter "randomize_va_space" is set to "2" by using the following command: $ cat /proc/sys/kernel/randomize_va_space 2 If "kernel.randomize_va_space" is not set to "2", this is a finding. Verify that a saved value of the "kernel.randomize_va_space" variable is not defined. $ sudo grep -ER "^kernel.randomize_va_space=[^2]" /etc/sysctl.conf /etc/sysctl.d If this returns a result, this is a finding.
Fix: F-79576r1147756_fix
Remove the "kernel.randomize_va_space" entry found in the "/etc/sysctl.conf" file or any file located in the "/etc/sysctl.d/" directory. Reload the system configuration files for the changes to take effect by using the following command: $ sudo sysctl --system
- RMF Control
- SI-16
- Severity
- M
- CCI
- CCI-002824
- Version
- RIIM-OS-213025
- Vuln IDs
-
- V-275570
- Rule IDs
-
- SV-275570r1147760_rule
Checks: C-79672r1147758_chk
Verify the NX (no-execution) bit flag is set on the system by using the following command: $ sudo dmesg | grep -i "execute disable" [ 0.000000] NX (Execute Disable) protection: active If "dmesg" does not show "NX (Execute Disable) protection: active", check the hardware capabilities of the installed CPU by using the following command: $ grep flags /proc/cpuinfo | grep -o nx | sort -u nx If no output is returned, this is a finding.
Fix: F-79577r1147759_fix
Configure Ubuntu OS to enable NX. If the installed CPU is hardware capable of NX protection, check if the system's BIOS/UEFI setup configuration permits toggling the "NX bit" or "no execution bit", and set it to "enabled".
- RMF Control
- Severity
- H
- CCI
- CCI-003992
- Version
- RIIM-OS-214010
- Vuln IDs
-
- V-275571
- Rule IDs
-
- SV-275571r1147763_rule
Checks: C-79673r1147761_chk
Verify APT is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate recognized and approved by the organization by using the following command: $ grep -i allowunauthenticated /etc/apt/apt.conf.d/* /etc/apt/apt.conf.d/01-vendor-ubuntu:APT::Get::AllowUnauthenticated "false"; If "APT::Get::AllowUnauthenticated" is not set to "false", is commented out, or is missing, this is a finding.
Fix: F-79578r1147762_fix
Configure APT to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate recognized and approved by the organization. Add or modify the following line in any file under the "/etc/apt/apt.conf.d/" directory: APT::Get::AllowUnauthenticated "false";
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-215010
- Vuln IDs
-
- V-275573
- Rule IDs
-
- SV-275573r1147769_rule
Checks: C-79675r1147767_chk
Verify Ubuntu OS has the "libpam-pwquality" package installed with the following command: $ dpkg -l | grep libpam-pwquality ii libpam-pwquality:amd64 1.4.4-1build2 amd64 PAM module to check password strength If "libpam-pwquality" is not installed, this is a finding.
Fix: F-79580r1147768_fix
Install the "pam_pwquality" package by using the following command: $ sudo apt-get install libpam-pwquality
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-215020
- Vuln IDs
-
- V-275574
- Rule IDs
-
- SV-275574r1147772_rule
Checks: C-79676r1147770_chk
Verify the "systemd-timesyncd" package is not installed by using the following command: $ dpkg -l | grep systemd-timesyncd If the "systemd-timesyncd" package is installed, this is a finding.
Fix: F-79581r1147771_fix
The "systemd-timesyncd" package will be uninstalled as part of the "chrony" package install. The remaining configuration files for "systemd-timesyncd" must be purged from the operating system: $ sudo dpkg -P --force-all systemd-timesyncd
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-215025
- Vuln IDs
-
- V-275575
- Rule IDs
-
- SV-275575r1147775_rule
Checks: C-79677r1147773_chk
Verify the "ntp" package is not installed by using the following command: $ dpkg -l | grep ntp If the "ntp" package is installed, this is a finding.
Fix: F-79582r1147774_fix
Uninstall the "ntp" package by using the following command: $ sudo dpkg -P --force-all ntp
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- RIIM-OS-215030
- Vuln IDs
-
- V-275576
- Rule IDs
-
- SV-275576r1147778_rule
Checks: C-79678r1147776_chk
Verify the "rsh-server" package is not installed by using the following command: $ dpkg -l | grep rsh-server If the "rsh-server" package is installed, this is a finding.
Fix: F-79583r1147777_fix
Remove the "rsh-server" package by using the following command: $ sudo apt-get remove rsh-server
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000197
- Version
- RIIM-OS-215035
- Vuln IDs
-
- V-275577
- Rule IDs
-
- SV-275577r1147781_rule
Checks: C-79679r1147779_chk
Verify the "telnetd" package is not installed on Ubuntu OS by using the following command: $ dpkg -l | grep telnetd If the "telnetd" package is installed, this is a finding.
Fix: F-79584r1147780_fix
Remove the "telnetd" package by using the following command: $ sudo apt-get remove telnetd
- RMF Control
- SC-28
- Severity
- M
- CCI
- CCI-001199
- Version
- RIIM-OS-231010
- Vuln IDs
-
- V-275578
- Rule IDs
-
- SV-275578r1147784_rule
Checks: C-79680r1147782_chk
Verify Ubuntu OS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Note: If there is a documented and approved reason for not having data-at-rest encryption, this requirement is not applicable. Determine the partition layout for the system by using the following command: $ sudo fdisk -l ... Device Start End Sectors Size Type /dev/sda1 2048 2203647 2201600 1G EFI System /dev/sda2 2203648 6397951 4194304 2G Linux filesystem /dev/sda3 6397952 536868863 530470912 252.9G Linux filesystem ... Verify the system partitions are all encrypted by using the following command: # more /etc/crypttab Every persistent disk partition present must have an entry in the file. If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.
Fix: F-79585r1147783_fix
To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized, and existing partitions changed.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- RIIM-OS-232010
- Vuln IDs
-
- V-275579
- Rule IDs
-
- SV-275579r1147787_rule
Checks: C-79681r1147785_chk
Verify the system commands directories have mode "755" or less permissive by using the following command: $ find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any directories are found to be group-writable or world-writable, this is a finding.
Fix: F-79586r1147786_fix
Configure Ubuntu OS commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RIIM-OS-232015
- Vuln IDs
-
- V-275580
- Rule IDs
-
- SV-275580r1147790_rule
Checks: C-79682r1147788_chk
Verify the system commands contained in the following directories have mode "755" or less permissive by using the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec stat -c "%n %a" '{}' \; If any files are found to be group-writable or world-writable, this is a finding.
Fix: F-79587r1147789_fix
Configure Ubuntu OS commands to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RIIM-OS-232020
- Vuln IDs
-
- V-275581
- Rule IDs
-
- SV-275581r1147793_rule
Checks: C-79683r1147791_chk
Verify the systemwide shared library files contained in the directories "/lib", "/lib64", and "/usr/lib" have mode "755" or less permissive by using the following command: $ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec stat -c "%n %a" '{}' \; If any files are found to be group-writable or world-writable, this is a finding.
Fix: F-79588r1147792_fix
Configure the library files to be protected from unauthorized access. Run the following command: $ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \;
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001314
- Version
- RIIM-OS-232025
- Vuln IDs
-
- V-275582
- Rule IDs
-
- SV-275582r1147796_rule
Checks: C-79684r1147794_chk
Verify the "/var/log" directory has mode of "755" or less permissive by using the following command: Note: If rsyslog is active and enabled on the operating system, this requirement is not applicable. $ stat -c "%n %a" /var/log /var/log 755 If a value of "755" or less permissive is not returned, this is a finding.
Fix: F-79589r1147795_fix
Configure the "/var/log" directory to have permissions of "0755" by using the following command: $ sudo chmod 0755 /var/log
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- RIIM-OS-232026
- Vuln IDs
-
- V-275583
- Rule IDs
-
- SV-275583r1147799_rule
Checks: C-79685r1147797_chk
Verify Ubuntu OS has all system log files under the "/var/log" directory with a permission set to "640" or less permissive by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vul Discussion for details. $ sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c "%n %a" {} \; If the command displays any output, this is a finding.
Fix: F-79590r1147798_fix
Configure Ubuntu OS to set permissions of all log files under the "/var/log" directory to "640" or more restricted by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vul Discussion for details. $ sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- RIIM-OS-232027
- Vuln IDs
-
- V-275584
- Rule IDs
-
- SV-275584r1147802_rule
Checks: C-79686r1147800_chk
Verify the /run/log/journal and /var/log/journal directories have permissions set to "2750" or less permissive by using the following command: $ sudo find /run/log/journal /var/log/journal -type d -exec stat -c "%n %a" {} \; /run/log/journal 2750 /var/log/journal 2750 /var/log/journal/3b018e681c904487b11671b9c1987cce 2750 If any output returned has a permission set greater than "2750", this is a finding. Verify all files in the /run/log/journal and /var/log/journal directories have permissions set to "640" or less permissive by using the following command: $ sudo find /run/log/journal /var/log/journal -type f -exec stat -c "%n %a" {} \; /var/log/journal/3b018e681c904487b11671b9c1987cce/system@99dcc72bb1134aaeae4bf157aa7606f4-0000000000003c7a-0006073f8d1c0fec.journal 640 /var/log/journal/3b018e681c904487b11671b9c1987cce/system.journal 640 /var/log/journal/3b018e681c904487b11671b9c1987cce/user-1000.journal 640 /var/log/journal/3b018e681c904487b11671b9c1987cce/user-1000@bdedf14602ff4081a77dc7a6debc8626-00000000000062a6-00060b4b414b617a.journal 640 /var/log/journal/3b018e681c904487b11671b9c1987cce If any output returned has a permission set greater than "640", this is a finding.
Fix: F-79591r1147801_fix
Configure Ubuntu OS to set the appropriate permissions to the files and directories used by the systemd journal: Add or modify the following lines in the "`/usr/lib/tmpfiles.d/systemd.conf" file: z /run/log/journal 2750 root systemd-journal - - Z /run/log/journal/%m ~2750 root systemd-journal - - z /var/log/journal 2750 root systemd-journal - - z /var/log/journal/%m 2750 root systemd-journal - - z /var/log/journal/%m/system.journal 0640 root systemd-journal - - Restart the system for the changes to take effect.
- RMF Control
- SI-12
- Severity
- M
- CCI
- CCI-001315
- Version
- RIIM-OS-232030
- Vuln IDs
-
- V-275585
- Rule IDs
-
- SV-275585r1147805_rule
Checks: C-79687r1147803_chk
Verify that Ubuntu OS configures the "/var/log/syslog" file with mode "640" or less permissive by using the following command: $ stat -c "%n %a" /var/log/syslog /var/log/syslog 640 If a value of "640" or less permissive is not returned, this is a finding.
Fix: F-79592r1147804_fix
Configure Ubuntu OS to have permissions of "640" for the "/var/log/syslog" file by using the following command: $ sudo chmod 0640 /var/log/syslog
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001493
- Version
- RIIM-OS-232035
- Vuln IDs
-
- V-275586
- Rule IDs
-
- SV-275586r1147808_rule
Checks: C-79688r1147806_chk
Verify Ubuntu OS configures the audit tools to have a file permission of "755" or less to prevent unauthorized access by using the following command: $ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd* /sbin/augenrules /sbin/auditctl 755 /sbin/aureport 755 /sbin/ausearch 755 /sbin/autrace 755 /sbin/auditd 755 /sbin/audispd-zos-remote 755 /sbin/augenrules 755 If any of the audit tools have a mode more permissive than "0755", this is a finding.
Fix: F-79593r1147807_fix
Configure the audit tools on Ubuntu OS to be protected from unauthorized access by setting the correct permissive mode using the following command: $ sudo chmod 755 <audit_tool_name> Replace "<audit_tool_name>" with the audit tool that does not have the correct permissions.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- RIIM-OS-232040
- Vuln IDs
-
- V-275587
- Rule IDs
-
- SV-275587r1147811_rule
Checks: C-79689r1147809_chk
Verify the system commands directories are owned by "root" by using the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system commands directories are returned, this is a finding.
Fix: F-79594r1147810_fix
Configure Ubuntu OS commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001495
- Version
- RIIM-OS-232045
- Vuln IDs
-
- V-275588
- Rule IDs
-
- SV-275588r1147814_rule
Checks: C-79690r1147812_chk
Verify the system commands directories are group-owned by "root" by using the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.
Fix: F-79595r1147813_fix
Configure Ubuntu OS commands directories to be protected from unauthorized access. Run the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RIIM-OS-232050
- Vuln IDs
-
- V-275589
- Rule IDs
-
- SV-275589r1147817_rule
Checks: C-79691r1147815_chk
Verify the system commands contained in the following directories are owned by "root", or a required system account, by using the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \; If any system commands are returned and are not owned by a required system account, this is a finding.
Fix: F-79596r1147816_fix
Configure Ubuntu OS commands and their respective parent directories to be protected from unauthorized access. Run the following command, replacing "<command_name>" with any system command not owned by "root" or a required system account: $ sudo chown root <command_name>
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RIIM-OS-232055
- Vuln IDs
-
- V-275590
- Rule IDs
-
- SV-275590r1147820_rule
Checks: C-79692r1147818_chk
Verify the system commands contained in the following directories are group-owned by "root" or a required system account by using the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec stat -c "%n %G" '{}' \; If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.
Fix: F-79597r1147819_fix
Configure Ubuntu OS commands to be protected from unauthorized access. Run the following command, replacing "<command_name>" with any system command not group-owned by "root" or a required system account: $ sudo chgrp root <command_name>
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RIIM-OS-232060
- Vuln IDs
-
- V-275591
- Rule IDs
-
- SV-275591r1147823_rule
Checks: C-79693r1147821_chk
Verify the systemwide shared library directories "/lib", "/lib64", and "/usr/lib" are owned by "root" by using the following command: $ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; If any systemwide library directory is returned, this is a finding.
Fix: F-79598r1147822_fix
Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: $ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec chown root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RIIM-OS-232065
- Vuln IDs
-
- V-275592
- Rule IDs
-
- SV-275592r1147826_rule
Checks: C-79694r1147824_chk
Verify the systemwide library directories "/lib", "/lib64", and "/usr/lib" are group-owned by "root" by using the following command: $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any systemwide shared library directory is returned, this is a finding.
Fix: F-79599r1147825_fix
Configure Ubuntu OS library directories to be protected from unauthorized access. Run the following command: $ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RIIM-OS-232070
- Vuln IDs
-
- V-275593
- Rule IDs
-
- SV-275593r1147829_rule
Checks: C-79695r1147827_chk
Verify the systemwide shared library files contained in the directories "/lib", "/lib64", and "/usr/lib" are owned by "root" by using the following command: $ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \; If any systemwide library file is returned, this is a finding.
Fix: F-79600r1147828_fix
Configure Ubuntu OS library files to be protected from unauthorized access. Run the following command: $ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec chown root '{}' \;
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RIIM-OS-232075
- Vuln IDs
-
- V-275594
- Rule IDs
-
- SV-275594r1147832_rule
Checks: C-79696r1147830_chk
Verify the systemwide library files contained in the directories "/lib", "/lib64", and "/usr/lib" are group-owned by "root", or a required system account, by using the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \; If any systemwide shared library file is returned and is not group-owned by a required system account, this is a finding.
Fix: F-79601r1147831_fix
Configure Ubuntu OS library files to be protected from unauthorized access. Run the following command, replacing "<command_name>" with any system command not group-owned by "root" or a required system account: $ sudo chgrp root <command_name>
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001316
- Version
- RIIM-OS-232080
- Vuln IDs
-
- V-275595
- Rule IDs
-
- SV-275595r1147835_rule
Checks: C-79697r1147833_chk
Verify the /run/log/journal and /var/log/journal directories are owned by "root" by using the following command: $ sudo find /run/log/journal /var/log/journal -type d -exec stat -c "%n %U" {} \; /run/log/journal root /var/log/journal root /var/log/journal/3b018e681c904487b11671b9c1987cce root If any output returned is not owned by "root", this is a finding.
Fix: F-79602r1147834_fix
Configure Ubuntu OS to set the appropriate ownership to the directories used by the systemd journal: Add or modify the following lines in the "/usr/lib/tmpfiles.d/systemd.conf" file: z /run/log/journal 2640 root systemd-journal - - z /var/log/journal 2640 root systemd-journal - - Restart the system for the changes to take effect.
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001317
- Version
- RIIM-OS-232085
- Vuln IDs
-
- V-275596
- Rule IDs
-
- SV-275596r1147838_rule
Checks: C-79698r1147836_chk
Verify the /run/log/journal and /var/log/journal directories are group-owned by "systemd-journal" by using the following command: $ sudo find /run/log/journal /var/log/journal -type d -exec stat -c "%n %G" {} \; /run/log/journal systemd-journal /var/log/journal systemd-journal /var/log/journal/3b018e681c904487b11671b9c1987cce systemd-journal If any output returned is not group-owned by "systemd-journal", this is a finding.
Fix: F-79603r1147837_fix
Configure Ubuntu OS to set the appropriate group-ownership to the directories used by the systemd journal: Add or modify the following lines in the "/usr/lib/tmpfiles.d/systemd.conf" file: z /run/log/journal 2640 root systemd-journal - - z /var/log/journal 2640 root systemd-journal - - Restart the system for the changes to take effect.
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001318
- Version
- RIIM-OS-232090
- Vuln IDs
-
- V-275597
- Rule IDs
-
- SV-275597r1147841_rule
Checks: C-79699r1147839_chk
Verify the /run/log/journal and /var/log/journal files are owned by "root" by using the following command: $ sudo find /run/log/journal /var/log/journal -type f -exec stat -c "%n %U" {} \; /var/log/journal/3b018e681c904487b11671b9c1987cce/system@99dcc72bb1134aaeae4bf157aa7606f4-0000000000003c7a-0006073f8d1c0fec.journal root /var/log/journal/3b018e681c904487b11671b9c1987cce/system.journal root /var/log/journal/3b018e681c904487b11671b9c1987cce/user-1000.journal root /var/log/journal/3b018e681c904487b11671b9c1987cce/user-1000@bdedf14602ff4081a77dc7a6debc8626-00000000000062a6-00060b4b414b617a.journal root /var/log/journal/3b018e681c904487b11671b9c1987cce/system@99dcc72bb1134aaeae4bf157aa7606f4-0000000000005301-000609a409 593.journal root /var/log/journal/3b018e681c904487b11671b9c1987cce/system@99dcc72bb1134aaeae4bf157aa7606f4-0000000000000001-000604dae53225ee.journal root /var/log/journal/3b018e681c904487b11671b9c1987cce/user-1000@bdedf14602ff4081a77dc7a6debc8626-000000000000083b-000604dae72c7e3b.journal root If any output returned is not owned by "root", this is a finding.
Fix: F-79604r1147840_fix
Configure Ubuntu OS to set the appropriate ownership to the files used by the systemd journal: Add or modify the following lines in the "/usr/lib/tmpfiles.d/systemd.conf" file: Z /run/log/journal/%m ~2640 root systemd-journal - - z /var/log/journal/%m 2640 root systemd-journal - - z /var/log/journal/%m/system.journal 0640 root systemd-journal - - Restart the system for the changes to take effect.
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001319
- Version
- RIIM-OS-232095
- Vuln IDs
-
- V-275598
- Rule IDs
-
- SV-275598r1147844_rule
Checks: C-79700r1147842_chk
Verify the /run/log/journal and /var/log/journal files are group-owned by "systemd-journal" by using the following command: $ sudo find /run/log/journal /var/log/journal -type f -exec stat -c "%n %G" {} \; /var/log/journal/3b018e681c904487b11671b9c1987cce/system@99dcc72bb1134aaeae4bf157aa7606f4-0000000000003c7a-0006073f8d1c0fec.journal systemd-journal /var/log/journal/3b018e681c904487b11671b9c1987cce/system.journal systemd-journal /var/log/journal/3b018e681c904487b11671b9c1987cce/user-1000.journal systemd-journal /var/log/journal/3b018e681c904487b11671b9c1987cce/user-1000@bdedf14602ff4081a77dc7a6debc8626-00000000000062a6-00060b4b414b617a.journal systemd-journal /var/log/journal/3b018e681c904487b11671b9c1987cce/system@99dcc72bb1134aaeae4bf157aa7606f4-0000000000005301-000609a409 593.journal systemd-journal /var/log/journal/3b018e681c904487b11671b9c1987cce/system@99dcc72bb1134aaeae4bf157aa7606f4-0000000000000001-000604dae53225ee.journal systemd-journal /var/log/journal/3b018e681c904487b11671b9c1987cce/user-1000@bdedf14602ff4081a77dc7a6debc8626-000000000000083b-000604dae72c7e3b.journal systemd-journal If any output returned is not group-owned by "systemd-journal", this is a finding.
Fix: F-79605r1147843_fix
Configure Ubuntu OS to set the appropriate group-ownership to the files used by the systemd journal: Add or modify the following line in the "/usr/lib/tmpfiles.d/systemd.conf" file: Z /run/log/journal/%m ~2640 root systemd-journal - - z /var/log/journal/%m 2640 root systemd-journal - - z /var/log/journal/%m/system.journal 0640 root systemd-journal - - Restart the system for the changes to take effect.
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001320
- Version
- RIIM-OS-232100
- Vuln IDs
-
- V-275599
- Rule IDs
-
- SV-275599r1147847_rule
Checks: C-79701r1147845_chk
Verify that the "journalctl" command is owned by "root" by using the following command: $ sudo find /usr/bin/journalctl -exec stat -c "%n %U" {} \; /usr/bin/journalctl root If "journalctl" is not owned by "root", this is a finding.
Fix: F-79606r1147846_fix
Configure "journalctl" to be owned by "root": $ sudo chown root /usr/bin/journalctl
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001321
- Version
- RIIM-OS-232105
- Vuln IDs
-
- V-275600
- Rule IDs
-
- SV-275600r1147850_rule
Checks: C-79702r1147848_chk
Verify that the "journalctl" command is group-owned by "root" by using the following command: $ sudo find /usr/bin/journalctl -exec stat -c "%n %G" {} \; /usr/bin/journalctl root If "journalctl" is not group-owned by "root", this is a finding.
Fix: F-79607r1147849_fix
Configure "journalctl" to be group-owned by "root": $ sudo chown :root /usr/bin/journalctl
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001493
- Version
- RIIM-OS-232110
- Vuln IDs
-
- V-275601
- Rule IDs
-
- SV-275601r1147853_rule
Checks: C-79703r1147851_chk
Verify Ubuntu OS configures the audit tools to be owned by "root" to prevent any unauthorized access with the following command: $ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd* /sbin/augenrules /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/audispd-zos-remote root /sbin/augenrules root If any of the audit tools are not owned by "root", this is a finding.
Fix: F-79608r1147852_fix
Configure the audit tools on Ubuntu OS to be protected from unauthorized access by setting the file owner as root using the following command: $ sudo chown root <audit_tool_name> Replace "<audit_tool_name>" with each audit tool not owned by "root".
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001321
- Version
- RIIM-OS-232120
- Vuln IDs
-
- V-275602
- Rule IDs
-
- SV-275602r1147856_rule
Checks: C-79704r1147854_chk
Verify Ubuntu OS configures the "/var/log" directory to be owned by "root" by using the following command: $ stat -c "%n %U" /var/log /var/log root If the "/var/log" directory is not owned by "root", this is a finding.
Fix: F-79609r1147855_fix
Configure Ubuntu OS to have root own the "/var/log" directory by using the following command: $ sudo chown root /var/log
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001321
- Version
- RIIM-OS-232125
- Vuln IDs
-
- V-275603
- Rule IDs
-
- SV-275603r1147859_rule
Checks: C-79705r1147857_chk
Verify that Ubuntu OS configures the "/var/log" directory to be group-owned by "syslog" by using the following command: $ stat -c "%n %G" /var/log /var/log syslog If the "/var/log" directory is not group-owned by "syslog", this is a finding.
Fix: F-79610r1147858_fix
Configure Ubuntu OS to have syslog group-own the "/var/log" directory by using the following command: $ sudo chgrp syslog /var/log
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001321
- Version
- RIIM-OS-232130
- Vuln IDs
-
- V-275604
- Rule IDs
-
- SV-275604r1147862_rule
Checks: C-79706r1147860_chk
Verify that Ubuntu OS configures the "/var/log/syslog" file to be owned by "syslog" by using the following command: $ stat -c "%n %U" /var/log/syslog /var/log/syslog If the "/var/log/syslog" file is not owned by "syslog", this is a finding.
Fix: F-79611r1147861_fix
Configure Ubuntu OS to have syslog own the "/var/log/syslog" file by using the following command: $ sudo chown syslog /var/log/syslog
- RMF Control
- SI-13
- Severity
- M
- CCI
- CCI-001321
- Version
- RIIM-OS-232135
- Vuln IDs
-
- V-275605
- Rule IDs
-
- SV-275605r1147865_rule
Checks: C-79707r1147863_chk
Verify that Ubuntu OS configures the "/var/log/syslog" file to be group-owned by "adm" by using the following command: $ stat -c "%n %G" /var/log/syslog /var/log/syslog adm If the "/var/log/syslog" file is not group-owned by "adm", this is a finding.
Fix: F-79612r1147864_fix
Configure Ubuntu OS to have adm group-own the "/var/log/syslog" file by using the following command: $ sudo chgrp adm /var/log/syslog
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- RIIM-OS-232140
- Vuln IDs
-
- V-275606
- Rule IDs
-
- SV-275606r1147868_rule
Checks: C-79708r1147866_chk
Verify that the "journalctl" command has a permission set of "740" by using the following command: $ sudo find /usr/bin/journalctl -exec stat -c "%n %a" {} \; /usr/bin/journalctl 740 If "journalctl" is not set to "740", this is a finding.
Fix: F-79613r1147867_fix
Configure "journalctl" to have a permission set of "740": $ sudo chmod 740 /usr/bin/journalctl
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- RIIM-OS-232145
- Vuln IDs
-
- V-275607
- Rule IDs
-
- SV-275607r1147871_rule
Checks: C-79709r1147869_chk
Verify that all public directories have the public sticky bit set by using the following command: $ sudo find / -type d -perm -002 ! -perm -1000 If any public directories are found missing the sticky bit, this is a finding.
Fix: F-79614r1147870_fix
Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all public directories using the following command, replacing "<public_directory_name>" with any directory path missing the sticky bit: $ sudo chmod +t <public_directory_name>
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- RIIM-OS-251010
- Vuln IDs
-
- V-275608
- Rule IDs
-
- SV-275608r1147874_rule
Checks: C-79710r1147872_chk
Verify the Uncomplicated Firewall (ufw) is installed by using the following command: $ dpkg -l | grep ufw ii ufw 0.36.1-4ubuntu0.1 all program for managing a Netfilter firewall If the "ufw" package is not installed, ask the system administrator if another application firewall is installed. If no application firewall is installed, this is a finding.
Fix: F-79615r1147873_fix
Install the ufw by using the following command: $ sudo apt-get install ufw
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- RIIM-OS-251015
- Vuln IDs
-
- V-275609
- Rule IDs
-
- SV-275609r1147877_rule
Checks: C-79711r1147875_chk
Verify the ufw is enabled on the system with the following command: $ sudo ufw status Status: active If the above command returns the status as "inactive" or any type of error, this is a finding.
Fix: F-79616r1147876_fix
Enable the ufw by using the following command: $ sudo ufw enable
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-251020
- Vuln IDs
-
- V-275610
- Rule IDs
-
- SV-275610r1147880_rule
Checks: C-79712r1147878_chk
Verify the Uncomplicated Firewall (ufw) is enabled on the system with the following command: $ systemctl status ufw.service | grep -i "active:" Active: active (exited) since Thu 2022-12-25 00:00:01 NZTD; 365 days 11h ago If "ufw.service" is "inactive", this is a finding. If the ufw is not installed, ask the system administrator if another application firewall is installed. If no application firewall is installed, this is a finding.
Fix: F-79617r1147879_fix
Enable and start the ufw by using the following command: $ sudo systemctl enable ufw.service --now
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-002385
- Version
- RIIM-OS-251025
- Vuln IDs
-
- V-275611
- Rule IDs
-
- SV-275611r1147883_rule
Checks: C-79713r1147881_chk
Verify an application firewall is configured to rate limit any connection to the system. Check all the services listening to the ports by using the following command: $ ss -l46ut Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp LISTEN 0 511 *:http *:* tcp LISTEN 0 128 [::]:ssh tcp LISTEN 0 128 [::]:ipp [::]:* tcp LISTEN 0 128 [::]:smtp [::]:* For each entry, verify that the ufw is configured to rate limit the service ports by using the following command: $ sudo ufw status Status: active To Action From -- ------ ---- 80/tcp LIMIT Anywhere 25/tcp LIMIT Anywhere Anywhere DENY 240.9.19.81 443 LIMIT Anywhere 22/tcp LIMIT Anywhere 80/tcp (v6) LIMIT Anywhere 25/tcp (v6) LIMIT Anywhere 22/tcp (v6) LIMIT Anywhere (v6) 25 DENY OUT Anywhere 25 (v6) DENY OUT Anywhere (v6) If any port with a state of "LISTEN" that does not have an action of "DENY", is not marked with the "LIMIT" action, this is a finding.
Fix: F-79618r1147882_fix
Configure the application firewall to protect against or limit the effects of DoS attacks by ensuring Ubuntu OS is implementing rate-limiting measures on impacted network interfaces. For each service with a port listening to connections, run the following command, replacing "<service_name>" with the service that needs to be rate limited. $ sudo ufw limit <service_name> Rate-limiting can also be done on an interface. An example of adding a rate limit on the "ens160" interface follows: $ sudo ufw limit in on ens160
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RIIM-OS-251030
- Vuln IDs
-
- V-275612
- Rule IDs
-
- SV-275612r1147886_rule
Checks: C-79714r1147884_chk
Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by using the following command: $ sudo ufw show raw Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Ask the system administrator for the site or program PPSM Components Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Fix: F-79619r1147885_fix
Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: $ sudo ufw allow <direction> <port/protocol/service> Where the direction is "in" or "out" and the port is the one corresponding to the protocol or service allowed. To deny access to ports, protocols, or services, use: $ sudo ufw deny <direction> <port/protocol/service>
- RMF Control
- Severity
- M
- CCI
- CCI-004923
- Version
- RIIM-OS-252010
- Vuln IDs
-
- V-275613
- Rule IDs
-
- SV-275613r1149439_rule
Checks: C-79715r1147887_chk
Verify Ubuntu OS is configured to compare the system clock at least every 24 hours to the authoritative time source by using the following command: Note: If the system is not networked, this requirement is not applicable. $ sudo grep maxpoll -ir /etc/chrony* server tick.usno.navy.mil iburst maxpoll 16 If the "maxpoll" option is set to a number greater than 16, the line is commented out, or is missing, this is a finding. Verify that the "chrony.conf" file is configured to an authoritative DOD time source by using the following command: $ sudo grep -ir server /etc/chrony* server tick.usno.navy.mil iburst maxpoll 16 server tock.usno.navy.mil iburst maxpoll 16 server ntp2.usno.navy.mil iburst maxpoll 16 If "server" is not defined, is not set to an authoritative DOD time source, is commented out, or missing, this is a finding.
Fix: F-79620r1147888_fix
Configure Ubuntu OS to compare the system clock at least every 24 hours to the authoritative time source. Add or modify the following line in the "/etc/chrony/chrony.conf" file: server [source] iburst maxpoll = 16 Restart "chrony.service" for the changes to take effect by using the following command: $ sudo systemctl restart chrony.service
- RMF Control
- Severity
- M
- CCI
- CCI-004926
- Version
- RIIM-OS-252015
- Vuln IDs
-
- V-275614
- Rule IDs
-
- SV-275614r1147892_rule
Checks: C-79716r1147890_chk
Verify Ubuntu OS synchronizes internal system clocks to the authoritative time source when the time difference is greater than one second. Note: If the system is not networked, this requirement is not applicable. Check the value of "makestep" by using the following command: $ grep -ir makestep /etc/chrony* makestep 1 -1 If "makestep" is not set to "1 -1", is commented out, or is missing, this is a finding. Verify the NTP service is active and the system clock is synchronized with the authoritative time source: $ timedatectl | grep -Ei '(synchronized|service)' System clock synchronized: yes NTP service: active If the NTP service is not active, this is a finding. If the system clock is not synchronized, this is a finding.
Fix: F-79621r1147891_fix
Configure chrony to synchronize the internal system clocks to the authoritative source when the time difference is greater than one second by doing the following: Edit the "/etc/chrony/chrony.conf" file and add: makestep 1 -1 Restart the chrony service: $ sudo systemctl restart chrony.service
- RMF Control
- AU-8
- Severity
- L
- CCI
- CCI-001890
- Version
- RIIM-OS-252020
- Vuln IDs
-
- V-275615
- Rule IDs
-
- SV-275615r1147895_rule
Checks: C-79717r1147893_chk
Verify the time zone is configured to use UTC by using the following command: $ timedatectl status | grep -i "time zone" Time zone: Etc/UTC (UTC, +0000) If "Time zone" is not set to UTC, this is a finding.
Fix: F-79622r1147894_fix
To Configure Ubuntu OS time zone to use UTC, run the following command: $ sudo timedatectl set-timezone Etc/UTC
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-001095
- Version
- RIIM-OS-253010
- Vuln IDs
-
- V-275616
- Rule IDs
-
- SV-275616r1147898_rule
Checks: C-79718r1147896_chk
Verify Ubuntu OS is configured to use TCP syncookies by using the following command: $ sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 If the value is not "1", this is a finding. Check the saved value of TCP syncookies by using the following command: $ sudo grep -ir net.ipv4.tcp_syncookies /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf 2> /dev/null If the "net.ipv4.tcp_syncookies" option is not set to "1", is commented out, or is missing, this is a finding. If conflicting results are returned, this is a finding.
Fix: F-79623r1147897_fix
Configure Ubuntu OS to use TCP syncookies by using the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- RIIM-OS-255010
- Vuln IDs
-
- V-275617
- Rule IDs
-
- SV-275617r1148290_rule
Checks: C-79719r1147899_chk
Verify firewall rule exists to restrict SSH to allow specific IP addresses only by using the following commands: $ sudo ufw status If a firewall rule does not exist to restrict port 22 to allow specific IP addresses and deny all other address, this is a finding.
Fix: F-79624r1147900_fix
Deny all other SSH connections and allow SSH connections from a specific IP address by using the following commands. Allow from NetIM core/worker(s)/manager in a base configuration with UFW allow. $ sudo ufw deny from any to any port 22 $ sudo ufw allow from <NETIM_IP_ADDRESS node list> to any port 22 Where NETIM_IP_ADDRESS list are the list of NETIM IP addresses for all nodes. Note: This will restrict system admins to use of the CONSOLE mechanism available depending on the Virtual Platform being used.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001384
- Version
- RIIM-OS-255020
- Vuln IDs
-
- V-275619
- Rule IDs
-
- SV-275619r1147907_rule
Checks: C-79721r1147905_chk
Verify Ubuntu 22.04 LTS displays the Standard Mandatory DOD Notice and Consent Banner before granting access to Ubuntu 22.04 LTS via an SSH logon by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'banner' /etc/ssh/sshd_config:Banner /etc/issue.net The command will return the banner option along with the name of the file that contains the SSH banner. If the line is commented out, missing, or conflicting results are returned, this is a finding. Verify the specified banner file matches the Standard Mandatory DOD Notice and Consent Banner exactly: $ cat /etc/issue.net You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, this is a finding.
Fix: F-79626r1147906_fix
Set the parameter Banner in "/etc/ssh/sshd_config" to point to the "/etc/issue.net" file: $ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config $ sudo sed -i '$aBanner /etc/issue.net' /etc/ssh/sshd_config Replace the text in "/etc/issue.net" with the Standard Mandatory DOD Notice and Consent Banner: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Restart the SSH daemon for the changes to take effect and then signal the SSH server to reload the configuration file: $ sudo systemctl -s SIGHUP kill sshd
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- RIIM-OS-255025
- Vuln IDs
-
- V-275620
- Rule IDs
-
- SV-275620r1147910_rule
Checks: C-79722r1147908_chk
Verify unattended or automatic login via SSH is disabled by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iEH '(permit(.*?)(passwords|environment))' /etc/ssh/sshd_config:PermitEmptyPasswords no /etc/ssh/sshd_config:PermitUserEnvironment no If "PermitEmptyPasswords" and "PermitUserEnvironment" are not set to "no", are commented out, are missing, or conflicting results are returned, this is a finding.
Fix: F-79627r1147909_fix
Configure the SSH server to not allow unattended or automatic login to the system. Add or modify the following lines in the "/etc/ssh/sshd_config" file: PermitEmptyPasswords no PermitUserEnvironment no Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- RIIM-OS-255030
- Vuln IDs
-
- V-275621
- Rule IDs
-
- SV-275621r1147913_rule
Checks: C-79723r1147911_chk
Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'clientaliveinterval' /etc/ssh/sshd_config:ClientAliveInterval 600 If "ClientAliveInterval" does not exist, is not set to a value of "600" or less, if conflicting results are returned, is commented out, or is missing, this is a finding.
Fix: F-79628r1147912_fix
Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. Note: This setting must be applied in conjunction with RIIM-OS-255040 to function correctly. Add or modify the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-255040
- Vuln IDs
-
- V-275622
- Rule IDs
-
- SV-275622r1147916_rule
Checks: C-79724r1147914_chk
Verify X11 forwarding is disabled by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'x11forwarding' /etc/ssh/sshd_config:X11Forwarding no If "X11Forwarding" is set to "yes" and is not documented with the information system security officer as an operational requirement, is commented out, is missing, or conflicting results are returned, this is a finding.
Fix: F-79629r1147915_fix
Configure the SSH server to disable X11 forwarding. Add or modify the following line in the "/etc/ssh/sshd_config" file: X11Forwarding no Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-255045
- Vuln IDs
-
- V-275623
- Rule IDs
-
- SV-275623r1147919_rule
Checks: C-79725r1147917_chk
Verify the SSH server prevents remote hosts from connecting to the proxy display by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'x11uselocalhost' /etc/ssh/sshd_config:X11UseLocalhost yes If "X11UseLocalhost" is set to "no", is commented out, is missing, or conflicting results are returned, this is a finding.
Fix: F-79630r1147918_fix
Configure the SSH server to prevent remote hosts from connecting to the proxy display. Add or modify the following line in the "/etc/ssh/sshd_config" file: X11UseLocalhost yes Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- RIIM-OS-255050
- Vuln IDs
-
- V-275624
- Rule IDs
-
- SV-275624r1147922_rule
Checks: C-79726r1147920_chk
Verify the SSH server is configured to only implement FIPS-approved ciphers with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'ciphers' /etc/ssh/sshd_config:Ciphers aes256-ctr,aes256-gcm@openssh.com,aes192-ctr,aes128-ctr,aes128-gcm@openssh.com If "Ciphers" does not contain only the ciphers "aes256-ctr,aes256-gcm@openssh.com,aes192-ctr,aes128-ctr,aes128-gcm@openssh.com" in exact order, is commented out, is missing, or conflicting results are returned, this is a finding.
Fix: F-79631r1147921_fix
Configure the SSH server to only implement FIPS-approved ciphers. Add or modify the following line in the "/etc/ssh/sshd_config" file: Ciphers aes256-ctr,aes256-gcm@openssh.com,aes192-ctr,aes128-ctr,aes128-gcm@openssh.com Restart the SSH server for the changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-001453
- Version
- RIIM-OS-255055
- Vuln IDs
-
- V-275625
- Rule IDs
-
- SV-275625r1147925_rule
Checks: C-79727r1147923_chk
Verify the SSH server is configured to only use MACs that employ FIPS 140-2/140-3-approved ciphers by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'macs' /etc/ssh/sshd_config:MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com If "MACs" does not contain only the hashes "hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com" in exact order, is commented out, is missing, or conflicting results are returned, this is a finding.
Fix: F-79632r1147924_fix
Configure the SSH server to only use MACs that employ FIPS 140-2/140-3-approved hashes. Add or modify the following line in the "/etc/ssh/sshd_config" file: MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com Restart the SSH server for the changes to take effect: $ sudo systemctl reload sshd.service
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- RIIM-OS-255060
- Vuln IDs
-
- V-275626
- Rule IDs
-
- SV-275626r1147928_rule
Checks: C-79728r1147926_chk
Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'kexalgorithms' /etc/ssh/sshd_config:KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 If "KexAlgorithms" does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, is commented out, is missing, or conflicting results are returned, this is a finding.
Fix: F-79633r1147927_fix
Configure the SSH server to use only FIPS-validated key exchange algorithms. Add or modify the following line in the "/etc/ssh/sshd_config" file: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Restart the SSH server for changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- MA-4
- Severity
- H
- CCI
- CCI-000877
- Version
- RIIM-OS-255065
- Vuln IDs
-
- V-275627
- Rule IDs
-
- SV-275627r1147931_rule
Checks: C-79729r1147929_chk
Verify Ubuntu OS is configured to use strong authenticators in the establishment of nonlocal maintenance and diagnostic maintenance by using the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH 'usepam' /etc/ssh/sshd_config:UsePAM yes If "UsePAM" is not set to "yes", is commented out, is missing, or conflicting results are returned, this is a finding.
Fix: F-79634r1147930_fix
Configure Ubuntu OS to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add or modify the following line to /etc/ssh/sshd_config: UsePAM yes Restart the SSH server for changes to take effect: $ sudo systemctl restart sshd.service
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000056
- Version
- RIIM-OS-271020
- Vuln IDs
-
- V-275628
- Rule IDs
-
- SV-275628r1147934_rule
Checks: C-79730r1147932_chk
Verify Ubuntu OS has a graphical user interface session lock enabled by using the following command: Note: If no graphical user interface is installed, this requirement is not applicable. $ sudo gsettings get org.gnome.desktop.screensaver lock-enabled true If "lock-enabled" is not set to "true", is commented out, or is missing, this is a finding.
Fix: F-79635r1147933_fix
Configure Ubuntu OS to allow a user to lock the current graphical user interface session. Create or edit a file named /etc/dconf/db/local.d/00-screensaver with the following contents: [org/gnome/desktop/screensaver] lock-enabled=true
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- RIIM-OS-271025
- Vuln IDs
-
- V-275629
- Rule IDs
-
- SV-275629r1147937_rule
Checks: C-79731r1147935_chk
Verify Ubuntu OS has a graphical user interface session lock configured to activate after 15 minutes of inactivity by using the following commands: Note: If no graphical user interface is installed, this requirement is not applicable. Get the following settings to verify the graphical user interface session is configured to lock the graphical user session after 15 minutes of inactivity: $ gsettings get org.gnome.desktop.screensaver lock-enabled true $ gsettings get org.gnome.desktop.screensaver lock-delay uint32 0 $ gsettings get org.gnome.desktop.session idle-delay uint32 900 If "lock-enabled" is not set to "true", is commented out, or is missing, this is a finding. If "lock-delay" is set to a value greater than "0", or if "idle-delay" is set to a value greater than "900", is commented out, or is missing, this is a finding.
Fix: F-79636r1147936_fix
Configure Ubuntu OS to lock the current graphical user interface session after 15 minutes of inactivity. Create or edit a file named /etc/dconf/db/local.d/00-screensaver with the following contents: [org/gnome/desktop/screensaver] lock-enabled=true lock-delay=0 [org/gnome/desktop/session] idle-delay=600
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-271030
- Vuln IDs
-
- V-275630
- Rule IDs
-
- SV-275630r1147940_rule
Checks: C-79732r1147938_chk
Verify Ubuntu OS is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface by using the following command: Note: If no graphical user interface is installed, this requirement is not applicable. $ gsettings get org.gnome.settings-daemon.plugins.media-keys logout @as [] If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.
Fix: F-79637r1147939_fix
Configure Ubuntu OS to disable the Ctrl-Alt-Delete sequence when using a graphical user interface. Create or edit a file named /etc/dconf/db/local.d/00-screensaver with the following contents: [org/gnome/settings-daemon/plugins/media-keys] logout="" Update the dconf settings: $ sudo dconf update
- RMF Control
- IA-3
- Severity
- M
- CCI
- CCI-001958
- Version
- RIIM-OS-291010
- Vuln IDs
-
- V-275631
- Rule IDs
-
- SV-275631r1147943_rule
Checks: C-79733r1147941_chk
Verify Ubuntu OS disables ability to load the USB storage kernel module by using the following command: $ grep usb-storage /etc/modprobe.d/* | grep "/bin/false" /etc/modprobe.d/stig.conf:install usb-storage /bin/false If the command does not return any output, or the line is commented out, this is a finding. Verify Ubuntu OS disables the ability to use USB mass storage device. $ grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" /etc/modprobe.d/stig.conf:blacklist usb-storage If the command does not return any output, or the line is commented out, this is a finding.
Fix: F-79638r1147942_fix
Configure Ubuntu OS to disable using the USB storage kernel module. Create and/or append a custom file under "/etc/modprobe.d/" to contain the following: $ sudo su -c "echo install usb-storage /bin/false >> /etc/modprobe.d/stig.conf" Configure Ubuntu OS to disable the ability to use USB mass storage devices. $ sudo su -c "echo blacklist usb-storage >> /etc/modprobe.d/stig.conf"
- RMF Control
- Severity
- M
- CCI
- CCI-004045
- Version
- RIIM-OS-411010
- Vuln IDs
-
- V-275633
- Rule IDs
-
- SV-275633r1147949_rule
Checks: C-79735r1147947_chk
Verify Ubuntu OS prevents direct logins to the root account by using the following command: $ sudo passwd -S root root L 08/09/2022 0 99999 7 -1 If the output does not contain "L" in the second field to indicate the account is locked, this is a finding.
Fix: F-79640r1147948_fix
Configure Ubuntu OS to prevent direct logins to the root account by using the following command: $ sudo passwd -l root
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RIIM-OS-411015
- Vuln IDs
-
- V-275634
- Rule IDs
-
- SV-275634r1147952_rule
Checks: C-79736r1147950_chk
Verify Ubuntu OS contains no duplicate User IDs (UIDs) for interactive users by using the following command: $ awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced and the accounts listed are interactive user accounts, this is a finding.
Fix: F-79641r1147951_fix
Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- RIIM-OS-412010
- Vuln IDs
-
- V-275640
- Rule IDs
-
- SV-275640r1147970_rule
Checks: C-79742r1147968_chk
Verify Ubuntu OS enforces a delay of at least four seconds between console logon prompts following a failed logon attempt with the following command: $ grep -i fail_delay /etc/login.defs FAIL_DELAY 4 If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.
Fix: F-79647r1147969_fix
Configure the Ubuntu OS to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to 4 or greater: FAIL_DELAY 4
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- RIIM-OS-412025
- Vuln IDs
-
- V-275642
- Rule IDs
-
- SV-275642r1147976_rule
Checks: C-79744r1147974_chk
Verify Ubuntu OS has the "vlock" package installed by using the following command: $ dpkg -l | grep vlock ii vlock 2.2.2-10 amd64 Virtual Console locking program If "vlock" is not installed, this is a finding.
Fix: F-79649r1147975_fix
Install the "vlock" package by using the following command: $ sudo apt-get install vlock
- RMF Control
- AC-12
- Severity
- M
- CCI
- CCI-002361
- Version
- RIIM-OS-412030
- Vuln IDs
-
- V-275643
- Rule IDs
-
- SV-275643r1147979_rule
Checks: C-79745r1147977_chk
Verify Ubuntu OS is configured to automatically exit interactive command shell user sessions after five minutes of inactivity or less by using the following command: $ sudo grep -E "\bTMOUT=[0-9]+" /etc/bash.bashrc /etc/profile.d/* /etc/profile.d/99-terminal_tmout.sh:TMOUT=300 If "TMOUT" is not set to "300" or less, is set to "0", is commented out, or missing, this is a finding.
Fix: F-79650r1147978_fix
Configure Ubuntu OS to exit interactive command shell user sessions after five minutes of inactivity. Create and/or append a custom file under "/etc/profile.d/" by using the following command: $ sudo su -c "echo TMOUT=300 >> /etc/profile.d/99-terminal_tmout.sh" This will set a timeout value of five minutes for all future sessions. To set the timeout for the current sessions, execute the following command over the terminal session: $ export TMOUT=300
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- RIIM-OS-431010
- Vuln IDs
-
- V-275645
- Rule IDs
-
- SV-275645r1147985_rule
Checks: C-79747r1147983_chk
Verify Ubuntu OS has the "apparmor" package installed by using the following command: $ dpkg -l | grep apparmor ii apparmor 3.0.4-2ubuntu2.3 amd64 user-space parser utility for AppArmor If the "apparmor" package is not installed, this is a finding.
Fix: F-79652r1147984_fix
Install the "appArmor" package by using the following command: $ sudo apt-get install apparmor
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- RIIM-OS-431015
- Vuln IDs
-
- V-275646
- Rule IDs
-
- SV-275646r1147988_rule
Checks: C-79748r1147986_chk
Verify Ubuntu OS AppArmor is active by using the following commands: $ systemctl is-enabled apparmor.service enabled $ systemctl is-active apparmor.service active If "apparmor.service" is not enabled and active, this is a finding. Check if AppArmor profiles are loaded and enforced by using the following command: $ sudo apparmor_status | grep -i profile 32 profiles are loaded. 32 profiles are in enforce mode. 0 profiles are in complain mode. 0 profiles are in kill mode. 0 profiles are in unconfined mode. 2 processes have profiles defined. 0 processes are unconfined but have a profile defined. If no profiles are loaded and enforced, this is a finding.
Fix: F-79653r1147987_fix
Enable and start "apparmor.service" by using the following command: $ sudo systemctl enable apparmor.service --now Note: AppArmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. See the AppArmor documentation for more information on configuring profiles.
- RMF Control
- IA-11
- Severity
- M
- CCI
- CCI-002038
- Version
- RIIM-OS-432010
- Vuln IDs
-
- V-275647
- Rule IDs
-
- SV-275647r1147991_rule
Checks: C-79749r1147989_chk
Verify the "/etc/sudoers" file has no occurrences of "NOPASSWD" or "!authenticate" by using the following command: $ sudo grep -Ei '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/* If any occurrences of "NOPASSWD" or "!authenticate" return from the command, this is a finding.
Fix: F-79654r1147990_fix
Remove any occurrence of "NOPASSWD" or "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
- RMF Control
- SC-3
- Severity
- H
- CCI
- CCI-001084
- Version
- RIIM-OS-432015
- Vuln IDs
-
- V-275648
- Rule IDs
-
- SV-275648r1147994_rule
Checks: C-79750r1147992_chk
From the NetIM shell, verify the sudo group has only members who require access to security functions by using the following command: [netimsh] :~$ shell cat /etc/group |more For the entries with sudo:x:27:<username>, verify the only username on the list is NetIMAdmin. If the sudo group contains users not needing access to security functions, this is a finding.
Fix: F-79655r1147993_fix
From the bash shell, configure the sudo group with only members requiring access to security functions. To remove a user from the sudo group, run: $ sudo gpasswd -d <username> sudo
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- RIIM-OS-611010
- Vuln IDs
-
- V-275649
- Rule IDs
-
- SV-275649r1147997_rule
Checks: C-79751r1147995_chk
Verify Ubuntu OS enforces password complexity by requiring at least one uppercase character be used by using the following command: $ grep -i ucredit /etc/security/pwquality.conf ucredit = -1 If "ucredit" is greater than "-1", is commented out, or is missing, this is a finding.
Fix: F-79656r1147996_fix
Configure Ubuntu OS and NetIMAdmin account to enforce password complexity by requiring that at least one uppercase character be used. Add or modify the following line in the "/etc/security/pwquality.conf" file: ucredit = -1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- RIIM-OS-611015
- Vuln IDs
-
- V-275650
- Rule IDs
-
- SV-275650r1148000_rule
Checks: C-79752r1147998_chk
Verify Ubuntu OS enforces password complexity by requiring that at least one lowercase character be used by using the following command: $ grep -i lcredit /etc/security/pwquality.conf lcredit = -1 If "lcredit" is greater than "-1", is commented out, or is missing, this is a finding.
Fix: F-79657r1147999_fix
Configure Ubuntu OS to enforce password complexity by requiring that at least one lowercase character be used. Add or modify the following line in the "/etc/security/pwquality.conf" file: lcredit = -1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- RIIM-OS-611020
- Vuln IDs
-
- V-275651
- Rule IDs
-
- SV-275651r1148003_rule
Checks: C-79753r1148001_chk
Verify with the following command that Ubuntu OS enforces password complexity by requiring at least one numeric character be used: $ grep -i dcredit /etc/security/pwquality.conf dcredit = -1 If "dcredit" is greater than "-1", is commented out, or is missing, this is a finding.
Fix: F-79658r1148002_fix
Configure Ubuntu OS to enforce password complexity by requiring at least one numeric character be used. Add or modify the following line in the "/etc/security/pwquality.conf" file: dcredit = -1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- RIIM-OS-611025
- Vuln IDs
-
- V-275652
- Rule IDs
-
- SV-275652r1148006_rule
Checks: C-79754r1148004_chk
Verify with the following command that Ubuntu OS enforces password complexity by requiring at least one special character be used: $ grep -i ocredit /etc/security/pwquality.conf ocredit = -1 If "ocredit" is greater than "-1", is commented out, or is missing, this is a finding.
Fix: F-79659r1148005_fix
Configure Ubuntu OS to enforce password complexity by requiring at least one special character be used. Add or modify the following line in the "/etc/security/pwquality.conf" file: ocredit = -1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-611030
- Vuln IDs
-
- V-275653
- Rule IDs
-
- SV-275653r1148009_rule
Checks: C-79755r1148007_chk
Verify Ubuntu OS prevents the use of dictionary words for passwords by using the following command: $ grep -i dictcheck /etc/security/pwquality.conf dictcheck = 1 If "dictcheck" is not set to "1", is commented out, or is missing, this is a finding.
Fix: F-79660r1148008_fix
Configure Ubuntu OS to prevent the use of dictionary words for passwords. Add or modify the following line in the "/etc/security/pwquality.conf" file: dictcheck = 1
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- RIIM-OS-611035
- Vuln IDs
-
- V-275654
- Rule IDs
-
- SV-275654r1148012_rule
Checks: C-79756r1148010_chk
Verify with the following command that the pwquality configuration file enforces a minimum 15-character password length: $ grep -i minlen /etc/security/pwquality.conf minlen = 15 If "minlen" is not "15" or higher, is commented out, or is missing, this is a finding.
Fix: F-79661r1148011_fix
Configure Ubuntu OS to enforce a minimum 15-character password length. Add or modify the following line in the "/etc/security/pwquality.conf" file: minlen = 15
- RMF Control
- Severity
- M
- CCI
- CCI-004066
- Version
- RIIM-OS-611040
- Vuln IDs
-
- V-275655
- Rule IDs
-
- SV-275655r1148015_rule
Checks: C-79757r1148013_chk
Verify Ubuntu OS requires the change of at least eight characters when passwords are changed by using the following command: $ grep -i difok /etc/security/pwquality.conf difok = 8 If "difok" is less than "8", is commented out, or is missing, this is a finding.
Fix: F-79662r1148014_fix
Configure Ubuntu OS to require the change of at least eight characters when passwords are changed. Add or modify the following line in the "/etc/security/pwquality.conf" file: difok = 8
- RMF Control
- Severity
- M
- CCI
- CCI-004061
- Version
- RIIM-OS-611045
- Vuln IDs
-
- V-275656
- Rule IDs
-
- SV-275656r1148018_rule
Checks: C-79758r1148016_chk
Verify Ubuntu OS enforces password complexity rules by using the following command: $ grep -i enforcing /etc/security/pwquality.conf enforcing = 1 If "enforcing" is not "1", is commented out, or is missing, this is a finding. Check for the use of "pwquality" by using the following command: $ cat /etc/pam.d/common-password | grep requisite | grep pam_pwquality password requisite pam_pwquality.so retry=3 If "retry" is set to "0" or is greater than "3", or is missing, this is a finding.
Fix: F-79663r1148017_fix
Configure Ubuntu OS to enforce password complexity rules. Add or modify the following line in the "/etc/security/pwquality.conf" file: enforcing = 1 Add or modify the following line in the "/etc/pam.d/common-password" file: password requisite pam_pwquality.so retry=3 Note: The value of "retry" should be between "1" and "3".
- RMF Control
- Severity
- H
- CCI
- CCI-004062
- Version
- RIIM-OS-611055
- Vuln IDs
-
- V-275657
- Rule IDs
-
- SV-275657r1148272_rule
Checks: C-79759r1148019_chk
Verify the Ubuntu operating stores only encrypted representations of passwords with the following command: $ grep pam_unix.so /etc/pam.d/common-password password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=100000 If "sha512" is missing from the "pam_unix.so" line, this is a finding.
Fix: F-79664r1148020_fix
Configure Ubuntu OS to store encrypted representations of passwords. Add or modify the following line in the "/etc/pam.d/common-password" file: password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=100000
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-611060
- Vuln IDs
-
- V-275658
- Rule IDs
-
- SV-275658r1148024_rule
Checks: C-79760r1148022_chk
Verify null passwords cannot be used. Run the following command: $ grep nullok /etc/pam.d/common-auth /etc/pam.d/common-password If this produces any output, this is a finding.
Fix: F-79665r1148023_fix
Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-611065
- Vuln IDs
-
- V-275659
- Rule IDs
-
- SV-275659r1148027_rule
Checks: C-79761r1148025_chk
Verify all accounts on the system have a password by using the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding.
Fix: F-79666r1148026_fix
Configure all accounts on the system to have a password or lock the account by using the following commands: Set the account password: $ sudo passwd <username> Or lock the account: $ sudo passwd -l <username>
- RMF Control
- IA-7
- Severity
- M
- CCI
- CCI-000803
- Version
- RIIM-OS-611070
- Vuln IDs
-
- V-275660
- Rule IDs
-
- SV-275660r1148030_rule
Checks: C-79762r1148028_chk
Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS 140-2/140-3 approved cryptographic hashing algorithm by using the following command: $ grep -i '^\s*encrypt_method' /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" does not equal SHA512 or greater, is commented out, or is missing, this is a finding.
Fix: F-79667r1148029_fix
Configure Ubuntu OS to encrypt all stored passwords. Add or modify the following line in the "/etc/login.defs" file: ENCRYPT_METHOD SHA512
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-002007
- Version
- RIIM-OS-631015
- Vuln IDs
-
- V-275668
- Rule IDs
-
- SV-275668r1148054_rule
Checks: C-79770r1148052_chk
Verify PAM prohibits the use of cached authentications after one day by using the following command: Note: If smart card authentication is not being used on the system, this requirement is not applicable. $ sudo grep -i '^\s*offline_credentials_expiration' /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/sssd/sssd.conf:offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to "1", is commented out, is missing, or conflicting results are returned, this is a finding.
Fix: F-79675r1148053_fix
Configure PAM to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, just below the line "[pam]": offline_credentials_expiration = 1 Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file.
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-002696
- Version
- RIIM-OS-651010
- Vuln IDs
-
- V-275669
- Rule IDs
-
- SV-275669r1148057_rule
Checks: C-79771r1148055_chk
Verify that Advanced Intrusion Detection Environment (AIDE) is installed by using the following command: $ dpkg -l | grep aide ii aide 0.17.4-1 amd64 Advanced Intrusion Detection Environment - dynamic binary If AIDE is not installed, ask the system administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding.
Fix: F-79676r1148056_fix
Install the "aide" package: $ sudo apt install aide
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-002696
- Version
- RIIM-OS-651015
- Vuln IDs
-
- V-275670
- Rule IDs
-
- SV-275670r1148060_rule
Checks: C-79772r1148058_chk
Verify that Advanced Intrusion Detection Environment (AIDE) is configured and operating correctly by using the following command (this will take a few minutes): Note: If AIDE is not installed, this requirement is not applicable. $ sudo aide -c /etc/aide/aide.conf --check Example output: Start timestamp: 2024-04-01 04:20:00 +1300 (AIDE 0.17.4) AIDE found differences between database and filesystem!! Ignored e2fs attributes: EIh ... If AIDE is being used to perform file integrity checks but the command fails, this is a finding.
Fix: F-79677r1148059_fix
Initialize AIDE (this will take a few minutes): $ sudo aideinit Running aide --init... Example output: Start timestamp: 2024-04-01 04:20:00 +1300 (AIDE 0.17.4) AIDE initialized database at /var/lib/aide/aide.db.new Ignored e2fs attributes: EIh Number of entries: 146185 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.new SHA256 : UrYbC/KBOJcs8zKcSlKoifnnoPK66DEC Aw6odu/BpgY= SHA512 : ezENbbuh937SPWvtsdjRzy3i47XjLg7j L3UGmr0EcgY6u8rczxgbn2RuwJfrIpef 0c1qMNobzrLXyDnnqEqAqw== RMD160 : yBq2xio+g5ne4kvZzzMZ2v+EO9w= TIGER : GkJ/xkzJGu/aSQqk9A5LN271IOAQC3d0 CRC32 : g/beXA== HAVAL : zZm220YZiGna2edJ6Gi0rPv16AlpqeHB y/XLB3hIPEY= WHIRLPOOL : k6veoXavJ/BH9L125pCYAfTB8w5ZJkdC DvVmYS0+cgmg7M0y/S2v42FNCEJ993mc 3kZMXJR/VVmwKg/7ntGixQ== GOST : psjiyix6mJlNsE984D0NwbfgBmB0ETGl /R4PNvm/wKg= End timestamp: 2024-04-01 04:29:16 +1300 (run time: 9m 16s)
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- RIIM-OS-651020
- Vuln IDs
-
- V-275671
- Rule IDs
-
- SV-275671r1148063_rule
Checks: C-79773r1148061_chk
Verify that Advanced Intrusion Detection Environment (AIDE) notifies the system administrator when anomalies in the operation of any security functions are discovered by using the following command: $ grep -i '^\s*silentreports' /etc/default/aide SILENTREPORTS=no If "SILENTREPORTS" is set to "yes", is commented out, or is missing, this is a finding.
Fix: F-79678r1148062_fix
Configure AIDE to notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered. Add or modify the following line in the "/etc/default/aide" file: SILENTREPORTS=no
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-002699
- Version
- RIIM-OS-651025
- Vuln IDs
-
- V-275672
- Rule IDs
-
- SV-275672r1148066_rule
Checks: C-79774r1148064_chk
Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged. Download the original aide-common package in the /tmp directory: $ cd /tmp; apt download aide-common Fetch the SHA1 of the original script file: $ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO ./usr/share/aide/config/cron.daily/aide | sha1sum b71bb2cafaedf15ec3ac2f566f209d3260a37af0 - Compare with the SHA1 of the file in the daily or monthly cron directory: $ sha1sum /etc/cron.{daily,monthly}/aide 2>/dev/null b71bb2cafaedf15ec3ac2f566f209d3260a37af0 /etc/cron.daily/aide If there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the daily or monthly cron directory does not match the SHA1 of the original, this is a finding.
Fix: F-79679r1148065_fix
The cron file for AIDE is fairly complex as it creates the report. This file is installed with the "aide-common" package, and the default can be restored by copying it from the package: Extract the aide script from the "aide-common" package to its original place: $ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/config/cron.daily/aide -C / Copy it to the cron.daily directory: $ sudo cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide
- RMF Control
- AU-9
- Severity
- H
- CCI
- CCI-001496
- Version
- RIIM-OS-651030
- Vuln IDs
-
- V-275673
- Rule IDs
-
- SV-275673r1148069_rule
Checks: C-79775r1148067_chk
Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools by using the following command: $ grep -E '(\/sbin\/(audit|au))' /etc/aide/aide.conf /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 If any of the lines do not appear as shown, are commented out, or are missing, this is a finding.
Fix: F-79680r1148068_fix
Configure AIDE to protect the integrity of audit tools: Add or modify the following lines in the "/etc/aide/aide.conf" file: # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
- RMF Control
- AU-4
- Severity
- L
- CCI
- CCI-001851
- Version
- RIIM-OS-651035
- Vuln IDs
-
- V-275674
- Rule IDs
-
- SV-275674r1148072_rule
Checks: C-79776r1148070_chk
Verify there is a script that off-loads audit data and the script runs weekly by using the following command: Note: If the system is not connected to a network, this requirement is not applicable. $ ls /etc/cron.weekly <audit_offload_script_name> Check if the script inside the file off-loads audit logs to external media. If the script file does not exist or does not off-load audit logs, this is a finding.
Fix: F-79681r1148071_fix
Create a script that off-loads audit logs to external media and runs weekly. The script must be located in the "/etc/cron.weekly" directory.
- RMF Control
- SC-24
- Severity
- M
- CCI
- CCI-001665
- Version
- RIIM-OS-652010
- Vuln IDs
-
- V-275675
- Rule IDs
-
- SV-275675r1148075_rule
Checks: C-79777r1148073_chk
Verify the log service is installed properly by using the following command: $ dpkg -l | grep rsyslog ii rsyslog 8.2112.0-2ubuntu2.2 amd64 reliable system and kernel logging daemon If the "rsyslog" package is not installed, this is a finding. Check that the log service is enabled and active by using the following commands: $ systemctl is-enabled rsyslog.service enabled $ systemctl is-active rsyslog.service active If "rsyslog.service" is not enabled and active, this is a finding.
Fix: F-79682r1148074_fix
Install the log service by using the following command: $ sudo apt-get install rsyslog Enable and activate the log service by using the following command: $ sudo systemctl enable rsyslog.service --now
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- RIIM-OS-652015
- Vuln IDs
-
- V-275676
- Rule IDs
-
- SV-275676r1148078_rule
Checks: C-79778r1148076_chk
Verify that Ubuntu OS monitors all remote access methods by using the following command: $ grep -Er '^(auth\.\*,authpriv\.\*|daemon\.\*)' /etc/rsyslog.* /etc/rsyslog.d/50-default.conf:auth.*,authpriv.* /var/log/secure /etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages If "auth.*", "authpriv.*", or "daemon.*" are not configured to be logged in at least one of the config files, this is a finding.
Fix: F-79683r1148077_fix
Configure Ubuntu OS to monitor all remote access methods. Add or modify the following line in the "/etc/rsyslog.d/50-default.conf" file: auth.*,authpriv.* /var/log/secure daemon.* /var/log/messages Restart "rsyslog.service" for the changes to take effect by using the following command: $ sudo systemctl restart rsyslog.service
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- RIIM-OS-653010
- Vuln IDs
-
- V-275677
- Rule IDs
-
- SV-275677r1148081_rule
Checks: C-79779r1148079_chk
Verify the "auditd" package is installed by using the following command: $ dpkg -l | grep auditd ii libauditd 1:3.0.7-1build1 amd64 User space tools for security auditing If the "auditd" package is not installed, this is a finding.
Fix: F-79684r1148080_fix
Install the "auditd" package by using the following command: $ sudo apt-get install auditd
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000130
- Version
- RIIM-OS-653015
- Vuln IDs
-
- V-275678
- Rule IDs
-
- SV-275678r1148084_rule
Checks: C-79780r1148082_chk
Verify the "auditd.service" is enabled and active by using the following commands: $ systemctl is-enabled auditd.service enabled $ systemctl is-active auditd.service active If the "auditd.service" is not enabled and active, this is a finding.
Fix: F-79685r1148083_fix
Enable and start the "auditd.service" by using the following command: $ sudo systemctl enable auditd.service --now
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- RIIM-OS-653020
- Vuln IDs
-
- V-275679
- Rule IDs
-
- SV-275679r1148087_rule
Checks: C-79781r1148085_chk
Verify the audit event multiplexor is configured to off-load audit records to a different system from the system being audited. Check if the "audispd-plugins" package is installed: $ dpkg -l | grep audispd-plugins ii audispd-plugins 1:3.0.7-1build1 amd64 Plugins for the audit event dispatcher If the "audispd-plugins" package is not installed, this is a finding. Check that the records are being off-loaded to a remote server by using the following command: $ sudo grep -i active /etc/audit/plugins.d/au-remote.conf active = yes If "active" is not set to "yes", or the line is commented out, or is missing, this is a finding. Check that audisp-remote plugin is configured to send audit logs to a different system: $ sudo grep -i remote_server /etc/audit/audisp-remote.conf remote_server = 240.9.19.81 If the "remote_server" parameter is not set, is set with a local IP address, or is set with an invalid IP address, this is a finding.
Fix: F-79686r1148086_fix
Configure the audit event multiplexor to off-load audit records to a different system from the system being audited. Install the "audisp-plugins" package by using the following command: $ sudo apt-get install audispd-plugins Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file: $ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf Set the IP address of the remote system by editing the "/etc/audit/audisp-remote.conf" file: $ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote_server_ip_address>/' /etc/audit/audisp-remote.conf Restart the "auditd.service" for the changes to take effect: $ sudo systemctl restart auditd.service
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000139
- Version
- RIIM-OS-653025
- Vuln IDs
-
- V-275680
- Rule IDs
-
- SV-275680r1148090_rule
Checks: C-79782r1148088_chk
Verify that the SA and ISSO are notified in the event of an audit processing failure by using the following command: $ sudo grep -i action_mail_acct /etc/audit/auditd.conf action_mail_acct = <administrator_email_account> If "action_mail_acct" is not set to the email address of the SA and/or ISSO, is commented out, or is missing, this is a finding.
Fix: F-79687r1148089_fix
Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. Add or modify the following line in the "/etc/audit/auditd.conf " file: action_mail_acct = <administrator_email_account> Note: Change "administrator_email_account" to the email address of the SA and/or ISSO. Restart the "auditd" service for the changes take effect: $ sudo systemctl restart auditd.service Note: An email package must be installed on the system for email notifications to be sent.
- RMF Control
- AU-5
- Severity
- L
- CCI
- CCI-001855
- Version
- RIIM-OS-653040
- Vuln IDs
-
- V-275682
- Rule IDs
-
- SV-275682r1148096_rule
Checks: C-79784r1148094_chk
Verify Ubuntu OS is configured to notify the SA and ISSO when the audit record storage volume reaches 25 percent remaining of the allocated capacity by using the following command: $ sudo grep -i space_left /etc/audit/auditd.conf space_left = 25% space_left_action = email If "space_left" is set to a value less than "25%", is commented out, or is missing, this is a finding. If "space_left_action" is not set to "email", is commented out, or is missing, this is a finding. Note: If the "space_left_action" is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding.
Fix: F-79689r1148095_fix
Configure Ubuntu OS to notify the SA and ISSO when the audit record storage volume reaches 25 percent remaining of the allocated capacity. Add or modify the following lines in the "/etc/audit/auditd.conf " file: space_left = 25% space_left_action = email Restart the "auditd" service for the changes to take effect: $ sudo systemctl restart auditd.service Note: If the "space_left_action" parameter is set to "exec", ensure the command being executed notifies the SA and ISSO.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- RIIM-OS-653045
- Vuln IDs
-
- V-275683
- Rule IDs
-
- SV-275683r1148099_rule
Checks: C-79785r1148097_chk
Verify that the audit log files have a mode of "600" or less permissive. Determine where the audit logs are stored by using the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, determine if the audit log files have a mode of "600" or less by using the following command: $ sudo stat -c "%n %a" /var/log/audit/* /var/log/audit/audit.log 600 If the audit log files have a mode more permissive than "600", this is a finding.
Fix: F-79690r1148098_fix
Configure the audit log files to have a mode of "600" or less permissive. Using the path of the directory containing the audit logs, configure the audit log files to have a mode of "600" or less permissive by using the following command: $ sudo chmod 600 /var/log/audit/*
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- RIIM-OS-653050
- Vuln IDs
-
- V-275684
- Rule IDs
-
- SV-275684r1148102_rule
Checks: C-79786r1148100_chk
Verify the audit log files are owned by "root" account. Determine where the audit logs are stored by using the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, determine if the audit log files are owned by the "root" user by using the following command: $ sudo stat -c "%n %U" /var/log/audit/* /var/log/audit/audit.log root If the audit log files are owned by a user other than "root", this is a finding.
Fix: F-79691r1148101_fix
Configure the audit log directory and its underlying files to be owned by "root" user. Using the path of the directory containing the audit logs, configure the audit log files to be owned by "root" user by using the following command: $ sudo chown root /var/log/audit/*
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- RIIM-OS-653055
- Vuln IDs
-
- V-275685
- Rule IDs
-
- SV-275685r1148105_rule
Checks: C-79787r1148103_chk
Verify the group owner of newly created audit logs is "root" by using the following command: $ sudo grep -iw log_group /etc/audit/auditd.conf log_group = root If "log_group" is not set to "root", this is a finding.
Fix: F-79692r1148104_fix
Configure the group owner of newly created audit logs to be "root". Add or modify the following lines in the "/etc/audit/auditd.conf " file: log_group = root Reload the configuration file of the audit service to update the group ownership of existing files: $ sudo systemctl kill auditd -s SIGHUP
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000164
- Version
- RIIM-OS-653060
- Vuln IDs
-
- V-275686
- Rule IDs
-
- SV-275686r1148108_rule
Checks: C-79788r1148106_chk
Verify the audit log directory has a mode of "750" or less permissive. Determine where the audit logs are stored by using the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, determine if the directory has a mode of "750" or less by using the following command: $ sudo stat -c "%n %a" /var/log/audit /var/log/audit 750 If the audit log directory has a mode more permissive than "750", this is a finding.
Fix: F-79693r1148107_fix
Configure the audit log directory to have a mode of "750" or less permissive. Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "750" or less permissive by using the following command: $ sudo chmod -R g-w,o-rwx /var/log/audit
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- RIIM-OS-653070
- Vuln IDs
-
- V-275687
- Rule IDs
-
- SV-275687r1148111_rule
Checks: C-79789r1148109_chk
Verify "/etc/audit/audit.rules", "/etc/audit/auditd.conf", and "/etc/audit/rules.d/*" files are owned by root account by using the following command: $ sudo ls -al /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/* | awk '{print $3, $9}' root /etc/audit/audit.rules root /etc/audit/auditd.conf root /etc/audit/rules.d/audit.rules If "/etc/audit/audit.rules", "/etc/audit/auditd.conf", or "/etc/audit/rules.d/*" files are owned by a user other than "root", this is a finding.
Fix: F-79694r1148110_fix
Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to be owned by root by using the following command: $ sudo chown -R root /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/*
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000171
- Version
- RIIM-OS-653075
- Vuln IDs
-
- V-275688
- Rule IDs
-
- SV-275688r1148114_rule
Checks: C-79790r1148112_chk
Verify "/etc/audit/audit.rules", "/etc/audit/auditd.conf", and "/etc/audit/rules.d/*" files are owned by root group by using the following command: $ sudo ls -al /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/* | awk '{print $4, $9}' root /etc/audit/audit.rules root /etc/audit/auditd.conf root /etc/audit/rules.d/audit.rules If "/etc/audit/audit.rules", "/etc/audit/auditd.conf", or "/etc/audit/rules.d/*" files are owned by a group other than "root", this is a finding.
Fix: F-79695r1148113_fix
Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to be owned by root group by using the following command: $ sudo chown -R :root /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/*
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654010
- Vuln IDs
-
- V-275689
- Rule IDs
-
- SV-275689r1148117_rule
Checks: C-79791r1148115_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "apparmor_parser" command by using the following command: $ sudo auditctl -l | grep apparmor_parser -a always,exit -S all -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79696r1148116_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654015
- Vuln IDs
-
- V-275690
- Rule IDs
-
- SV-275690r1148120_rule
Checks: C-79792r1148118_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "chacl" command by using the following command: $ sudo auditctl -l | grep chacl -a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79697r1148119_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654020
- Vuln IDs
-
- V-275691
- Rule IDs
-
- SV-275691r1148123_rule
Checks: C-79793r1148121_chk
Verify an audit event is generated for any successful/unsuccessful use of the "chage" command by using the following command: $ sudo auditctl -l | grep -w chage -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chage If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79698r1148122_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654025
- Vuln IDs
-
- V-275692
- Rule IDs
-
- SV-275692r1148126_rule
Checks: C-79794r1148124_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "chcon" command by using the following command: $ sudo auditctl -l | grep chcon -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79699r1148125_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654030
- Vuln IDs
-
- V-275693
- Rule IDs
-
- SV-275693r1148129_rule
Checks: C-79795r1148127_chk
Verify Ubuntu OS generates audit records upon successful/unsuccessful attempts to use the "chfn" command by using the following command: $ sudo auditctl -l | grep /usr/bin/chfn -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chfn If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79700r1148128_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chfn" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chfn To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654035
- Vuln IDs
-
- V-275694
- Rule IDs
-
- SV-275694r1148132_rule
Checks: C-79796r1148130_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "chsh" command by using the following command: $ sudo auditctl -l | grep chsh -a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd If the command does not return a line that matches the example or the line is commented out, this is a finding. Notes: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
Fix: F-79701r1148131_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654040
- Vuln IDs
-
- V-275695
- Rule IDs
-
- SV-275695r1148135_rule
Checks: C-79797r1148133_chk
Verify an audit event is generated for any successful/unsuccessful use of the "crontab" command by using the following command: $ sudo auditctl -l | grep -w crontab -a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-crontab If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79702r1148134_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654045
- Vuln IDs
-
- V-275696
- Rule IDs
-
- SV-275696r1148138_rule
Checks: C-79798r1148136_chk
Verify Ubuntu OS is configured to audit the execution of the partition management program "fdisk" by using the following command: $ sudo auditctl -l | grep fdisk -w /usr/sbin/fdisk -p x -k fdisk If the command does not return a line, or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79703r1148137_fix
Configure Ubuntu OS to audit the execution of the partition management program "fdisk". Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /usr/sbin/fdisk -p x -k fdisk To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654050
- Vuln IDs
-
- V-275697
- Rule IDs
-
- SV-275697r1148141_rule
Checks: C-79799r1148139_chk
Verify an audit event is generated for any successful/unsuccessful use of the "gpasswd" command by using the following command: $ sudo auditctl -l | grep -w gpasswd -a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-gpasswd If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79704r1148140_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654055
- Vuln IDs
-
- V-275698
- Rule IDs
-
- SV-275698r1148144_rule
Checks: C-79800r1148142_chk
Verify Ubuntu OS is configured to audit the execution of the module management program "kmod" by using the following command: $ sudo auditctl -l | grep kmod -w /bin/kmod -p x -k module If the command does not return a line, or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79705r1148143_fix
Configure Ubuntu OS to audit the execution of the module management program "kmod". Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /bin/kmod -p x -k modules To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654060
- Vuln IDs
-
- V-275699
- Rule IDs
-
- SV-275699r1148147_rule
Checks: C-79801r1148145_chk
Verify Ubuntu OS is configured to audit the execution of the module management program "modprobe" with the following command: $ sudo auditctl -l | grep /sbin/modprobe -w /sbin/modprobe -p x -k modules If the command does not return a line, or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79706r1148146_fix
Configure Ubuntu OS to audit the execution of the module management program "modprobe". Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /sbin/modprobe -p x -k modules To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654065
- Vuln IDs
-
- V-275700
- Rule IDs
-
- SV-275700r1148150_rule
Checks: C-79802r1148148_chk
Verify Ubuntu OS generates audit records upon successful/unsuccessful attempts to use the "mount" command by using the following command: $ sudo auditctl -l | grep /usr/bin/mount -a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-mount If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79707r1148149_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654070
- Vuln IDs
-
- V-275701
- Rule IDs
-
- SV-275701r1148153_rule
Checks: C-79803r1148151_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "newgrp" command by using the following command: $ sudo auditctl -l | grep newgrp -a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79708r1148152_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654075
- Vuln IDs
-
- V-275702
- Rule IDs
-
- SV-275702r1148156_rule
Checks: C-79804r1148154_chk
Verify an audit event is generated for any successful/unsuccessful use of the "pam_timestamp_check" command by using the following command: $ sudo auditctl -l | grep -w pam_timestamp_check -a always,exit -S all -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-pam_timestamp_check If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79709r1148155_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654080
- Vuln IDs
-
- V-275703
- Rule IDs
-
- SV-275703r1148159_rule
Checks: C-79805r1148157_chk
Verify an audit event is generated for any successful/unsuccessful use of the "passwd" command by using the following command: $ sudo auditctl -l | grep -w passwd -a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-passwd If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
Fix: F-79710r1148158_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654085
- Vuln IDs
-
- V-275704
- Rule IDs
-
- SV-275704r1148162_rule
Checks: C-79806r1148160_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "setfacl" command by using the following command: $ sudo auditctl -l | grep setfacl -a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79711r1148161_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654090
- Vuln IDs
-
- V-275705
- Rule IDs
-
- SV-275705r1148165_rule
Checks: C-79807r1148163_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "ssh-agent" command by using the following command: $ sudo auditctl -l | grep /usr/bin/ssh-agent -a always,exit -S all -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79712r1148164_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654095
- Vuln IDs
-
- V-275706
- Rule IDs
-
- SV-275706r1148168_rule
Checks: C-79808r1148166_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "ssh-keysign" command by using the following command: $ sudo auditctl -l | grep ssh-keysign -a always,exit -S all -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79713r1148167_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654100
- Vuln IDs
-
- V-275707
- Rule IDs
-
- SV-275707r1148171_rule
Checks: C-79809r1148169_chk
Verify Ubuntu OS generates audit records upon successful/unsuccessful attempts to use the "su" command by using the following command: $ sudo auditctl -l | grep /bin/su -a always,exit -S all -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-priv_change If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79714r1148170_fix
Configure Ubuntu OS to generate audit records when successful/unsuccessful attempts to use the "su" command occur. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654105
- Vuln IDs
-
- V-275708
- Rule IDs
-
- SV-275708r1148174_rule
Checks: C-79810r1148172_chk
Verify an audit event is generated for any successful/unsuccessful use of the "sudo" command by using the following command: $ sudo auditctl -l | grep /usr/bin/sudo -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79715r1148173_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654110
- Vuln IDs
-
- V-275709
- Rule IDs
-
- SV-275709r1148177_rule
Checks: C-79811r1148175_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "sudoedit" command by using the following command: $ sudo auditctl -l | grep /usr/bin/sudoedit -a always,exit -S all -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79716r1148176_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudoedit" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules": -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654115
- Vuln IDs
-
- V-275710
- Rule IDs
-
- SV-275710r1148180_rule
Checks: C-79812r1148178_chk
Verify Ubuntu OS generates audit records upon successful/unsuccessful attempts to use the "umount" command by using the following command: $ sudo auditctl -l | grep /usr/bin/umount -a always,exit -S all -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-umount If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79717r1148179_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654120
- Vuln IDs
-
- V-275711
- Rule IDs
-
- SV-275711r1148183_rule
Checks: C-79813r1148181_chk
Verify an audit event is generated for any successful/unsuccessful use of the "unix_update" command by using the following command: $ sudo auditctl -l | grep -w unix_update -a always,exit -S all -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-unix-update If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79718r1148182_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654125
- Vuln IDs
-
- V-275712
- Rule IDs
-
- SV-275712r1148186_rule
Checks: C-79814r1148184_chk
Verify an audit event is generated for any successful/unsuccessful use of the "usermod" command by using the following command: $ sudo auditctl -l | grep -w usermod -a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-usermod If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79719r1148185_fix
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- RIIM-OS-654130
- Vuln IDs
-
- V-275713
- Rule IDs
-
- SV-275713r1148189_rule
Checks: C-79815r1148187_chk
Verify Ubuntu OS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" by using the following command: $ sudo auditctl -l | grep group -w /etc/group -p wa -k usergroup_modification If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79720r1148188_fix
Configure Ubuntu OS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/group -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- RIIM-OS-654135
- Vuln IDs
-
- V-275714
- Rule IDs
-
- SV-275714r1148192_rule
Checks: C-79816r1148190_chk
Verify Ubuntu OS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" by using the following command: $ sudo auditctl -l | grep gshadow -w /etc/gshadow -p wa -k usergroup_modification If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79721r1148191_fix
Configure Ubuntu OS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/gshadow -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- RIIM-OS-654140
- Vuln IDs
-
- V-275715
- Rule IDs
-
- SV-275715r1148195_rule
Checks: C-79817r1148193_chk
Verify Ubuntu OS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" by using the following command: $ sudo auditctl -l | grep opasswd -w /etc/security/opasswd -p wa -k usergroup_modification If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79722r1148194_fix
Configure Ubuntu OS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/security/opasswd -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- RIIM-OS-654145
- Vuln IDs
-
- V-275716
- Rule IDs
-
- SV-275716r1148198_rule
Checks: C-79818r1148196_chk
Verify Ubuntu OS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" by using the following command: $ sudo auditctl -l | grep passwd -w /etc/passwd -p wa -k usergroup_modification If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79723r1148197_fix
Configure Ubuntu OS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/passwd -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- RIIM-OS-654150
- Vuln IDs
-
- V-275717
- Rule IDs
-
- SV-275717r1148201_rule
Checks: C-79819r1148199_chk
Verify Ubuntu OS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow" by using the following command: $ sudo auditctl -l | grep shadow -w /etc/shadow -p wa -k usergroup_modification If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79724r1148200_fix
Configure Ubuntu OS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/shadow -p wa -k usergroup_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654155
- Vuln IDs
-
- V-275718
- Rule IDs
-
- SV-275718r1148292_rule
Checks: C-79820r1148291_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" system calls by using the following command: $ sudo auditctl -l | grep chmod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_chng -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_chng If the command does not return audit rules for the "chmod", "fchmod", and "fchmodat" syscalls or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79725r1148203_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" system calls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_chng -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654160
- Vuln IDs
-
- V-275719
- Rule IDs
-
- SV-275719r1148207_rule
Checks: C-79821r1148205_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls by using the following command: $ sudo auditctl -l | grep chown -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_chng -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_chng If the command does not return audit rules for the "chown", "fchown", "fchownat", and "lchown" syscalls or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79726r1148206_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_chng -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654165
- Vuln IDs
-
- V-275720
- Rule IDs
-
- SV-275720r1148270_rule
Checks: C-79822r1148208_chk
Verify Ubuntu OS generates an audit record upon unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls by using the following command: $ sudo auditctl -l | grep 'open\|truncate\|creat' -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_access If the command does not return audit rules for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79727r1148209_fix
Configure the audit system to generate an audit event for any unsuccessful use of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654170
- Vuln IDs
-
- V-275721
- Rule IDs
-
- SV-275721r1148213_rule
Checks: C-79823r1148211_chk
Verify Ubuntu OS generates an audit record for any successful/unsuccessful attempts to use the "delete_module" syscall by using the following command: $ sudo auditctl -l | grep -w delete_module -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -F key=module_chng -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -F key=module_chng If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79728r1148212_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "delete_module" syscall. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654175
- Vuln IDs
-
- V-275722
- Rule IDs
-
- SV-275722r1148216_rule
Checks: C-79824r1148214_chk
Verify Ubuntu OS generates an audit record for any successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls by using the following command: $ sudo auditctl -l | grep init_module -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=module_chng -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=module_chng If the command does not return audit rules for the "init_module" and "finit_module" syscalls or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79729r1148215_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" syscalls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654180
- Vuln IDs
-
- V-275723
- Rule IDs
-
- SV-275723r1148219_rule
Checks: C-79825r1148217_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by using the following command: $ sudo auditctl -l | grep xattr -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod If the command does not return audit rules for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr" and "lremovexattr" syscalls or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79730r1148218_fix
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654185
- Vuln IDs
-
- V-275724
- Rule IDs
-
- SV-275724r1148222_rule
Checks: C-79826r1148220_chk
Verify Ubuntu OS generates audit records for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls by using the following command: $ sudo auditctl -l | grep 'unlink\|rename\|rmdir' -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=delete If the command does not return audit rules for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls or the lines are commented out, this is a finding. Note: The "key" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
Fix: F-79731r1148221_fix
Configure the audit system to generate audit events for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RIIM-OS-654190
- Vuln IDs
-
- V-275725
- Rule IDs
-
- SV-275725r1148225_rule
Checks: C-79827r1148223_chk
Verify Ubuntu OS generates audit records for all events that affect "/var/log/journal" by using the following command: $ sudo auditctl -l | grep journal -w /var/log/journal -p wa -k systemd_journal If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79732r1148224_fix
Configure Ubuntu OS to generate audit records for events that affect "/var/log/journal". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /var/log/journal -p wa -k systemd_journal To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654195
- Vuln IDs
-
- V-275726
- Rule IDs
-
- SV-275726r1148228_rule
Checks: C-79828r1148226_chk
Verify Ubuntu OS generates audit records showing start and stop times for user access to the system via the "/var/log/btmp" file by using the following command: $ sudo auditctl -l | grep '/var/log/btmp' -w /var/log/btmp -p wa -k logins If the command does not return a line matching the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79733r1148227_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/btmp file". Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/btmp -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654200
- Vuln IDs
-
- V-275727
- Rule IDs
-
- SV-275727r1148231_rule
Checks: C-79829r1148229_chk
Verify Ubuntu OS generates audit records showing start and stop times for user access to the system via the "/var/log/wtmp" file by using the following command: $ sudo auditctl -l | grep '/var/log/wtmp' -w /var/log/wtmp -p wa -k logins If the command does not return a line matching the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79734r1148230_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/wtmp" file. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/wtmp -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654205
- Vuln IDs
-
- V-275728
- Rule IDs
-
- SV-275728r1148234_rule
Checks: C-79830r1148232_chk
Verify Ubuntu OS generates audit records showing start and stop times for user access to the system via the "/var/run/utmp" file by using the following command: $ sudo auditctl -l | grep '/var/run/utmp' -w /var/run/utmp -p wa -k logins If the command does not return a line matching the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79735r1148233_fix
Configure the audit system to generate audit events showing start and stop times for user access via the "/var/run/utmp" file. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/run/utmp -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654210
- Vuln IDs
-
- V-275729
- Rule IDs
-
- SV-275729r1148237_rule
Checks: C-79831r1148235_chk
Verify Ubuntu OS generates an audit record upon successful/unsuccessful modifications to the "faillog" file by using the following command: $ sudo auditctl -l | grep faillog -w /var/log/faillog -p wa -k logins If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79736r1148236_fix
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/faillog -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654215
- Vuln IDs
-
- V-275730
- Rule IDs
-
- SV-275730r1148240_rule
Checks: C-79832r1148238_chk
Verify Ubuntu OS generates an audit record when successful/unsuccessful modifications to the "lastlog" file occur by using the following command: $ sudo auditctl -l | grep lastlog -w /var/log/lastlog -p wa -k logins If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79737r1148239_fix
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/lastlog -p wa -k logins To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654220
- Vuln IDs
-
- V-275731
- Rule IDs
-
- SV-275731r1148243_rule
Checks: C-79833r1148241_chk
Verify Ubuntu OS generates audit records for all modifications that affect "/etc/sudoers" by using the following command: $ sudo auditctl -l | grep sudoers -w /etc/sudoers -p wa -k privilege_modification If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79738r1148242_fix
Configure Ubuntu OS to generate audit records for all modifications that affect "/etc/sudoers". Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/sudoers -p wa -k privilege_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654225
- Vuln IDs
-
- V-275732
- Rule IDs
-
- SV-275732r1148294_rule
Checks: C-79834r1148244_chk
Verify Ubuntu OS generates audit records for all modifications that affect "/etc/sudoers.d" directory by using the following command: $ sudo auditctl -l | grep sudoers.d -w /etc/sudoers.d -p wa -k privilege_modification If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79739r1148293_fix
Configure Ubuntu OS to generate audit records for all modifications that affect "/etc/sudoers.d" directory. Add or modify the following line to "/etc/audit/rules.d/stig.rules": -w /etc/sudoers.d -p wa -k privilege_modification To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002233
- Version
- RIIM-OS-654230
- Vuln IDs
-
- V-275733
- Rule IDs
-
- SV-275733r1148249_rule
Checks: C-79835r1148247_chk
Verify Ubuntu OS audits the execution of privilege functions by auditing the "execve" system call by using the following command: $ sudo auditctl -l | grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Fix: F-79740r1148248_fix
Configure Ubuntu OS to audit the execution of all privileged functions. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RIIM-OS-654235
- Vuln IDs
-
- V-275734
- Rule IDs
-
- SV-275734r1148252_rule
Checks: C-79836r1148250_chk
Verify Ubuntu OS audits activities performed during nonlocal maintenance and diagnostic sessions by using the following command: $ sudo auditctl -l | grep sudo.log -w /var/log/sudo.log -p wa -k maintenance If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.
Fix: F-79741r1148251_fix
Configure Ubuntu OS to audit activities performed during nonlocal maintenance and diagnostic sessions. Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file: -w /var/log/sudo.log -p wa -k maintenance To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
- RMF Control
- SC-13
- Severity
- H
- CCI
- CCI-002450
- Version
- RIIM-OS-671010
- Vuln IDs
-
- V-275735
- Rule IDs
-
- SV-275735r1148255_rule
Checks: C-79837r1148253_chk
Verify the system is configured to run in FIPS mode by using the following command: $ grep -i 1 /proc/sys/crypto/fips_enabled 1 If a value of "1" is not returned, this is a finding.
Fix: F-79742r1148254_fix
Configure Ubuntu OS to run in FIPS mode. Add "fips=1" to the kernel parameter during Ubuntu OS install. Enabling a FIPS mode on a pre-existing system involves a number of modifications to Ubuntu OS. Refer to the Ubuntu Pro security certification documentation for instructions. A subscription to the Ubuntu Pro plan is required to obtain the FIPS Kernel cryptographic modules and enable FIPS. Note: Ubuntu Pro security certification instructions can be found at: https://ubuntu.com/security/certifications/docs/fips-enablement.