UCF STIG Viewer Logo

Canonical Ubuntu 16.04 Security Technical Implementation Guide


Overview

Date Finding Count (226)
2019-12-23 CAT I (High): 22 CAT II (Med): 196 CAT III (Low): 8
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-78005 High The system must use a DoD-approved virus scan program.
V-75833 High The Ubuntu operating system must be configured so that the SSH daemon does not allow authentication using an empty password.
V-75823 High The Ubuntu operating system must enforce SSHv2 for network access to all accounts.
V-75797 High The telnetd package must not be installed.
V-75799 High The Network Information Service (NIS) package must not be installed.
V-75389 High The Ubuntu operating system must be a vendor supported release.
V-75897 High The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.
V-75801 High The rsh-server package must not be installed.
V-75495 High Unattended or automatic login via the Graphical User Interface must not be allowed.
V-75499 High There must be no .shosts files on the Ubuntu operating system.
V-75479 High The Ubuntu operating system must not be configured to allow blank or null passwords.
V-80957 High The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system must be disabled if a Graphical User Interface is installed.
V-75549 High The root account must be the only account having unrestricted access to the system.
V-75895 High A File Transfer Protocol (FTP) server package must not be installed unless needed.
V-75857 High All networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
V-75853 High Remote X connections for interactive users must be encrypted.
V-75503 High The Ubuntu operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-75501 High There must be no shosts.equiv files on the Ubuntu operating system.
V-75507 High Ubuntu operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
V-75505 High Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
V-75509 High All persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
V-75541 High The x86 Ctrl-Alt-Delete key sequence must be disabled.
V-75531 Medium Automatic mounting of Universal Serial Bus (USB) mass storage driver must be disabled.
V-75749 Medium Successful/unsuccessful uses of the creat command must generate an audit record.
V-75821 Medium The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
V-75849 Medium The SSH daemon must use privilege separation.
V-75527 Medium Advance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
V-75687 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
V-75843 Medium The SSH public host key files must have mode 0644 or less permissive.
V-75535 Medium Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-75847 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-75845 Medium The SSH private host key files must have mode 0600 or less permissive.
V-75511 Medium All public directories must be owned by root to prevent unauthorized and unintended information transferred via shared system resources.
V-75513 Medium All world-writable directories must be group-owned by root, sys, bin, or an application group.
V-75515 Medium A file integrity tool must be installed to verify correct operation of all security functions in the Ubuntu operating system.
V-75517 Medium The file integrity tool must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-98989 Medium The Ubuntu operating system must not allow users to override SSH environment variables.
V-75459 Medium The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
V-75609 Medium Library files must be group-owned by root.
V-75725 Medium The audit system must be configured to audit any usage of the lremovexattr system call.
V-75723 Medium The audit system must be configured to audit any usage of the removexattr system call.
V-75721 Medium The audit system must be configured to audit any usage of the fsetxattr system call.
V-75451 Medium The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.
V-75601 Medium The /var/log/syslog file must be owned by syslog.
V-75453 Medium The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.
V-75603 Medium The /var/log/syslog file must have mode 0640 or less permissive.
V-75455 Medium All passwords must contain at least one special character.
V-75605 Medium Library files must have mode 0755 or less permissive.
V-75457 Medium The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.
V-75607 Medium Library files must be owned by root.
V-78007 Medium The system must update the DoD-approved virus scan program every seven days or more frequently.
V-90365 Medium The audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
V-75631 Medium The remote audit system must take appropriate action when audit storage is full.
V-75635 Medium Audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
V-75637 Medium Audit log directories must have a mode of 0750 or less permissive to prevent unauthorized read access.
V-75445 Medium The Ubuntu operating system must prevent direct login into the root account.
V-75529 Medium Advance package Tool (APT) must remove all software components after updated versions have been installed.
V-75633 Medium Off-loading audit records to another system must be authenticated.
V-75441 Medium Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity.
V-75525 Medium The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools.
V-75835 Medium The system must display the date and time of the last successful account logon upon an SSH logon.
V-75831 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-75449 Medium The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.
V-75735 Medium Successful/unsuccessful uses of the lchown command must generate an audit record.
V-75737 Medium Successful/unsuccessful uses of the chmod command must generate an audit record.
V-75731 Medium Successful/unsuccessful uses of the fchown command must generate an audit record.
V-75733 Medium Successful/unsuccessful uses of the fchownat command must generate an audit record.
V-75739 Medium Successful/unsuccessful uses of the fchmod command must generate an audit record.
V-75841 Medium The SSH daemon must not allow authentication using known hosts authentication.
V-75639 Medium Audit logs must be owned by root to prevent unauthorized read access.
V-75523 Medium The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.
V-75789 Medium Successful/unsuccessful uses of the pam_timestamp_check command must generate an audit record.
V-75623 Medium The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-75621 Medium The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-75437 Medium The Ubuntu operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
V-75627 Medium The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.
V-75435 Medium The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
V-75625 Medium The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
V-75781 Medium Successful/unsuccessful uses of the gpasswd command must generate an audit record.
V-75533 Medium File system automounter must be disabled unless required.
V-75439 Medium All users must be able to directly initiate a session lock for all connection types.
V-75629 Medium The audit system must take appropriate action when the audit storage volume is full.
V-75785 Medium Successful/unsuccessful uses of the usermod command must generate an audit record.
V-75537 Medium The Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
V-75787 Medium Successful/unsuccessful uses of the crontab command must generate an audit record.
V-75553 Medium Pluggable Authentication Module (PAM) must prohibit the use of cached authentications after one day.
V-75707 Medium Successful/unsuccessful uses of the ssh-keysign command must generate an audit record.
V-99009 Medium The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
V-75469 Medium Emergency administrator accounts must never be automatically removed or disabled.
V-75487 Medium The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts.
V-75795 Medium Successful/unsuccessful uses of the delete_module command must generate an audit record.
V-75793 Medium Successful/unsuccessful uses of the finit_module command must generate an audit record.
V-75791 Medium Successful/unsuccessful uses of the init_module command must generate an audit record.
V-75819 Medium The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.
V-75489 Medium The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles.
V-75649 Medium The audit log files must be owned by root.
V-75811 Medium A sticky bit must be set on all public directories to prevent unauthorized and unintended information transferred via shared system resources.
V-75813 Medium The Ubuntu operating system must compare internal information system clocks at least every 24 hours with a server which is synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-75815 Medium The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-75817 Medium The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-75657 Medium Audit tools must be group-owned by root.
V-75655 Medium Audit tools must be owned by root.
V-75653 Medium Audit tools must have a mode of 0755 or less permissive.
V-75719 Medium The audit system must be configured to audit any usage of the lsetxattr system call.
V-75547 Medium Duplicate User IDs (UIDs) must not exist for interactive users.
V-75717 Medium The audit system must be configured to audit any usage of the setxattr system call.
V-75545 Medium The Ubuntu operating system must not have unnecessary accounts.
V-75715 Medium The audit system must be configured to audit any usage of the kmod command.
V-75543 Medium Default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
V-75659 Medium The audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.
V-75807 Medium An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
V-75805 Medium An application firewall must be enabled on the system.
V-75803 Medium An application firewall must be installed.
V-75699 Medium Successful/unsuccessful uses of the ssh-agent command must generate an audit record.
V-75809 Medium The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
V-75727 Medium The audit system must be configured to audit any usage of the fremovexattr system call.
V-75393 Medium The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
V-75391 Medium Ubuntu vendor packaged system security patches and updates must be installed and up to date.
V-75645 Medium Audit log directory must be group-owned by root to prevent unauthorized read access.
V-75769 Medium Successful/unsuccessful uses of the chacl command must generate an audit record.
V-75647 Medium The Ubuntu operating system must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-75491 Medium Temporary user accounts must be provisioned with an expiration time of 72 hours or less.
V-75641 Medium Audit logs must be group-owned by root to prevent unauthorized read access.
V-75493 Medium The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-75643 Medium Audit log directory must be owned by root to prevent unauthorized read access.
V-75555 Medium All files and directories must have a valid owner.
V-75761 Medium Successful/unsuccessful uses of the newgrp command must generate an audit record.
V-75557 Medium All files and directories must have a valid group owner.
V-75883 Medium The Ubuntu operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
V-75765 Medium Successful/unsuccessful uses of the apparmor_parser command must generate an audit record.
V-75881 Medium The Ubuntu operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
V-80959 Medium The auditd service must be running in the Ubuntu operating system.
V-75587 Medium A separate file system must be used for user home directories (such as /home or an equivalent).
V-75889 Medium Network interfaces must not be in promiscuous mode.
V-75873 Medium The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
V-75877 Medium The Ubuntu operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-75875 Medium The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
V-75887 Medium The Ubuntu operating system must not be performing packet forwarding unless the system is a router.
V-75879 Medium The Ubuntu operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-75697 Medium Successful/unsuccessful uses of the umount command must generate an audit record.
V-75483 Medium The passwd command must be configured to prevent the use of dictionary words as passwords.
V-75885 Medium The Ubuntu operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
V-75767 Medium Successful/unsuccessful uses of the setfacl command must generate an audit record.
V-75755 Medium Successful/unsuccessful uses of the sudo command must generate an audit record.
V-75551 Medium User accounts with temporary passwords, must require an immediate change to a permanent password after login.
V-75569 Medium All local initialization files must have mode 0740 or less permissive.
V-75779 Medium Successful/unsuccessful uses of the unix_update command must generate an audit record.
V-75481 Medium The Ubuntu operating system must prevent the use of dictionary words for passwords.
V-75729 Medium Successful/unsuccessful uses of the chown command must generate an audit record.
V-75485 Medium Account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity.
V-75561 Medium All local interactive user accounts, upon creation, must be assigned a home directory.
V-75771 Medium Successful/unsuccessful modifications to the tallylog file must generate an audit record.
V-75563 Medium All local interactive user home directories defined in the /etc/passwd file must exist.
V-75773 Medium Successful/unsuccessful modifications to the faillog file must generate an audit record.
V-75565 Medium All local interactive user home directories must have mode 0750 or less permissive.
V-75775 Medium Successful/unsuccessful modifications to the lastlog file must generate an audit record.
V-75567 Medium All local interactive user home directories must be group-owned by the home directory owners primary group.
V-75777 Medium Successful/unsuccessful uses of the passwd command must generate an audit record.
V-80969 Medium Successful/unsuccessful uses of the chcon command must generate an audit record.
V-75559 Medium All local interactive users must have a home directory assigned in the /etc/passwd file.
V-80961 Medium The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-75581 Medium File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
V-80965 Medium The audit records must be off-loaded onto a different system or storage media from the system being audited.
V-75585 Medium Kernel core dumps must be disabled unless needed.
V-75863 Medium All remote access methods must be monitored.
V-75865 Medium Cron logging must be implemented.
V-75867 Medium Wireless network adapters must be disabled.
V-75869 Medium The Ubuntu operating system must be configured to use TCP syncookies.
V-75745 Medium Successful/unsuccessful uses of the truncate command must generate an audit record.
V-75891 Medium The Ubuntu operating system must be configured to prevent unrestricted mail relaying.
V-75747 Medium Successful/unsuccessful uses of the ftruncate command must generate an audit record.
V-75575 Medium File systems that contain user home directories must be mounted to prevent files with the setuid and setguid bit set from being executed.
V-75741 Medium Successful/unsuccessful uses of the fchmodat command must generate an audit record.
V-75573 Medium Local initialization files must not execute world-writable programs.
V-75743 Medium Successful/unsuccessful uses of the open command must generate an audit record.
V-75571 Medium All local interactive user initialization files executable search paths must contain only paths that resolve to the system default or the users home directory.
V-75907 Medium The Ubuntu operating system must implement certificate status checking for multifactor authentication.
V-75905 Medium The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.
V-75903 Medium The Ubuntu operating system must have the packages required for multifactor authentication to be installed.
V-75893 Medium The Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.
V-75901 Medium An X Windows display manager must not be installed unless approved.
V-75579 Medium File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setguid bit set from being executed.
V-75477 Medium Passwords must have a minimum of 15-characters.
V-75667 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
V-75475 Medium Passwords must be prohibited from reuse for a minimum of five generations.
V-75665 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
V-75473 Medium Passwords for new users must have a 60-day maximum password lifetime restriction.
V-75663 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
V-75471 Medium Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.
V-75661 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
V-75599 Medium The /var/log/syslog file must be group-owned by adm.
V-75577 Medium File systems that are used with removable media must be mounted to prevent files with the setuid and setguid bit set from being executed.
V-75593 Medium The /var/log directory must be group-owned by syslog.
V-75595 Medium The /var/log directory must be owned by root.
V-75597 Medium The /var/log directory must have mode 0770 or less permissive.
V-75693 Medium Successful/unsuccessful uses of the chfn command must generate an audit record.
V-75899 Medium If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
V-75691 Medium Successful/unsuccessful uses of the su command must generate an audit record.
V-75859 Medium The audit system must take appropriate action when the network cannot be used to off-load audit records.
V-75855 Medium An application firewall must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces.
V-75837 Medium The Ubuntu operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-75851 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-75829 Medium The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
V-75753 Medium Successful/unsuccessful uses of the open_by_handle_at command must generate an audit record.
V-75751 Medium Successful/unsuccessful uses of the openat command must generate an audit record.
V-75909 Medium The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-75827 Medium The Ubuntu operating system must not permit direct logons to the root account using remote access via SSH.
V-75759 Medium Successful/unsuccessful uses of the chsh command must generate an audit record.
V-75911 Medium The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.
V-75461 Medium The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
V-75825 Medium The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon and the user must acknowledge the usage conditions and take explicit actions to log on for further access.
V-75613 Medium System commands must be owned by root.
V-75465 Medium The pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
V-75611 Medium System commands must have mode 0755 or less permissive.
V-75617 Medium Audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
V-75783 Medium Successful/unsuccessful uses of the chage command must generate an audit record.
V-75615 Medium System commands must be group-owned by root.
V-75463 Medium The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords.
V-75519 Low The file integrity tool must be configured to verify Access Control Lists (ACLs).
V-75443 Low The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
V-75521 Low The file integrity tool must be configured to verify extended attributes.
V-75497 Low The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
V-75871 Low For Ubuntu operating systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
V-75589 Low The Ubuntu operating system must use a separate file system for /var.
V-75591 Low The Ubuntu operating system must use a separate file system for the system audit data path.
V-75695 Low Successful/unsuccessful uses of the mount command must generate an audit record.