UCF STIG Viewer Logo

Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide


Overview

Date Finding Count (229)
2020-12-09 CAT I (High): 22 CAT II (Med): 199 CAT III (Low): 8
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-215108 High The telnetd package must not be installed.
V-214963 High The Ubuntu operating system must not be configured to allow blank or null passwords.
V-214939 High The Ubuntu operating system must be a vendor supported release.
V-214999 High The root account must be the only account having unrestricted access to the system.
V-215157 High A File Transfer Protocol (FTP) server package must not be installed unless needed.
V-215126 High The Ubuntu operating system must be configured so that the SSH daemon does not allow authentication using an empty password.
V-215121 High The Ubuntu operating system must enforce SSHv2 for network access to all accounts.
V-214994 High The x86 Ctrl-Alt-Delete key sequence must be disabled.
V-214995 High The x86 Ctrl-Alt-Delete key sequence in the Ubuntu operating system must be disabled if a Graphical User Interface is installed.
V-215137 High The Ubuntu operating system must be configured so that remote X connections are disabled unless to fulfill documented and validated mission requirements.
V-220332 High The system must use a DoD-approved virus scan program.
V-215139 High All networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
V-215110 High The rsh-server package must not be installed.
V-215109 High The Network Information Service (NIS) package must not be installed.
V-214978 High Ubuntu operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
V-214979 High All persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
V-215158 High The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.
V-214974 High There must be no .shosts files on the Ubuntu operating system.
V-214975 High There must be no shosts.equiv files on the Ubuntu operating system.
V-214976 High The Ubuntu operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-214977 High Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
V-214972 High Unattended or automatic login via the Graphical User Interface must not be allowed.
V-215072 Medium The audit system must be configured to audit any usage of the lremovexattr system call.
V-215073 Medium The audit system must be configured to audit any usage of the fremovexattr system call.
V-215070 Medium The audit system must be configured to audit any usage of the fsetxattr system call.
V-215071 Medium The audit system must be configured to audit any usage of the removexattr system call.
V-215076 Medium Successful/unsuccessful uses of the fchownat command must generate an audit record.
V-215077 Medium Successful/unsuccessful uses of the lchown command must generate an audit record.
V-215074 Medium Successful/unsuccessful uses of the chown command must generate an audit record.
V-215075 Medium Successful/unsuccessful uses of the fchown command must generate an audit record.
V-215078 Medium Successful/unsuccessful uses of the chmod command must generate an audit record.
V-215079 Medium Successful/unsuccessful uses of the fchmod command must generate an audit record.
V-214989 Medium Advance package Tool (APT) must remove all software components after updated versions have been installed.
V-214988 Medium Advance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
V-233624 Medium The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
V-214969 Medium The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles.
V-214968 Medium Accounts on the Ubuntu operating system that are subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.
V-214967 Medium The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts.
V-214966 Medium Account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity.
V-214965 Medium The passwd command must be configured to prevent the use of dictionary words as passwords.
V-214964 Medium The Ubuntu operating system must prevent the use of dictionary words for passwords.
V-214962 Medium Passwords must have a minimum of 15-characters.
V-214961 Medium Passwords must be prohibited from reuse for a minimum of five generations.
V-214960 Medium Passwords for new users must have a 60-day maximum password lifetime restriction.
V-215065 Medium Successful/unsuccessful uses of the ssh-agent command must generate an audit record.
V-215064 Medium Successful/unsuccessful uses of the umount command must generate an audit record.
V-215067 Medium The audit system must be configured to audit any usage of the kmod command.
V-215066 Medium Successful/unsuccessful uses of the ssh-keysign command must generate an audit record.
V-215061 Medium Successful/unsuccessful uses of the su command must generate an audit record.
V-215060 Medium The audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
V-215062 Medium Successful/unsuccessful uses of the chfn command must generate an audit record.
V-215069 Medium The audit system must be configured to audit any usage of the lsetxattr system call.
V-215068 Medium The audit system must be configured to audit any usage of the setxattr system call.
V-215053 Medium The audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.
V-215148 Medium The Ubuntu operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-215149 Medium The Ubuntu operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-215146 Medium The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
V-215147 Medium The Ubuntu operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
V-215144 Medium The Ubuntu operating system must be configured to use TCP syncookies.
V-215142 Medium Cron logging must be implemented.
V-215143 Medium Wireless network adapters must be disabled.
V-215140 Medium The audit system must take appropriate action when the network cannot be used to off-load audit records.
V-215141 Medium All remote access methods must be monitored.
V-214952 Medium All passwords must contain at least one special character.
V-214953 Medium The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.
V-214950 Medium The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.
V-214951 Medium The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.
V-214956 Medium The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords.
V-214957 Medium The pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
V-214954 Medium The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
V-214955 Medium The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
V-214958 Medium Emergency administrator accounts must never be automatically removed or disabled.
V-214959 Medium Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.
V-214998 Medium Duplicate User IDs (UIDs) must not exist for interactive users.
V-215010 Medium All local interactive user initialization files executable search paths must contain only paths that resolve to the system default or the users home directory.
V-215011 Medium Local initialization files must not execute world-writable programs.
V-215012 Medium File systems that contain user home directories must be mounted to prevent files with the setuid and setguid bit set from being executed.
V-215013 Medium File systems that are used with removable media must be mounted to prevent files with the setuid and setguid bit set from being executed.
V-215014 Medium File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setguid bit set from being executed.
V-215015 Medium File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
V-215016 Medium Kernel core dumps must be disabled unless needed.
V-215017 Medium A separate file system must be used for user home directories (such as /home or an equivalent).
V-215098 Medium Successful/unsuccessful uses of the passwd command must generate an audit record.
V-215099 Medium Successful/unsuccessful uses of the unix_update command must generate an audit record.
V-215153 Medium The Ubuntu operating system must not be performing packet forwarding unless the system is a router.
V-215152 Medium The Ubuntu operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
V-215155 Medium The Ubuntu operating system must be configured to prevent unrestricted mail relaying.
V-215154 Medium Network interfaces must not be in promiscuous mode.
V-215156 Medium The Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.
V-215090 Medium Successful/unsuccessful uses of the newgrp command must generate an audit record.
V-215091 Medium Successful/unsuccessful uses of the chcon command must generate an audit record.
V-215092 Medium Successful/unsuccessful uses of the apparmor_parser command must generate an audit record.
V-215093 Medium Successful/unsuccessful uses of the setfacl command must generate an audit record.
V-215094 Medium Successful/unsuccessful uses of the chacl command must generate an audit record.
V-215095 Medium Successful/unsuccessful modifications to the tallylog file must generate an audit record.
V-215096 Medium Successful/unsuccessful modifications to the faillog file must generate an audit record.
V-215097 Medium Successful/unsuccessful modifications to the lastlog file must generate an audit record.
V-214945 Medium Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity.
V-214944 Medium All users must be able to directly initiate a session lock for all connection types.
V-214947 Medium The Ubuntu operating system must prevent direct login into the root account.
V-214941 Medium The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
V-214940 Medium Ubuntu vendor packaged system security patches and updates must be installed and up to date.
V-214943 Medium The Ubuntu operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
V-214942 Medium The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
V-214991 Medium File system automounter must be disabled unless required.
V-214949 Medium The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.
V-214948 Medium The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
V-215003 Medium All files and directories must have a valid group owner.
V-215002 Medium All files and directories must have a valid owner.
V-215001 Medium Pluggable Authentication Module (PAM) must prohibit the use of cached authentications after one day.
V-215000 Medium User accounts with temporary passwords, must require an immediate change to a permanent password after login.
V-215007 Medium All local interactive user home directories must have mode 0750 or less permissive.
V-215006 Medium All local interactive user home directories defined in the /etc/passwd file must exist.
V-215005 Medium All local interactive user accounts, upon creation, must be assigned a home directory.
V-215004 Medium All local interactive users must have a home directory assigned in the /etc/passwd file.
V-215009 Medium All local initialization files must have mode 0740 or less permissive.
V-215008 Medium All local interactive user home directories must be group-owned by the home directory owners primary group.
V-215124 Medium The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
V-215125 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-215127 Medium The Ubuntu operating system must not allow users to override SSH environment variables.
V-215120 Medium The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
V-215122 Medium The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon and the user must acknowledge the usage conditions and take explicit actions to log on for further access.
V-215123 Medium The Ubuntu operating system must not permit direct logons to the root account using remote access via SSH.
V-215083 Medium Successful/unsuccessful uses of the ftruncate command must generate an audit record.
V-215082 Medium Successful/unsuccessful uses of the truncate command must generate an audit record.
V-215081 Medium Successful/unsuccessful uses of the open command must generate an audit record.
V-215080 Medium Successful/unsuccessful uses of the fchmodat command must generate an audit record.
V-215128 Medium The system must display the date and time of the last successful account logon upon an SSH logon.
V-215129 Medium The Ubuntu operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-215085 Medium Successful/unsuccessful uses of the openat command must generate an audit record.
V-215084 Medium Successful/unsuccessful uses of the creat command must generate an audit record.
V-215130 Medium The Ubuntu operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.
V-215048 Medium The Ubuntu operating system must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-215036 Medium The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-215037 Medium The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
V-215034 Medium The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-215035 Medium The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
V-215032 Medium Audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
V-215033 Medium The auditd service must be running in the Ubuntu operating system.
V-215030 Medium System commands must be owned by root.
V-215031 Medium System commands must be group-owned by root.
V-214996 Medium Default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
V-214997 Medium The Ubuntu operating system must not have unnecessary accounts.
V-214992 Medium Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-214993 Medium The Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
V-215038 Medium The System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full.
V-215039 Medium The audit system must take appropriate action when the audit storage volume is full.
V-215136 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-215135 Medium The SSH daemon must use privilege separation.
V-215134 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-215133 Medium The SSH private host key files must have mode 0600 or less permissive.
V-215132 Medium The SSH public host key files must have mode 0644 or less permissive.
V-215131 Medium The SSH daemon must not allow authentication using known hosts authentication.
V-215138 Medium An application firewall must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces.
V-215055 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
V-215029 Medium System commands must have mode 0755 or less permissive.
V-215028 Medium Library files must be group-owned by root.
V-215021 Medium The /var/log directory must be owned by root.
V-215020 Medium The /var/log directory must be group-owned by syslog.
V-215023 Medium The /var/log/syslog file must be group-owned by adm.
V-215022 Medium The /var/log directory must have mode 0770 or less permissive.
V-215025 Medium The /var/log/syslog file must have mode 0640 or less permissive.
V-215089 Medium Successful/unsuccessful uses of the chsh command must generate an audit record.
V-215027 Medium Library files must be owned by root.
V-215026 Medium Library files must have mode 0755 or less permissive.
V-214981 Medium All world-writable directories must be group-owned by root, sys, bin, or an application group.
V-214980 Medium All public directories must be owned by root to prevent unauthorized and unintended information transferred via shared system resources.
V-214983 Medium The file integrity tool must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-214982 Medium A file integrity tool must be installed to verify correct operation of all security functions in the Ubuntu operating system.
V-214987 Medium The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools.
V-214986 Medium The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.
V-215102 Medium Successful/unsuccessful uses of the usermod command must generate an audit record.
V-215103 Medium Successful/unsuccessful uses of the crontab command must generate an audit record.
V-215100 Medium Successful/unsuccessful uses of the gpasswd command must generate an audit record.
V-215101 Medium Successful/unsuccessful uses of the chage command must generate an audit record.
V-215106 Medium Successful/unsuccessful uses of the finit_module command must generate an audit record.
V-215107 Medium Successful/unsuccessful uses of the delete_module command must generate an audit record.
V-215104 Medium Successful/unsuccessful uses of the pam_timestamp_check command must generate an audit record.
V-215105 Medium Successful/unsuccessful uses of the init_module command must generate an audit record.
V-215058 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
V-215059 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
V-215054 Medium The audit records must be off-loaded onto a different system or storage media from the system being audited.
V-215087 Medium Successful/unsuccessful uses of the sudo command must generate an audit record.
V-215056 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
V-215057 Medium The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
V-215050 Medium Audit tools must have a mode of 0755 or less permissive.
V-215051 Medium Audit tools must be owned by root.
V-215052 Medium Audit tools must be group-owned by root.
V-215086 Medium Successful/unsuccessful uses of the open_by_handle_at command must generate an audit record.
V-215119 Medium The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.
V-215118 Medium The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-215115 Medium A sticky bit must be set on all public directories to prevent unauthorized and unintended information transferred via shared system resources.
V-215114 Medium The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
V-215117 Medium The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-215116 Medium The Ubuntu operating system must compare internal information system clocks at least every 24 hours with a server which is synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-215111 Medium An application firewall must be installed.
V-215113 Medium An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
V-215112 Medium An application firewall must be enabled on the system.
V-220333 Medium The system must update the DoD-approved virus scan program every seven days or more frequently.
V-215151 Medium The Ubuntu operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
V-215049 Medium The audit log files must be owned by root.
V-215150 Medium The Ubuntu operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
V-215047 Medium Audit log directory must be group-owned by root to prevent unauthorized read access.
V-215046 Medium Audit log directory must be owned by root to prevent unauthorized read access.
V-215045 Medium Audit logs must be group-owned by root to prevent unauthorized read access.
V-215044 Medium Audit logs must be owned by root to prevent unauthorized read access.
V-215043 Medium Audit log directories must have a mode of 0750 or less permissive to prevent unauthorized read access.
V-215042 Medium Audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
V-215041 Medium Off-loading audit records to another system must be authenticated.
V-215024 Medium The /var/log/syslog file must be owned by syslog.
V-215160 Medium An X Windows display manager must not be installed unless approved.
V-215161 Medium The Ubuntu operating system must have the packages required for multifactor authentication to be installed.
V-215162 Medium The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.
V-215163 Medium The Ubuntu operating system must implement certificate status checking for multifactor authentication.
V-215164 Medium The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-215165 Medium The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.
V-215159 Medium If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
V-214990 Medium Automatic mounting of Universal Serial Bus (USB) mass storage driver must be disabled.
V-215040 Medium The remote audit system must take appropriate action when audit storage is full.
V-214970 Medium Temporary user accounts must be provisioned with an expiration time of 72 hours or less.
V-214971 Medium The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
V-215063 Low Successful/unsuccessful uses of the mount command must generate an audit record.
V-215145 Low For Ubuntu operating systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
V-215018 Low The Ubuntu operating system must use a separate file system for /var.
V-215019 Low The Ubuntu operating system must use a separate file system for the system audit data path.
V-214946 Low The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
V-214985 Low The file integrity tool must be configured to verify extended attributes.
V-214984 Low The file integrity tool must be configured to verify Access Control Lists (ACLs).
V-214973 Low The Ubuntu operating system must display the date and time of the last successful account logon upon logon.