profile.json
7139 lines (7139 loc) · 955 KB
{
"name": "Canonical_Ubuntu_20-04_LTS_STIG",
"title": "Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide",
"maintainer": "Nitin Ravindran",
"copyright": "Nitin Ravindran",
"copyright_email": "[email protected]",
"license": "Apache-2.0",
"summary": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].",
"version": "1.6.0",
"supports": [
{
"platform-name": "ubuntu",
"release": "20.04"
}
],
"inputs": [
{
"name": "temporary_accounts",
"options": {
"type": "Array",
"value": []
}
},
{
"name": "banner_text",
"options": {
"type": "String",
"value": "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
}
},
{
"name": "sudo_accounts",
"options": {
"type": "Array",
"value": [
"ubuntu"
]
}
},
{
"name": "tmout",
"options": {
"type": "Numeric",
"value": 600
}
},
{
"name": "action_mail_acct",
"options": {
"type": "String",
"value": "root"
}
},
{
"name": "audit_tools",
"options": {
"type": "Array",
"value": [
"/sbin/auditctl",
"/sbin/aureport",
"/sbin/ausearch",
"/sbin/autrace",
"/sbin/auditd",
"/sbin/audispd",
"/sbin/augenrules"
]
}
},
{
"name": "standard_audit_log_size",
"options": {
"type": "Numeric",
"value": 8894028
}
},
{
"name": "aide_conf_path",
"options": {
"type": "String",
"value": "/etc/aide/aide.conf"
}
},
{
"name": "maxlogins",
"options": {
"type": "Numeric",
"value": 10
}
},
{
"name": "is_kdump_required",
"options": {
"type": "Boolean",
"value": false
}
},
{
"name": "is_system_networked",
"options": {
"type": "Boolean",
"value": true
}
},
{
"name": "sssd_conf_path",
"options": {
"type": "String",
"value": "/etc/sssd/sssd.conf"
}
},
{
"name": "allowed_ca_fingerprints_regex",
"options": {
"type": "String",
"value": "(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)"
}
},
{
"name": "allowed_network_interfaces",
"options": {
"type": "Array",
"value": [
"lo",
"eth0"
]
}
},
{
"name": "audit_sp_remote_server",
"options": {
"type": "String",
"value": "192.0.0.1"
}
},
{
"name": "approved_wireless_interfaces",
"options": {
"type": "Array",
"value": []
}
},
{
"name": "fips_config_file",
"options": {
"type": "String",
"value": "/proc/sys/crypto/fips_enabled"
}
},
{
"name": "chrony_config_file",
"options": {
"type": "String",
"value": "/etc/chrony/chrony.conf"
}
},
{
"name": "useradd_config_file",
"options": {
"type": "String",
"value": "/etc/default/useradd"
}
},
{
"name": "rsyslog_config_file",
"options": {
"type": "String",
"value": "/etc/rsyslog.d/50-default.conf"
}
},
{
"name": "auditoffload_config_file",
"options": {
"type": "String",
"value": "/etc/cron.weekly/audit-offload"
}
},
{
"name": "audispremote_config_file",
"options": {
"type": "String",
"value": "/etc/audisp/plugins.d/au-remote.conf"
}
},
{
"name": "gdm3_config_file",
"options": {
"type": "String",
"value": "/etc/gdm3/greeter.dconf-defaults"
}
},
{
"name": "disable_fips",
"options": {
"type": "Boolean",
"value": false
}
},
{
"name": "pki_disabled",
"options": {
"type": "Boolean",
"value": false
}
},
{
"name": "admin_groups",
"options": {
"type": "Array",
"value": [
"root"
]
}
}
],
"controls": [
{
"title": "The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. ",
"desc": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.",
"descriptions": {
"default": "The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems.",
"check": "Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \"cert_policy\" is not set to\n\"ocsp_on\", or the line is commented out, this is a finding.",
"fix": "Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \"cert_policy\" lines in\n\"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000377-GPOS-00162 ",
"gid": "V-238232 ",
"rid": "SV-238232r853412_rule ",
"stig_id": "UBTU-20-010065 ",
"fix_id": "F-41401r653870_fix ",
"cci": [
"CCI-001954"
],
"nist": [
"IA-2 (12)"
],
"host": null
},
"code": "control 'SV-238232' do\n title \"The Ubuntu operating system must electronically verify Personal Identity Verification\n(PIV) credentials. \"\n desc \"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized\naccess.\n\nDoD has mandated the use of the CAC to support identity management and personal\nauthentication for systems covered under Homeland Security Presidential Directive (HSPD)\n12, as well as making the CAC a primary component of layered protection for national security\nsystems. \"\n desc 'check', \"Verify the Ubuntu operating system electronically verifies PIV credentials.\n\nVerify that\ncertificate status checking for multifactor authentication is implemented with the\nfollowing command:\n\n$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf |\nawk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy |\ngrep ocsp_on\n\ncert_policy = ca,signature,ocsp_on;\n\nIf \\\"cert_policy\\\" is not set to\n\\\"ocsp_on\\\", or the line is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to do certificate status checking for multifactor\nauthentication.\n\nModify all of the \\\"cert_policy\\\" lines in\n\\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"ocsp_on\\\". \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000377-GPOS-00162 '\n tag gid: 'V-238232 '\n tag rid: 'SV-238232r853412_rule '\n tag stig_id: 'UBTU-20-010065 '\n tag fix_id: 'F-41401r653870_fix '\n tag cci: ['CCI-001954']\n tag nist: ['IA-2 (12)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'ocsp_on' }\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238232.rb",
"line": 1
},
"id": "SV-238232"
},
{
"title": "The Ubuntu operating system must not have the telnet package installed. ",
"desc": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.",
"descriptions": {
"default": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised.",
"check": "Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding.",
"fix": "Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd"
},
"impact": 0.7,
"refs": [],
"tags": {
"severity": "high ",
"gtitle": "SRG-OS-000074-GPOS-00042 ",
"gid": "V-238326 ",
"rid": "SV-238326r654153_rule ",
"stig_id": "UBTU-20-010405 ",
"fix_id": "F-41495r654152_fix ",
"cci": [
"CCI-000197"
],
"nist": [
"IA-5 (1) (c)"
],
"host": null,
"container": null
},
"code": "control 'SV-238326' do\n title 'The Ubuntu operating system must not have the telnet package installed. '\n desc \"Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear\ntext) and easily compromised. \"\n desc 'check', \"Verify that the telnet package is not installed on the Ubuntu operating system by running the\nfollowing command:\n\n$ dpkg -l | grep telnetd\n\nIf the package is installed, this is a finding. \"\n desc 'fix', \"Remove the telnet package from the Ubuntu operating system by running the following command:\n\n\n$ sudo apt-get remove telnetd \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000074-GPOS-00042 '\n tag gid: 'V-238326 '\n tag rid: 'SV-238326r654153_rule '\n tag stig_id: 'UBTU-20-010405 '\n tag fix_id: 'F-41495r654152_fix '\n tag cci: ['CCI-000197']\n tag nist: ['IA-5 (1) (c)']\n tag 'host', 'container'\n\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238326.rb",
"line": 1
},
"id": "SV-238326"
},
{
"title": "The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. ",
"desc": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.",
"descriptions": {
"default": "If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable.",
"check": "If smart card authentication is not being used on the system, this is Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\"offline_credentials_expiration\" is not set to a value of \"1\" in \"/etc/sssd/sssd.conf\" or\nin a file with a name ending in .conf in the \"/etc/sssd/conf.d/\" directory, this is a finding.",
"fix": "Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \".conf\" and does not begin with a \".\" in the \"/etc/sssd/conf.d/\"\ndirectory instead of the \"/etc/sssd/sssd.conf\" file."
},
"impact": 0.3,
"refs": [],
"tags": {
"severity": "low ",
"gtitle": "SRG-OS-000383-GPOS-00166 ",
"gid": "V-238362 ",
"rid": "SV-238362r853437_rule ",
"stig_id": "UBTU-20-010441 ",
"fix_id": "F-41531r654260_fix ",
"cci": [
"CCI-002007"
],
"nist": [
"IA-5 (13)"
],
"host": null
},
"code": "control 'SV-238362' do\n title \"The Ubuntu operating system must be configured such that Pluggable Authentication Module\n(PAM) prohibits the use of cached authentications after one day. \"\n desc \"If cached authentication information is out-of-date, the validity of the authentication\ninformation may be questionable. \"\n desc 'check', \"If smart card authentication is not being used on the system, this is Not Applicable.\n\nVerify\nthat PAM prohibits the use of cached authentications after one day with the following\ncommand:\n\n$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf\n\noffline_credentials_expiration = 1\n\nIf\n\\\"offline_credentials_expiration\\\" is not set to a value of \\\"1\\\" in \\\"/etc/sssd/sssd.conf\\\" or\nin a file with a name ending in .conf in the \\\"/etc/sssd/conf.d/\\\" directory, this is a finding. \"\n desc 'fix', \"Configure PAM to prohibit the use of cached authentications after one day. Add or change the\nfollowing line in \\\"/etc/sssd/sssd.conf\\\" just below the line \\\"[pam]\\\":\n\n\noffline_credentials_expiration = 1\n\nNote: It is valid for this configuration to be in a\nfile with a name that ends with \\\".conf\\\" and does not begin with a \\\".\\\" in the \\\"/etc/sssd/conf.d/\\\"\ndirectory instead of the \\\"/etc/sssd/sssd.conf\\\" file. \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000383-GPOS-00166 '\n tag gid: 'V-238362 '\n tag rid: 'SV-238362r853437_rule '\n tag stig_id: 'UBTU-20-010441 '\n tag fix_id: 'F-41531r654260_fix '\n tag cci: ['CCI-002007']\n tag nist: ['IA-5 (13)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the control is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the control is Not Applicable.'\n end\n else\n config_file = input('sssd_conf_path')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('offline_credentials_expiration') { should cmp '1' }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238362.rb",
"line": 1
},
"id": "SV-238362"
},
{
"title": "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. ",
"desc": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.",
"descriptions": {
"default": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse.",
"check": "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is less than\n\"1\" or is commented out, this is a finding.",
"fix": "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_DAYS 1"
},
"impact": 0.3,
"refs": [],
"tags": {
"severity": "low ",
"gtitle": "SRG-OS-000075-GPOS-00043 ",
"gid": "V-238202 ",
"rid": "SV-238202r653781_rule ",
"stig_id": "UBTU-20-010007 ",
"fix_id": "F-41371r653780_fix ",
"cci": [
"CCI-000198"
],
"nist": [
"IA-5 (1) (d)"
],
"host": null,
"container": null
},
"code": "control 'SV-238202' do\n title \"The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.\nPasswords for new users must have a 24 hours/1 day minimum password lifetime restriction. \"\n desc \"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat\nthe password reuse or history enforcement requirement. If users are allowed to immediately\nand continually change their password, then the password could be repeatedly changed in a\nshort period of time to defeat the organization's policy regarding password reuse. \"\n desc 'check', \"Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for\nnew user accounts by running the following command:\n\n$ grep -i ^pass_min_days\n/etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \\\"PASS_MIN_DAYS\\\" parameter value is less than\n\\\"1\\\" or is commented out, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.\n\n\nAdd or modify the following line in the \\\"/etc/login.defs\\\" file:\n\nPASS_MIN_DAYS 1 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000075-GPOS-00043 '\n tag gid: 'V-238202 '\n tag rid: 'SV-238202r653781_rule '\n tag stig_id: 'UBTU-20-010007 '\n tag fix_id: 'F-41371r653780_fix '\n tag cci: ['CCI-000198']\n tag nist: ['IA-5 (1) (d)']\n tag 'host', 'container'\n\n describe login_defs do\n its('PASS_MIN_DAYS') { should >= '1' }\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238202.rb",
"line": 1
},
"id": "SV-238202"
},
{
"title": "The Ubuntu operating system library directories must be owned by root. ",
"desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.",
"descriptions": {
"default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.",
"check": "Verify the system-wide shared library directories \"/lib\", \"/lib64\", and \"/usr/lib\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \"%n %U\" '{}' \\;\n\nIf any system-wide library directory is returned, this is a\nfinding.",
"fix": "Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\;"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000259-GPOS-00100 ",
"gid": "V-238350 ",
"rid": "SV-238350r654225_rule ",
"stig_id": "UBTU-20-010429 ",
"fix_id": "F-41519r654224_fix ",
"cci": [
"CCI-001499"
],
"nist": [
"CM-5 (6)"
],
"host": null,
"container": null
},
"code": "control 'SV-238350' do\n title 'The Ubuntu operating system library directories must be owned by root. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide shared library directories \\\"/lib\\\", \\\"/lib64\\\", and \\\"/usr/lib\\\" are\nowned by root with the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user root -type\nd -exec stat -c \\\"%n %U\\\" '{}' \\\\;\n\nIf any system-wide library directory is returned, this is a\nfinding. \"\n desc 'fix', \"Configure the library files and their respective parent directories to be protected from\nunauthorized access. Run the following command:\n\n$ sudo find /lib /usr/lib /lib64 ! -user\nroot -type d -exec chown root '{}' \\\\; \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238350 '\n tag rid: 'SV-238350r654225_rule '\n tag stig_id: 'UBTU-20-010429 '\n tag fix_id: 'F-41519r654224_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_dirs = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-user root \\-type d').stdout.strip.split(\"\\n\").entries\n end\n\n if library_dirs.count > 0\n library_dirs.each do |lib_file|\n describe file(lib_file) do\n its('owner') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library directories found that are NOT owned by root' do\n subject { library_dirs }\n its('count') { should eq 0 }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238350.rb",
"line": 1
},
"id": "SV-238350"
},
{
"title": "The Ubuntu operating system must configure the audit tools to be group-owned by root. ",
"desc": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.",
"descriptions": {
"default": "Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.",
"check": "Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \"%n %G\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding.",
"fix": "Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \"[audit_tool]\" with each audit tool not group-owned by root."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000256-GPOS-00097 ",
"satisfies": [
"SRG-OS-000256-GPOS-00097",
"SRG-OS-000257-GPOS-00098"
],
"gid": "V-238302 ",
"rid": "SV-238302r654081_rule ",
"stig_id": "UBTU-20-010201 ",
"fix_id": "F-41471r654080_fix ",
"cci": [
"CCI-001493",
"CCI-001494"
],
"nist": [
"AU-9 a",
"AU-9"
],
"host": null
},
"code": "control 'SV-238302' do\n title 'The Ubuntu operating system must configure the audit tools to be group-owned by root. '\n desc \"Protecting audit information also includes identifying and protecting the tools used to\nview and manipulate log data. Therefore, protecting audit tools is necessary to prevent\nunauthorized operation on audit information.\n\nOperating systems providing tools to\ninterface with audit information will leverage user permissions and roles identifying the\nuser accessing the tools and the corresponding rights the user enjoys in order to make access\ndecisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to,\nvendor-provided and open source audit tools needed to successfully view and manipulate\naudit information system activity and records. Audit tools include custom queries and\nreport generators.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system configures the audit tools to be group-owned by root to\nprevent any unauthorized access.\n\nCheck the group ownership by running the following\ncommand:\n\n$ stat -c \\\"%n %G\\\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace\n/sbin/auditd /sbin/audispd /sbin/augenrules\n\n/sbin/auditctl root\n/sbin/aureport\nroot\n/sbin/ausearch root\n/sbin/autrace root\n/sbin/auditd root\n/sbin/audispd root\n\n/sbin/augenrules root\n\nIf any of the audit tools are not group-owned by root, this is a\nfinding. \"\n desc 'fix', \"Configure the audit tools on the Ubuntu operating system to be protected from unauthorized\naccess by setting the file group as root using the following command:\n\n$ sudo chown :root\n[audit_tool]\n\nReplace \\\"[audit_tool]\\\" with each audit tool not group-owned by root. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000256-GPOS-00097 '\n tag satisfies: %w(SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098)\n tag gid: 'V-238302 '\n tag rid: 'SV-238302r654081_rule '\n tag stig_id: 'UBTU-20-010201 '\n tag fix_id: 'F-41471r654080_fix '\n tag cci: %w(CCI-001493 CCI-001494)\n tag nist: ['AU-9 a', 'AU-9']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n audit_tools = input('audit_tools')\n\n audit_tools.each do |tool|\n describe file(tool) do\n its('group') { should cmp 'root' }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238302.rb",
"line": 1
},
"id": "SV-238302"
},
{
"title": "The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. ",
"desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.",
"descriptions": {
"default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.",
"check": "Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \"log_group\" parameter is other than \"root\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \"root\" group by using the following command:\n$ sudo stat -c \"%n %G\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\"root\", this is a finding.",
"fix": "Configure the audit log directory and its underlying files to be owned by \"root\" group.\n\nSet\nthe \"log_group\" parameter of the audit configuration file to the \"root\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000057-GPOS-00027 ",
"satisfies": [
"SRG-OS-000057-GPOS-00027",
"SRG-OS-000058-GPOS-00028",
"SRG-OS-000059-GPOS-00029"
],
"gid": "V-238247 ",
"rid": "SV-238247r832947_rule ",
"stig_id": "UBTU-20-010124 ",
"fix_id": "F-41416r832946_fix ",
"cci": [
"CCI-000162"
],
"nist": [
"AU-9 a"
],
"host": null
},
"code": "control 'SV-238247' do\n title \"The Ubuntu operating system must permit only authorized groups ownership of the audit log\nfiles. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify the group owner is set to own newly created audit logs in the audit configuration file\nwith the following command:\n$ sudo grep -iw log_group /etc/audit/auditd.conf\nlog_group =\nroot\n\nIf the value of the \\\"log_group\\\" parameter is other than \\\"root\\\", this is a\nfinding.\n\nDetermine where the audit logs are stored with the following command:\n$ sudo grep\n-iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the\npath of the directory containing the audit logs, determine if the audit log files are owned by\nthe \\\"root\\\" group by using the following command:\n$ sudo stat -c \\\"%n %G\\\" /var/log/audit/*\n\n/var/log/audit/audit.log root\n\nIf the audit log files are owned by a group other than\n\\\"root\\\", this is a finding. 
\"\n desc 'fix', \"Configure the audit log directory and its underlying files to be owned by \\\"root\\\" group.\n\nSet\nthe \\\"log_group\\\" parameter of the audit configuration file to the \\\"root\\\" value so when a new log\nfile is created, its group owner is properly set:\n$ sudo sed -i '/^log_group/D'\n/etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root'\n/etc/audit/auditd.conf\n\nLast, signal the audit daemon to reload the configuration file to\nupdate the group owners of existing files:\n$ sudo systemctl kill auditd -s SIGHUP \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029)\n tag gid: 'V-238247 '\n tag rid: 'SV-238247r832947_rule '\n tag stig_id: 'UBTU-20-010124 '\n tag fix_id: 'F-41416r832946_fix '\n tag cci: ['CCI-000162']\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n admin_groups = input('admin_groups')\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n its('group') { should be_in admin_groups }\n end\n else\n # log_file is nil here, so it must not be concatenated into the description\n describe('Audit log file (log_file in /etc/audit/auditd.conf) is set') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238247.rb",
"line": 1
},
"id": "SV-238247"
},
{
"title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"check": "Verify that an audit event is generated for any successful/unsuccessful use of the \"usermod\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above.",
"fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"usermod\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"gid": "V-238292 ",
"rid": "SV-238292r654051_rule ",
"stig_id": "UBTU-20-010176 ",
"fix_id": "F-41461r654050_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238292' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the usermod command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the \\\"usermod\\\"\ncommand.\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo\nauditctl -l | grep -w usermod\n\n-a always,exit -F path=/usr/sbin/usermod -F perm=x -F\nauid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return a line that\nmatches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for\nspecifying an arbitrary identifier, and the string after it does not need to match the example\noutput above. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"usermod\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F path=/usr/sbin/usermod -F\nperm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod\n\nTo reload the rules\nfile, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238292 '\n tag rid: 'SV-238292r654051_rule '\n tag stig_id: 'UBTU-20-010176 '\n tag fix_id: 'F-41461r654050_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/usermod'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238292.rb",
"line": 1
},
"id": "SV-238292"
},
{
"title": "The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. ",
"desc": "Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).",
"descriptions": {
"default": "Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates).",
"check": "Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \"crl_offline\" or \"crl_auto\" is\npart of the \"cert_policy\" definition in \"/etc/pam_pkcs11/pam_pkcs11.conf\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\"cert_policy\" is not set to include \"crl_auto\" or \"crl_offline\", this is a finding.",
"fix": "Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\"cert_policy\" option in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"crl_auto\" or\n\"crl_offline\".\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf the system is\nmissing an \"/etc/pam_pkcs11/\" directory and an \"/etc/pam_pkcs11/pam_pkcs11.conf\", find\nan example to copy into place and modify accordingly at\n\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000384-GPOS-00167 ",
"gid": "V-238233 ",
"rid": "SV-238233r853413_rule ",
"stig_id": "UBTU-20-010066 ",
"fix_id": "F-41402r653873_fix ",
"cci": [
"CCI-001991"
],
"nist": [
"IA-5 (2) (d)"
],
"host": null
},
"code": "control 'SV-238233' do\n title \"The Ubuntu operating system for PKI-based authentication, must implement a local cache of\nrevocation data in case of the inability to access revocation information via the network. \"\n desc \"Without configuring a local cache of revocation data, there is the potential to allow access\nto users who are no longer authorized (users with revoked certificates). \"\n desc 'check', \"Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation\ndata when unable to access it from the network.\n\nVerify that \\\"crl_offline\\\" or \\\"crl_auto\\\" is\npart of the \\\"cert_policy\\\" definition in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" using the\nfollowing command:\n\n# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E --\n'crl_auto|crl_offline'\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf\n\\\"cert_policy\\\" is not set to include \\\"crl_auto\\\" or \\\"crl_offline\\\", this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system, for PKI-based authentication, to use local\nrevocation data when unable to access the network to obtain it remotely.\n\nAdd or update the\n\\\"cert_policy\\\" option in \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\" to include \\\"crl_auto\\\" or\n\\\"crl_offline\\\".\n\ncert_policy = ca,signature,ocsp_on,crl_auto;\n\nIf the system is\nmissing an \\\"/etc/pam_pkcs11/\\\" directory and an \\\"/etc/pam_pkcs11/pam_pkcs11.conf\\\", find\nan example to copy into place and modify accordingly at\n\\\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\\\". 
\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000384-GPOS-00167 '\n tag gid: 'V-238233 '\n tag rid: 'SV-238233r853413_rule '\n tag stig_id: 'UBTU-20-010066 '\n tag fix_id: 'F-41402r653873_fix '\n tag cci: ['CCI-001991']\n tag nist: ['IA-5 (2) (d)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n config_file_exists = file('/etc/pam_pkcs11/pam_pkcs11.conf').exist?\n if config_file_exists\n describe.one do\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_auto' }\n end\n describe parse_config_file('/etc/pam_pkcs11/pam_pkcs11.conf') do\n its('cert_policy') { should include 'crl_offline' }\n end\n end\n else\n describe '/etc/pam_pkcs11/pam_pkcs11.conf exists' do\n subject { config_file_exists }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238233.rb",
"line": 1
},
"id": "SV-238233"
},
{
"title": "The Ubuntu operating system library files must be group-owned by root or a system account. ",
"desc": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.",
"descriptions": {
"default": "If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications.",
"check": "Verify the system-wide library files contained in the directories \"/lib\", \"/lib64\", and\n\"/usr/lib\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \"%n %G\" '{}' \\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding.",
"fix": "Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \"[FILE]\" with any system library file not group-owned by\n\"root\" or a required system account:\n\n$ sudo chgrp root [FILE]"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000259-GPOS-00100 ",
"gid": "V-238351 ",
"rid": "SV-238351r832962_rule ",
"stig_id": "UBTU-20-010430 ",
"fix_id": "F-41520r832961_fix ",
"cci": [
"CCI-001499"
],
"nist": [
"CM-5 (6)"
],
"host": null,
"container": null
},
"code": "control 'SV-238351' do\n title 'The Ubuntu operating system library files must be group-owned by root or a system account. '\n desc \"If the operating system were to allow any user to make changes to software libraries, then\nthose changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to\noperating systems with software libraries that are accessible and configurable, as in the\ncase of interpreted languages. Software libraries also include privileged programs which\nexecute with escalated privileges. Only qualified and authorized individuals must be\nallowed to obtain access to information system components for purposes of initiating\nchanges, including upgrades and modifications. \"\n desc 'check', \"Verify the system-wide library files contained in the directories \\\"/lib\\\", \\\"/lib64\\\", and\n\\\"/usr/lib\\\" are group-owned by root, or a required system account, with the following\ncommand:\n\n$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c \\\"%n %G\\\" '{}' \\\\;\n\n\nIf any system-wide shared library file is returned and is not group-owned by a required\nsystem account, this is a finding. \"\n desc 'fix', \"Configure the system library files to be protected from unauthorized access. Run the\nfollowing command, replacing \\\"[FILE]\\\" with any system library file not group-owned by\n\\\"root\\\" or a required system account:\n\n$ sudo chgrp root [FILE] \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000259-GPOS-00100 '\n tag gid: 'V-238351 '\n tag rid: 'SV-238351r832962_rule '\n tag stig_id: 'UBTU-20-010430 '\n tag fix_id: 'F-41520r832961_fix '\n tag cci: ['CCI-001499']\n tag nist: ['CM-5 (6)']\n tag 'host', 'container'\n\n library_files = if os.arch == 'x86_64'\n command('find /lib /usr/lib /usr/lib32 /lib32 /lib64 ! 
\\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n else\n command('find /lib /usr/lib /usr/lib32 /lib32 ! \\-group root \\-type f').stdout.strip.split(\"\\n\").entries\n end\n\n if library_files.count > 0\n library_files.each do |lib_file|\n describe file(lib_file) do\n its('group') { should cmp 'root' }\n end\n end\n else\n describe 'Number of system-wide shared library files found that are NOT group-owned by root' do\n subject { library_files }\n its('count') { should eq 0 }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238351.rb",
"line": 1
},
"id": "SV-238351"
},
{
"title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"check": "Verify that an audit event is generated for any successful/unsuccessful use of the\n\"pam_timestamp_check\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \"-k\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove.",
"fix": "Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \"pam_timestamp_check\" command.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"gid": "V-238294 ",
"rid": "SV-238294r654057_rule ",
"stig_id": "UBTU-20-010178 ",
"fix_id": "F-41463r654056_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238294' do\n title \"The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the pam_timestamp_check command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify that an audit event is generated for any successful/unsuccessful use of the\n\\\"pam_timestamp_check\\\" command.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep -w pam_timestamp_check\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k\nprivileged-pam_timestamp_check\n\nIf the command does not return a line that matches the\nexample or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\" allows for specifying\nan arbitrary identifier, and the string after it does not need to match the example output\nabove. 
\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful uses\nof the \\\"pam_timestamp_check\\\" command.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-a always,exit -F\npath=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k\nprivileged-pam_timestamp_check\n\nTo reload the rules file, issue the following command:\n\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag gid: 'V-238294 '\n tag rid: 'SV-238294r654057_rule '\n tag stig_id: 'UBTU-20-010178 '\n tag fix_id: 'F-41463r654056_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/usr/sbin/pam_timestamp_check'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238294.rb",
"line": 1
},
"id": "SV-238294"
},
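The two audit-rule controls above (usermod and pam_timestamp_check), together with the auditd.conf log_group check (UBTU-20-010124), the 0600 log-file mode check (UBTU-20-010122) and the audit-tool group-ownership check (UBTU-20-010201) elsewhere in this profile, all reduce to parsing a few lines of text. The following is an added example, not part of this InSpec profile or of the STIG: a dependency-free POSIX sh/awk validator that applies the same pass/fail logic to constructed sample input, so the matching rules can be exercised without root and without auditd installed. The sample rule lines, auditd.conf fragment and stat output are constructed for the example; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the profile or the STIG): portable validators for
# the auditd checks in this profile, driven by constructed sample text.
# On a real host feed them `sudo auditctl -l`, /etc/audit/auditd.conf and
# `sudo stat -c '%n %G' ...` output instead of the samples below.

# audit_rule_ok PATH RULES_TEXT
# Exit 0 if RULES_TEXT holds an active, uncommented "-F path=PATH" rule with
# action always,exit, a perm list containing x, auid>=1000 and an
# unset-loginuid exclusion. `auditctl -l` prints that exclusion as auid!=-1
# even when the rules file says auid!=4294967295 (same 32-bit value), so
# both spellings are accepted. Watches written with -w are printed by
# auditctl as "-w PATH -p x" and are deliberately not matched: the STIG check
# expects the -F path= form. PATH is used as a regex, so it should not
# contain metacharacters.
audit_rule_ok() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^[ \t]*#/ { next }                                   # commented out
        $0 !~ ("-F path=" p "([ \t]|$)") { next }             # some other path
        /-a[ \t]+never/ { next }                              # explicitly disabled
        /-a[ \t]+always,exit/ && /-F[ \t]+perm=[rwae]*x/ &&
        /-F[ \t]+auid>=1000/ && /-F[ \t]+auid!=(-1|4294967295)/ { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# auditd_conf_value CONF_TEXT KEY
# Print the value of KEY from auditd.conf text: keys are case-insensitive,
# the first uncommented match wins, surrounding whitespace is trimmed.
auditd_conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(k)) { print val; exit }
        }'
}

# log_group_ok CONF_TEXT: UBTU-20-010124 requires log_group = root.
log_group_ok() {
    [ "$(auditd_conf_value "$1" log_group)" = root ]
}

# mode_ok MODE: MODE is the octal string from `stat -c %a`. Succeeds when no
# bit outside 0600 is set, i.e. the file is 0600 "or less permissive".
# The leading 0 makes the shell read the string as octal.
mode_ok() {
    [ $(( 0$1 & ~0600 )) -eq 0 ]
}

# not_group_root STAT_TEXT: print each path from `stat -c '%n %G'` output
# whose group is not root (the UBTU-20-010201 finding list). Paths with
# embedded spaces are not expected under /sbin.
not_group_root() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $2 != "root" { print $1 }'
}

# Constructed sample inputs (not captured from a host).
SAMPLE_RULES='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
# -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check
-a always,exit -F path=/usr/sbin/chage -F perm=r -F auid>=1000 -F auid!=-1 -k privileged-chage'

SAMPLE_AUDITD_CONF='# This file controls the configuration of the audit daemon
local_events = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED'

SAMPLE_STAT='/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch adm
/sbin/autrace root'

# Walk the samples the way the STIG checks would on a host.
for tool in /usr/sbin/usermod /usr/sbin/pam_timestamp_check /usr/sbin/chage; do
    if audit_rule_ok "$tool" "$SAMPLE_RULES"; then
        echo "PASS audit rule for $tool"
    else
        echo "FAIL audit rule for $tool"   # pam_timestamp_check (commented out), chage (no x)
    fi
done
echo "log_file = $(auditd_conf_value "$SAMPLE_AUDITD_CONF" log_file)"
log_group_ok "$SAMPLE_AUDITD_CONF" || echo "FAIL log_group is not root"
mode_ok 640 || echo "FAIL mode 640 is more permissive than 0600"
not_group_root "$SAMPLE_STAT" | sed 's/^/FAIL not group-owned by root: /'
```

Two points the functions make explicit that the STIG's `grep -w usermod` does not: a key such as `privileged-usermod` or a rule for a different binary also matches the grep, whereas the awk anchors on `-F path=` followed by a delimiter; and a rule that is present but commented out, or carries `-a never,exit`, is a finding even though grep would still print it. The `-1` versus `4294967295` difference is why the check text and the fix text in the controls above show different values for the same rule.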
{
"title": "The Ubuntu operating system must prohibit password reuse for a minimum of five generations. ",
"desc": "Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.",
"descriptions": {
"default": "Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.",
"check": "Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \"remember\" parameter value is not greater\nthan or equal to \"5\", is commented out, or is not set at all, this is a finding.",
"fix": "Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \"remember\" parameter value to the following line in\n\"/etc/pam.d/common-password\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000"
},
"impact": 0.3,
"refs": [],
"tags": {
"severity": "low ",
"gtitle": "SRG-OS-000077-GPOS-00045 ",
"satisfies": [
"SRG-OS-000077-GPOS-00045",
"SRG-OS-000073-GPOS-00041"
],
"gid": "V-238234 ",
"rid": "SV-238234r832945_rule ",
"stig_id": "UBTU-20-010070 ",
"fix_id": "F-41403r832944_fix ",
"cci": [
"CCI-000196",
"CCI-000200"
],
"nist": [
"IA-5 (1) (c)",
"IA-5 (1) (e)"
],
"host": null
},
"code": "control 'SV-238234' do\n title 'The Ubuntu operating system must prohibit password reuse for a minimum of five generations. '\n desc \"Password complexity, or strength, is a measure of the effectiveness of a password in\nresisting attempts at guessing and brute-force attacks. If the information system or\napplication allows the user to consecutively reuse their password when that password has\nexceeded its defined lifetime, the end result is a password that is not changed as per policy\nrequirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five\ngenerations by running the following command:\n\n$ grep -i remember\n/etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so obscure\nsha512 shadow remember=5 rounds=5000\n\nIf the \\\"remember\\\" parameter value is not greater\nthan or equal to \\\"5\\\", is commented out, or is not set at all, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of\nfive generations.\n\nAdd or modify the \\\"remember\\\" parameter value to the following line in\n\\\"/etc/pam.d/common-password\\\" file:\n\npassword [success=1 default=ignore] pam_unix.so\nobscure sha512 shadow remember=5 rounds=5000 \"\n impact 0.3\n tag severity: 'low '\n tag gtitle: 'SRG-OS-000077-GPOS-00045 '\n tag satisfies: %w(SRG-OS-000077-GPOS-00045 SRG-OS-000073-GPOS-00041)\n tag gid: 'V-238234 '\n tag rid: 'SV-238234r832945_rule '\n tag stig_id: 'UBTU-20-010070 '\n tag fix_id: 'F-41403r832944_fix '\n tag cci: %w(CCI-000196 CCI-000200)\n tag nist: ['IA-5 (1) (c)', 'IA-5 (1) (e)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n describe file('/etc/pam.d/common-password') do\n it { should exist }\n end\n\n describe command(\"grep -i remember 
/etc/pam.d/common-password | sed 's/.*remember=\\\\([^ ]*\\\\).*/\\\\1/'\") do\n its('exit_status') { should eq 0 }\n its('stdout.strip') { should cmp >= 5 }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238234.rb",
"line": 1
},
"id": "SV-238234"
},
{
"title": "The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. ",
"desc": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.",
"descriptions": {
"default": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.",
"check": "Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \"0600\" or\nless by using the following command:\n\n$ sudo stat -c \"%n %a\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\"0600\", this is a finding.",
"fix": "Configure the audit log files to have a mode of \"0600\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/*"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000057-GPOS-00027 ",
"satisfies": [
"SRG-OS-000057-GPOS-00027",
"SRG-OS-000058-GPOS-00028"
],
"gid": "V-238245 ",
"rid": "SV-238245r653910_rule ",
"stig_id": "UBTU-20-010122 ",
"fix_id": "F-41414r653909_fix ",
"cci": [
"CCI-000162",
"CCI-000163"
],
"nist": [
"AU-9 a"
],
"host": null
},
"code": "control 'SV-238245' do\n title \"The Ubuntu operating system must be configured so that audit log files are not read or\nwrite-accessible by unauthorized users. \"\n desc \"Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.\n\nAudit information includes all\ninformation (e.g., audit records, audit settings, audit reports) needed to successfully\naudit operating system activity.\n\n \"\n desc 'check', \"Verify that the audit log files have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where the\naudit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, determine if the audit log files have a mode of \\\"0600\\\" or\nless by using the following command:\n\n$ sudo stat -c \\\"%n %a\\\" /var/log/audit/*\n\n/var/log/audit/audit.log 600\n\nIf the audit log files have a mode more permissive than\n\\\"0600\\\", this is a finding. \n\"\n desc 'fix', \"Configure the audit log files to have a mode of \\\"0600\\\" or less permissive.\n\nDetermine where\nthe audit logs are stored with the following command:\n\n$ sudo grep -iw log_file\n/etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the\ndirectory containing the audit logs, configure the audit log files to have a mode of \\\"0600\\\" or\nless permissive by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/* \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000057-GPOS-00027 '\n tag satisfies: %w(SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028)\n tag gid: 'V-238245 '\n tag rid: 'SV-238245r653910_rule '\n tag stig_id: 'UBTU-20-010122 '\n tag fix_id: 'F-41414r653909_fix '\n tag cci: %w(CCI-000162 CCI-000163)\n tag nist: ['AU-9 a']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n log_file = auditd_conf.log_file\n\n log_file_exists = !log_file.nil?\n if log_file_exists\n describe file(log_file) do\n it { should_not be_more_permissive_than('0600') }\n end\n else\n describe('Audit log file ' + log_file + ' exists') do\n subject { log_file_exists }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238245.rb",
"line": 1
},
"id": "SV-238245"
},
{
"title": "The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. ",
"desc": "Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.",
"descriptions": {
"default": "Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.",
"check": "Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\"libpam-pkcs11\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \"no\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding.",
"fix": "Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \"pam_pkcs11.so\" in \"/etc/pam.d/common-auth\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\"PubkeyAuthentication yes\" in the \"/etc/ssh/sshd_config\" file."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000105-GPOS-00052 ",
"satisfies": [
"SRG-OS-000105-GPOS-00052",
"SRG-OS-000106-GPOS-00053",
"SRG-OS-000107-GPOS-00054",
"SRG-OS-000108-GPOS-00055"
],
"gid": "V-238210 ",
"rid": "SV-238210r858517_rule ",
"stig_id": "UBTU-20-010033 ",
"fix_id": "F-41379r653804_fix ",
"cci": [
"CCI-000765",
"CCI-000766",
"CCI-000767",
"CCI-000768"
],
"nist": [
"IA-2 (1)",
"IA-2 (2)",
"IA-2 (3)",
"IA-2 (4)"
],
"host": null
},
"code": "control 'SV-238210' do\n title \"The Ubuntu operating system must implement smart card logins for multifactor\nauthentication for local and network access to privileged and non-privileged accounts. \"\n desc \"Without the use of multifactor authentication, the ease of access to privileged functions is\ngreatly increased.\n\nMultifactor authentication requires using two or more factors to\nachieve authentication.\n\nFactors include:\n1) something a user knows (e.g.,\npassword/PIN);\n2) something a user has (e.g., cryptographic identification device,\ntoken); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an\ninformation system account with authorizations of a privileged user.\n\nNetwork access is\ndefined as access to an information system by a user (or a process acting on behalf of a user)\ncommunicating through a network (e.g., local area network, wide area network, or the\ninternet).\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system has the packages required for multifactor\nauthentication installed with the following commands:\n\n$ dpkg -l | grep libpam-pkcs11\n\nii\nlibpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards\n\nIf the\n\\\"libpam-pkcs11\\\" package is not installed, this is a finding.\n\nVerify the sshd daemon allows\npublic key authentication with the following command:\n\n$ grep -r ^Pubkeyauthentication\n/etc/ssh/sshd_config*\n\nPubkeyAuthentication yes\n\nIf this option is set to \\\"no\\\" or is\nmissing, this is a finding.\nIf conflicting results are returned, this is a finding. \n\"\n desc 'fix', \"Configure the Ubuntu operating system to use multifactor authentication for network access\nto accounts.\n\nAdd or update \\\"pam_pkcs11.so\\\" in \\\"/etc/pam.d/common-auth\\\" to match the\nfollowing line:\n\nauth [success=2 default=ignore] pam_pkcs11.so\n\nSet the sshd option\n\\\"PubkeyAuthentication yes\\\" in the \\\"/etc/ssh/sshd_config\\\" file. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000105-GPOS-00052 '\n tag satisfies: %w(SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055)\n tag gid: 'V-238210 '\n tag rid: 'SV-238210r858517_rule '\n tag stig_id: 'UBTU-20-010033 '\n tag fix_id: 'F-41379r653804_fix '\n tag cci: %w(CCI-000765 CCI-000766 CCI-000767 CCI-000768)\n tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n elsif input('pki_disabled')\n impact 0.0\n describe 'This system is not using PKI for authentication so the controls is Not Applicable.' do\n skip 'This system is not using PKI for authentication so the controls is Not Applicable.'\n end\n else\n describe package('libpam-pkcs11') do\n it { should be_installed }\n end\n\n describe sshd_config do\n its('PubkeyAuthentication') { should cmp 'yes' }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238210.rb",
"line": 1
},
"id": "SV-238210"
},
{
"title": "The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. ",
"desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
"descriptions": {
"default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
"check": "Verify that the Ubuntu operating system configures the \"/var/log\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \"%n %G\" /var/log\n/var/log\nsyslog\n\nIf the \"/var/log\" directory is not group-owned by syslog, this is a finding.",
"fix": "Configure the Ubuntu operating system to have syslog group-own the \"/var/log\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000206-GPOS-00084 ",
"gid": "V-238338 ",
"rid": "SV-238338r654189_rule ",
"stig_id": "UBTU-20-010417 ",
"fix_id": "F-41507r654188_fix ",
"cci": [
"CCI-001314"
],
"nist": [
"SI-11 b"
],
"host": null,
"container": null
},
"code": "control 'SV-238338' do\n title \"The Ubuntu operating system must configure the /var/log directory to be group-owned by\nsyslog. \"\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log\\\" directory to be\ngroup-owned by syslog with the following command:\n\n$ sudo stat -c \\\"%n %G\\\" /var/log\n/var/log\nsyslog\n\nIf the \\\"/var/log\\\" directory is not group-owned by syslog, this is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog group-own the \\\"/var/log\\\" directory by\nrunning the following command:\n\n$ sudo chgrp syslog /var/log \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238338 '\n tag rid: 'SV-238338r654189_rule '\n tag stig_id: 'UBTU-20-010417 '\n tag fix_id: 'F-41507r654188_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe directory('/var/log') do\n its('group') { should cmp 'syslog' }\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238338.rb",
"line": 1
},
"id": "SV-238338"
},
{
"title": "The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. ",
"desc": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.",
"descriptions": {
"default": "Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.",
"check": "Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \"-k\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above.",
"fix": "Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \"/etc/passwd\".\n\nAdd or\nupdate the following rule to \"/etc/audit/rules.d/stig.rules\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000004-GPOS-00004 ",
"satisfies": [
"SRG-OS-000004-GPOS-00004",
"SRG-OS-000239-GPOS-00089",
"SRG-OS-000240-GPOS-00090",
"SRG-OS-000241-GPOS-00091",
"SRG-OS-000303-GPOS-00120",
"SRG-OS-000458-GPOS-00203",
"SRG-OS-000463-GPOS-00207",
"SRG-OS-000476-GPOS-00221"
],
"gid": "V-238238 ",
"rid": "SV-238238r853416_rule ",
"stig_id": "UBTU-20-010100 ",
"fix_id": "F-41407r653888_fix ",
"cci": [
"CCI-000018",
"CCI-000172",
"CCI-001403",
"CCI-001404",
"CCI-001405",
"CCI-002130"
],
"nist": [
"AC-2 (4)",
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238238' do\n title \"The Ubuntu operating system must generate audit records for all account creations,\nmodifications, disabling, and termination events that affect /etc/passwd. \"\n desc \"Once an attacker establishes access to a system, the attacker often attempts to create a\npersistent method of reestablishing access. One way to accomplish this is for the attacker to\ncreate an account. Auditing account creation actions provides logging that can be used for\nforensic purposes.\n\nTo address access requirements, many operating systems may be\nintegrated with enterprise level authentication/access/auditing mechanisms that meet or\nexceed access control policy requirements.\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nCheck the\ncurrently configured audit rules with the following command:\n\n$ sudo auditctl -l | grep\npasswd\n\n-w /etc/passwd -p wa -k usergroup_modification\n\nIf the command does not return a\nline that matches the example or the line is commented out, this is a finding.\n\nNote: The \\\"-k\\\"\nallows for specifying an arbitrary identifier, and the string after it does not need to match\nthe example output above. \n\"\n desc 'fix', \"Configure the Ubuntu operating system to generate audit records for all account creations,\nmodifications, disabling, and termination events that affect \\\"/etc/passwd\\\".\n\nAdd or\nupdate the following rule to \\\"/etc/audit/rules.d/stig.rules\\\":\n\n-w /etc/passwd -p wa -k\nusergroup_modification\n\nTo reload the rules file, issue the following command:\n\n$ sudo\naugenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000004-GPOS-00004 '\n tag satisfies: %w(SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000458-GPOS-00203 SRG-OS-000463-GPOS-00207 SRG-OS-000476-GPOS-00221)\n tag gid: 'V-238238 '\n tag rid: 'SV-238238r853416_rule '\n tag stig_id: 'UBTU-20-010100 '\n tag fix_id: 'F-41407r653888_fix '\n tag cci: %w(CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-002130)\n tag nist: ['AC-2 (4)', 'AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/etc/passwd'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238238.rb",
"line": 1
},
"id": "SV-238238"
},
{
"title": "The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. ",
"desc": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
"descriptions": {
"default": "Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements.",
"check": "Verify that the Ubuntu operating system configures the \"/var/log/syslog\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \"%n %U\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \"/var/log/syslog\" file is not owned by syslog, this is a\nfinding.",
"fix": "Configure the Ubuntu operating system to have syslog own the \"/var/log/syslog\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000206-GPOS-00084 ",
"gid": "V-238342 ",
"rid": "SV-238342r654201_rule ",
"stig_id": "UBTU-20-010421 ",
"fix_id": "F-41511r654200_fix ",
"cci": [
"CCI-001314"
],
"nist": [
"SI-11 b"
],
"host": null,
"container": null
},
"code": "control 'SV-238342' do\n title 'The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. '\n desc \"Only authorized personnel should be aware of errors and the details of the errors. Error\nmessages are an indicator of an organization's operational state or can identify the\noperating system or platform. Additionally, Personally Identifiable Information (PII)\nand operational information must not be revealed through error messages to unauthorized\npersonnel or their designated representatives.\n\nThe structure and content of error\nmessages must be carefully considered by the organization and development team. The extent\nto which the information system is able to identify and handle error conditions is guided by\norganizational policy and operational requirements. \"\n desc 'check', \"Verify that the Ubuntu operating system configures the \\\"/var/log/syslog\\\" file to be owned by\nsyslog with the following command:\n\n$ sudo stat -c \\\"%n %U\\\" /var/log/syslog\n\n/var/log/syslog syslog\n\nIf the \\\"/var/log/syslog\\\" file is not owned by syslog, this is a\nfinding. \"\n desc 'fix', \"Configure the Ubuntu operating system to have syslog own the \\\"/var/log/syslog\\\" file by\nrunning the following command:\n\n$ sudo chown syslog /var/log/syslog \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000206-GPOS-00084 '\n tag gid: 'V-238342 '\n tag rid: 'SV-238342r654201_rule '\n tag stig_id: 'UBTU-20-010421 '\n tag fix_id: 'F-41511r654200_fix '\n tag cci: ['CCI-001314']\n tag nist: ['SI-11 b']\n tag 'host', 'container'\n\n describe file('/var/log/syslog') do\n its('owner') { should cmp 'syslog' }\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238342.rb",
"line": 1
},
"id": "SV-238342"
},
{
"title": "The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"check": "Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \"fdisk\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\"-k\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above.",
"fix": "Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \"fdisk\".\n\nAdd or update the following rule in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000477-GPOS-00222 ",
"gid": "V-238320 ",
"rid": "SV-238320r832956_rule ",
"stig_id": "UBTU-20-010298 ",
"fix_id": "F-41489r832955_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238320' do\n title \"The Ubuntu operating system must generate audit records when successful/unsuccessful\nattempts to use the fdisk command. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter). \"\n desc 'check', \"Verify the Ubuntu operating system is configured to audit the execution of the partition\nmanagement program \\\"fdisk\\\".\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep fdisk\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nIf\nthe command does not return a line, or the line is commented out, this is a finding.\n\nNote: The\n\\\"-k\\\" allows for specifying an arbitrary identifier, and the string after it does not need to\nmatch the example output above. \n\"\n desc 'fix', \"Configure the Ubuntu operating system to audit the execution of the partition management\nprogram \\\"fdisk\\\".\n\nAdd or update the following rule in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /usr/sbin/fdisk -p x -k fdisk\n\nTo reload the\nrules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000477-GPOS-00222 '\n tag gid: 'V-238320 '\n tag rid: 'SV-238320r832956_rule '\n tag stig_id: 'UBTU-20-010298 '\n tag fix_id: 'F-41489r832955_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/sbin/fdisk'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'x' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238320.rb",
"line": 1
},
"id": "SV-238320"
},
{
"title": "Ubuntu operating systems handling data requiring \"data at rest\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. ",
"desc": "Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.",
"descriptions": {
"default": "Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation.",
"check": "If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.",
"fix": "To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000185-GPOS-00079 ",
"gid": "V-238335 ",
"rid": "SV-238335r654180_rule ",
"stig_id": "UBTU-20-010414 ",
"fix_id": "F-41504r654179_fix ",
"cci": [
"CCI-001199"
],
"nist": [
"SC-28"
],
"host": null,
"container": null
},
"code": "control 'SV-238335' do\n title \"Ubuntu operating systems handling data requiring \\\"data at rest\\\" protections must employ\ncryptographic mechanisms to prevent unauthorized disclosure and modification of the\ninformation at rest. \"\n desc \"Information at rest refers to the state of information when it is located on a secondary\nstorage device (e.g., disk drive and tape drive, when used for backups) within an operating\nsystem.\n\nThis requirement addresses protection of user-generated data, as well as\noperating system-specific configuration data. Organizations may choose to employ\ndifferent mechanisms to achieve confidentiality and integrity protections, as\nappropriate, in accordance with the security category and/or classification of the\ninformation. \"\n desc 'check', \"If there is a documented and approved reason for not having data-at-rest encryption, this\nrequirement is Not Applicable.\n\nVerify the Ubuntu operating system prevents unauthorized\ndisclosure or modification of all information requiring at-rest protection by using disk\nencryption.\n\nDetermine the partition layout for the system with the following command:\n\n\n#sudo fdisk -l\n(..)\nDisk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors\nUnits:\nsectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size\n(minimum/optimal): 512 bytes / 512 bytes\nDisklabel type: gpt\nDisk identifier:\n83298450-B4E3-4B19-A9E4-7DF147A5FEFB\n\nDevice Start End Sectors Size Type\n/dev/vda1\n2048 4095 2048 1M BIOS boot\n/dev/vda2 4096 2101247 2097152 1G Linux filesystem\n/dev/vda3\n2101248 31455231 29353984 14G Linux filesystem\n(...)\n\nVerify the system partitions are\nall encrypted with the following command:\n\n# more /etc/crypttab\n\nEvery persistent disk\npartition present must have an entry in the file.\n\nIf any partitions other than the boot\npartition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. \n\"\n desc 'fix', \"To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\n\nNote: Encrypting a partition in an already-installed system is more difficult because it\nwill need to be resized and existing partitions changed. \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000185-GPOS-00079 '\n tag gid: 'V-238335 '\n tag rid: 'SV-238335r654180_rule '\n tag stig_id: 'UBTU-20-010414 '\n tag fix_id: 'F-41504r654179_fix '\n tag cci: ['CCI-001199']\n tag nist: ['SC-28']\n tag 'host', 'container'\n\n describe 'Not Applicable' do\n skip 'Encryption of data at rest is handled by the IaaS'\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238335.rb",
"line": 1
},
"id": "SV-238335"
},
{
"title": "Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. ",
"desc": "To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.",
"descriptions": {
"default": "To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system.",
"check": "Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \"password_pbkdf2\", this is a finding.",
"fix": "Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \"/etc/grub.d/40_custom\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\"root\\\"\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \"grub.conf\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub"
},
"impact": 0.7,
"refs": [],
"tags": {
"severity": "high ",
"gtitle": "SRG-OS-000080-GPOS-00048 ",
"gid": "V-238204 ",
"rid": "SV-238204r832936_rule ",
"stig_id": "UBTU-20-010009 ",
"fix_id": "F-41373r832935_fix ",
"cci": [
"CCI-000213"
],
"nist": [
"AC-3"
],
"host": null,
"container": null
},
"code": "control 'SV-238204' do\n title \"Ubuntu operating systems when booted must require authentication upon booting into\nsingle-user and maintenance modes. \"\n desc \"To mitigate the risk of unauthorized access to sensitive information by entities that have\nbeen issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web\nportals) must be properly configured to incorporate access control methods that do not rely\nsolely on the possession of a certificate for access.\n\nSuccessful authentication must not\nautomatically give an entity access to an asset or security boundary. Authorization\nprocedures and controls must be implemented to ensure each authenticated entity also has a\nvalidated and current authorization. Authorization is the process of determining whether\nan entity, once authenticated, is permitted to access a specific asset. Information systems\nuse access control policies and enforcement mechanisms to implement this requirement.\n\n\nAccess control policies include identity-based policies, role-based policies, and\nattribute-based policies. Access enforcement mechanisms include access control lists,\naccess control matrices, and cryptography. These policies and mechanisms must be employed\nby the application to control access between users (or processes acting on behalf of users)\nand objects (e.g., devices, files, records, processes, programs, and domains) in the\ninformation system. \"\n desc 'check', \"Run the following command to verify the encrypted password is set:\n\n$ sudo grep -i password\n/boot/grub/grub.cfg\n\npassword_pbkdf2 root\ngrub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG\n\nIf the root password\nentry does not begin with \\\"password_pbkdf2\\\", this is a finding. \n\"\n desc 'fix', \"Configure the system to require a password for authentication upon booting into single-user\nand maintenance modes.\n\nGenerate an encrypted (grub) password for root with the following\ncommand:\n\n$ grub-mkpasswd-pbkdf2\nEnter Password:\nReenter Password:\nPBKDF2 hash of\nyour password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG\n\nUsing\nthe hash from the output, modify the \\\"/etc/grub.d/40_custom\\\" file with the following\ncommand to add a boot password:\n\n$ sudo sed -i '$i set\nsuperusers=\\\\\\\"root\\\\\\\"\\\\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom\n\n\nwhere <hash> is the hash generated by grub-mkpasswd-pbkdf2 command.\n\nGenerate an\nupdated \\\"grub.conf\\\" file with the new password by using the following command:\n\n$ sudo\nupdate-grub \"\n impact 0.7\n tag severity: 'high '\n tag gtitle: 'SRG-OS-000080-GPOS-00048 '\n tag gid: 'V-238204 '\n tag rid: 'SV-238204r832936_rule '\n tag stig_id: 'UBTU-20-010009 '\n tag fix_id: 'F-41373r832935_fix '\n tag cci: ['CCI-000213']\n tag nist: ['AC-3']\n tag 'host', 'container'\n\n grubfile = file('/boot/grub/grub.cfg').content.lines\n\n grubfile_passes = grubfile.any? { |line| line.match?(/^password_pbkdf2\\s+root/) }\n\n describe 'Grub' do\n it 'should use an encrypted password for root' do\n # RSpec 3 (used by InSpec) has no be_true matcher; be(true) is the equivalent\n expect(grubfile_passes).to be(true), 'No password set for root in grub config'\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238204.rb",
"line": 1
},
"id": "SV-238204"
},
{
"title": "The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).",
"check": "Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above.",
"fix": "Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \"faillog\" file.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"satisfies": [
"SRG-OS-000064-GPOS-00033",
"SRG-OS-000470-GPOS-00214",
"SRG-OS-000473-GPOS-00218"
],
"gid": "V-238286 ",
"rid": "SV-238286r654033_rule ",
"stig_id": "UBTU-20-010170 ",
"fix_id": "F-41455r654032_fix ",
"cci": [
"CCI-000172"
],
"nist": [
"AU-12 c"
],
"host": null
},
"code": "control 'SV-238286' do\n title \"The Ubuntu operating system must generate audit records for the use and modification of\nfaillog file. \"\n desc \"Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\n \"\n desc 'check', \"Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nCheck the currently configured audit rules with the\nfollowing command:\n\n$ sudo auditctl -l | grep faillog\n\n-w /var/log/faillog -p wa -k logins\n\n\nIf the command does not return a line that matches the example or the line is commented out,\nthis is a finding.\n\nNote: The \\\"-k\\\" allows for specifying an arbitrary identifier, and the\nstring after it does not need to match the example output above. \n\"\n desc 'fix', \"Configure the audit system to generate an audit event for any successful/unsuccessful\nmodifications to the \\\"faillog\\\" file.\n\nAdd or update the following rules in the\n\\\"/etc/audit/rules.d/stig.rules\\\" file:\n\n-w /var/log/faillog -p wa -k logins\n\nTo reload\nthe rules file, issue the following command:\n\n$ sudo augenrules --load \"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000064-GPOS-00033 '\n tag satisfies: %w(SRG-OS-000064-GPOS-00033 SRG-OS-000470-GPOS-00214 SRG-OS-000473-GPOS-00218)\n tag gid: 'V-238286 '\n tag rid: 'SV-238286r654033_rule '\n tag stig_id: 'UBTU-20-010170 '\n tag fix_id: 'F-41455r654032_fix '\n tag cci: ['CCI-000172']\n tag nist: ['AU-12 c']\n tag 'host'\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable to a container' do\n skip 'Control not applicable to a container'\n end\n else\n @audit_file = '/var/log/faillog'\n\n audit_lines_exist = !auditd.lines.index { |line| line.include?(@audit_file) }.nil?\n if audit_lines_exist\n describe auditd.file(@audit_file) do\n its('permissions') { should_not cmp [] }\n its('action') { should_not include 'never' }\n end\n\n @perms = auditd.file(@audit_file).permissions\n\n @perms.each do |perm|\n describe perm do\n it { should include 'w' }\n it { should include 'a' }\n end\n end\n else\n describe('Audit line(s) for ' + @audit_file + ' exist') do\n subject { audit_lines_exist }\n it { should be true }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238286.rb",
"line": 1
},
"id": "SV-238286"
},
{
"title": "The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. ",
"desc": "Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.",
"descriptions": {
"default": "Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity.",
"check": "Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \"INACTIVE\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding.",
"fix": "Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \"0\" will disable the account immediately after the\npassword expires."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000118-GPOS-00060 ",
"gid": "V-238330 ",
"rid": "SV-238330r654165_rule ",
"stig_id": "UBTU-20-010409 ",
"fix_id": "F-41499r654164_fix ",
"cci": [
"CCI-000795"
],
"nist": [
"IA-4 e"
],
"host": null,
"container": null
},
"code": "control 'SV-238330' do\n title \"The Ubuntu operating system must disable account identifiers (individuals, groups, roles,\nand devices) after 35 days of inactivity. \"\n desc \"Inactive identifiers pose a risk to systems and applications because attackers may exploit\nan inactive identifier and potentially obtain undetected access to the system. Owners of\ninactive accounts will not notice if unauthorized access to their user account has been\nobtained.\n\nOperating systems need to track periods of inactivity and disable application\nidentifiers after 35 days of inactivity. \"\n desc 'check', \"Verify the account identifiers (individuals, groups, roles, and devices) are disabled\nafter 35 days of inactivity with the following command:\n\nCheck the account inactivity value\nby performing the following command:\n\n$ sudo grep INACTIVE /etc/default/useradd\n\n\nINACTIVE=35\n\nIf \\\"INACTIVE\\\" is not set to a value 0<[VALUE]<=35, or is commented out,\nthis is a finding. \"\n desc 'fix', \"Configure the Ubuntu operating system to disable account identifiers after 35 days of\ninactivity after the password expiration.\n\nRun the following command to change the\nconfiguration for adduser:\n\n$ sudo useradd -D -f 35\n\nNote: DoD recommendation is 35 days,\nbut a lower value is acceptable. The value \\\"0\\\" will disable the account immediately after the\npassword expires. \n\"\n impact 0.5\n tag severity: 'medium '\n tag gtitle: 'SRG-OS-000118-GPOS-00060 '\n tag gid: 'V-238330 '\n tag rid: 'SV-238330r654165_rule '\n tag stig_id: 'UBTU-20-010409 '\n tag fix_id: 'F-41499r654164_fix '\n tag cci: ['CCI-000795']\n tag nist: ['IA-4 e']\n tag 'host', 'container'\n\n config_file = input('useradd_config_file')\n config_file_exists = file(config_file).exist?\n\n if config_file_exists\n describe parse_config_file(config_file) do\n its('INACTIVE') { should cmp > '0' }\n its('INACTIVE') { should cmp <= 35 }\n end\n else\n describe(config_file + ' exists') do\n subject { config_file_exists }\n it { should be true }\n end\n end\nend\n",
"source_location": {
"ref": "./controls/SV-238330.rb",
"line": 1
},
"id": "SV-238330"
},
{
"title": "The Ubuntu operating system must generate audit records for successful/unsuccessful uses\nof the init_module and finit_module syscalls. ",
"desc": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.",
"descriptions": {
"default": "Without generating audit records that are specific to the security and mission needs of the\norganization, it would be difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.\n\nAudit records can be\ngenerated from various components within the information system (e.g., module or policy\nfilter).\n\nThe system call rules are loaded into a matching engine that intercepts each\nsyscall that all programs on the system makes. Therefore, it is very important to only use\nsyscall rules when absolutely necessary since these affect performance. The more rules, the\nbigger the performance hit. The performance is helped, though, by combining syscalls into\none rule whenever possible.",
"check": "Verify the Ubuntu operating system generates an audit record for any\nsuccessful/unsuccessful attempts to use the \"init_module\" and \"finit_module\" syscalls.\n\n\nCheck the currently configured audit rules with the following command:\n\n$ sudo auditctl -l\n| grep init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module -F\nauid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S\ninit_module,finit_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command\ndoes not return audit rules for the \"init_module\" and \"finit_module\" syscalls or the lines\nare commented out, this is a finding.\n\nNotes:\nFor 32-bit architectures, only the 32-bit\nspecific output lines from the commands are required.\nThe \"-k\" allows for specifying an\narbitrary identifier, and the string after it does not need to match the example output above.",
"fix": "Configure the audit system to generate an audit event for any successful/unsuccessful use of\nthe \"init_module\" and \"finit_module\" syscalls.\n\nAdd or update the following rules in the\n\"/etc/audit/rules.d/stig.rules\" file:\n\n-a always,exit -F arch=b32 -S\ninit_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng\n-a\nalways,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F\nauid!=4294967295 -k module_chng\n\nNotes: For 32-bit architectures, only the 32-bit\nspecific entries are required.\n\nTo reload the rules file, issue the following command:\n\n$\nsudo augenrules --load"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium ",
"gtitle": "SRG-OS-000064-GPOS-00033 ",
"satisfies": [
"SRG-OS-000064-GPOS-00033",
"SRG-OS-000471-GPOS-00216"
],