DISA_STIG_Ubuntu_16.04_LTS_v2r3.audit from DISA Canonical Ubuntu 16.04 LTS v2r3 STIG | |
UBTU-16-010000 - The Ubuntu operating system must be a vendor supported release. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-16-010010 - Ubuntu vendor packaged system security patches and updates must be installed and up to date. | CONFIGURATION MANAGEMENT |
UBTU-16-010020 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon - enabled | ACCESS CONTROL |
UBTU-16-010020 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon - text | ACCESS CONTROL |
UBTU-16-010030 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | ACCESS CONTROL |
UBTU-16-010040 - The Ubuntu operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. | ACCESS CONTROL |
UBTU-16-010050 - All users must be able to directly initiate a session lock for all connection types. | ACCESS CONTROL |
UBTU-16-010060 - Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity - export | ACCESS CONTROL |
UBTU-16-010060 - Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity - readonly | ACCESS CONTROL |
UBTU-16-010060 - Ubuntu operating system sessions must be automatically logged out after 15 minutes of inactivity - timeout | ACCESS CONTROL |
UBTU-16-010070 - The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. | ACCESS CONTROL |
UBTU-16-010080 - The Ubuntu operating system must prevent direct login into the root account. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010099 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - /etc/pam.d/common-password | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010099 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - dpkg -s libpam-pwquality | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010100 - The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010110 - The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010120 - The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010130 - All passwords must contain at least one special character. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010140 - The Ubuntu operating system must require the change of at least 8 characters when passwords are changed. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010150 - The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010160 - The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010170 - The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010180 - The pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010200 - Emergency administrator accounts must never be automatically removed or disabled. | ACCESS CONTROL |
UBTU-16-010210 - Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010220 - Passwords for new users must have a 60-day maximum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010230 - Passwords must be prohibited from reuse for a minimum of five generations. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010240 - Passwords must have a minimum of 15-characters. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010250 - The Ubuntu operating system must not be configured to allow blank or null passwords. | CONFIGURATION MANAGEMENT |
UBTU-16-010260 - The Ubuntu operating system must prevent the use of dictionary words for passwords. | CONFIGURATION MANAGEMENT |
UBTU-16-010270 - The passwd command must be configured to prevent the use of dictionary words as passwords. | CONFIGURATION MANAGEMENT |
UBTU-16-010280 - Account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010290 - The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts. | ACCESS CONTROL |
UBTU-16-010291 - Accounts on the Ubuntu operating system that are subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period - account required pam_faillock.so | ACCESS CONTROL |
UBTU-16-010291 - Accounts on the Ubuntu operating system that are subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period - unlock_time | ACCESS CONTROL |
UBTU-16-010300 - The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles - sudoers | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010300 - The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles - sudoers.d | IDENTIFICATION AND AUTHENTICATION |
UBTU-16-010310 - Temporary user accounts must be provisioned with an expiration time of 72 hours or less. | ACCESS CONTROL |
UBTU-16-010320 - The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. | CONFIGURATION MANAGEMENT |
UBTU-16-010330 - Unattended or automatic login via the Graphical User Interface must not be allowed - autologin-user | CONFIGURATION MANAGEMENT |
UBTU-16-010330 - Unattended or automatic login via the Graphical User Interface must not be allowed - autologin-user-timeout | CONFIGURATION MANAGEMENT |
UBTU-16-010340 - The Ubuntu operating system must display the date and time of the last successful account logon upon logon. | CONFIGURATION MANAGEMENT |
UBTU-16-010350 - There must be no .shosts files on the Ubuntu operating system. | CONFIGURATION MANAGEMENT |
UBTU-16-010360 - There must be no shosts.equiv files on the Ubuntu operating system. | CONFIGURATION MANAGEMENT |
UBTU-16-010370 - The Ubuntu operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-16-010380 - Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | ACCESS CONTROL |
UBTU-16-010390 - Ubuntu operating systems booted with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | ACCESS CONTROL |
UBTU-16-010400 - All persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-16-010410 - All public directories must be owned by root to prevent unauthorized and unintended information transferred via shared system resources. | SYSTEM AND COMMUNICATIONS PROTECTION |