DISA_STIG_Ubuntu_18.04_LTS_v2r15.audit from DISA Canonical Ubuntu 18.04 LTS v2r15 STIG | |
UBTU-18-010000 - Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | ACCESS CONTROL |
UBTU-18-010001 - Ubuntu operating systems booted with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | ACCESS CONTROL |
UBTU-18-010002 - The Ubuntu operating system must initiate session audits at system startup. | AUDIT AND ACCOUNTABILITY |
UBTU-18-010003 - Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-18-010005 - The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-18-010006 - The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. | AUDIT AND ACCOUNTABILITY |
UBTU-18-010007 - The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected. | AUDIT AND ACCOUNTABILITY |
UBTU-18-010008 - The Ubuntu operating system must have a crontab script running weekly to off-load audit events of standalone systems. | AUDIT AND ACCOUNTABILITY |
UBTU-18-010016 - Advanced Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | CONFIGURATION MANAGEMENT |
UBTU-18-010017 - The Ubuntu operating system must be configured so that Advanced Package Tool (APT) removes all software components after updated versions have been installed. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010018 - The Ubuntu operating system must not have the Network Information Service (NIS) package installed. | CONFIGURATION MANAGEMENT |
UBTU-18-010019 - The Ubuntu operating system must not have the rsh-server package installed. | CONFIGURATION MANAGEMENT |
UBTU-18-010021 - The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP). | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010022 - The Ubuntu operating system must be configured to preserve log records from failure events. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-18-010023 - The Ubuntu operating system must have an application firewall installed in order to control remote access methods. | ACCESS CONTROL |
UBTU-18-010025 - The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited. | AUDIT AND ACCOUNTABILITY |
UBTU-18-010030 - The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010031 - The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. | CONFIGURATION MANAGEMENT |
UBTU-18-010032 - The Ubuntu operating system must display the date and time of the last successful account logon upon logon. | ACCESS CONTROL |
UBTU-18-010033 - The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator. | ACCESS CONTROL |
UBTU-18-010035 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon. | ACCESS CONTROL |
UBTU-18-010036 - The Ubuntu operating system must prevent direct login into the root account. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010037 - The Ubuntu operating system must be configured so that only users who need access to security functions are part of the sudo group. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-18-010038 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any publicly accessible connection to the system. | ACCESS CONTROL |
UBTU-18-010100 - The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010101 - The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010102 - The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010103 - The Ubuntu operating system must require the change of at least 8 characters when passwords are changed. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010104 - The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010105 - The Ubuntu operating system must not have the telnet package installed. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010106 - The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010107 - The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010108 - The Ubuntu operating system must prohibit password reuse for a minimum of five generations. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010109 - The Ubuntu operating system must enforce a minimum 15-character password length. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010110 - The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010112 - The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010113 - The Ubuntu operating system must prevent the use of dictionary words for passwords. | CONFIGURATION MANAGEMENT |
UBTU-18-010114 - The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles. | IDENTIFICATION AND AUTHENTICATION |
UBTU-18-010116 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. | CONFIGURATION MANAGEMENT |
UBTU-18-010120 - The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transfer via shared system resources. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-18-010121 - The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010122 - The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010123 - The Ubuntu operating system must configure the /var/log directory to be owned by root. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010124 - The Ubuntu operating system must configure the /var/log directory to have mode 0755 or less permissive. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010125 - The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010126 - The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010127 - The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-18-010128 - The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. | AUDIT AND ACCOUNTABILITY |
UBTU-18-010129 - The Ubuntu operating system must configure audit tools to be owned by root. | AUDIT AND ACCOUNTABILITY |