DISA STIG Ubuntu 18.04 LTS v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Ubuntu 18.04 LTS v2r2

Updated: 10/1/2021

Authority: DISA STIG

Plugin: Unix

Revision: 1.6

Estimated Item Count: 445

Audit Changelog

Revision 1.6

Oct 1, 2021

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.5

Sep 28, 2021

Functional Update
  • UBTU-18-010110 - The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords - sha512
Revision 1.4

Jul 30, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.3

Jun 17, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

Jun 14, 2021

Functional Update
  • UBTU-18-010201 - The Ubuntu operating system must generate audit records for the use and modification of the tallylog file.
  • UBTU-18-010202 - The Ubuntu operating system must generate audit records for the use and modification of faillog file.
  • UBTU-18-010203 - The Ubuntu operating system must generate audit records for the use and modification of the lastlog file.
  • UBTU-18-010237 - The Ubuntu operating system must generate audit records for privileged activities or other system-level access.
  • UBTU-18-010238 - The Ubuntu operating system must generate audit records for the /var/log/wtmp file.
  • UBTU-18-010239 - The Ubuntu operating system must generate audit records for the /var/run/wtmp file.
  • UBTU-18-010240 - The Ubuntu operating system must generate audit records for the /var/log/btmp file.
  • UBTU-18-010244 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
  • UBTU-18-010245 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
  • UBTU-18-010246 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
  • UBTU-18-010247 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
  • UBTU-18-010248 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
  • UBTU-18-010315 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command - audit.rules
  • UBTU-18-010316 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command - audit.rules
  • UBTU-18-010317 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the mount command - audit.rules
  • UBTU-18-010318 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the umount command - audit.rules
  • UBTU-18-010319 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-agent command - audit.rules
  • UBTU-18-010320 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-keysign command - audit.rules
  • UBTU-18-010321 - The Ubuntu operating system must generate audit records for any usage of the setxattr system call - root b32
  • UBTU-18-010321 - The Ubuntu operating system must generate audit records for any usage of the setxattr system call - root b64
  • UBTU-18-010321 - The Ubuntu operating system must generate audit records for any usage of the setxattr system call - user b32
  • UBTU-18-010321 - The Ubuntu operating system must generate audit records for any usage of the setxattr system call - user b64
  • UBTU-18-010322 - The Ubuntu operating system must generate audit records for any usage of the lsetxattr system call - root b32
  • UBTU-18-010322 - The Ubuntu operating system must generate audit records for any usage of the lsetxattr system call - root b64
  • UBTU-18-010322 - The Ubuntu operating system must generate audit records for any usage of the lsetxattr system call - user b32
  • UBTU-18-010322 - The Ubuntu operating system must generate audit records for any usage of the lsetxattr system call - user b64
  • UBTU-18-010323 - The Ubuntu operating system must generate audit records for any usage of the fsetxattr system call - root b32
  • UBTU-18-010323 - The Ubuntu operating system must generate audit records for any usage of the fsetxattr system call - root b64
  • UBTU-18-010323 - The Ubuntu operating system must generate audit records for any usage of the fsetxattr system call - user b32
  • UBTU-18-010323 - The Ubuntu operating system must generate audit records for any usage of the fsetxattr system call - user b64
  • UBTU-18-010324 - The Ubuntu operating system must generate audit records for any usage of the removexattr system call - root b32
  • UBTU-18-010324 - The Ubuntu operating system must generate audit records for any usage of the removexattr system call - root b64
  • UBTU-18-010324 - The Ubuntu operating system must generate audit records for any usage of the removexattr system call - user b32
  • UBTU-18-010324 - The Ubuntu operating system must generate audit records for any usage of the removexattr system call - user b64
  • UBTU-18-010325 - The Ubuntu operating system must generate audit records for any usage of the lremovexattr system call - root b32
  • UBTU-18-010325 - The Ubuntu operating system must generate audit records for any usage of the lremovexattr system call - root b64
  • UBTU-18-010325 - The Ubuntu operating system must generate audit records for any usage of the lremovexattr system call - user b32
  • UBTU-18-010325 - The Ubuntu operating system must generate audit records for any usage of the lremovexattr system call - user b64
  • UBTU-18-010326 - The Ubuntu operating system must generate audit records for any usage of the fremovexattr system call - root b32
  • UBTU-18-010326 - The Ubuntu operating system must generate audit records for any usage of the fremovexattr system call - root b64
  • UBTU-18-010326 - The Ubuntu operating system must generate audit records for any usage of the fremovexattr system call - user b32
  • UBTU-18-010326 - The Ubuntu operating system must generate audit records for any usage of the fremovexattr system call - user b64
  • UBTU-18-010327 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown system call - b32
  • UBTU-18-010327 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown system call - b64
  • UBTU-18-010328 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the fchown system call - b32
  • UBTU-18-010328 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the fchown system call - b64
  • UBTU-18-010329 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the fchownat system call - b32
  • UBTU-18-010329 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the fchownat system call - b64
  • UBTU-18-010330 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the lchown system call - b32
  • UBTU-18-010330 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the lchown system call - b64
  • UBTU-18-010331 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod system call - b32
  • UBTU-18-010331 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod system call - b64
  • UBTU-18-010332 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the fchmod system call - b32
  • UBTU-18-010332 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the fchmod system call - b64
  • UBTU-18-010333 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the fchmodat system call - b32
  • UBTU-18-010333 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the fchmodat system call - b64
  • UBTU-18-010334 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the open system call - EACCES b32
  • UBTU-18-010334 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the open system call - EACCES b64
  • UBTU-18-010334 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the open system call - EPERM b32
  • UBTU-18-010334 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the open system call - EPERM b64
  • UBTU-18-010338 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the openat system call - EACCES b32
  • UBTU-18-010338 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the openat system call - EACCES b64
  • UBTU-18-010338 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the openat system call - EPERM b32
  • UBTU-18-010338 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the openat system call - EPERM b64
  • UBTU-18-010339 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the open_by_handle_at system call - EACCES b32
  • UBTU-18-010339 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the open_by_handle_at system call - EACCES b64
  • UBTU-18-010339 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the open_by_handle_at system call - EPERM b32
  • UBTU-18-010339 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the open_by_handle_at system call - EPERM b64
  • UBTU-18-010340 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudo command.
  • UBTU-18-010341 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command.
  • UBTU-18-010342 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chsh command.
  • UBTU-18-010343 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the newgrp command.
  • UBTU-18-010344 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chcon command.
  • UBTU-18-010345 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command.
  • UBTU-18-010346 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the setfacl command.
  • UBTU-18-010347 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chacl command.
  • UBTU-18-010348 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the passwd command.
  • UBTU-18-010349 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the unix_update command.
  • UBTU-18-010350 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the gpasswd command.
  • UBTU-18-010351 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command.
  • UBTU-18-010352 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the usermod command.
  • UBTU-18-010353 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the crontab command.
  • UBTU-18-010354 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command.
  • UBTU-18-010355 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the init_module syscall - b32
  • UBTU-18-010355 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the init_module syscall - b64
  • UBTU-18-010356 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the finit_module syscall - b32
  • UBTU-18-010356 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the finit_module syscall - b64
  • UBTU-18-010357 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the delete_module syscall - b32
  • UBTU-18-010357 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the delete_module syscall - b64
  • UBTU-18-010358 - The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions - egid b32
  • UBTU-18-010358 - The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions - egid b64
  • UBTU-18-010358 - The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions - euid b32
  • UBTU-18-010358 - The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions - euid b64
  • UBTU-18-010366 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use setxattr system call - b32
  • UBTU-18-010366 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use setxattr system call - b64
  • UBTU-18-010367 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use lsetxattr system call - b32
  • UBTU-18-010367 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use lsetxattr system call - b64
  • UBTU-18-010368 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use fsetxattr system call - b32
  • UBTU-18-010368 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use fsetxattr system call - b64
  • UBTU-18-010369 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the removexattr system call - b32
  • UBTU-18-010369 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the removexattr system call - b64
  • UBTU-18-010370 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the lremovexattr system call - b32
  • UBTU-18-010370 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the lremovexattr system call - b64
  • UBTU-18-010375 - The Ubuntu operating system must generate audit records when successful/unsuccessful use of unlink system call - b32
  • UBTU-18-010375 - The Ubuntu operating system must generate audit records when successful/unsuccessful use of unlink system call - b64
  • UBTU-18-010376 - The Ubuntu operating system must generate audit records when successful/unsuccessful use of unlinkat system call - b32
  • UBTU-18-010376 - The Ubuntu operating system must generate audit records when successful/unsuccessful use of unlinkat system call - b64
  • UBTU-18-010377 - The Ubuntu operating system must generate audit records when successful/unsuccessful use of rename system call - b32
  • UBTU-18-010377 - The Ubuntu operating system must generate audit records when successful/unsuccessful use of rename system call - b64
  • UBTU-18-010378 - The Ubuntu operating system must generate audit records when successful/unsuccessful use of renameat system call - b32
  • UBTU-18-010378 - The Ubuntu operating system must generate audit records when successful/unsuccessful use of renameat system call - b64
  • UBTU-18-010379 - The Ubuntu operating system must generate audit records when loading dynamic kernel modules - b32
  • UBTU-18-010379 - The Ubuntu operating system must generate audit records when loading dynamic kernel modules - b64
  • UBTU-18-010380 - The Ubuntu operating system must generate audit records when unloading dynamic kernel modules - b32
  • UBTU-18-010380 - The Ubuntu operating system must generate audit records when unloading dynamic kernel modules - b64
  • UBTU-18-010382 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the truncate system call - EACCES b32
  • UBTU-18-010382 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the truncate system call - EACCES b64
  • UBTU-18-010382 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the truncate system call - EPERM b32
  • UBTU-18-010382 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the truncate system call - EPERM b64
  • UBTU-18-010383 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the ftruncate system call - EACCES b32
  • UBTU-18-010383 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the ftruncate system call - EACCES b64
  • UBTU-18-010383 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the ftruncate system call - EPERM b32
  • UBTU-18-010383 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the ftruncate system call - EPERM b64
  • UBTU-18-010384 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the creat system call - EACCES b32
  • UBTU-18-010384 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the creat system call - EACCES b64
  • UBTU-18-010384 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the creat system call - EPERM b32
  • UBTU-18-010384 - The Ubuntu operating system must generate audit records when successful/unsuccessful uses of the creat system call - EPERM b64
  • UBTU-18-010387 - The Ubuntu operating system must generate records for successful/unsuccessful uses of init_module or finit_module syscalls - b32
  • UBTU-18-010387 - The Ubuntu operating system must generate records for successful/unsuccessful uses of init_module or finit_module syscalls - b64
  • UBTU-18-010388 - The Ubuntu operating system must generate records for successful/unsuccessful uses of delete_module syscall - b32
  • UBTU-18-010388 - The Ubuntu operating system must generate records for successful/unsuccessful uses of delete_module syscall - b64
  • UBTU-18-010389 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use modprobe command.
  • UBTU-18-010391 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the kmod command.
  • UBTU-18-010392 - The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the fdisk command.
  • UBTU-18-010410 - The Ubuntu operating system must monitor remote access methods - daemon.notice
  • UBTU-18-010411 - The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  • UBTU-18-010506 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - audispd
  • UBTU-18-010506 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - auditctl
  • UBTU-18-010506 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - auditd
  • UBTU-18-010506 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - augenrules
  • UBTU-18-010506 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - aureport
  • UBTU-18-010506 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - ausearch
  • UBTU-18-010506 - The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools - autrace
Informational Update
  • UBTU-18-010410 - The Ubuntu operating system must monitor remote access methods - daemon.notice
Miscellaneous
  • References updated.
Revision 1.1

Mar 23, 2021

Miscellaneous
  • Metadata updated.
  • References updated.