DISA_STIG_Ubuntu_20.04_LTS_v2r1.audit from DISA Canonical Ubuntu 20.04 LTS v2r1 STIG
UBTU-20-010000 - The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less. | ACCESS CONTROL |
UBTU-20-010002 - The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon. | ACCESS CONTROL |
UBTU-20-010003 - The Ubuntu operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local access to the system via a graphical user logon. | ACCESS CONTROL |
UBTU-20-010004 - The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. | ACCESS CONTROL |
UBTU-20-010005 - The Ubuntu operating system must allow users to directly initiate a session lock for all connection types. | ACCESS CONTROL |
UBTU-20-010006 - The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010007 - The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010008 - The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010009 - Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes. | ACCESS CONTROL |
UBTU-20-010010 - The Ubuntu operating system must uniquely identify interactive users. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010012 - The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-20-010013 - The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired. | ACCESS CONTROL |
UBTU-20-010014 - The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010016 - The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files. | CONFIGURATION MANAGEMENT |
UBTU-20-010033 - The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010035 - The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. | MAINTENANCE |
UBTU-20-010036 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-20-010037 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-20-010038 - The Ubuntu operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting any local or remote connection to the system. | ACCESS CONTROL |
UBTU-20-010042 - The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information. | SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-20-010043 - The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. | ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-20-010044 - The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. | ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
UBTU-20-010045 - The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms. | ACCESS CONTROL |
UBTU-20-010047 - The Ubuntu operating system must not allow unattended or automatic login via SSH. | CONFIGURATION MANAGEMENT |
UBTU-20-010048 - The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. | CONFIGURATION MANAGEMENT |
UBTU-20-010049 - The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display. | CONFIGURATION MANAGEMENT |
UBTU-20-010050 - The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010051 - The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010052 - The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010053 - The Ubuntu operating system must require the change of at least 8 characters when passwords are changed. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010054 - The Ubuntu operating system must enforce a minimum 15-character password length. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010055 - The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010056 - The Ubuntu operating system must prevent the use of dictionary words for passwords. | CONFIGURATION MANAGEMENT |
UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. | CONFIGURATION MANAGEMENT |
UBTU-20-010060 - The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010063 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010064 - The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010065 - The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010066 - The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010070 - The Ubuntu operating system must prohibit password reuse for a minimum of five generations. | IDENTIFICATION AND AUTHENTICATION |
UBTU-20-010072 - The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. | ACCESS CONTROL |
UBTU-20-010074 - The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. | SYSTEM AND INFORMATION INTEGRITY |
UBTU-20-010075 - The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. | CONFIGURATION MANAGEMENT |
UBTU-20-010100 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
UBTU-20-010101 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
UBTU-20-010102 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
UBTU-20-010103 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
UBTU-20-010104 - The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
UBTU-20-010117 - The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | AUDIT AND ACCOUNTABILITY |