{"id": "srg_gpos", "policy": "Security Requirements Guide - General Purpose Operating System", "title": "Security Requirements Guide - General Purpose Operating System", "source": "https://www.cyber.mil/stigs/downloads/", "definition_location": "/aptdata/openscap/scap-security-guide/controls/srg_gpos.yml", "controls": [{"id": "Variables", "levels": ["high", "medium", "low"], "notes": "", "title": "Variables", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_sshd_disable_compression=no", "var_password_hashing_algorithm=SHA512", "var_password_pam_dictcheck=1", "sshd_idle_timeout_value=10_minutes", "var_accounts_authorized_local_users_regex=rhel9", "var_account_disable_post_pw_expiration=35", "login_banner_text=dod_banners", "var_authselect_profile=sssd", "var_auditd_name_format=stig"], "controls": []}, {"id": "SRG-OS-000392-GPOS-00172", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit all activities performed during nonlocal maintenance and diagnostic sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_dac_modification_fchmodat2", "audit_rules_execution_setfacl", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_file_deletion_events_renameat2", "audit_rules_dac_modification_fchownat", "audit_rules_unsuccessful_file_modification_rename", "audit_rules_privileged_commands_chage", "package_audit_installed", "audit_rules_dac_modification_lchown", "audit_rules_privileged_commands_umount", "audit_rules_unsuccessful_file_modification_truncate", 
"audit_rules_kernel_module_loading_delete", "audit_rules_dac_modification_setxattr", "audit_rules_execution_semanage", "audit_rules_unsuccessful_file_modification_unlink", "audit_rules_login_events_tallylog", "audit_rules_privileged_commands_ssh_agent", "audit_rules_execution_chacl", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_privileged_commands_kmod", "audit_rules_media_export", "audit_rules_privileged_commands_gpasswd", "audit_rules_dac_modification_fchown", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_lsetxattr", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_unix_update", "audit_rules_privileged_commands_chsh", "audit_rules_file_deletion_events_renameat", "audit_rules_privileged_commands_userhelper", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_login_events_faillock", "audit_rules_execution_chcon", "audit_rules_privileged_commands_crontab", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_privileged_commands_mount", "audit_rules_privileged_commands_postqueue", "audit_rules_file_deletion_events_rmdir", "audit_rules_dac_modification_fchmodat", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_sudoedit", "audit_rules_execution_setfiles", "audit_rules_privileged_commands_usermod", "audit_rules_privileged_commands_newgrp", "audit_rules_dac_modification_umount2", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_setsebool", "audit_rules_kernel_module_loading_init", "audit_rules_login_events_lastlog", "audit_rules_privileged_commands_su", "grub2_audit_argument", "audit_rules_dac_modification_lremovexattr", "audit_rules_unsuccessful_file_modification_unlinkat", "audit_rules_unsuccessful_file_modification_renameat", 
"audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_umount", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_chown", "audit_rules_usergroup_modification_opasswd", "audit_rules_sudoers", "audit_rules_dac_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_open", "audit_rules_privileged_commands_unix_chkpwd", "audit_rules_privileged_commands_postdrop", "audit_rules_privileged_commands_passwd", "service_auditd_enabled", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_group", "audit_rules_kernel_module_loading_finit", "audit_rules_unsuccessful_file_modification_creat"], "controls": []}, {"id": "SRG-OS-000437-GPOS-00194", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must remove all software components after updated versions have been installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["clean_components_post_updating"], "controls": []}, {"id": "SRG-OS-000256-GPOS-00097", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit tools from unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_audit_tools_group_ownership", "file_audit_tools_ownership", "file_audit_tools_permissions"], "controls": []}, {"id": "SRG-OS-000404-GPOS-00183", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["encrypt_partitions"], "controls": []}, {"id": "SRG-OS-000473-GPOS-00218", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when concurrent logons to the same account occur from different sources.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_faillock", "audit_rules_login_events_lastlog", "grub2_audit_argument", "audit_rules_login_events_tallylog"], "controls": []}, {"id": "SRG-OS-000476-GPOS-00221", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records for all account creations, modifications, disabling, and termination events.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_sudoers", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000353-GPOS-00141", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must not alter original content or time ordering of audit records when it provides an audit reduction capability.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000095-GPOS-00049", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must be configured to disable non-essential capabilities.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_sctp_disabled", "kernel_module_can_disabled", "kernel_module_tipc_disabled", "kernel_module_bluetooth_disabled"], "controls": []}, {"id": "SRG-OS-000383-GPOS-00166", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prohibit the use of cached authenticators after one day.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_offline_cred_expiration"], "controls": []}, {"id": "SRG-OS-000104-GPOS-00051", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_id", "account_unique_id", "gid_passwd_group_same"], "controls": []}, {"id": "SRG-OS-000031-GPOS-00012", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must conceal, via the session lock, information previously 
visible on the display with a publicly viewable image.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_mode_blank"], "controls": []}, {"id": "SRG-OS-000257-GPOS-00098", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit tools from unauthorized modification.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_audit_tools_group_ownership", "file_audit_tools_ownership", "file_audit_tools_permissions"], "controls": []}, {"id": "SRG-OS-000420-GPOS-00186", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_tcp_syncookies", "sysctl_net_ipv4_tcp_invalid_ratelimit", "firewalld-backend", "sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred"], "controls": []}, {"id": "SRG-OS-000370-GPOS-00155", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_fapolicyd_installed", "service_fapolicyd_enabled"], "controls": []}, {"id": "SRG-OS-000033-GPOS-00014", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement DoD-approved encryption to protect the confidentiality of remote access sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_libreswan_crypto_policy", "sysctl_crypto_fips_enabled", "sshd_rekey_limit", "var_rekey_limit_size=1G", "var_rekey_limit_time=1hour"], "controls": []}, {"id": "SRG-OS-000710-GPOS-00160", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must, for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).", "description": null, "rationale": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication.\nLong passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability.\n\nHowever, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain\ncircumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten.\nCryptographically protected passwords include salted one-way cryptographic hashes of passwords. 
The list of commonly used, compromised, or expected passwords includes\npasswords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name\nof the service, username, and derivatives thereof.", "automated": "no", "status": "does not meet", "mitigation": "This requirement must be implemented at the system level using an authorized third-party mechanism to compare authenticators selected by users to lists of commonly-used, expected, or compromised passwords.", "artifact_description": null, "status_justification": "Ubuntu 22.04 does not natively support a method of comparing user selected passwords to lists of commonly-used, expected, or compromised passwords.", "fixtext": "This requirement is a permanent finding and cannot be fixed.\n\nAn appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000373-GPOS-00158", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must require users to reauthenticate when changing authenticators.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_remove_nopasswd", "disallow_bypass_password_sudo", "sudo_remove_no_authenticate"], "controls": []}, {"id": "SRG-OS-000304-GPOS-00121", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": 
null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_sudoers", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000259-GPOS-00100", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must limit privileges to change software resident within software libraries.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_permissions_library_dirs", "dir_group_ownership_library_dirs", "file_permissions_binary_dirs", "file_ownership_library_dirs", "file_permissions_library_dirs", "dir_ownership_library_dirs", "root_permissions_syslibrary_files", "file_ownership_binary_dirs", "file_groupownership_system_commands_dirs"], "controls": []}, {"id": "SRG-OS-000106-GPOS-00053", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use multifactor authentication for network access to non-privileged accounts.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pubkey_auth", "configure_opensc_card_drivers", "sshd_disable_empty_passwords", "var_smartcard_drivers=cac"], "controls": []}, {"id": "SRG-OS-000276-GPOS-00106", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must notify system administrators and ISSOs when accounts are disabled.", "description": null, "rationale": null, "automated": "no", "status": "does not meet", "mitigation": "Mitigate with 
third-party software.\n\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Notification when accounts are created/modified/deleted must\nbe provided by a third-party application that will communicate that an audit record\nof these actions has been created.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_passwd"], "controls": []}, {"id": "SRG-OS-000142-GPOS-00071", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_tcp_syncookies"], "controls": []}, {"id": "SRG-OS-000324-GPOS-00125", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_ctrlaltdel_reboot", "sysctl_fs_protected_symlinks", "package_sudo_installed", "sudo_remove_nopasswd", "disallow_bypass_password_sudo", "sysctl_fs_protected_hardlinks", "service_debug-shell_disabled", "disable_ctrlaltdel_burstaction", "sudo_remove_no_authenticate", "sudo_require_reauthentication", 
"var_sudo_timestamp_timeout=always_prompt"], "controls": []}, {"id": "SRG-OS-000365-GPOS-00152", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit the enforcement actions used to restrict access associated with changes to the system.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000280-GPOS-00110", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide a logoff capability for user-initiated communications sessions when requiring user access authentication.", "description": null, "rationale": "If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.\n\nInformation resources to which users gain access via authentication includes for example, local workstations and remote services. 
For some types of interactive sessions, including, for example, remote logon, information systems typically send logoff messages as final messages prior to terminating sessions.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "The \"logout\" and \"exit\" shell builtins are present on every Ubuntu 22.04 installation and are available to all users; a user can also terminate a remote session by closing the SSH connection.", "status_justification": "Running \"exit\" (or \"logout\") in the login shell ends the user's interactive session. Session teardown itself (termination of the session's processes) is handled by the kernel and cannot be removed without recompiling.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000002-GPOS-00002", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically remove or disable temporary user accounts after 72 hours.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_temp_expire_date"], "controls": []}, {"id": "SRG-OS-000423-GPOS-00187", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must protect the confidentiality and integrity of transmitted information.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_crypto_fips_enabled", "service_sshd_enabled", "configure_bind_crypto_policy", "package_openssh-server_installed"], "controls": 
[]}, {"id": "SRG-OS-000205-GPOS-00083", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.", "description": null, "rationale": "Any operating system providing too much information in error messages risks compromising the data and security of the system; the structure and content of error messages need to be carefully considered by the organization.\n\nOrganizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements.\nInformation that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Common Criteria evaluation.", "status_justification": "Ubuntu 22.04 fails secure: after an error condition, authentication and authorization are still required to access the system.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000121-GPOS-00062", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).", "description": null, "rationale": null, "automated": "yes", "status": 
"automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_id", "account_unique_id"], "controls": []}, {"id": "SRG-OS-000446-GPOS-00200", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_periodic_cron_checking"], "controls": []}, {"id": "SRG-OS-000028-GPOS-00009", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must retain a users session lock until that user reestablishes access using established identification and authentication procedures.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_lock_locked", "dconf_gnome_lock_screen_on_smartcard_removal", "dconf_gnome_screensaver_lock_enabled"], "controls": []}, {"id": "SRG-OS-000185-GPOS-00079", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect the confidentiality and integrity of all information at rest.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["encrypt_partitions"], "controls": []}, {"id": "SRG-OS-000254-GPOS-00095", 
"levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must initiate session audits at system start-up.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_argument", "service_auditd_enabled", "package_audit_installed", "grub2_audit_backlog_limit_argument", "var_audit_backlog_limit=8192"], "controls": []}, {"id": "SRG-OS-000393-GPOS-00173", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "var_system_crypto_policy=fips"], "controls": []}, {"id": "SRG-OS-000362-GPOS-00149", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prohibit user installation of system software without explicit privileged status.", "description": null, "rationale": "Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. 
Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.\nOperating system functionality will vary, and while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages, such as from an approved software repository.\nThe operating system or software configuration management utility must enforce control of software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Ubuntu 22.04 uses APT (Advanced Package Tool) and dpkg (the Debian package manager) to install system software. Both of these utilities and the APT repository configuration are installed root-owned, and they require root privileges to install, remove, or upgrade packages.", "status_justification": "Standard UNIX file permissions separate unprivileged user accounts from privileged (root) access, so package installation requires escalation via sudo or the root account.", "fixtext": "Ubuntu 22.04 inherently meets this requirement. No fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance. 
Ubuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000356-GPOS-00144", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_or_ntpd_set_maxpoll", "chronyd_sync_clock", "var_time_service_set_maxpoll=18_hours"], "controls": []}, {"id": "SRG-OS-000463-GPOS-00207", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to modify security objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_semanage", "audit_rules_execution_setsebool", "audit_rules_execution_chcon", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_usergroup_modification_opasswd", "audit_rules_dac_modification_fremovexattr", "audit_rules_execution_setfiles"], "controls": []}, {"id": "SRG-OS-000057-GPOS-00027", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit information from unauthorized read access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": 
null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_audit", "file_group_ownership_var_log_audit", "directory_group_ownership_var_log_audit", "directory_ownership_var_log_audit", "file_ownership_var_log_audit_stig", "audit_rules_immutable"], "controls": []}, {"id": "SRG-OS-000206-GPOS-00084", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must reveal error messages only to authorized users.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_audit", "file_owner_var_log_messages", "file_owner_var_log", "file_group_ownership_var_log_audit", "file_groupowner_var_log_messages", "directory_group_ownership_var_log_audit", "directory_ownership_var_log_audit", "file_groupowner_var_log", "file_ownership_var_log_audit_stig", "file_permissions_var_log", "file_permissions_var_log_messages"], "controls": []}, {"id": "SRG-OS-000730-GPOS-00190", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must, for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_dictcheck", "accounts_password_pam_maxclassrepeat", "var_password_pam_maxclassrepeat=4", "var_password_pam_dictcheck=1", "var_password_pam_unix_rounds=100000", "var_password_pam_remember=5", "var_password_pam_remember_control_flag=requisite_or_required"], "controls": []}, {"id": "SRG-OS-000466-GPOS-00210", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit 
records when successful/unsuccessful attempts to delete privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_dac_modification_fchmodat2", "audit_rules_file_deletion_events_renameat2", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_lchown", "audit_rules_execution_chacl", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_fchown", "audit_rules_privileged_commands_sudo", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_chmod", "audit_rules_file_deletion_events_rmdir", "audit_rules_dac_modification_fchmodat", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_usermod", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_unlinkat", "audit_rules_privileged_commands_su", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_chown", "audit_rules_sudoers", "audit_rules_dac_modification_fremovexattr", "audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000343-GPOS-00134", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["auditd_data_retention_space_left_percentage", "auditd_data_retention_space_left_action", "auditd_data_retention_admin_space_left_action", "auditd_data_retention_action_mail_acct", "auditd_data_retention_admin_space_left_percentage", "var_auditd_admin_space_left_action=single", "var_auditd_admin_space_left_percentage=5pc", "var_auditd_space_left_percentage=25pc", "var_auditd_action_mail_acct=root", "var_auditd_space_left_action=email"], "controls": []}, {"id": "SRG-OS-000076-GPOS-00044", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce a 60-day maximum password lifetime restriction.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_maximum_age_login_defs", "accounts_password_set_max_life_existing", "var_accounts_maximum_age_login_defs=60"], "controls": []}, {"id": "SRG-OS-000344-GPOS-00135", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.", "description": "Ubuntu 22.04 must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.", "rationale": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required.\nWithout a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.\n\nAlerts provide organizations with urgent messages.\nReal-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).", "automated": "no", "status": "does not meet", "mitigation": "Mitigate with third-party software.\nAlthough 
the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Notification when accounts are created/modified/deleted must be provided by a third party application that will communicate that an audit record of these actions has been created.", "fixtext": "This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": "Ubuntu 22.04 does not support this requirement.\nThis is an applicable-does not meet finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000132-GPOS-00067", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must separate user functionality (including user interface services) from operating system management functionality.", "description": null, "rationale": "Operating system management functionality includes functions necessary for administration and requires privileged user access.\nAllowing non-privileged users to access operating system management functionality capabilities increases the risk that non-privileged users may obtain elevated privileges.\n\nOperating system management functionality includes functions necessary to administer console, network components, workstations, or servers and typically requires privileged user access.\n\nThe separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, different TCP/UDP ports, virtualization techniques, combinations of these methods, or other methods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces that use separate authentication 
methods for users of any other information system resources.\nThis may include isolating the administrative interface on a different security domain and with additional access controls.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Ubuntu 22.04 management functionality must be executed by the administrator user, which is only accessible through the sudo command (with a proper authentication request). The sudo manpage has more information.", "status_justification": "The UNIX permissions construct separates user and privileged user (the Ubuntu 22.04 operating system accounts) access.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000312-GPOS-00122", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must allow operating system admins to pass information to any other operating system admin or user.", "description": null, "rationale": "Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write).\nOwnership is usually acquired as a consequence of creating the object or via specified ownership assignment. 
DAC allows the owner to determine who will have access to objects they control.\nAn example of DAC includes user-controlled file permissions.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "The group and other (world) permission on a file allows operating system admins to pass information to any other operating system admin or user.", "status_justification": "The UNIX file permission model allows operating system admins to pass information to operating system admins and users.", "fixtext": "Ubuntu 22.04 inherently meets this requirement. No fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance. Ubuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000042-GPOS-00021", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must produce audit records containing the individual identities of group account users.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000358-GPOS-00145", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision.", "description": null, "rationale": "Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records.\n\nTime stamps generated by the operating system include date and time.\nGranularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.", "automated": "no", "status": 
"inherently met", "mitigation": null, "artifact_description": "Linux kernel audit subsystem always adds a timestamp to each audit buffer used to contain the entire audit log data.\nFunction kernel/audit.c:audit_log_start() calls kernel/audit.c:audit_get_stamp() to fetch the timestamp and formats the message into the audit log buffer.", "status_justification": "The Ubuntu 22.04 clock is part of the Linux kernel and is driven by a timer interrupt.\nThe \"ntp_adjtime\" only allows for two modes of operation: \"ntp_adjtime\" or \"adj_nano\".", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000275-GPOS-00105", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must notify system administrators and ISSOs when accounts are modified.", "description": null, "rationale": null, "automated": "no", "status": "does not meet", "mitigation": "Mitigate with third-party software.  
\n\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Notification when accounts are created/modified/deleted must be provided by a third-party application that will communicate that an audit record of these actions has been created.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_passwd"], "controls": []}, {"id": "SRG-OS-000481-GPOS-00481", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must protect the confidentiality and integrity of communications with wireless peripherals.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces"], "controls": []}, {"id": "SRG-OS-000359-GPOS-00146", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_or_ntpd_set_maxpoll", "package_audit_installed", "var_time_service_set_maxpoll=18_hours"], "controls": []}, {"id": "SRG-OS-000096-GPOS-00050", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_firewalld_installed", "service_firewalld_enabled", "chronyd_client_only", "configure_firewalld_ports", "chronyd_no_chronyc_network", "firewalld_sshd_port_enabled"], "controls": []}, {"id": "SRG-OS-000396-GPOS-00176", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_crypto_fips_enabled", "fips_crypto_subpolicy", "system_booted_in_fips_mode", "enable_fips_mode", "configure_crypto_policy", "package_crypto-policies_installed"], "controls": []}, {"id": "SRG-OS-000281-GPOS-00111", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.", "description": null, "rationale": "If a user cannot explicitly end an operating system session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.\nUsers need to be aware of whether or not the session has been terminated.\n\nInformation resources to which users gain access via authentication include, for example, local workstations and remote services.\nLogoff messages can be displayed after authenticated sessions have been terminated. 
\nHowever, for some types of interactive sessions, including, for example, remote logon, information systems typically send logoff messages as final messages prior to terminating sessions.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "When logging off from an SSH terminal session, SSH prints \"Connection to <host> closed\". This is hard-coded in client_loop() in clientloop.c (https://github.com/openssh/openssh-portable/blob/master/clientloop.c). When the remote ends the connection, a message is also printed: \"Connection to <host> closed by remote host\". This message is hard-coded in client_process_net_input() in clientloop.c", "status_justification": "Ubuntu 22.04 meets this requirement and it is not configurable.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance. Ubuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000042-GPOS-00020", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records containing the full-text recording of privileged commands.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_dac_modification_fchmodat2", "audit_rules_execution_setfacl", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_file_deletion_events_renameat2", "audit_rules_dac_modification_fchownat", "audit_rules_privileged_commands_chage", "audit_rules_dac_modification_lchown", "audit_rules_privileged_commands_umount", "audit_rules_unsuccessful_file_modification_truncate", 
"audit_rules_kernel_module_loading_delete", "audit_rules_dac_modification_setxattr", "audit_rules_execution_semanage", "audit_rules_privileged_commands_ssh_agent", "audit_rules_execution_chacl", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_privileged_commands_kmod", "audit_rules_media_export", "audit_rules_privileged_commands_gpasswd", "audit_rules_dac_modification_fchown", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_lsetxattr", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_unix_update", "audit_rules_privileged_commands_chsh", "audit_rules_file_deletion_events_renameat", "audit_rules_privileged_commands_userhelper", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_execution_chcon", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_privileged_commands_mount", "audit_rules_privileged_commands_postqueue", "audit_rules_file_deletion_events_rmdir", "audit_rules_dac_modification_fchmodat", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_sudoedit", "audit_rules_execution_setfiles", "audit_rules_privileged_commands_usermod", "audit_rules_privileged_commands_newgrp", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_setsebool", "grub2_audit_argument", "audit_rules_login_events_lastlog", "audit_rules_privileged_commands_su", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_chown", "audit_rules_usergroup_modification_opasswd", "audit_rules_sudoers", "audit_rules_dac_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_open", "audit_rules_privileged_commands_unix_chkpwd", 
"audit_rules_privileged_commands_postdrop", "audit_rules_privileged_commands_passwd", "audit_rules_privileged_commands_crontab", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_group", "audit_rules_kernel_module_loading_finit", "audit_rules_unsuccessful_file_modification_creat"], "controls": []}, {"id": "SRG-OS-000071-GPOS-00039", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce password complexity by requiring that at least one numeric character be used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_dcredit", "accounts_password_pam_enforce_root", "var_password_pam_dcredit=1"], "controls": []}, {"id": "SRG-OS-000755-GPOS-00220", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must monitor the use of maintenance tools that execute with increased privilege.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_su", "audit_rules_suid_privilege_function", "audit_rules_privileged_commands_sudoedit"], "controls": []}, {"id": "SRG-OS-000405-GPOS-00184", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["encrypt_partitions"], "controls": []}, {"id": "SRG-OS-000394-GPOS-00174", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "var_system_crypto_policy=fips"], "controls": []}, {"id": "SRG-OS-000375-GPOS-00160", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pcsc-lite_installed", "sssd_enable_smartcards", "package_opensc_installed", "sssd_certificate_verification", "install_smartcard_packages", "service_pcscd_enabled", "package_pcsc-lite-ccid_installed", "var_sssd_certificate_verification_digest_function=sha512"], "controls": []}, {"id": "SRG-OS-000134-GPOS-00068", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must isolate security functions from nonsecurity functions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["package_policycoreutils_installed", "selinux_state", "grub2_init_on_free", "grub2_vsyscall_argument", "grub2_page_poison_argument"], "controls": []}, {"id": "SRG-OS-000745-GPOS-00210", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must accept only external credentials that are NIST-compliant.", "description": null, "rationale": "Allowing only NIST-compliant external authenticators ensures that the system meets or exceeds federal requirements, enabling federal government relying parties to trust these authenticators during authentication transactions at a specified authenticator assurance level.", "automated": "no", "status": "does not meet", "mitigation": "Ensure system level controls are in place to implement comprehensive authenticator and identifier alignment to correlating system requirements.\n\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Ubuntu 22.04 does not natively provide mechanisms which satisfy all requirements identified in NIST SP 800-63b.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000274-GPOS-00104", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must notify system administrators and ISSOs when accounts are created.", "description": null, "rationale": "Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access.\nOne way to accomplish this is for the attacker to create a new account. 
Notification of account creation is one method for mitigating this risk.\nA comprehensive account management process will ensure an audit trail that documents the creation of operating system user accounts and notifies administrators and ISSOs that it exists.\nSuch a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.\n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.", "automated": "no", "status": "does not meet", "mitigation": "Mitigate with third-party software.\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Notification when accounts are created/modified/deleted must be provided by a third-party application that will communicate that an audit record of these actions has been created.", "fixtext": "This requirement is a permanent finding and cannot be fixed.\nAn appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": "Ubuntu 22.04 does not support this requirement.\nThis is an applicable-does not meet finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000063-GPOS-00032", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_audit_rulesd", 
"file_permissions_etc_audit_auditd"], "controls": []}, {"id": "SRG-OS-000300-GPOS-00118", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect wireless access to the system using authentication of users and/or devices.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces", "kernel_module_bluetooth_disabled"], "controls": []}, {"id": "SRG-OS-000113-GPOS-00058", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "The release notes of OpenSSH 7.6 state \"OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.\"\nhttps://www.openssh.com/txt/release-7.6", "status_justification": "The OpenSSH package in Ubuntu 22.04 is version 9.6, which is newer than 7.6, a version that only supports SSH protocol 2.0, which is resistant to replay attacks.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000258-GPOS-00099", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit tools from unauthorized deletion.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["file_audit_tools_group_ownership", "file_audit_tools_ownership", "file_audit_tools_permissions"], "controls": []}, {"id": "SRG-OS-000075-GPOS-00043", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce 24 hours/1 day as the minimum password lifetime.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_minimum_age_login_defs", "accounts_password_set_min_life_existing", "var_accounts_minimum_age_login_defs=1"], "controls": []}, {"id": "SRG-OS-000354-GPOS-00142", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must not alter original content or time ordering of audit records when it provides a report generation capability.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000690-GPOS-00140", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prohibit the use or connection of unauthorized hardware components.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_usbguard_installed", "usbguard_generate_policy", "service_usbguard_enabled"], "controls": []}, {"id": "SRG-OS-000705-GPOS-00150", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement multifactor authentication for local, network, and/or remote access to privileged accounts 
and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_sssd_enabled", "package_sssd_installed", "install_smartcard_packages"], "controls": []}, {"id": "SRG-OS-000080-GPOS-00048", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_audit_configuration", "require_singleuser_auth", "grub2_password", "file_permissions_audit_configuration", "file_ownership_audit_configuration", "account_temp_expire_date", "grub2_admin_username"], "controls": []}, {"id": "SRG-OS-000355-GPOS-00143", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must, for networked systems, compare internal information system clocks at least every 24 hours with an authoritative time source.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_server_directive", "package_chrony_installed", "chronyd_or_ntpd_set_maxpoll", "chronyd_specify_remote_server", "service_chronyd_enabled", "var_multiple_time_servers=stig"], "controls": []}, {"id": "SRG-OS-000297-GPOS-00115", "levels": ["medium"], "notes": "", "title": 
"Ubuntu 22.04 must control remote access methods.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_firewalld_installed", "service_firewalld_enabled", "configure_firewalld_ports"], "controls": []}, {"id": "SRG-OS-000373-GPOS-00157", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must require users to reauthenticate when changing roles.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_remove_nopasswd", "sudo_remove_no_authenticate"], "controls": []}, {"id": "SRG-OS-000462-GPOS-00206", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to modify privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_dac_modification_fchmodat2", "audit_rules_execution_setfacl", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_file_deletion_events_renameat2", "audit_rules_dac_modification_fchownat", "audit_rules_privileged_commands_chage", "audit_rules_dac_modification_lchown", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_kernel_module_loading_delete", "audit_rules_dac_modification_setxattr", "audit_rules_execution_semanage", "audit_rules_privileged_commands_ssh_agent", "audit_rules_execution_chacl", 
"audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_privileged_commands_kmod", "audit_rules_media_export", "audit_rules_privileged_commands_gpasswd", "audit_rules_dac_modification_fchown", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_lsetxattr", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_unix_update", "audit_rules_privileged_commands_chsh", "audit_rules_file_deletion_events_renameat", "audit_rules_privileged_commands_userhelper", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_execution_chcon", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_privileged_commands_postqueue", "audit_rules_file_deletion_events_rmdir", "audit_rules_dac_modification_fchmodat", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_sudoedit", "audit_rules_execution_setfiles", "audit_rules_privileged_commands_usermod", "audit_rules_privileged_commands_newgrp", "audit_rules_dac_modification_umount2", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_setsebool", "audit_rules_kernel_module_loading_init", "audit_rules_login_events_lastlog", "audit_rules_privileged_commands_su", "grub2_audit_argument", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_umount", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_chown", "audit_rules_usergroup_modification_opasswd", "audit_rules_sudoers", "audit_rules_dac_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_open", "audit_rules_privileged_commands_unix_chkpwd", "audit_rules_privileged_commands_postdrop", "audit_rules_privileged_commands_passwd", 
"audit_rules_privileged_commands_crontab", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_group", "audit_rules_kernel_module_loading_finit", "audit_rules_unsuccessful_file_modification_creat"], "controls": []}, {"id": "SRG-OS-000472-GPOS-00217", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records showing starting and ending time for user access to the system.", "description": null, "rationale": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\nAudit records can be generated from various components within the information system (e.g., module or policy filter).", "automated": "no", "status": "inherently met", "mitigation": "Linux kernel audit subsystem always adds a timestamp to each audit buffer used to contain the entire audit log data. Function kernel/audit.c:audit_log_start() calls kernel/audit.c:audit_get_stamp() to fetch the timestamp and formats the message into the audit log buffer.", "artifact_description": null, "status_justification": "Date/time stamps in the audit log are a function of the audit subsystem and cannot be modified or removed short of recompiling the audit packages.", "fixtext": "The technology inherently meets this requirement. 
No fix is required", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000039-GPOS-00017", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must produce audit records containing information to establish where the events occurred.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_name_format", "service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000037-GPOS-00015", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must produce audit records containing information to establish what type of events occurred.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_dac_modification_fchmodat2", "audit_rules_privileged_commands_pkexec", "audit_rules_execution_setfacl", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_file_deletion_events_renameat2", "audit_rules_privileged_commands_modprobe", "audit_rules_dac_modification_fchownat", "package_audit_installed", "audit_rules_privileged_commands_chage", "audit_rules_dac_modification_lchown", "audit_rules_privileged_commands_umount", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_kernel_module_loading_delete", "audit_rules_dac_modification_setxattr", "audit_rules_execution_semanage", "audit_rules_privileged_commands_ssh_agent", "audit_rules_execution_chacl", 
"audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_privileged_commands_kmod", "audit_rules_media_export", "audit_rules_privileged_commands_gpasswd", "audit_rules_dac_modification_fchown", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_lsetxattr", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_unix_update", "audit_rules_privileged_commands_chsh", "audit_rules_file_deletion_events_renameat", "audit_rules_privileged_commands_userhelper", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_execution_chcon", "audit_rules_privileged_commands_crontab", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_privileged_commands_mount", "audit_rules_privileged_commands_postqueue", "audit_rules_file_deletion_events_rmdir", "audit_rules_dac_modification_fchmodat", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_sudoedit", "audit_rules_execution_setfiles", "audit_rules_privileged_commands_usermod", "audit_rules_privileged_commands_newgrp", "audit_rules_dac_modification_umount2", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_setsebool", "audit_rules_kernel_module_loading_init", "audit_rules_login_events_lastlog", "audit_rules_privileged_commands_su", "grub2_audit_argument", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_umount", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_chown", "audit_rules_usergroup_modification_opasswd", "audit_rules_sudoers", "audit_rules_dac_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_open", "audit_rules_privileged_commands_unix_chkpwd", 
"audit_rules_privileged_commands_postdrop", "audit_rules_privileged_commands_passwd", "service_auditd_enabled", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_group", "audit_rules_kernel_module_loading_finit", "audit_rules_unsuccessful_file_modification_creat"], "controls": []}, {"id": "SRG-OS-000433-GPOS-00193", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement address space layout randomization to protect its memory from unauthorized code execution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_randomize_va_space", "grub2_pti_argument"], "controls": []}, {"id": "SRG-OS-000376-GPOS-00161", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must accept Personal Identity Verification (PIV) credentials.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_opensc_installed"], "controls": []}, {"id": "SRG-OS-000114-GPOS-00059", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must uniquely identify peripherals before establishing a connection.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled", "dconf_gnome_disable_autorun", "dconf_gnome_disable_automount_open", "service_autofs_disabled"], "controls": []}, {"id": "SRG-OS-000477-GPOS-00222", "levels": ["medium"], "notes": "", "title": "Ubuntu 
22.04 must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_init", "audit_rules_privileged_commands_modprobe", "audit_rules_privileged_commands_kmod", "audit_rules_privileged_commands_rmmod", "audit_privileged_commands_init", "audit_privileged_commands_shutdown", "audit_privileged_commands_reboot", "audit_rules_kernel_module_loading_delete", "audit_rules_kernel_module_loading_finit", "audit_privileged_commands_poweroff"], "controls": []}, {"id": "SRG-OS-000241-GPOS-00091", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit all account removal actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_sudoers", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000341-GPOS-00132", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["grub2_audit_backlog_limit_argument", "auditd_audispd_configure_sufficiently_large_partition", "partition_for_var_log_audit", "var_audit_backlog_limit=8192"], "controls": []}, {"id": "SRG-OS-000030-GPOS-00011", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide the capability for users to directly initiate a session lock for all connection types.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_lock_locked", "dconf_gnome_lock_screen_on_smartcard_removal", "dconf_gnome_screensaver_lock_enabled"], "controls": []}, {"id": "SRG-OS-000326-GPOS-00126", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prevent all software from executing at higher privilege levels than users executing the software.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_suid_privilege_function"], "controls": []}, {"id": "SRG-OS-000480-GPOS-00230", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.", "description": null, "rationale": "Users home directories/folders may contain information of a sensitive nature.\nNon-privileged users should coordinate any sharing of information with an SA\nthrough shared resources.", "automated": "no", "status": "does not meet", "mitigation": "Ensure discretionary access control policies are implemented at the system level to enforce\n   restrictions preventing 
non-privileged users from granting other users access to their home directories.\n\nAlthough the listed mitigation supports the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Ubuntu 22.04 does not natively support a method of limiting the ability of non-privileged users to grant\n other users direct access to the contents of their home directories/folders.", "fixtext": "This requirement is a permanent finding and cannot be fixed.\nAn appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000067-GPOS-00035", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04, for PKI-based authentication, must enforce authorized access to the corresponding private key.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ssh_keys_passphrase_protected"], "controls": []}, {"id": "SRG-OS-000055-GPOS-00026", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use internal system clocks to generate time stamps for audit records.", "description": "Ubuntu 22.04 must use internal system clocks to generate time stamps for audit records.", "rationale": "Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded.\nDetermining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.\n\nIf the internal clock is not used, the system may not be able to provide time stamps for log messages.\nAdditionally, externally 
generated time stamps may not be accurate.", "automated": "no", "status": "inherently met", "mitigation": "The \"ausearch\" tool manpage describes how it can be used to search for audit records based on their associated timestamps: http://man7.org/linux/man-pages/man8/ausearch.8.html.", "artifact_description": null, "status_justification": "The default setup of \"rsyslogd\" uses timestamps and the default setup of \"chronyd\" uses the system clock.", "fixtext": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000775-GPOS-00230", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must include only approved trust anchors in trust stores or certificate stores managed by the organization.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_has_trust_anchor"], "controls": []}, {"id": "SRG-OS-000062-GPOS-00031", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide audit record generation capability for DoD-defined auditable events for all operating system components.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_dac_modification_fchmodat2", "audit_rules_execution_setfacl", 
"audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_file_deletion_events_renameat2", "audit_rules_dac_modification_fchownat", "package_audit_installed", "audit_rules_privileged_commands_chage", "audit_rules_dac_modification_lchown", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_kernel_module_loading_delete", "audit_rules_dac_modification_setxattr", "audit_rules_execution_semanage", "audit_rules_privileged_commands_ssh_agent", "audit_rules_execution_chacl", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_privileged_commands_kmod", "audit_rules_media_export", "audit_rules_privileged_commands_gpasswd", "audit_rules_dac_modification_fchown", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_lsetxattr", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_unix_update", "audit_rules_privileged_commands_chsh", "audit_rules_file_deletion_events_renameat", "audit_rules_privileged_commands_userhelper", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_execution_chcon", "audit_rules_privileged_commands_crontab", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_privileged_commands_postqueue", "audit_rules_file_deletion_events_rmdir", "audit_rules_dac_modification_fchmodat", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_sudoedit", "audit_rules_execution_setfiles", "audit_rules_privileged_commands_usermod", "audit_rules_privileged_commands_newgrp", "audit_rules_dac_modification_umount2", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_setsebool", "audit_rules_kernel_module_loading_init", "audit_rules_login_events_lastlog", "audit_rules_privileged_commands_su", "grub2_audit_argument", "configure_usbguard_auditbackend", 
"audit_rules_dac_modification_lremovexattr", "auditd_local_events", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_umount", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_chown", "audit_rules_usergroup_modification_opasswd", "audit_rules_sudoers", "audit_rules_dac_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_open", "audit_rules_privileged_commands_unix_chkpwd", "audit_rules_privileged_commands_postdrop", "audit_rules_privileged_commands_passwd", "service_auditd_enabled", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_group", "audit_rules_kernel_module_loading_finit", "audit_rules_unsuccessful_file_modification_creat"], "controls": []}, {"id": "SRG-OS-000424-GPOS-00188", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces", "service_sshd_enabled", "ssh_client_rekey_limit", "package_openssh-server_installed"], "controls": []}, {"id": "SRG-OS-000240-GPOS-00090", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit all account disabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["audit_rules_sudoers_d", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_sudoers", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000298-GPOS-00116", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide the capability to immediately disconnect or disable remote access to the operating system.", "description": null, "rationale": "Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.\n\nUbuntu 22.04 remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access.\nThe speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems.\n\nThe remote access functionality (e.g., RDP) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "The admin can shut down networking to the host by port, NIC, or the entire network as desired.", "status_justification": "The use of the \"exit\" command will end any communication session on the system. 
This is part of the kernel and cannot be removed without recompiling.\n\nThe admin can shutdown networking to the host by port, NIC, or the entire network as desired.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000032-GPOS-00013", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must monitor remote access methods.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_loglevel_verbose", "rsyslog_remote_access_monitoring"], "controls": []}, {"id": "SRG-OS-000445-GPOS-00199", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must verify correct operation of all security functions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed", "selinux_context_elevation_for_sudo", "selinux_state", "selinux_policytype", "var_selinux_policy_name=targeted", "var_selinux_state=enforcing"], "controls": []}, {"id": "SRG-OS-000480-GPOS-00228", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": 
null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_profile", "accounts_umask_etc_login_defs", "accounts_umask_etc_csh_cshrc", "accounts_umask_etc_bashrc", "var_accounts_user_umask=077"], "controls": []}, {"id": "SRG-OS-000041-GPOS-00019", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must produce audit records containing information to establish the outcome of the events.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000468-GPOS-00212", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to delete security objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chcon", "audit_rules_dac_modification_lremovexattr", "audit_rules_file_deletion_events_renameat2", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_file_deletion_events_rmdir", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_chage", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlinkat"], "controls": []}, {"id": "SRG-OS-000378-GPOS-00163", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must authenticate peripherals before establishing a connection.", "description": null, "rationale": null, "automated": "yes", "status": 
"automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled", "package_usbguard_installed", "usbguard_generate_policy", "service_autofs_disabled", "service_usbguard_enabled", "dconf_gnome_disable_autorun", "dconf_gnome_disable_automount_open"], "controls": []}, {"id": "SRG-OS-000480-GPOS-00225", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prevent the use of dictionary words for passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_dictcheck", "accounts_password_pam_enforce_root"], "controls": []}, {"id": "SRG-OS-000780-GPOS-00240", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["encrypt_partitions"], "controls": []}, {"id": "SRG-OS-000363-GPOS-00150", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must notify designated personnel if baseline configurations are changed in an unauthorized manner.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_periodic_cron_checking", "package_s-nail_installed", 
"aide_use_fips_hashes", "package_aide_installed", "aide_build_database"], "controls": []}, {"id": "SRG-OS-000112-GPOS-00057", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement replay-resistant authentication mechanisms for network access to privileged accounts.", "description": null, "rationale": "A replay attack may enable an unauthorized user to gain access to Ubuntu 22.04. Authentication sessions between the authenticator and Ubuntu 22.04 validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.\n\nA privileged account is any information system account with authorizations of a privileged user.\n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "The release notes of OpenSSH 7.6 state \"OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.\"\nhttps://www.openssh.com/txt/release-7.6", "status_justification": "The OpenSSH package in Ubuntu 22.04 is version 9.6, which is newer than 7.6; OpenSSH since 7.6 supports only SSH protocol 2.0, which is resistant to replay attacks.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000108-GPOS-00055", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use multifactor authentication for local 
access to nonprivileged accounts.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pubkey_auth", "configure_opensc_card_drivers"], "controls": []}, {"id": "SRG-OS-000239-GPOS-00089", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit all account modifications.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_sudoers", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000029-GPOS-00010", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must initiate a session lock after a 15-minute period of inactivity for all connection types.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_user_locks", "dconf_gnome_session_idle_user_locks", "dconf_gnome_screensaver_idle_delay", "dconf_gnome_screensaver_lock_delay", "inactivity_timeout_value=15_minutes", "var_screensaver_lock_delay=5_seconds"], "controls": []}, {"id": "SRG-OS-000255-GPOS-00096", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must produce audit records containing information to establish the identity of any individual or process associated with the 
event.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_log_format", "service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000351-GPOS-00139", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must provide a report generation capability that supports on-demand reporting requirements.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000348-GPOS-00136", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must provide an audit reduction capability that supports on-demand audit review and analysis.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000120-GPOS-00061", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["libreswan_approved_tunnels", "set_password_hashing_algorithm_passwordauth", "set_password_hashing_algorithm_systemauth", "package_rsyslog-gnutls_installed"], "controls": []}, {"id": "SRG-OS-000785-GPOS-00250", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must synchronize system clocks within and between systems or system components.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_chronyd_enabled", "chronyd_or_ntpd_set_maxpoll", "package_chrony_installed"], "controls": []}, {"id": "SRG-OS-000312-GPOS-00123", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must allow operating system admins to grant their privileges to other operating system admins.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["use_pam_wheel_for_su", "sysctl_fs_protected_hardlinks", "sysctl_fs_protected_symlinks"], "controls": []}, {"id": "SRG-OS-000278-GPOS-00108", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must use cryptographic mechanisms to protect the integrity of audit tools.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_check_audit_tools"], "controls": []}, {"id": "SRG-OS-000465-GPOS-00209", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_semanage", "audit_rules_execution_setfiles", "audit_rules_execution_chcon", "audit_rules_execution_setsebool"], "controls": []}, {"id": "SRG-OS-000046-GPOS-00022", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_system_shutdown", "postfix_client_configure_mail_alias", "postfix_client_configure_mail_alias_postmaster", "auditd_data_retention_action_mail_acct", "var_postfix_root_mail_alias=mil_sysadmin", "var_audit_failure_mode=panic", "var_auditd_action_mail_acct=root"], "controls": []}, {"id": "SRG-OS-000303-GPOS-00120", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit all account enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_sudoers", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000432-GPOS-00191", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must behave in a predictable and documented manner 
that reflects organizational and system objectives when invalid inputs are received.", "description": null, "rationale": "A common vulnerability of operating systems is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.\nThe behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "The Ubuntu 22.04 operating system is tested by the vendor within the standards of the software industry for inconsistent actions based on known inputs.", "status_justification": "Manpages for system calls contain descriptions of the errors returned when invalid input is received. Network protocols have associated RFCs which describe the expected behavior when those protocols receive invalid input. The Ubuntu 22.04 Linux kernel implements those protocols by following the RFCs and properly dealing with invalid inputs.", "fixtext": "Ubuntu 22.04 inherently meets this requirement. No fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance. 
Ubuntu 22.04  inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000458-GPOS-00203", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to access security objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_setxattr"], "controls": []}, {"id": "SRG-OS-000123-GPOS-00064", "levels": ["medium"], "notes": "", "title": "The information system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_temp_expire_date"], "controls": []}, {"id": "SRG-OS-000478-GPOS-00223", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_kerberos_crypto_policy", "system_booted_in_fips_mode", "enable_fips_mode", "aide_use_fips_hashes"], "controls": []}, {"id": "SRG-OS-000439-GPOS-00195", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dnf-automatic_apply_updates"], "controls": []}, {"id": "SRG-OS-000058-GPOS-00028", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit information from unauthorized modification.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_audit", "file_group_ownership_var_log_audit", "directory_group_ownership_var_log_audit", "directory_ownership_var_log_audit", "file_ownership_var_log_audit_stig", "audit_rules_immutable"], "controls": []}, {"id": "SRG-OS-000001-GPOS-00001", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide automated mechanisms for supporting account management functions.", "description": "Ubuntu 22.04 must provide automated mechanisms for supporting account management functions.", "rationale": "Enterprise environments make account management challenging and complex.\nA manual process for account management functions adds the risk of a potential oversight or other errors.\n\nA comprehensive account management process that includes automation helps 
to ensure accounts designated as requiring attention are consistently and promptly addressed.\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores such as multiple servers.\nThis requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.\n\nThe automated mechanisms may reside within the operating system itself or may be offered by another infrastructure providing automated account management capabilities.\nAutomated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements.\n\nAccount management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. 
\nThe use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.", "automated": "no", "status": "does not meet", "mitigation": "Mitigate with third-party software.\n\nAlthough the listed mitigation supports the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Mitigate with third-party software.\n\nAs noted in the vulnerability discussion, \"The automated mechanisms may reside within the operating system itself or may be offered by another infrastructure providing automated account management capabilities.\nAutomated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements.\"\nThis is not required to be provided by Ubuntu 22.04 and must be implemented via a third-party solution.", "fixtext": "This requirement is a permanent finding and cannot be fixed.\nAn appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": "Ubuntu 22.04 does not support this requirement.\nThis is an applicable-does not meet finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000447-GPOS-00201", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_periodic_cron_checking", "aide_scan_notification"], "controls": []}, {"id": "SRG-OS-000368-GPOS-00154", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["fapolicy_default_deny", "mount_option_var_log_noexec", "mount_option_home_nodev", "mount_option_var_nodev", "mount_option_var_log_nodev", "mount_option_var_tmp_nosuid", "mount_option_var_tmp_noexec", "mount_option_dev_shm_noexec", "mount_option_var_log_audit_nodev", "mount_option_boot_nodev", "mount_option_nodev_nonroot_local_partitions", "mount_option_tmp_nodev", "mount_option_tmp_noexec", "mount_option_boot_nosuid", "mount_option_var_log_audit_nosuid", "mount_option_var_tmp_nodev", "mount_option_dev_shm_nodev", "service_fapolicyd_enabled", "mount_option_var_log_audit_noexec", "mount_option_dev_shm_nosuid", "mount_option_tmp_nosuid", "mount_option_var_log_nosuid", "mount_option_home_nosuid", "package_fapolicyd_installed"], "controls": []}, {"id": "SRG-OS-000023-GPOS-00006", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue", 
"dconf_gnome_banner_enabled", "dconf_gnome_login_banner_text", "sshd_enable_warning_banner"], "controls": []}, {"id": "SRG-OS-000279-GPOS-00109", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically terminate a user session after inactivity time-outs have expired or at shutdown.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "sshd_set_idle_timeout"], "controls": []}, {"id": "SRG-OS-000109-GPOS-00056", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login", "configure_opensc_card_drivers"], "controls": []}, {"id": "SRG-OS-000027-GPOS-00008", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must limit the number of concurrent sessions to ten for all accounts and/or account types.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_max_concurrent_login_sessions", "var_accounts_max_concurrent_login_sessions=10"], "controls": []}, {"id": "SRG-OS-000054-GPOS-00025", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide the capability to filter audit records for events of interest based upon all audit fields within audit records.", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000725-GPOS-00180", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.", "description": null, "rationale": "A long passphrase is better than a shorter complex password. Not allowing spaces or other printable\ncharacters limits users' ability to create long, memorable passwords.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "PAM and shadow-utils don't provide facilities to limit the characters used in passwords.", "status_justification": "The password change facilities in Ubuntu 22.04 allow for the use of all printable characters, including spaces.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000059-GPOS-00029", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit information from unauthorized deletion.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_audit", "file_group_ownership_var_log_audit", "directory_group_ownership_var_log_audit", "directory_permissions_var_log_audit", "directory_ownership_var_log_audit", "file_ownership_var_log_audit_stig", "audit_rules_immutable"], "controls": []}, {"id": "SRG-OS-000471-GPOS-00216", "levels": ["medium"], "notes": "", "title": "The audit 
system must be configured to audit the loading and unloading of dynamic kernel modules.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_init", "audit_rules_privileged_commands_kmod", "audit_rules_privileged_commands_rmmod", "audit_rules_kernel_module_loading_delete", "audit_rules_kernel_module_loading_finit"], "controls": []}, {"id": "SRG-OS-000064-GPOS-00033", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to access privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fchmodat2", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_setxattr", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_lsetxattr", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_unix_update", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_fchmod", "audit_rules_privileged_commands_su", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_open", 
"audit_rules_unsuccessful_file_modification_creat"], "controls": []}, {"id": "SRG-OS-000467-GPOS-00211", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to delete security levels occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_file_deletion_events_renameat2", "audit_rules_file_deletion_events_unlink", "audit_rules_file_deletion_events_rmdir", "audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlinkat"], "controls": []}, {"id": "SRG-OS-000479-GPOS-00224", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_encrypt_offload_actionsendstreamdriverauthmode", "rsyslog_encrypt_offload_actionsendstreamdrivermode", "rsyslog_remote_loghost", "auditd_name_format", "rsyslog_encrypt_offload_defaultnetstreamdriver", "package_rsyslog_installed", "auditd_overflow_action"], "controls": []}, {"id": "SRG-OS-000228-GPOS-00088", "levels": ["medium"], "notes": "", "title": "Any publically accessible connection to Ubuntu 22.04 must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue", "dconf_gnome_banner_enabled", "sshd_enable_warning_banner"], "controls": []}, {"id": "SRG-OS-000480-GPOS-00226", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_logon_fail_delay", "var_accounts_fail_delay=4"], "controls": []}, {"id": "SRG-OS-000480-GPOS-00227", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_authorized_local_users", "accounts_user_dot_no_world_writable_programs", "file_groupowner_cron_deny", "sshd_disable_root_login", "dconf_gnome_disable_restart_shutdown", "dconf_gnome_disable_automount_open", "accounts_umask_etc_bashrc", "package_rsyslog-gnutls_installed", "sysctl_net_ipv6_conf_all_accept_ra", "partition_for_var_tmp", "service_firewalld_enabled", "package_tuned_removed", "no_user_host_based_files", "mount_option_nodev_nonroot_local_partitions", "sshd_print_last_log", "no_empty_passwords", "package_vsftpd_removed", "installed_OS_is_vendor_supported", "service_auditd_enabled", "sysctl_kernel_unprivileged_bpf_disabled", "rsyslog_nolisten", "file_owner_backup_etc_passwd", 
"rsyslog_remote_loghost", "disable_ctrlaltdel_reboot", "dconf_gnome_disable_ctrlaltdel_reboot", "display_login_attempts", "sshd_disable_kerb_auth", "sysctl_kernel_core_pattern", "mount_option_boot_nosuid", "sysctl_net_ipv6_conf_all_accept_source_route", "networkmanager_dns_mode", "disable_ctrlaltdel_burstaction", "grub2_vsyscall_argument", "dconf_gnome_disable_autorun", "mount_option_krb_sec_remote_filesystems", "sshd_rekey_limit", "sysctl_net_ipv6_conf_default_accept_ra", "sysctl_net_ipv4_icmp_echo_ignore_broadcasts", "selinux_all_devicefiles_labeled", "service_debug-shell_disabled", "partition_for_var_log", "package_tftp-server_removed", "grub2_disable_interactive_boot", "file_owner_etc_group", "file_permissions_backup_etc_group", "accounts_user_home_paths_only", "partition_for_home", "sshd_disable_gssapi_auth", "sshd_enable_strictmodes", "file_groupownership_home_directories", "rootfiles_configured", "file_permissions_ungroupowned", "file_owner_cron_weekly", "dir_perms_world_writable_root_owned", "configured_firewalld_default_deny", "no_host_based_files", "chronyd_no_chronyc_network", "file_owner_backup_etc_shadow", "file_permissions_crontab", "file_owner_sshd_config", "package_gssproxy_removed", "package_libreswan_installed", "auditd_log_format", "sudoers_validate_passwd", "sysctl_net_ipv4_conf_default_send_redirects", "file_groupowner_cron_monthly", "file_groupowner_grub2_cfg", "file_permission_user_init_files_root", "disable_users_coredumps", "aide_verify_ext_attributes", "aide_verify_acls", "file_permission_user_init_files", "file_groupowner_backup_etc_shadow", "sshd_disable_rhosts", "sysctl_net_ipv6_conf_all_forwarding", "sysctl_net_ipv6_conf_default_accept_redirects", "file_owner_etc_shadow", "mount_option_nodev_removable_partitions", "package_openssh-clients_installed", "package_rsyslog_installed", "chrony_set_nts", "file_groupowner_etc_shadow", "file_owner_sshd_drop_in_config", "file_owner_etc_passwd", "sysctl_net_ipv4_conf_all_forwarding", 
"package_policycoreutils-python-utils_installed", "grub2_page_poison_argument", "package_nss-tools_installed", "mount_option_nosuid_remote_filesystems", "file_permissions_etc_shadow", "partition_for_tmp", "file_permissions_cron_d", "use_kerberos_security_all_exports", "file_permissions_cron_allow", "sysctl_net_ipv4_ip_forward", "package_nfs-utils_removed", "coredump_disable_backtraces", "file_owner_cron_allow", "accounts_umask_interactive_users", "file_owner_crontab", "no_empty_passwords_etc_shadow", "partition_for_var_log_audit", "file_groupowner_backup_etc_gshadow", "file_owner_cron_hourly", "file_groupowner_backup_etc_group", "file_groupowner_sshd_config", "sysctl_net_ipv4_conf_default_rp_filter", "file_permissions_etc_group", "sysctl_net_ipv6_conf_all_accept_redirects", "file_permissions_cron_monthly", "accounts_no_uid_except_zero", "sysctl_kernel_kexec_load_disabled", "accounts_have_homedir_login_defs", "sysctl_net_ipv4_conf_all_accept_source_route", "set_firewalld_default_zone", "file_owner_grub2_cfg", "file_groupowner_backup_etc_passwd", "directory_owner_sshd_config_d", "package_policycoreutils_installed", "file_owner_backup_etc_group", "package_gdm_removed", "sshd_disable_compression", "file_groupowner_etc_passwd", "file_permissions_sshd_config", "sysctl_kernel_randomize_va_space", "file_groupowner_crontab", "directory_groupowner_sshd_config_d", "sshd_disable_user_known_hosts", "sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_kernel_yama_ptrace_scope", "no_files_unowned_by_user", "tftp_uses_secure_mode_systemd", "file_permissions_etc_gshadow", "package_firewalld_installed", "auditd_write_logs", "xwindows_runlevel_target", "file_groupowner_cron_d", "file_groupowner_cron_weekly", "file_groupowner_cron_allow", "file_permissions_sshd_pub_key", "file_permissions_backup_etc_gshadow", "sysctl_net_ipv4_tcp_syncookies", "file_owner_cron_daily", "sshd_disable_x11_forwarding", "firewalld_sshd_port_enabled", "service_systemd-coredump_disabled", 
"file_permissions_sshd_drop_in_config", "grub2_pti_argument", "file_owner_etc_gshadow", "mount_option_noexec_removable_partitions", "sysctl_net_ipv4_conf_all_rp_filter", "auditd_local_events", "coredump_disable_storage", "file_permissions_backup_etc_passwd", "service_autofs_disabled", "file_permissions_cron_weekly", "no_shelllogin_for_systemaccounts", "sysctl_net_ipv4_conf_default_accept_source_route", "directory_permissions_sshd_config_d", "package_cron_installed", "file_owner_cron_d", "postfix_prevent_unrestricted_relay", "sysctl_net_ipv4_icmp_ignore_bogus_error_responses", "file_groupowner_etc_group", "mount_option_noexec_remote_filesystems", "package_audit_installed", "sudo_restrict_privilege_elevation_to_authorized", "file_permissions_backup_etc_shadow", "sysctl_net_ipv4_conf_all_accept_redirects", "sysctl_net_ipv4_conf_default_accept_redirects", "file_groupowner_etc_gshadow", "sysctl_net_ipv4_conf_all_send_redirects", "file_owner_backup_etc_gshadow", "file_permissions_cron_daily", "file_permissions_home_directories", "package_gnutls-utils_installed", "network_sniffer_disabled", "network_configure_name_resolution", "file_permissions_cron_hourly", "file_permissions_sshd_private_key", "file_groupowner_sshd_drop_in_config", "accounts_user_interactive_home_directory_defined", "file_owner_cron_deny", "accounts_user_interactive_home_directory_exists", "kernel_module_usb-storage_disabled", "file_owner_cron_monthly", "sshd_x11_use_localhost", "file_groupowner_cron_daily", "partition_for_var", "chronyd_client_only", "file_permissions_etc_passwd", "sysctl_kernel_kptr_restrict", "service_kdump_disabled", "dconf_gnome_disable_user_list", "rsyslog_cron_logging", "mount_option_nosuid_removable_partitions", "dconf_db_up_to_date", "sshd_disable_empty_passwords", "service_rsyslog_enabled", "package_unbound_removed", "mount_option_home_nosuid", "mount_option_home_noexec", "sysctl_net_core_bpf_jit_harden", "mount_option_nodev_remote_filesystems", "file_groupowner_cron_hourly", 
"var_user_initialization_files_regex=all_dotfiles", "var_networkmanager_dns_mode=explicit_default"], "controls": []}, {"id": "SRG-OS-000072-GPOS-00040", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must require the change of at least 50 percent of the total number of characters when passwords are changed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_maxrepeat", "accounts_password_pam_minclass", "accounts_password_pam_enforce_root", "accounts_password_pam_maxclassrepeat", "accounts_password_pam_difok", "var_password_pam_difok=8", "var_password_pam_maxclassrepeat=4", "var_password_pam_maxrepeat=3", "var_password_pam_minclass=4"], "controls": []}, {"id": "SRG-OS-000480-GPOS-00229", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must not allow an unattended or automatic logon to the system.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_host_auth", "gnome_gdm_disable_automatic_login", "sshd_do_not_permit_user_env", "sshd_disable_empty_passwords"], "controls": []}, {"id": "SRG-OS-000107-GPOS-00054", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use multifactor authentication for local access to privileged accounts.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pubkey_auth", "configure_opensc_card_drivers"], "controls": []}, {"id": 
"SRG-OS-000350-GPOS-00138", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must provide a report generation capability that supports on-demand audit review and analysis.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000471-GPOS-00215", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records for privileged activities or other system-level access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_dac_modification_fchmodat2", "audit_rules_execution_setfacl", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_file_deletion_events_renameat2", "audit_rules_dac_modification_fchownat", "audit_rules_privileged_commands_chage", "audit_rules_dac_modification_lchown", "audit_rules_privileged_commands_umount", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_kernel_module_loading_delete", "audit_rules_dac_modification_setxattr", "audit_rules_execution_semanage", "audit_rules_privileged_commands_ssh_agent", "audit_rules_execution_chacl", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_privileged_commands_kmod", "audit_rules_media_export", "audit_rules_privileged_commands_gpasswd", "audit_rules_dac_modification_fchown", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_lsetxattr", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_unix_update", 
"audit_rules_privileged_commands_chsh", "audit_rules_file_deletion_events_renameat", "audit_rules_privileged_commands_userhelper", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_execution_chcon", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_privileged_commands_postqueue", "audit_rules_file_deletion_events_rmdir", "audit_rules_dac_modification_fchmodat", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_sudoedit", "audit_rules_execution_setfiles", "audit_rules_privileged_commands_usermod", "audit_rules_privileged_commands_newgrp", "audit_rules_dac_modification_umount2", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_setsebool", "audit_rules_kernel_module_loading_init", "audit_rules_login_events_lastlog", "audit_rules_privileged_commands_su", "grub2_audit_argument", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_umount", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_chown", "audit_rules_usergroup_modification_opasswd", "audit_rules_sudoers", "audit_rules_dac_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_open", "audit_rules_privileged_commands_unix_chkpwd", "audit_rules_privileged_commands_postdrop", "audit_rules_privileged_commands_passwd", "audit_rules_privileged_commands_crontab", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_group", "audit_rules_kernel_module_loading_finit", "audit_rules_unsuccessful_file_modification_creat"], "controls": []}, {"id": "SRG-OS-000024-GPOS-00007", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must display the Standard Mandatory DoD Notice and Consent Banner until users 
acknowledge the usage conditions and take explicit actions to log on for further access.", "description": null, "rationale": "The banner must be acknowledged by the user prior to allowing the user access to the operating system.\nThis provides assurance that the user has seen the message and accepted the conditions for access.\nIf the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.\n\nTo establish acceptance of the application usage policy, a click-through banner at system logon is required.\nThe system must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".", "automated": "no", "status": "does not meet", "mitigation": "Ensure that the banner is prior to entering the user password to act as the \"OK\".\n\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Ubuntu 22.04 does not natively support a method of presenting an interactive acknowledgement of the login banner.", "fixtext": "This requirement is a permanent finding and cannot be fixed.\nAn appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000720-GPOS-00170", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must for password-based authentication, require immediate selection of a new password upon account recovery.", "description": null, "rationale": null, "automated": "no", "status": "does not meet", "mitigation": "Ensure system level controls are in place to restrict access to resources upon account reset.\n\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this 
"requirement.", "artifact_description": null, "status_justification": "Ubuntu 22.04 does not natively support a method of immediately requiring a password reset should an account be reset during an active user session.\n\nProcesses for resetting user passwords should include procedures to set the password expiry in the past so that users are prompted to change their password on next logon.", "fixtext": "This requirement is a permanent finding and cannot be fixed.\nAn appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000163-GPOS-00072", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "sshd_set_keepalive", "sshd_set_idle_timeout", "logind_session_timeout", "var_accounts_tmout=15_min", "var_sshd_set_keepalive=1"], "controls": []}, {"id": "SRG-OS-000118-GPOS-00060", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": 
null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_disable_post_pw_expiration"], "controls": []}, {"id": "SRG-OS-000184-GPOS-00078", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.", "description": null, "rationale": "Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources.\nOperating systems that fail suddenly and with no incorporated failure state planning may leave the system available but with a reduced security protection capability.\nPreserving operating system state information also facilitates system restart and return to the operational mode of the organization with less disruption to mission-essential processes.\n\nAbort refers to stopping a program or function before it has finished naturally.\nThe term abort refers to both requested and unexpected terminations.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": "Ubuntu 22.04 is secure in the event of a failure. Authentication and authorizations are still necessary to access the system.", "fixtext": "Ubuntu 22.04 inherently meets this requirement. 
No fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000038-GPOS-00016", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must produce audit records containing information to establish when (date and time) the events occurred.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000299-GPOS-00117", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect wireless access to and from the system using encryption.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces"], "controls": []}, {"id": "SRG-OS-000327-GPOS-00127", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit the execution of privileged functions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_suid_privilege_function"], "controls": []}, {"id": "SRG-OS-000403-GPOS-00182", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating 
system.", "description": "Ubuntu 22.04 must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.", "rationale": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\nThe DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.", "automated": "no", "status": "does not meet", "mitigation": "This item can be mitigated by installing an additional packages/software that is not included in the default install of Ubuntu 22.04.\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "This is a procedural-only requirement that is not enforced by the OS.", "fixtext": "This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": "Ubuntu 22.04 does not support this requirement. 
This is an applicable-does not meet finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000069-GPOS-00037", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce password complexity by requiring that at least one uppercase character be used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwquality_password_auth", "accounts_password_pam_ucredit", "accounts_password_pam_enforce_root", "accounts_password_pam_pwquality_retry", "accounts_password_pam_pwquality_system_auth", "var_password_pam_retry=3", "var_password_pam_ucredit=1"], "controls": []}, {"id": "SRG-OS-000433-GPOS-00192", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement non-executable data to protect its memory from unauthorized code execution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["bios_enable_execution_restrictions", "sysctl_kernel_exec_shield", "sysctl_kernel_kptr_restrict", "grub2_init_on_free"], "controls": []}, {"id": "SRG-OS-000337-GPOS-00129", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000395-GPOS-00175", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance sessions.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "When a process terminates, the Linux kernel executes the kernel/exit.c:do_exit() function, which indirectly calls fs/file.c:close_files(). The latter iterates over all file descriptors of the process and closes them. Since a socket also receives a file descriptor, the kernel closes those as well.", "status_justification": "The use of the \"exit\" command will end any communication session on the system. This is part of the kernel and cannot be removed without recompiling.", "fixtext": "Ubuntu 22.04 inherently meets this requirement. No fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance. 
Ubuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000269-GPOS-00103", "levels": ["medium"], "notes": "", "title": "In the event of a system failure, Ubuntu 22.04 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-journald_enabled"], "controls": []}, {"id": "SRG-OS-000078-GPOS-00046", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce a minimum 15-character password length.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_minlen", "accounts_password_pam_enforce_root", "var_password_pam_minlen=15"], "controls": []}, {"id": "SRG-OS-000074-GPOS-00042", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must transmit only encrypted representations of passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_tftp_removed", "package_vsftpd_removed", "package_telnet-server_removed"], "controls": []}, {"id": "SRG-OS-000066-GPOS-00034", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04, for PKI-based authentication, must validate certificates by constructing a certification 
path (which includes status information) to an accepted trust anchor.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_has_trust_anchor"], "controls": []}, {"id": "SRG-OS-000426-GPOS-00190", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must maintain the confidentiality and integrity of information during reception.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_sshd_enabled", "configure_bind_crypto_policy", "package_openssh-server_installed"], "controls": []}, {"id": "SRG-OS-000079-GPOS-00047", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.", "description": "Ubuntu 22.04 must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.", "rationale": "To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from Ubuntu 22.04 must not provide any information allowing an unauthorized user to compromise the authentication mechanism.\n\nObfuscation of user-provided information that is typed into the system is a method used when addressing this risk.\n\nFor example, displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.", "automated": "no", "status": "inherently met", "mitigation": "The \"passwd\", 
\"login\", and \"sudo\" commands do not display the passwords being typed.\n\nThe \"passwd.c\" from the \"passwd\" source code uses the \"getpass\" function, which is specific to retrieving passwords and thus does not provide feedback to the terminal.\n\nThe \"tgetpass.c\" from the sudo source code uses the \"tgetpass\" function, which has a similar behavior to \"getpass\", including not providing terminal feedback for passwords.\n\nThe \"login\" command uses pam_authenticate, which similarly does not provide terminal feedback during password authentication.", "artifact_description": null, "status_justification": "The \"passwd\", \"login\", and \"sudo\" commands on the system do not print any characters that are entered as a password.", "fixtext": "The technology inherently meets this requirement. No fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000138-GPOS-00069", "levels": ["medium"], "notes": "", "title": "Operating systems must prevent unauthorized and unintended information transfer via shared system resources.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_perf_event_paranoid", "dir_perms_world_writable_root_owned", "dir_perms_world_writable_sticky_bits", "sysctl_kernel_dmesg_restrict"], "controls": []}, {"id": "SRG-OS-000373-GPOS-00156", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must require users to reauthenticate for privilege escalation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_remove_nopasswd", "sudo_remove_no_authenticate"], "controls": []}, {"id": "SRG-OS-000125-GPOS-00065", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pam", "sysctl_crypto_fips_enabled"], "controls": []}, {"id": "SRG-OS-000474-GPOS-00219", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful accesses to objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_chown", "package_audit_installed", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_lchown", "service_auditd_enabled"], "controls": []}, {"id": "SRG-OS-000250-GPOS-00093", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must implement cryptography to protect the integrity of remote access sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["file_sshd_50_redhat_exists", "sshd_include_crypto_policy", "harden_sshd_ciphers_opensshserver_conf_crypto_policy", "harden_sshd_macs_opensshserver_conf_crypto_policy", "harden_sshd_ciphers_openssh_conf_crypto_policy", "harden_sshd_macs_openssh_conf_crypto_policy", "sshd_approved_ciphers=stig_rhel9", "sshd_approved_macs=stig_rhel9"], "controls": []}, {"id": "SRG-OS-000122-GPOS-00063", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide an audit reduction capability that supports on-demand reporting requirements.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000329-GPOS-00128", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny_root", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_faillock_interval", "accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_deny=3", "var_accounts_passwords_pam_faillock_fail_interval=900", "var_accounts_passwords_pam_faillock_unlock_time=never"], "controls": []}, {"id": "SRG-OS-000312-GPOS-00124", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must allow operating system admins to change security attributes on users, the operating system, or the 
operating systems components.", "description": null, "rationale": "Administrators of Ubuntu 22.04 need to be able to change attributes on users, the operating system, \nor Ubuntu 22.04 components in order to secure the system and ensure that the system is set up\nto perform the mission.", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "UID 0 is the root account as defined by the POSIX standard. The root user has the ability to fully administer Ubuntu 22.04.", "status_justification": "Ubuntu 22.04 meets this requirement and it is not configurable.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000470-GPOS-00214", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful logon attempts occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_login_events_faillock", "audit_rules_login_events_lastlog", "audit_rules_login_events_tallylog", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", "audit_rules_sudoers", "audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000051-GPOS-00024", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide the capability to centrally review and analyze audit records from multiple components within the system.", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsyslog_installed", "service_auditd_enabled", "package_audit_installed", "auditd_freq", "var_auditd_freq=100"], "controls": []}, {"id": "SRG-OS-000360-GPOS-00147", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.", "description": null, "rationale": null, "automated": "no", "status": "does not meet", "mitigation": "The following items mitigate this risk by protecting the audit logs and tools from unauthorized access.\nSRG-OS-000206-GPOS-00084 or mitigate with third-party software.\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "This is a procedural-only requirement that is not enforced by the OS.", "fixtext": "This requirement is a permanent finding and cannot be fixed.\nAn appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.", "check": "Ubuntu 22.04 does not support this requirement.\nThis is an applicable-does not meet finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000425-GPOS-00189", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must maintain the confidentiality and integrity of information during preparation for transmission.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["service_sshd_enabled", "package_openssh-server_installed"], "controls": []}, {"id": "SRG-OS-000070-GPOS-00038", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce password complexity by requiring that at least one lowercase character be used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_lcredit", "accounts_password_pam_enforce_root", "var_password_pam_lcredit=1"], "controls": []}, {"id": "SRG-OS-000266-GPOS-00101", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce password complexity by requiring that at least one special character be used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_ocredit", "accounts_password_pam_enforce_root", "var_password_pam_ocredit=1"], "controls": []}, {"id": "SRG-OS-000021-GPOS-00005", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_faillock", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_faillock_audit", "accounts_passwords_pam_faillock_dir", "accounts_passwords_pam_faillock_deny_root", "account_password_pam_faillock_system_auth", 
"accounts_passwords_pam_faillock_interval", "account_password_selinux_faillock_dir", "account_password_pam_faillock_password_auth", "accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_deny=3", "var_accounts_passwords_pam_faillock_fail_interval=900", "var_accounts_passwords_pam_faillock_unlock_time=never"], "controls": []}, {"id": "SRG-OS-000040-GPOS-00018", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must produce audit records containing information to establish the source of the events.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000349-GPOS-00137", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must provide an audit reduction capability that supports after-the-fact investigations of security incidents.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000342-GPOS-00133", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must offload audit records onto a different system or media from the system being audited.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_encrypt_offload_actionsendstreamdriverauthmode", "rsyslog_encrypt_offload_actionsendstreamdrivermode", 
"rsyslog_remote_loghost", "auditd_name_format", "rsyslog_encrypt_offload_defaultnetstreamdriver", "package_audispd-plugins_installed", "auditd_overflow_action"], "controls": []}, {"id": "SRG-OS-000364-GPOS-00151", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce access restrictions.", "description": null, "rationale": "Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications.\n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).", "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "The UNIX permissions construct separates user and privileged user (the operating system accounts) access.", "status_justification": "Ubuntu 22.04 is based on the Linux kernel. 
The Linux kernel enforces access restrictions as detailed here: https://www.linux.com/tutorials/overview-linux-kernel-security-features/.", "fixtext": "Ubuntu 22.04 inherently meets this requirement.\nNo fix is required.", "check": "Ubuntu 22.04 supports this requirement and cannot be configured to be out of compliance.\nUbuntu 22.04 inherently meets this requirement.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-OS-000480-GPOS-00232", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enable an application firewall, if available.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_firewalld_installed", "service_firewalld_enabled"], "controls": []}, {"id": "SRG-OS-000352-GPOS-00140", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must provide a report generation capability that supports after-the-fact investigations of security incidents.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000105-GPOS-00052", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use multifactor authentication for network access to privileged accounts.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_enable_smartcards", "sshd_enable_pubkey_auth", 
"install_smartcard_packages"], "controls": []}, {"id": "SRG-OS-000277-GPOS-00107", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must notify system administrators and ISSOs when accounts are removed.", "description": null, "rationale": null, "automated": "no", "status": "does not meet", "mitigation": "Mitigate with third-party software.\n\nAlthough the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.", "artifact_description": null, "status_justification": "Notification when accounts are created/modified/deleted must be provided by a third-party application that will communicate that an audit record of these actions has been created.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_passwd"], "controls": []}, {"id": "SRG-OS-000475-GPOS-00220", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records for all direct access to the information system.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled", "package_audit_installed"], "controls": []}, {"id": "SRG-OS-000004-GPOS-00004", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit all account creations.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", 
"audit_rules_usergroup_modification_group", "audit_rules_sudoers", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "SRG-OS-000384-GPOS-00167", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_has_trust_anchor"], "controls": []}, {"id": "SRG-OS-000461-GPOS-00205", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_unsuccessful_file_modification_open", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_openat"], "controls": []}, {"id": "SRG-OS-000068-GPOS-00036", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must map the authenticated identity to the user or group account for PKI-based authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": ["sssd_enable_certmap"], "controls": []}, {"id": "SRG-OS-000073-GPOS-00041", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must store only encrypted representations of passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_passwordauth", "set_password_hashing_algorithm_systemauth", "set_password_hashing_algorithm_logindefs", "set_password_hashing_min_rounds_logindefs", "set_password_hashing_algorithm_libuserconf", "var_password_hashing_algorithm_pam=sha512", "var_password_pam_unix_rounds=100000"], "controls": []}, {"id": "SRG-OS-000590-GPOS-00110", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must disable accounts when the accounts are no longer associated to a user.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_disable_post_pw_expiration"], "controls": []}, {"id": "SRG-OS-000366-GPOS-00153", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_never_disabled", "ensure_gpgcheck_globally_activated", 
"ensure_gpgcheck_local_packages", "package_subscription-manager_installed", "apt_conf_disallow_unauthenticated", "sysctl_kernel_kexec_load_disabled"], "controls": []}, {"id": "SRG-OS-000377-GPOS-00162", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must electronically verify Personal Identity Verification (PIV) credentials.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_certificate_verification", "install_smartcard_packages", "var_sssd_certificate_verification_digest_function=sha512"], "controls": []}, {"id": "SRG-OS-000379-GPOS-00164", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.", "description": null, "rationale": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\nBidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nBidirectional authentication solutions include, but are not limited to, IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos, and SSL mutual authentication.\n\nA local connection is any connection with a device communicating without the use of a network.\nA network connection is any connection with a device that communicates through a network (e.g., local area network, wide area network, or the Internet).\nA remote connection is any connection with a device communicating through an external network (e.g., the internet).\n\nBecause of the challenges of applying this requirement on a large 
scale, organizations are encouraged to only apply this requirement to those limited number (and type) of devices that truly need to support this capability.", "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "This requirement is not valid for general-purpose operating systems and currently is impossible to implement in any operating system not designed for extreme multilevel protections.", "fixtext": "The requirement is NA. No fix is required.", "check": "This requirement is NA for Ubuntu 22.04.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}], "levels": [{"id": "high", "inherits_from": null}, {"id": "medium", "inherits_from": null}, {"id": "low", "inherits_from": null}]}