################################################################################
DOCUMENT         : Canonical_Ubuntu_20-04_LTS_STIG
VERSION          : 002.004.012
CHECKSUM         : a83ddd649b13c87ba99131a7d838ff75687adfecee8aa93891f3d15257c476c4
MANUAL QUESTIONS : 49

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 49
TITLE            : CAT I, V-238206, SV-238206r958518, SRG-OS-000134-GPOS-00068
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:2101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:2101
RULE             : The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group.
QUESTION_TEXT    : Verify the sudo group has only members who should have access to security functions.  
 
$ grep sudo /etc/group 
 
sudo:x:27:foo 
 
If the sudo group contains users not needing access to security functions, this is a finding.

References:
CCI-001084
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 49
TITLE            : CAT I, V-238215, SV-238215r958908, SRG-OS-000423-GPOS-00187
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:3901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:3901
RULE             : The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information.
QUESTION_TEXT    : Verify the SSH package is installed with the following command: 
 
$ sudo dpkg -l | grep openssh 
ii  openssh-client                        1:7.6p1-4ubuntu0.1                 amd64        secure shell (SSH) client, for secure access to remote machines 
ii  openssh-server                        1:7.6p1-4ubuntu0.1                 amd64        secure shell (SSH) server, for secure access from remote machines 
ii  openssh-sftp-server                   1:7.6p1-4ubuntu0.1                 amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines 
 
If the "openssh" server package is not installed, this is a finding. 
 
Verify the "sshd.service" is loaded and active with the following command: 
 
$ sudo systemctl status sshd.service | egrep -i "(active|loaded)" 
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) 
   Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1 weeks 3 days ago 
 
If "sshd.service" is not active or loaded, this is a finding.

References:
CCI-002418
CCI-002420
CCI-002422
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 49
TITLE            : CAT I, V-238380, SV-238380r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:31501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:31501
RULE             : The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence.
QUESTION_TEXT    : Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.

Check that the "ctrl-alt-del.target" (also known as reboot.target) is not active with the following command:

$ sudo systemctl status ctrl-alt-del.target
ctrl-alt-del.target
Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
Active: inactive (dead)

If the "ctrl-alt-del.target" is not masked, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 49
TITLE            : CAT I, V-274857, SV-274857r1101692, SRG-OS-000068-GPOS-00036
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:33901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:33901
RULE             : Ubuntu 20.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication.
QUESTION_TEXT    : Verify that authenticated certificates are mapped to the appropriate user group in the "/etc/sssd/sssd.conf" file with the following command: 
 
$ grep -i ldap_user_certificate /etc/sssd/sssd.conf
ldap_user_certificate=userCertificate;binary

References:
CCI-000187
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 49
TITLE            : CAT II, V-238196, SV-238196r958364, SRG-OS-000002-GPOS-00002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:101
RULE             : The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.
QUESTION_TEXT    : Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or less. 
 
For every existing temporary account, run the following command to obtain its account expiration information: 
 
$ sudo chage -l system_account_name | grep expires 
 
Password expires : Aug 07, 2019 
Account expires : Aug 07, 2019 
 
Verify that each of these accounts has an expiration date set within 72 hours of account creation. 
 
If any temporary account does not expire within 72 hours of that account's creation, this is a finding.

References:
CCI-000016
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 49
TITLE            : CAT II, V-238197, SV-238197r958390, SRG-OS-000023-GPOS-00006
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:301
RULE             : The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.
QUESTION_TEXT    : Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. 
 
Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. 
 
Check that the operating banner message for the graphical user logon is enabled with the following command: 
 
$ grep ^banner-message-enable /etc/gdm3/greeter.dconf-defaults 
 
banner-message-enable=true 
 
If the line is commented out or set to "false", this is a finding.

References:
CCI-000048
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 49
TITLE            : CAT II, V-238205, SV-238205r958482, SRG-OS-000104-GPOS-00051
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:1901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:1901
RULE             : The Ubuntu operating system must uniquely identify interactive users.
QUESTION_TEXT    : Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive users with the following command: 
 
$ awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd 
 
If output is produced and the accounts listed are interactive user accounts, this is a finding.

References:
CCI-000764
CCI-000804
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************
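The awk one-liner above reports every shared UID, but the finding applies only when the accounts sharing it are interactive. The script below is an added example, not STIG or SCC content: it adds that filter, assumes the set of non-interactive shells listed in it (typical for Ubuntu), and runs against a constructed passwd-format sample instead of the live /etc/passwd.

```shell
#!/bin/sh
# Added example (not STIG/SCC content): report duplicate UIDs that belong to
# interactive accounts. Assumption: an account is non-interactive when its login
# shell is one of the shells listed below (typical Ubuntu set).
NONINTERACTIVE_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/false /usr/bin/false /bin/sync'

# dup_interactive_uids FILE
# Prints "user uid" for each account in the passwd-format FILE whose UID is
# shared with another account and whose shell is interactive. Always returns 0;
# empty output means no finding for V-238205.
dup_interactive_uids() {
    awk -F ':' -v shells="$NONINTERACTIVE_SHELLS" '
        BEGIN {
            n = split(shells, s, " ")
            for (i = 1; i <= n; i++) noninteractive[s[i]] = 1
        }
        # skip blank and comment lines; remember each account and count each UID
        /^[[:space:]]*(#|$)/ { next }
        { name[NR] = $1; uid[NR] = $3; shell[NR] = $7; count[$3]++ }
        END {
            for (i = 1; i <= NR; i++)
                if ((i in uid) && count[uid[i]] > 1 && !(shell[i] in noninteractive))
                    print name[i], uid[i]
        }' "$1"
}

# sample_passwd
# Constructed sample: bob and carol share UID 1001 (a finding); svc1 and svc2
# share UID 999 but both use nologin, so they are not interactive accounts.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1001:1001::/home/carol:/bin/zsh
svc1:x:999:999::/nonexistent:/usr/sbin/nologin
svc2:x:999:999::/nonexistent:/usr/sbin/nologin
EOF
}

# Run the check on the sample (pass /etc/passwd instead on a real host).
sample=$(mktemp)
sample_passwd > "$sample"
if [ -n "$(dup_interactive_uids "$sample")" ]; then
    echo "V-238205: finding - interactive accounts share a UID:"
    dup_interactive_uids "$sample"
else
    echo "V-238205: no duplicate UIDs among interactive accounts"
fi
rm -f "$sample"
```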

QUESTION         : 8 of 49
TITLE            : CAT II, V-238207, SV-238207r1069086, SRG-OS-000279-GPOS-00109
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:2301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:2301
RULE             : The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired.
QUESTION_TEXT    : Verify the operating system automatically terminates a user session after inactivity timeouts have expired. 
 
Check that the "TMOUT" environment variable is set in the "/etc/bash.bashrc" file or in any file inside the "/etc/profile.d/" directory with the following command: 
 
$ sudo grep -E "\bTMOUT=[0-9]+" /etc/bash.bashrc /etc/profile.d/* 
 
TMOUT=600 
 
If "TMOUT" is not set, or if the value is "0" or is commented out, this is a finding.

References:
CCI-002361
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 49
TITLE            : CAT II, V-238236, SV-238236r958946, SRG-OS-000446-GPOS-00200
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:8101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:8101
RULE             : The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one.
QUESTION_TEXT    : Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged. 
 
Download the original aide-common package into the /tmp directory: 
 
$ cd /tmp; apt download aide-common 
 
Fetch the SHA1 of the original script file: 
 
$ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO ./usr/share/aide/config/cron.daily/aide | sha1sum 
32958374f18871e3f7dda27a58d721f471843e26  - 
 
Compare with the SHA1 of the file in the daily or monthly cron directory: 
 
$ sha1sum /etc/cron.{daily,monthly}/aide 2>/dev/null 
32958374f18871e3f7dda27a58d721f471843e26  /etc/cron.daily/aide 
 
If there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the daily or monthly cron directory does not match the SHA1 of the original, this is a finding.

References:
CCI-002699
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 49
TITLE            : CAT II, V-238243, SV-238243r958424, SRG-OS-000046-GPOS-00022
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:9501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:9501
RULE             : The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
QUESTION_TEXT    : Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure with the following command: 
 
$ sudo grep '^action_mail_acct = root' /etc/audit/auditd.conf 
 
action_mail_acct = <administrator_account> 
 
If the value of the "action_mail_acct" keyword is not set to an account for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.

References:
CCI-000139
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 49
TITLE            : CAT II, V-238245, SV-238245r958434, SRG-OS-000057-GPOS-00027
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:9901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:9901
RULE             : The Ubuntu operating system must be configured so that audit log files are not read or write-accessible by unauthorized users.
QUESTION_TEXT    : Verify that the audit log files have a mode of "0600" or less permissive. 
 
Determine where the audit logs are stored with the following command: 
 
$ sudo grep -iw log_file /etc/audit/auditd.conf 
log_file = /var/log/audit/audit.log 
 
Using the path of the directory containing the audit logs, determine if the audit log files have a mode of "0600" or less by using the following command: 
 
$ sudo stat -c "%n %a" /var/log/audit/* 
/var/log/audit/audit.log 600 
 
If the audit log files have a mode more permissive than "0600", this is a finding.

References:
CCI-000162
CCI-000163
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 49
TITLE            : CAT II, V-238246, SV-238246r958434, SRG-OS-000057-GPOS-00027
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:10101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:10101
RULE             : The Ubuntu operating system must be configured to permit only authorized users ownership of the audit log files.
QUESTION_TEXT    : Verify the audit log files are owned by "root" account. 
 
Determine where the audit logs are stored with the following command: 
 
$ sudo grep -iw log_file /etc/audit/auditd.conf 
log_file = /var/log/audit/audit.log 
 
Using the path of the directory containing the audit logs, determine if the audit log files are owned by the "root" user by using the following command: 
 
$ sudo stat -c "%n %U" /var/log/audit/* 
/var/log/audit/audit.log root 
 
If the audit log files are owned by a user other than "root", this is a finding.

References:
CCI-000162
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 49
TITLE            : CAT II, V-238247, SV-238247r958434, SRG-OS-000057-GPOS-00027
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:10301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:10301
RULE             : The Ubuntu operating system must permit only authorized groups ownership of the audit log files.
QUESTION_TEXT    : Verify the group owner is set to own newly created audit logs in the audit configuration file with the following command: 
$ sudo grep -iw log_group /etc/audit/auditd.conf 
log_group = root 

If the value of the "log_group" parameter is other than "root", this is a finding.

Determine where the audit logs are stored with the following command: 
$ sudo grep -iw log_file /etc/audit/auditd.conf 
log_file = /var/log/audit/audit.log 

Using the path of the directory containing the audit logs, determine if the audit log files are owned by the "root" group by using the following command: 
$ sudo stat -c "%n %G" /var/log/audit/* 
/var/log/audit/audit.log root 

If the audit log files are owned by a group other than "root", this is a finding.

References:
CCI-000162
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 49
TITLE            : CAT II, V-238248, SV-238248r958438, SRG-OS-000059-GPOS-00029
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:10501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:10501
RULE             : The Ubuntu operating system must be configured so that the audit log directory is not write-accessible by unauthorized users.
QUESTION_TEXT    : Verify that the audit log directory has a mode of "0750" or less permissive. 
 
Determine where the audit logs are stored with the following command: 
 
$ sudo grep -iw ^log_file /etc/audit/auditd.conf 
log_file = /var/log/audit/audit.log 
 
Using the path of the directory containing the audit logs, determine if the directory has a mode of "0750" or less by using the following command: 
 
$ sudo stat -c "%n %a" /var/log/audit /var/log/audit/* 
/var/log/audit 750 
/var/log/audit/audit.log 600 
 
If the audit log directory has a mode more permissive than "0750", this is a finding.

References:
CCI-000164
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************
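Questions 11 through 14 reduce to three checks on the auditd log location: file mode within 0600, directory mode within 0750, and owner and group root. The script below is an added example, not STIG or SCC content; it reads log_file the way the checks above do and compares modes bitwise, since "less permissive" means no bit beyond the maximum is set (0640 is numerically below 0700 but grants group read, so it is not within 0700). The expected owner and group are parameters so the demo can run as an unprivileged user; on a real host pass root root.

```shell
#!/bin/sh
# Added example (not STIG/SCC content): the V-238245..V-238248 checks on the
# auditd log location, using bitwise "less permissive" comparisons.

# audit_log_path CONF -> prints the log_file value from an auditd.conf
audit_log_path() {
    awk -F '=' '
        /^[[:space:]]*log_file[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }
    ' "$1"
}

# mode_within ACTUAL MAX -> 0 when octal ACTUAL sets no permission bit beyond MAX
# (0640 is numerically below 0700 but is NOT within it: it grants group read).
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# check_audit_logs DIR OWNER GROUP -> prints one line per finding and returns the
# number of findings (0 means no finding for questions 11-14).
check_audit_logs() {
    dir=$1 owner=$2 group=$3 findings=0
    mode=$(stat -c %a "$dir")
    mode_within "$mode" 750 || { echo "finding: $dir mode $mode exceeds 0750"; findings=$((findings + 1)); }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        mode_within "$mode" 600 || { echo "finding: $f mode $mode exceeds 0600"; findings=$((findings + 1)); }
        [ "$(stat -c %U "$f")" = "$owner" ] || { echo "finding: $f not owned by $owner"; findings=$((findings + 1)); }
        [ "$(stat -c %G "$f")" = "$group" ] || { echo "finding: $f not group-owned by $group"; findings=$((findings + 1)); }
    done
    return "$findings"
}

# Demo on a constructed layout as an unprivileged user. On a real host run:
#   check_audit_logs "$(dirname "$(audit_log_path /etc/audit/auditd.conf)")" root root
work=$(mktemp -d)
printf 'log_file = %s/audit.log\nlog_group = root\n' "$work/logs" > "$work/auditd.conf"
mkdir -m 750 "$work/logs"
: > "$work/logs/audit.log"
chmod 600 "$work/logs/audit.log"
logdir=$(dirname "$(audit_log_path "$work/auditd.conf")")
me=$(stat -c %U "$work") mygrp=$(stat -c %G "$work")   # stands in for root:root here
check_audit_logs "$logdir" "$me" "$mygrp" && echo "compliant layout: no findings"
chmod 644 "$logdir/audit.log"
check_audit_logs "$logdir" "$me" "$mygrp" || echo "$? finding(s) after chmod 644"
rm -rf "$work"
```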

QUESTION         : 15 of 49
TITLE            : CAT II, V-238303, SV-238303r991567, SRG-OS-000278-GPOS-00108
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:18301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:18301
RULE             : The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools.
QUESTION_TEXT    : Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. 
 
Check the selection lines that AIDE is configured to add/check with the following command: 
 
$ egrep '(\/sbin\/(audit|au))' /etc/aide/aide.conf 
 
/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 
/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 
/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 
/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 
/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 
/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 
/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 
 
If any of the seven audit tools do not have appropriate selection lines, this is a finding.

References:
CCI-001496
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 49
TITLE            : CAT II, V-238309, SV-238309r958846, SRG-OS-000392-GPOS-00172
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:19501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:19501
RULE             : The Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access.
QUESTION_TEXT    : Verify the Ubuntu operating system audits activities performed during nonlocal maintenance and diagnostic sessions. 
 
Check the currently configured audit rules with the following command: 
 
$ sudo auditctl -l | grep sudo.log 
 
-w /var/log/sudo.log -p wa -k maintenance 
 
If the command does not return lines that match the example or the lines are commented out, this is a finding. 
 
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.

References:
CCI-000172
CCI-002884
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 49
TITLE            : CAT II, V-238324, SV-238324r1069955, SRG-OS-000032-GPOS-00013
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:21501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:21501
RULE             : The Ubuntu operating system must monitor remote access methods.
QUESTION_TEXT    : Verify the Ubuntu operating system monitors all remote access methods. 
 
Check that remote access methods are being logged by running the following command: 
 
$ grep -E -r '^(auth,authpriv\.\*|daemon\.\*)' /etc/rsyslog.* 
/etc/rsyslog.d/50-default.conf:auth,authpriv.*                        /var/log/auth.log 
/etc/rsyslog.d/50-default.conf:daemon.*                        /var/log/messages 
 
If "auth.*", "authpriv.*", or "daemon.*" are not configured to be logged in at least one of the config files, this is a finding.

References:
CCI-000067
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 49
TITLE            : CAT II, V-238328, SV-238328r958480, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:22301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:22301
RULE             : The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
QUESTION_TEXT    : Verify the Ubuntu operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
 
Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: 
 
$ sudo ufw show raw 
 
Chain OUTPUT (policy ACCEPT) 
target  prot opt sources    destination 
Chain INPUT (policy ACCEPT 1 packets, 40 bytes) 
    pkts      bytes target     prot opt in     out     source               destination 
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
    pkts      bytes target     prot opt in     out     source               destination 
 
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) 
    pkts      bytes target     prot opt in     out     source               destination 
 
Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA.  
 
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. 
 
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 49
TITLE            : CAT II, V-238329, SV-238329r1015153, SRG-OS-000109-GPOS-00056
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:22501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:22501
RULE             : The Ubuntu operating system must prevent direct login into the root account.
QUESTION_TEXT    : Verify the Ubuntu operating system prevents direct logins to the root account with the following command: 
 
$ sudo passwd -S root 
 
root L 04/23/2020 0 99999 7 -1 
 
If the output does not contain "L" in the second field to indicate the account is locked, this is a finding.

References:
CCI-000770
CCI-004045
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 49
TITLE            : CAT II, V-238334, SV-238334r958550, SRG-OS-000184-GPOS-00078
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:23501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:23501
RULE             : The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state if system initialization fails, shutdown fails or aborts fail.
QUESTION_TEXT    : Verify that kernel core dumps are disabled unless needed. 
 
Check if "kdump" service is active with the following command: 
 
$ systemctl is-active kdump.service 
inactive 
 
If the "kdump" service is active, ask the SA if the use of the service is required and documented with the ISSO. 
 
If the service is active and is not documented, this is a finding.

References:
CCI-001190
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 49
TITLE            : CAT II, V-238335, SV-238335r958552, SRG-OS-000185-GPOS-00079
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:23701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:23701
RULE             : Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
QUESTION_TEXT    : If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.
 
Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.
 
Determine the partition layout for the system with the following command:
 
# sudo fdisk -l
(..) 
Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors 
Units: sectors of 1 * 512 = 512 bytes 
Sector size (logical/physical): 512 bytes / 512 bytes 
I/O size (minimum/optimal): 512 bytes / 512 bytes 
Disklabel type: gpt 
Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB 
 
Device       Start      End  Sectors Size Type 
/dev/vda1     2048     4095     2048   1M BIOS boot 
/dev/vda2     4096  2101247  2097152   1G Linux filesystem 
/dev/vda3  2101248 31455231 29353984  14G Linux filesystem 
(...) 
 
Verify the system partitions are all encrypted with the following command: 
 
# more /etc/crypttab 
 
Every persistent disk partition present must have an entry in the file.  
 
If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.

References:
CCI-001199
CCI-002475
CCI-002476
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 49
TITLE            : CAT II, V-238344, SV-238344r991559, SRG-OS-000258-GPOS-00099
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:25301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:25301
RULE             : The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
QUESTION_TEXT    : Verify the system commands directories have mode 0755 or less permissive: 
 
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin 
 
Check that the system command directories have mode 0755 or less permissive with the following command: 
 
$ find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; 
 
If any directories are found to be group-writable or world-writable, this is a finding.

References:
CCI-001495
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 49
TITLE            : CAT II, V-238345, SV-238345r991559, SRG-OS-000258-GPOS-00099
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:25501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:25501
RULE             : The Ubuntu operating system must have directories that contain system commands owned by root.
QUESTION_TEXT    : Verify the system commands directories are owned by root: 
 
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin 
 
Use the following command for the check: 
 
$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \; 
 
If any system commands directories are returned, this is a finding.

References:
CCI-001495
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 49
TITLE            : CAT II, V-238346, SV-238346r991559, SRG-OS-000258-GPOS-00099
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:25701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:25701
RULE             : The Ubuntu operating system must have directories that contain system commands group-owned by root.
QUESTION_TEXT    : Verify the system commands directories are group-owned by root: 
 
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin 
 
Run the check with the following command: 
 
$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \; 
 
If any system commands directories are returned that are not Set Group ID upon execution (SGID) files and owned by a privileged account, this is a finding.

References:
CCI-001495
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 49
TITLE            : CAT II, V-238347, SV-238347r1106136, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:25901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:25901
RULE             : The Ubuntu operating system library files must have mode 0755 or less permissive.
QUESTION_TEXT    : Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode 0755 or less permissive.

Check that the systemwide shared library files have mode 0755 or less permissive with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec stat -c "%n %a" {} +

If any output is returned, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 49
TITLE            : CAT II, V-238348, SV-238348r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:26101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:26101
RULE             : The Ubuntu operating system library directories must have mode 0755 or less permissive.
QUESTION_TEXT    : Verify the system-wide shared library directories "/lib", "/lib64", and "/usr/lib" have mode 0755 or less permissive with the following command: 
 
$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec stat -c "%n %a" '{}' \; 
 
If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************
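The "-perm /022" test used in questions 22, 25 and 26 is easy to misread, so the following is an added shell example (not part of this SCC file or of the STIG) that builds a throwaway directory tree with mktemp, sets every mode explicitly, and runs the same find/stat checks over it. All paths and file names in it are constructed fixtures, not the STIG's system directories, and it covers both the directory check and the "*.so*" library-file check.

```shell
#!/usr/bin/env bash
# Added example, not part of the STIG file or of SCC: runs the find/stat checks
# from V-238344 (command directories), V-238347 (library files) and V-238348
# (library directories) against a constructed directory tree, so the effect of
# "-perm /022" can be seen without touching the real system paths.

# Directories under the given roots that are group- or world-writable.
# "-perm /022" matches if EITHER the group-write bit (020) OR the other-write
# bit (002) is set; "-perm -022" would require both and would miss 0775 dirs.
# Output mirrors the STIG's stat format: "<path> <octal mode>".
find_writable_dirs() {
    find "$@" -type d -perm /022 -exec stat -c '%n %a' '{}' +
}

# Shared-library files (name contains ".so") under the given roots that are
# group- or world-writable. Note the name filter: a world-writable file that is
# not named like a library is out of scope for the V-238347 command.
find_writable_libs() {
    find "$@" -type f -name '*.so*' -perm /022 -exec stat -c '%n %a' '{}' +
}

# Number of lines a check produces; 0 means "not a finding" for that check.
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Build the constructed fixture and print its root. Modes are set explicitly so
# the result does not depend on the caller's umask.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/sbin" "$root/usr/bin" "$root/usr/local/bin" "$root/lib"
    chmod 0755 "$root/usr" "$root/usr/local" "$root/lib"
    chmod 0755 "$root/bin" "$root/sbin"      # compliant
    chmod 0775 "$root/usr/bin"               # group-writable: finding
    chmod 0777 "$root/usr/local/bin"         # world-writable: finding
    : > "$root/lib/libgood.so.1"; chmod 0755 "$root/lib/libgood.so.1"  # compliant
    : > "$root/lib/libbad.so";    chmod 0775 "$root/lib/libbad.so"     # finding
    : > "$root/lib/README";       chmod 0777 "$root/lib/README"        # not a .so: ignored
    printf '%s\n' "$root"
}

# Stand-alone run: build the fixture, show what each check reports, clean up.
if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_fixture)
    echo "== group/world-writable directories =="; find_writable_dirs "$fixture"
    echo "== group/world-writable libraries   =="; find_writable_libs "$fixture/lib"
    rm -rf "$fixture"
fi
```

On a live system the same functions take the STIG's real paths, for example find_writable_dirs /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin with sudo; the fixture only exists to make the two bit tests observable.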

QUESTION         : 27 of 49
TITLE            : CAT II, V-238349, SV-238349r1106138, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:26301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:26301
RULE             : The Ubuntu operating system library files must be owned by root.
QUESTION_TEXT    : Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are owned by root with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec stat -c "%n %U" {} +

If any output is returned, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 49
TITLE            : CAT II, V-238350, SV-238350r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:26501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:26501
RULE             : The Ubuntu operating system library directories must be owned by root.
QUESTION_TEXT    : Verify the system-wide shared library directories "/lib", "/lib64", and "/usr/lib" are owned by root with the following command: 
 
$ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; 
 
If any system-wide library directory is returned, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 49
TITLE            : CAT II, V-238351, SV-238351r1106140, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:26701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:26701
RULE             : The Ubuntu operating system library files must be group-owned by root or a system account.
QUESTION_TEXT    : Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are group owned by root with the following command:

$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec stat -c "%n %G" {} +

If any output is returned, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 49
TITLE            : CAT II, V-238352, SV-238352r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:26901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:26901
RULE             : The Ubuntu operating system library directories must be group-owned by root.
QUESTION_TEXT    : Verify the system-wide library directories "/lib", "/lib64", and "/usr/lib" are group-owned by root with the following command: 
 
$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; 
 
If any system-wide shared library directory is returned, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 49
TITLE            : CAT II, V-238355, SV-238355r958672, SRG-OS-000297-GPOS-00115
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:27501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:27501
RULE             : The Ubuntu operating system must enable and run the Uncomplicated Firewall (ufw).
QUESTION_TEXT    : Verify the Uncomplicated Firewall is enabled on the system by running the following command: 
 
$ systemctl is-enabled ufw 
 
If the above command returns the status as "disabled", this is a finding. 
 
Verify the Uncomplicated Firewall is active on the system by running the following command: 
 
$ systemctl is-active ufw 
 
If the above command returns "inactive" or any kind of error, this is a finding. 
 
If the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed.  
 
If no application firewall is installed, this is a finding.

References:
CCI-002314
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 49
TITLE            : CAT II, V-238364, SV-238364r958868, SRG-OS-000403-GPOS-00182
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:28901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:28901
RULE             : The Ubuntu operating system must use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
QUESTION_TEXT    : Verify the directory containing the root certificates for the Ubuntu operating system contains certificate files for DoD PKI-established certificate authorities by iterating over all files in the "/etc/ssl/certs" directory and checking whether at least one has a subject matching "DOD ROOT CA".

If none is found, this is a finding.

References:
CCI-002470
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 49
TITLE            : CAT II, V-238372, SV-238372r958948, SRG-OS-000447-GPOS-00201
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:30101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:30101
RULE             : The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.
QUESTION_TEXT    : Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator when anomalies in the operation of any security functions are discovered with the following command: 
 
$ sudo grep SILENTREPORTS /etc/default/aide 
 
SILENTREPORTS=no 
 
If SILENTREPORTS is uncommented and set to "yes", this is a finding.

References:
CCI-002702
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 49
TITLE            : CAT II, V-238374, SV-238374r991593, SRG-OS-000480-GPOS-00232
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:30501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:30501
RULE             : The Ubuntu operating system must have an application firewall enabled.
QUESTION_TEXT    : Verify the Uncomplicated Firewall is enabled on the system by running the following command: 
 
$ systemctl status ufw.service | grep -i "active:" 
 
Active: active (exited) since Mon 2016-10-17 12:30:29 CDT; 1s ago 
 
If the above command returns the status as "inactive", this is a finding. 
 
If the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed. If no application firewall is installed, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 49
TITLE            : CAT II, V-238377, SV-238377r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:30901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:30901
RULE             : The Ubuntu operating system must have system commands owned by root or a system account.
QUESTION_TEXT    : Verify the system commands contained in the following directories are owned by root, or a required system account: 
 
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin 
 
Use the following command for the check: 
 
$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \; 
 
If any system commands are returned and are not owned by a required system account, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 49
TITLE            : CAT II, V-238378, SV-238378r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:31101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:31101
RULE             : The Ubuntu operating system must have system commands group-owned by root or a system account.
QUESTION_TEXT    : Verify the system commands contained in the following directories are group-owned by root or a required system account: 
 
/bin 
/sbin 
/usr/bin 
/usr/sbin 
/usr/local/bin 
/usr/local/sbin 
 
Run the check with the following command: 
 
$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec stat -c "%n %G" '{}' \; 
 
If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.

References:
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 49
TITLE            : CAT II, V-255912, SV-255912r991554, SRG-OS-000250-GPOS-00093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:32501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:32501
RULE             : The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.
QUESTION_TEXT    : Verify the SSH server is configured to use only FIPS-validated key exchange algorithms:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kexalgorithms'

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 
If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.

References:
CCI-000068
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 49
TITLE            : CAT II, V-274853, SV-274853r1106127, SRG-OS-000705-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:33101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:33101
RULE             : Ubuntu 20.04 LTS must have the "SSSD" package installed.
QUESTION_TEXT    : Verify Ubuntu 20.04 LTS has the packages required for multifactor authentication installed with the following command:

$ dpkg -l | grep sssd
ii  sssd     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- metapackage
ii  sssd-ad     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- Active Directory back end
ii  sssd-ad-common     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- PAC responder
ii  sssd-common     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- common files
ii  sssd-ipa     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- IPA back end
ii  sssd-krb5     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- Kerberos helpers
ii  sssd-ldap     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- LDAP back end
ii  sssd-proxy     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- proxy back end

If the "sssd" package is not installed, this is a finding. The additional sssd components listed by the command may differ from configuration to configuration.  

Verify that "libpam-sss" (the PAM integration module for SSSD) is installed with the following command:

$ dpkg -l | grep libpam-sss
ii  libpam-sss:amd64     2.9.4-1.1ubuntu6.1     amd64     Pam module for the System Security Services Daemon

Verify that "libnss-sss" (the NSS module for retrieving user and group information) is installed with the following command:

$ dpkg -l | grep libnss-sss
ii  libnss-sss:amd64     2.9.4-1.1ubuntu6.1      amd64     Nss library for the System Security Services Daemon

References:
CCI-004046
CCI-004047
CCI-000765
CCI-000766
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 49
TITLE            : CAT II, V-274854, SV-274854r1106129, SRG-OS-000705-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:33301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:33301
RULE             : Ubuntu 20.04 LTS must use the "SSSD" package for multifactor authentication services.
QUESTION_TEXT    : Verify the "sssd.service" is enabled and active with the following commands: 
 
$ sudo systemctl is-enabled sssd
enabled

$ sudo systemctl is-active sssd
active

If "sssd.service" is not active or enabled, this is a finding.

References:
CCI-004046
CCI-004047
CCI-000765
CCI-000766
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 49
TITLE            : CAT II, V-274855, SV-274855r1107182, SRG-OS-000066-GPOS-00034
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:33501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:33501
RULE             : Ubuntu 20.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication.
QUESTION_TEXT    : Verify Ubuntu 20.04 LTS, for PKI-based authentication, has valid certificates by constructing a certification path to an accepted trust anchor. 

Verify the pam service is listed under [sssd] with the following command:

$ sudo grep -A 1 '^\[sssd\]' /etc/sssd/sssd.conf
[sssd]
services = nss,pam,ssh

If "pam" is not listed in services, this is a finding.

Verify the pam service is set to use pam for smart card authentication in the [pam] section of /etc/sssd/sssd.conf with the following command:

$ sudo grep -A 1 '^\[pam]' /etc/sssd/sssd.conf
[pam]
pam_cert_auth = True

If "pam_cert_auth = True" is not returned, this is a finding.

Verify "ca" is enabled in "certificate_verification" with the following command: 
  
$ sudo grep certificate_verification /etc/sssd/sssd.conf
certificate_verification = ca_cert,ocsp
 
If "certificate_verification" is not set to "ca" or the line is commented out, this is a finding.

References:
CCI-000185
CCI-004909
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************

QUESTION         : 41 of 49
TITLE            : CAT II, V-274859, SV-274859r1101698, SRG-OS-000373-GPOS-00156
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:34301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:34301
RULE             : Ubuntu 20.04 LTS must require users to provide a password for privilege escalation.
QUESTION_TEXT    : Verify that "/etc/sudoers" has no occurrences of "NOPASSWD" with the following command:

$ sudo egrep -iR 'NOPASSWD' /etc/sudoers /etc/sudoers.d/

If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group using multifactor authentication (MFA), this is a finding.

References:
CCI-002038
CCI-004895
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************

QUESTION         : 42 of 49
TITLE            : CAT III, V-238234, SV-238234r1015152, SRG-OS-000077-GPOS-00045
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:7701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:7701
RULE             : The Ubuntu operating system must prohibit password reuse for a minimum of five generations.
QUESTION_TEXT    : Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command:

$ grep -i remember /etc/pam.d/common-password

password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=5000

If the "remember" parameter value is not greater than or equal to "5", is commented out, or is not set at all, this is a finding.

References:
CCI-000196
CCI-004062
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 42 *******************************

QUESTION         : 43 of 49
TITLE            : CAT III, V-238307, SV-238307r971542, SRG-OS-000343-GPOS-00134
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:19101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:19101
RULE             : The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
QUESTION_TEXT    : Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following command: 
 
$ sudo grep ^space_left_action /etc/audit/auditd.conf 
 
space_left_action email 
 
$ sudo grep ^space_left /etc/audit/auditd.conf 
 
space_left 250000 
 
If the "space_left" parameter is missing, set to blanks, or set to a value less than 25% of the space free in the allocated audit record storage, this is a finding. 
 
If the "space_left_action" parameter is missing or set to blanks, this is a finding. 
 
If the "space_left_action" is set to "syslog", the system logs the event but does not generate a notification, and this is a finding. 
 
If the "space_left_action" is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding. 
 
If the "space_left_action" is set to "email", check the value of the "action_mail_acct" parameter with the following command: 
 
$ sudo grep ^action_mail_acct /etc/audit/auditd.conf 
 
action_mail_acct root@localhost 
 
The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA(s) and/or ISSO, this is a finding.
 
Note: If the email address of the System Administrator is on a remote system, a mail package must be available.

References:
CCI-001855
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 43 *******************************
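The decision rules in question 43 have several branches (numeric threshold, syslog versus exec versus email, the "root" default for "action_mail_acct"), so the following added shell example (not SCC's or the STIG's code) encodes them as a function that reads the three parameters from an auditd.conf and prints a verdict. The 25% threshold in megabytes and the SA/ISSO mail address are passed in as arguments because neither can be read from auditd.conf; the configurations used in its test are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not part of the STIG file or of SCC: applies the V-238307
# decision rules to an auditd.conf and prints one verdict line whose first word
# is FINDING, NOT_A_FINDING or MANUAL_REVIEW (exit status 1, 0 or 2).

# Print the value of a key from auditd.conf. Real files use "key = value"; the
# STIG's sample output shows "key value", so both spellings are accepted.
# Commented-out lines never match because their first field would be "#key".
auditd_get() {
    local conf=$1 key=$2
    awk -v k="$key" '$1 == k { v = ($2 == "=") ? $3 : $2; print v; exit }' "$conf"
}

# $1 = auditd.conf path
# $2 = 25% of the audit partition, in megabytes (space_left is expressed in MB);
#      derive it from the partition holding log_file, e.g. with df
# $3 = the e-mail address the SA/ISSO actually reads
evaluate_space_left() {
    local conf=$1 threshold_mb=$2 expected_mail=$3
    local space_left action mail
    space_left=$(auditd_get "$conf" space_left)
    action=$(auditd_get "$conf" space_left_action | tr '[:upper:]' '[:lower:]')
    mail=$(auditd_get "$conf" action_mail_acct)

    # space_left: must be present, numeric and at least the 25% threshold.
    case "$space_left" in
        ''|*[!0-9]*)
            echo "FINDING space_left is missing or not a number"; return 1 ;;
    esac
    if [ "$space_left" -lt "$threshold_mb" ]; then
        echo "FINDING space_left=$space_left MB is below the 25% threshold of $threshold_mb MB"
        return 1
    fi

    # space_left_action: syslog only logs; exec needs a look at the script;
    # email is acceptable only if the mail reaches the SA/ISSO.
    case "$action" in
        '')
            echo "FINDING space_left_action is missing or blank"; return 1 ;;
        syslog)
            echo "FINDING space_left_action=syslog logs the event but notifies nobody"; return 1 ;;
        exec)
            echo "MANUAL_REVIEW space_left_action=exec: confirm the script notifies the SA/ISSO"; return 2 ;;
        email)
            # A missing action_mail_acct defaults to "root", per the check text.
            mail=${mail:-root}
            if [ "$mail" = "$expected_mail" ]; then
                echo "NOT_A_FINDING space_left=$space_left MB, email to $mail"; return 0
            fi
            echo "FINDING action_mail_acct=$mail is not the SA/ISSO address ($expected_mail)"; return 1 ;;
        *)
            echo "MANUAL_REVIEW space_left_action=$action is outside the cases the check names"; return 2 ;;
    esac
}

# Stand-alone run: evaluate_space_left /etc/audit/auditd.conf <threshold_mb> <sa_mail>
if [ "$#" -eq 3 ]; then
    evaluate_space_left "$1" "$2" "$3"
fi
```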

QUESTION         : 44 of 49
TITLE            : CAT III, V-238308, SV-238308r958788, SRG-OS-000359-GPOS-00146
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:19301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:19301
RULE             : The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
QUESTION_TEXT    : To verify the time zone is configured to use UTC or GMT, run the following command.  
 
$ timedatectl status | grep -i "time zone" 
Timezone: UTC (UTC, +0000) 
 
If "Timezone" is not set to UTC or GMT, this is a finding.

References:
CCI-001890
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 44 *******************************

QUESTION         : 45 of 49
TITLE            : CAT III, V-238321, SV-238321r959008, SRG-OS-000479-GPOS-00224
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:21101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:21101
RULE             : The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems.
QUESTION_TEXT    : Note: If this is an interconnected system, this is Not Applicable. 
 
Verify there is a script that offloads audit data and that script runs weekly. 
 
Check if there is a script in the "/etc/cron.weekly" directory that offloads audit data: 
 
$ sudo ls /etc/cron.weekly 
 
audit-offload 
 
Check if the script inside the file does offloading of audit logs to external media. 
 
If the script file does not exist or does not offload audit logs, this is a finding.

References:
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 45 *******************************

QUESTION         : 46 of 49
TITLE            : CAT III, V-238331, SV-238331r958508, SRG-OS-000123-GPOS-00064
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:22901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:22901
RULE             : The Ubuntu operating system must automatically expire temporary accounts within 72 hours.
QUESTION_TEXT    : Verify temporary accounts have been provisioned with an expiration date of 72 hours.

For every existing temporary account, run the following command to obtain its account expiration information:

     $ sudo chage -l <temporary_account_name> | grep -i "account expires"

Verify each of these accounts has an expiration date set within 72 hours.
If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 46 *******************************

QUESTION         : 47 of 49
TITLE            : CAT III, V-238362, SV-238362r958828, SRG-OS-000383-GPOS-00166
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:28501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:28501
RULE             : The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
QUESTION_TEXT    : If smart card authentication is not being used on the system, this is Not Applicable. 
 
Verify that PAM prohibits the use of cached authentications after one day with the following command: 
 
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 
 
offline_credentials_expiration = 1 
 
If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding.

References:
CCI-002007
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 47 *******************************

QUESTION         : 48 of 49
TITLE            : CAT III, V-255913, SV-255913r958524, SRG-OS-000138-GPOS-00069
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:32701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:32701
RULE             : The Ubuntu operating system must restrict access to the kernel message buffer.
QUESTION_TEXT    : Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:

     $ sudo sysctl kernel.dmesg_restrict
     kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.

Check that the configuration files are present to enable this kernel parameter:

     $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
     /etc/sysctl.conf:kernel.dmesg_restrict = 1
     /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.
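As an added shell example, not part of this STIG file, the script below implements the persistent-configuration half of the check above: it parses the "path:setting" lines the grep prints, ignores commented-out entries, and reports "conflict" when the files disagree. The search paths are the ones from the check; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the STIG file: evaluates the config half of V-255913.
# Reads "path:setting" lines, exactly as the check's grep -r prints them, from stdin
# and prints one verdict: ok, not_set, wrong_value or conflict.
# Commented-out lines ('#' or ';') are ignored, as sysctl itself ignores them.
assess_dmesg_restrict() {
    values=""
    while IFS= read -r line; do
        setting=${line#*:}                                    # drop the "path:" prefix
        setting=$(printf '%s' "$setting" | sed 's/^[[:space:]]*//')
        case "$setting" in
            \#*|\;*) continue ;;                              # commented out
            kernel.dmesg_restrict*) ;;                        # the key under review
            *) continue ;;                                    # unrelated match
        esac
        value=$(printf '%s' "$setting" \
            | sed 's/^kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*//; s/[[:space:]]*$//')
        values="$values $value"
    done
    set -- $values
    [ $# -eq 0 ] && { echo not_set; return 1; }               # missing or only comments
    first=$1
    for v in "$@"; do
        [ "$v" = "$first" ] || { echo conflict; return 1; }   # files disagree: a finding
    done
    [ "$first" = "1" ] && { echo ok; return 0; }
    echo wrong_value
    return 1
}

# Live check, to be run as root on the host under review (hypothetical helper name):
# combines the grep from the STIG with the runtime sysctl value.
# Prints both results and returns non-zero on a finding.
report_dmesg_restrict() {
    verdict=$(grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* \
        /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf \
        2>/dev/null | assess_dmesg_restrict) || true
    runtime=$(sysctl -n kernel.dmesg_restrict 2>/dev/null)
    echo "config: $verdict, runtime: ${runtime:-unknown}"
    [ "$verdict" = ok ] && [ "$runtime" = 1 ]
}
```

Calling report_dmesg_restrict on the target host prints the verdict and returns non-zero whenever either the configuration files or the running kernel would make this a finding.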

References:
CCI-001090
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 48 *******************************

QUESTION         : 49 of 49
TITLE            : CAT III, V-274856, SV-274856r1106132, SRG-OS-000383-GPOS-00166
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:testaction:33701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2004:question:33701
RULE             : Ubuntu 20.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
QUESTION_TEXT    : Note: If smart card authentication is not being used on the system, this is not applicable. 

Verify that PAM prohibits the use of cached authentications after one day with the following command:
 
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 
offline_credentials_expiration = 1 
 
If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding.

References:
CCI-002007
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 49 *******************************

