################################################################################
DOCUMENT         : CAN_Ubuntu_18-04_STIG
VERSION          : 002.012.010
CHECKSUM         : 339c4824331b9e49f6412d669d0baf626c058927838a67e3e6bb5e3411a38e1a
MANUAL QUESTIONS : 51

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 51
TITLE            : CAT I, V-219169, SV-219169r958518, SRG-OS-000134-GPOS-00068
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:4501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:4501
RULE             : The Ubuntu operating system must be configured so that only users who need access to security functions are part of the sudo group.
QUESTION_TEXT    : Verify that the sudo group has only members who should have access to security functions.

# grep '^sudo:' /etc/group

sudo:x:27:foo

The pattern is anchored so that other groups, or members whose names merely contain "sudo", are not matched. The fourth field lists the supplementary members of the group. If the sudo group contains users not needing access to security functions, this is a finding.
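
Added example, not part of the STIG or of the SCC content: the /etc/group line shows only the supplementary members of sudo. An account whose primary GID in /etc/passwd is the sudo group's GID is also a member but never appears on that line, so the script below reads both files, computes the effective membership, and compares it with an approved list. The group and passwd files are constructed for the example; on a host pass /etc/group and /etc/passwd (or the output of "getent group" and "getent passwd" when accounts also come from LDAP or SSSD).

```bash
#!/bin/bash
# Added example (not STIG or SCC content): effective sudo group membership
# from /etc/group plus /etc/passwd, compared against an approved list.

# Print the effective members of group $1, read from group file $2 and passwd
# file $3, one per line, sorted and deduplicated.
effective_group_members() {
    local grp=$1 group_file=$2 passwd_file=$3 gid
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3 }' "$group_file")
    [ -n "$gid" ] || return 0          # group does not exist: no members
    {
        # supplementary members: fourth field of the group line, comma separated
        awk -F: -v g="$grp" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
        # primary members: accounts whose passwd GID (fourth field) is this group
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Print every effective member of group $1 (files $2, $3) that is not in the
# space-separated approved list $4. Exit 1 if any exists (a finding), else 0.
unapproved_group_members() {
    local allowlist=$4 finding=0 user
    for user in $(effective_group_members "$1" "$2" "$3"); do
        case " $allowlist " in
            *" $user "*) ;;
            *) echo "$user"; finding=1 ;;
        esac
    done
    return $finding
}

# Constructed sample data: "svc-backup" is not on the sudo line, but its
# primary GID is 27, so it is effectively a member of sudo.
sudo_demo=$(mktemp -d)
cat > "$sudo_demo/group" <<'EOF'
root:x:0:
sudo:x:27:foo,bar
users:x:100:
EOF
cat > "$sudo_demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
foo:x:1000:1000::/home/foo:/bin/bash
bar:x:1001:1001::/home/bar:/bin/bash
svc-backup:x:1002:27::/home/svc-backup:/bin/sh
EOF

echo "Effective sudo members:"
effective_group_members sudo "$sudo_demo/group" "$sudo_demo/passwd"
echo "Members not on the approved list (approved: foo):"
if unapproved_group_members sudo "$sudo_demo/group" "$sudo_demo/passwd" "foo"; then
    echo "Not a Finding"
else
    echo "Finding"
fi
```

The approved list is the reviewer's input; the script only reports who is effectively in the group. Accounts granted privileges through /etc/sudoers or /etc/sudoers.d without sudo group membership are outside this requirement and need a separate review of those files.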

References:
SV-109669
V-100565
CCI-001084
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 51
TITLE            : CAT I, V-219212, SV-219212r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:12901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:12901
RULE             : The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence.
QUESTION_TEXT    : Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.

Check that the "ctrl-alt-del.target" (otherwise also known as reboot.target) is not active with the following command:

$ sudo systemctl status ctrl-alt-del.target
ctrl-alt-del.target
Loaded: masked (/dev/null; bad)
Active: inactive (dead)

If the "ctrl-alt-del.target" is not masked, this is a finding.

References:
V-100651
SV-109755
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 51
TITLE            : CAT I, V-219314, SV-219314r991591, SRG-OS-000480-GPOS-00229
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:26901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:26901
RULE             : The Ubuntu operating system must not allow unattended or automatic login via ssh.
QUESTION_TEXT    : Verify that unattended or automatic login via ssh is disabled.

Check that unattended or automatic login via ssh is disabled with the following command:

# grep -Ei '^[[:space:]]*(PermitEmptyPasswords|PermitUserEnvironment)' /etc/ssh/sshd_config

PermitEmptyPasswords no
PermitUserEnvironment no

If "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are missing completely, or they are commented out, this is a finding. Note that sshd applies the first active occurrence of a keyword: if either keyword appears more than once, the first uncommented line is the one in effect.

References:
SV-109955
V-100851
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 51
TITLE            : CAT I, V-251507, SV-251507r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:34301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:34301
RULE             : The Ubuntu operating system must not allow accounts configured with blank or null passwords.
QUESTION_TEXT    : To verify that null passwords cannot be used, run the following command: 

$ grep nullok /etc/pam.d/common-password

If this produces any output, it may be possible to log on with accounts with empty passwords.

Note: the "nullok_secure" option that the default Ubuntu /etc/pam.d/common-auth places on pam_unix.so also permits empty passwords. Run the same grep against that file (it matches "nullok_secure" as well) and treat any uncommented match as the same problem.

If null passwords can be used, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 51
TITLE            : CAT I, V-264388, SV-264388r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:35101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:35101
RULE             : The Ubuntu operating system must be a vendor supported release.
QUESTION_TEXT    : Verify the version of the Ubuntu operating system is vendor supported.

Check the version of the Ubuntu operating system with the following command:

# cat /etc/lsb-release

DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"

Validate that "Extended Security Maintenance" support has been purchased from the vendor.
If the operating system does not have a documented "Extended Security Maintenance" agreement in place, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 51
TITLE            : CAT II, V-219150, SV-219150r958552, SRG-OS-000185-GPOS-00079
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:701
RULE             : Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
QUESTION_TEXT    : If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.

Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption. 

Determine the partition layout for the system with the following command:

# sudo fdisk -l
(..)
Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB

Device Start End Sectors Size Type
/dev/vda1 2048 4095 2048 1M BIOS boot
/dev/vda2 4096 2101247 2097152 1G Linux filesystem
/dev/vda3 2101248 31455231 29353984 14G Linux filesystem
(...)

Verify that the system partitions are all encrypted with the following command:

# more /etc/crypttab

Every persistent disk partition present must have an entry in the file. If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.

References:
SV-109629
V-100525
CCI-001199
CCI-002475
CCI-002476
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 51
TITLE            : CAT II, V-219159, SV-219159r982191, SRG-OS-000191-GPOS-00080
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:2501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:2501
RULE             : The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP).
QUESTION_TEXT    : Check that the "mcafeetp" package has been installed:

# dpkg -l | grep -i mcafeetp

If the "mcafeetp" package is not installed, this is a finding.

Check that the daemon is running:

# /opt/McAfee/ens/tp/init/mfetpd-control.sh status

If the daemon is not running, this is a finding.

References:
SV-109649
V-100545
CCI-001233
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 51
TITLE            : CAT II, V-219168, SV-219168r982205, SRG-OS-000109-GPOS-00056
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:4301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:4301
RULE             : The Ubuntu operating system must prevent direct login into the root account.
QUESTION_TEXT    : Verify the Ubuntu operating system prevents direct logins to the root account.

Check that the Ubuntu operating system prevents direct logins to the root account with the following command:

# sudo passwd -S root

root L 11/11/2017 0 99999 7 -1

If the output does not contain "L" in the second field to indicate the account is locked, this is a finding. A locked password only blocks password logins; whether root may log in over SSH with a key is controlled separately by the "PermitRootLogin" keyword in /etc/ssh/sshd_config.

References:
SV-109667
V-100563
CCI-000770
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 51
TITLE            : CAT II, V-219182, SV-219182r971535, SRG-OS-000120-GPOS-00061
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:6901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:6901
RULE             : The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.
QUESTION_TEXT    : Verify that encrypted passwords stored in /etc/shadow use a strong cryptographic hash.

Check that pam_unix.so in the password stack is configured to use sha512 with the following command:

# grep password /etc/pam.d/common-password | grep pam_unix

password [success=1 default=ignore] pam_unix.so obscure sha512

If "sha512" is not an option in the output, or the line is commented out, this is a finding.

Check that ENCRYPT_METHOD is set to sha512 in /etc/login.defs:

# grep -i ENCRYPT_METHOD /etc/login.defs

ENCRYPT_METHOD SHA512

If the output does not contain "sha512", or it is commented out, this is a finding.
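
Added example, not part of the STIG or of the SCC content: the null-password check of question 4 and both halves of question 9 as functions that take the files to inspect as arguments, so they can be run against the constructed copies below and against /etc/pam.d/common-auth, /etc/pam.d/common-password and /etc/login.defs on a host. The functions ignore commented-out lines, recognise the "nullok_secure" spelling Ubuntu ships in common-auth, and treat a pam_unix.so password line with no hash option as a finding (pam_unix then uses its compiled-in default, not sha512).

```bash
#!/bin/bash
# Added example (not STIG or SCC content): questions 4 and 9 evaluated
# against PAM and login.defs files given as arguments.

# Question 4: exit 0 (a finding) if any active pam_unix.so line in the given
# files carries "nullok" or "nullok_secure"; exit 1 otherwise.
nullok_allowed() {
    cat "$@" | awk '
        /^[[:space:]]*#/ { next }
        /pam_unix\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^nullok(_secure)?$/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Question 9, PAM half: print the hash option of each active pam_unix.so line
# in the password stack of file $1, or "none" for a line that sets no hash.
pam_unix_password_hash() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "password" && /pam_unix\.so/ {
            h = "none"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(md5|bigcrypt|blowfish|sha256|sha512|yescrypt)$/) h = $i
            print h
        }' "$1"
}

# Question 9, login.defs half: print the active ENCRYPT_METHOD value in upper
# case, or "unset" if no active line defines it. The last active definition
# is reported; a file that defines it twice should simply be fixed.
login_defs_encrypt_method() {
    awk '
        /^[[:space:]]*#/ { next }
        toupper($1) == "ENCRYPT_METHOD" { v = toupper($2) }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# Run both questions against common-auth $1, common-password $2 and
# login.defs $3. Prints PASS/FINDING per check; exit 1 if any is a finding.
password_checks() {
    local status=0 hash_opt method
    if nullok_allowed "$1" "$2"; then
        echo "FINDING nullok/nullok_secure present on a pam_unix.so line"; status=1
    else
        echo "PASS no nullok option in PAM configuration"
    fi
    hash_opt=$(pam_unix_password_hash "$2")
    if [ "$hash_opt" = "sha512" ]; then
        echo "PASS pam_unix.so password hash is sha512"
    else
        echo "FINDING pam_unix.so password hash is '${hash_opt:-missing}', not sha512"; status=1
    fi
    method=$(login_defs_encrypt_method "$3")
    if [ "$method" = "SHA512" ]; then
        echo "PASS ENCRYPT_METHOD is SHA512"
    else
        echo "FINDING ENCRYPT_METHOD is $method"; status=1
    fi
    return $status
}

# Constructed files: a defective set (nullok_secure in common-auth, the sha512
# line commented out, ENCRYPT_METHOD MD5), then a corrected set.
pam_demo=$(mktemp -d)
cat > "$pam_demo/common-auth" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
EOF
cat > "$pam_demo/common-password" <<'EOF'
# password        [success=1 default=ignore]      pam_unix.so obscure sha512
password        [success=1 default=ignore]      pam_unix.so obscure
password        requisite                       pam_deny.so
EOF
printf '#ENCRYPT_METHOD SHA512\nENCRYPT_METHOD MD5\n' > "$pam_demo/login.defs"
cat > "$pam_demo/common-auth.fixed" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so
auth    requisite                       pam_deny.so
EOF
cat > "$pam_demo/common-password.fixed" <<'EOF'
password        [success=1 default=ignore]      pam_unix.so obscure sha512 rounds=100000
password        requisite                       pam_deny.so
EOF
printf 'ENCRYPT_METHOD SHA512\n' > "$pam_demo/login.defs.fixed"

echo "== constructed defective files =="
password_checks "$pam_demo/common-auth" "$pam_demo/common-password" "$pam_demo/login.defs" || true
echo "== constructed corrected files =="
password_checks "$pam_demo/common-auth.fixed" "$pam_demo/common-password.fixed" "$pam_demo/login.defs.fixed" || true
```

Both settings matter: pam_unix's option governs passwords changed through PAM (passwd, chpasswd via PAM), while ENCRYPT_METHOD governs tools from the shadow suite that hash passwords without PAM, so a system with only one of them set still stores some passwords with the weaker algorithm.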

References:
SV-109695
V-100591
CCI-000803
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 51
TITLE            : CAT II, V-219183, SV-219183r982193, SRG-OS-000380-GPOS-00165
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:7101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:7101
RULE             : The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password.
QUESTION_TEXT    : Verify a policy exists that ensures when a user account is created, it is created using a method that forces a user to change their password upon their next login.

If a policy does not exist, this is a finding.

References:
V-100593
SV-109697
CCI-002041
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 51
TITLE            : CAT II, V-219198, SV-219198r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:10101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:10101
RULE             : The Ubuntu operating system library files must have mode 0755 or less permissive.
QUESTION_TEXT    : Verify the system-wide shared library files contained in the directories "/lib", "/lib64" and "/usr/lib" have mode 0755 or less permissive.

Check that the system-wide shared library files have mode 0755 or less permissive with the following command:
$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec stat -c "%n %a" '{}' \;
/usr/lib64/pkcs11-spy.so

If any library files are found to be group-writable or world-writable, this is a finding.

References:
V-100623
SV-109727
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 51
TITLE            : CAT II, V-219200, SV-219200r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:10501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:10501
RULE             : The Ubuntu operating system library files must be owned by root.
QUESTION_TEXT    : Verify the system-wide shared library files contained in the directories "/lib", "/lib64" and "/usr/lib" are owned by root.

Check that the system-wide shared library files are owned by root with the following command:

# sudo find /lib /usr/lib /lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \;

If any system wide library file is returned, this is a finding.

References:
SV-109731
V-100627
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 51
TITLE            : CAT II, V-219202, SV-219202r991560, SRG-OS-000259-GPOS-00100
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:10901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:10901
RULE             : The Ubuntu operating system library files must be group-owned by root.
QUESTION_TEXT    : Verify the system-wide library files contained in the directories "/lib", "/lib64" and "/usr/lib" are group-owned by root.

Check that the system-wide library files are group-owned by root with the following command:
$ sudo find /lib /usr/lib /lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \;

If any system wide shared library file is returned, this is a finding.
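
Added example, not part of the STIG or of the SCC content: the three library checks of questions 11, 12 and 13 in a single pass over the given directories, printing each offending regular file together with the reason(s). Symlinks are not examined (as with the STIG's "-type f"; their targets are checked in their own right). The expected owner and group are parameters so the function can be demonstrated on the constructed tree below, which is owned by whoever runs the script; on a host call it as "audit_library_files root root /lib /lib64 /usr/lib". It relies on GNU find ("-perm /MODE" and "-printf"), which Ubuntu ships.

```bash
#!/bin/bash
# Added example (not STIG or SCC content): questions 11-13 in one find pass.

# Usage: audit_library_files OWNER GROUP DIR... ; prints "path: reasons" for
# every regular file that is group/world-writable or not owned by OWNER:GROUP.
# Exit 1 if anything was printed.
audit_library_files() {
    local want_user=$1 want_group=$2
    shift 2
    find "$@" -type f \( -perm /022 -o ! -user "$want_user" -o ! -group "$want_group" \) \
        -printf '%m %u %g %p\n' 2>/dev/null |
    awk -v wu="$want_user" -v wg="$want_group" '
        {
            mode = $1; owner = $2; group = $3
            path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)   # keeps spaces in names
            g = substr(mode, length(mode) - 1, 1) + 0        # group permission digit
            o = substr(mode, length(mode), 1) + 0            # other permission digit
            reason = ""
            if (int(g / 2) % 2 || int(o / 2) % 2) reason = reason " writable-by-group-or-other"
            if (owner != wu) reason = reason " owner=" owner
            if (group != wg) reason = reason " group=" group
            print path ":" reason
            n++
        }
        END { exit n ? 1 : 0 }'
}

# Constructed tree: one correct library, one group-writable, one
# world-writable, and a symlink (skipped). Owner and group are read from the
# files themselves so that only the mode checks fire in this demonstration.
lib_demo=$(mktemp -d)
mkdir -p "$lib_demo/usr/lib/x86_64-linux-gnu"
: > "$lib_demo/usr/lib/x86_64-linux-gnu/libgood.so.1"
: > "$lib_demo/usr/lib/libgroupw.so"
: > "$lib_demo/usr/lib/libworldw.so"
chmod 0644 "$lib_demo/usr/lib/x86_64-linux-gnu/libgood.so.1"
chmod 0664 "$lib_demo/usr/lib/libgroupw.so"
chmod 0666 "$lib_demo/usr/lib/libworldw.so"
ln -s libgood.so.1 "$lib_demo/usr/lib/x86_64-linux-gnu/libgood.so"
lib_owner=$(stat -c %U "$lib_demo/usr/lib/libworldw.so")
lib_group=$(stat -c %G "$lib_demo/usr/lib/libworldw.so")

echo "Library files failing the checks under $lib_demo/usr/lib:"
if audit_library_files "$lib_owner" "$lib_group" "$lib_demo/usr/lib"; then
    echo "none: Not a Finding"
else
    echo "Finding"
fi
```

A writable or foreign-owned shared library is a code-execution path into every process that loads it, which is why all three questions are CAT II; the combined listing lets the reviewer fix mode and ownership in one pass rather than running three separate finds.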

References:
V-100631
SV-109735
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 51
TITLE            : CAT II, V-219216, SV-219216r991579, SRG-OS-000471-GPOS-00215
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:13701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:13701
RULE             : The Ubuntu operating system must generate audit records for privileged activities or other system-level access.
QUESTION_TEXT    : Verify the Ubuntu operating system audits privileged activities.

Check the currently configured audit rules with the following command:

# sudo auditctl -l | grep sudo.log

-w /var/log/sudo.log -p wa -k priv_actions

If the command does not return lines that match the example or the lines are commented out, this is a finding.

Notes: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.

References:
SV-109763
V-100659
CCI-000172
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 51
TITLE            : CAT II, V-219226, SV-219226r958424, SRG-OS-000046-GPOS-00022
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:15701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:15701
RULE             : The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
QUESTION_TEXT    : Verify that the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) are notified in the event of an audit processing failure.

Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) in the event of an audit processing failure with the following command:

# sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct = root

If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding. Note that auditd sends this notification through the local mail system; it reaches the SA and ISSO only if delivery for the listed account is actually configured (for example, an alias or forward for root to a monitored mailbox).

References:
V-100679
SV-109783
CCI-000139
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 51
TITLE            : CAT II, V-219228, SV-219228r958436, SRG-OS-000058-GPOS-00028
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:16101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:16101
RULE             : The Ubuntu operating system must be configured so that audit log files cannot be read or write-accessible by unauthorized users.
QUESTION_TEXT    : Verify that the audit log files have a mode of "0600" or less permissive.

First determine where the audit logs are stored with the following command:

# sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Using the path of the directory containing the audit logs, check if the audit log files have a mode of "0600" or less by using the following command:

# sudo stat -c "%n %a" /var/log/audit/*
/var/log/audit/audit.log 600

If the audit log files have a mode more permissive than "0600", this is a finding.

References:
SV-109787
V-100683
CCI-000162
CCI-000163
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 51
TITLE            : CAT II, V-219229, SV-219229r958436, SRG-OS-000058-GPOS-00028
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:16301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:16301
RULE             : The Ubuntu operating system must permit only authorized accounts ownership of the audit log files.
QUESTION_TEXT    : Verify that the audit log files are owned by "root" account.

First determine where the audit logs are stored with the following command:

# sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Using the path of the directory containing the audit logs, check if the audit log files are owned by the "root" user by using the following command:

# sudo stat -c "%n %U" /var/log/audit/*
/var/log/audit/audit.log root

If the audit log files are owned by a user other than "root", this is a finding.

References:
SV-109789
V-100685
CCI-000162
CCI-000163
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 51
TITLE            : CAT II, V-219230, SV-219230r958436, SRG-OS-000058-GPOS-00028
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:16501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:16501
RULE             : The Ubuntu operating system must permit only authorized groups to own the audit log files.
QUESTION_TEXT    : Verify that the audit log files are owned by "root" group.

First determine where the audit logs are stored with the following command:

# sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Using the path of the directory containing the audit logs, check if the audit log files are owned by the "root" group by using the following command:

# sudo stat -c "%n %G" /var/log/audit/*
/var/log/audit/audit.log root

If the audit log files are owned by a group other than "root", this is a finding.

References:
SV-109791
V-100687
CCI-000162
CCI-000163
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 51
TITLE            : CAT II, V-219231, SV-219231r958438, SRG-OS-000059-GPOS-00029
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:16701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:16701
RULE             : The Ubuntu operating system must be configured so that the audit log directory is not write-accessible by unauthorized users.
QUESTION_TEXT    : Verify that the audit log directory has a mode of "0750" or less permissive.

First determine where the audit logs are stored with the following command:

# sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Using the path of the directory containing the audit logs, check if the directory has a mode of "0750" or less by using the following command:

# sudo stat -c "%n %a" /var/log/audit
/var/log/audit 750

If the audit log directory has a mode more permissive than "0750", this is a finding.

References:
SV-109793
V-100689
CCI-000164
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 51
TITLE            : CAT II, V-219232, SV-219232r958438, SRG-OS-000059-GPOS-00029
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:16901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:16901
RULE             : The Ubuntu operating system must allow only authorized accounts to own the audit log directory.
QUESTION_TEXT    : Verify that the audit log directory is owned by "root" account.

First determine where the audit logs are stored with the following command:

# sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Using the path of the directory containing the audit logs, check if the directory is owned by the "root" user by using the following command:

# sudo stat -c "%n %U" /var/log/audit
/var/log/audit root

If the audit log directory is owned by a user other than "root", this is a finding.

References:
V-100691
SV-109795
CCI-000164
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 51
TITLE            : CAT II, V-219233, SV-219233r958438, SRG-OS-000059-GPOS-00029
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:17101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:17101
RULE             : The Ubuntu operating system must ensure only authorized groups can own the audit log directory and its underlying files.
QUESTION_TEXT    : Verify that the audit log directory is owned by "root" group.

First determine where the audit logs are stored with the following command:

# sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Using the path of the directory containing the audit logs, check if the directory is owned by the "root" group by using the following command:

# sudo stat -c "%n %G" /var/log/audit
/var/log/audit root

If the audit log directory is owned by a group other than "root", this is a finding.
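
Added example, not part of the STIG or of the SCC content: the audit checks of questions 14 through 21 as functions whose inputs are arguments, run here against constructed data (a saved "auditctl -l" listing, a sample auditd.conf excerpt, and a temporary log directory that mirrors the configured log_file path). On a host, feed in "sudo auditctl -l" output, /etc/audit/auditd.conf and the real log_file, with "root root" as the required owner and group; the demonstration uses the owner and group of the temporary files because they belong to whoever runs the script.

```bash
#!/bin/bash
# Added example (not STIG or SCC content): questions 14-21 as functions.

# Question 14: exit 0 if the rule listing in file $1 has a "-w" watch on path
# $2 whose "-p" permissions include every letter of $3 (for example "wa"),
# whatever the "-k" key is. A broader rule such as "-p rwxa" also satisfies it.
audit_watch_present() {
    awk -v want_path="$2" -v want_perms="$3" '
        $1 == "-w" && $2 == want_path {
            perms = ""
            for (i = 3; i < NF; i++) if ($i == "-p") perms = $(i + 1)
            ok = 1
            for (j = 1; j <= length(want_perms); j++)
                if (index(perms, substr(want_perms, j, 1)) == 0) ok = 0
            if (ok) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Questions 15-21: print the value of key $2 in auditd.conf $1 ("key = value"
# lines, comments ignored, whitespace trimmed), or nothing if it is absent.
auditd_conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit }
        }' "$1"
}

# Exit 0 if octal mode $1 (as printed by "stat -c %a") sets no bit that the
# octal limit $2 does not, i.e. $1 is "$2 or less permissive".
mode_within() { [ $(( 0$1 & ~0$2 )) -eq 0 ]; }

# Questions 16-21: the directory of log file $1 must be 0750 or less and owned
# by $2:$3; every regular file in it must be 0600 or less and owned by $2:$3.
# Prints one line per problem; exit 1 if there was any.
audit_log_perms() {
    local log_file=$1 want_user=$2 want_group=$3 dir problems=0 f limit mode owner group
    dir=$(dirname "$log_file")
    for f in "$dir" "$dir"/*; do
        if [ -d "$f" ]; then limit=750; elif [ -f "$f" ]; then limit=600; else continue; fi
        mode=$(stat -c %a "$f"); owner=$(stat -c %U "$f"); group=$(stat -c %G "$f")
        mode_within "$mode" "$limit" || { echo "$f: mode $mode exceeds 0$limit"; problems=1; }
        [ "$owner" = "$want_user" ]  || { echo "$f: owner $owner is not $want_user"; problems=1; }
        [ "$group" = "$want_group" ] || { echo "$f: group $group is not $want_group"; problems=1; }
    done
    return $problems
}

# Constructed inputs.
audit_demo=$(mktemp -d)
cat > "$audit_demo/auditctl-l.txt" <<'EOF'
-w /etc/sudoers -p wa -k scope
-w /var/log/sudo.log -p rwxa -k priv_actions
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
EOF
cat > "$audit_demo/auditd.conf" <<'EOF'
# constructed auditd.conf excerpt
log_file = /var/log/audit/audit.log
#action_mail_acct = root
action_mail_acct = isso
EOF
# Log directory mirroring the configured log_file, with two deliberate defects.
log_file=$(auditd_conf_value "$audit_demo/auditd.conf" log_file)
mkdir -p "$audit_demo$(dirname "$log_file")"
: > "$audit_demo$log_file"; : > "$audit_demo$log_file.1"
chmod 0755 "$audit_demo$(dirname "$log_file")"     # exceeds the 0750 limit
chmod 0640 "$audit_demo$log_file"                  # exceeds the 0600 limit
chmod 0600 "$audit_demo$log_file.1"
audit_owner=$(stat -c %U "$audit_demo$log_file"); audit_group=$(stat -c %G "$audit_demo$log_file")

audit_watch_present "$audit_demo/auditctl-l.txt" /var/log/sudo.log wa && echo "Q14 PASS" || echo "Q14 FINDING"
echo "Q15 action_mail_acct = $(auditd_conf_value "$audit_demo/auditd.conf" action_mail_acct)"
audit_log_perms "$audit_demo$log_file" "$audit_owner" "$audit_group" || echo "Q16-21 FINDING"
```

The mode comparison is bitwise rather than numeric on purpose: "0700" is numerically smaller than "0750" but would still fail "0640 or less permissive"-style reasoning only by accident, whereas masking with the limit catches exactly the bits that should not be set, including setgid or sticky bits on the directory.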

References:
SV-109797
V-100693
CCI-000164
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 51
TITLE            : CAT II, V-219303, SV-219303r958402, SRG-OS-000029-GPOS-00010
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:24901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:24901
RULE             : The Ubuntu operating system must initiate a session lock after a 15-minute period of inactivity for all connection types.
QUESTION_TEXT    : Verify the Ubuntu operating system initiates a session logout after a 15-minute period of inactivity. 

Check that the proper auto logout script exists with the following command:

# cat /etc/profile.d/autologout.sh
TMOUT=900
readonly TMOUT
export TMOUT

If the file "/etc/profile.d/autologout.sh" does not exist with the contents shown above, the value of "TMOUT" is greater than 900, or the timeout values are commented out, this is a finding.

References:
SV-109933
V-100829
CCI-000057
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 51
TITLE            : CAT II, V-219306, SV-219306r958406, SRG-OS-000032-GPOS-00013
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:25301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:25301
RULE             : The Ubuntu operating system must monitor remote access methods.
QUESTION_TEXT    : Verify that the Ubuntu operating system monitors all remote access methods.

Check that remote access methods are being logged by running the following command:

$ grep -E -r '^(auth,authpriv\.\*|daemon\.\*)' /etc/rsyslog.*
/etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log
/etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages

If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged in at least one of the config files, this is a finding.

References:
SV-109939
V-100835
CCI-000067
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 51
TITLE            : CAT II, V-219311, SV-219311r970703, SRG-OS-000163-GPOS-00072
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:26301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:26301
RULE             : The Ubuntu operating system must automatically terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity.
QUESTION_TEXT    : Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity.

Check that the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command:

# sudo grep -i clientalive /etc/ssh/sshd_config

ClientAliveInterval 600

If "ClientAliveInterval" does not exist, is not set to a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding. A value of "0" disables the keepalive check entirely and does not satisfy this requirement. The number of unanswered keepalive messages sshd tolerates before disconnecting is set separately by "ClientAliveCountMax", so the effective idle time is the product of the two values.
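
Added example, not part of the STIG or of the SCC content: the sshd_config checks of questions 3 and 24 evaluated the way sshd reads the file. Keywords are case-insensitive, lines starting with "#" are comments, and when a keyword appears more than once the first active occurrence is the one sshd uses, so a compliant line lower in the file does not repair a bad one above it. Assumption made here: parsing stops at the first "Match" line, since values inside Match blocks apply only to matching connections and are not the global setting the questions ask about. The sample files are constructed. On a host, point the functions at /etc/ssh/sshd_config, or at the output of "sudo sshd -T", which prints the effective values with defaults filled in.

```bash
#!/bin/bash
# Added example (not STIG or SCC content): questions 3 and 24 against an
# sshd_config, honouring first-occurrence-wins and stopping at Match blocks.

# Print the effective value of keyword $2 in config $1 (empty if it is unset
# or present only in a comment).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }       # assumption: ignore Match blocks
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")
            print
            exit
        }' "$1"
}

# Prints PASS/FINDING for PermitEmptyPasswords, PermitUserEnvironment and
# ClientAliveInterval; exit 1 if any is a finding. ClientAliveInterval 0 turns
# the keepalive check off altogether, so it is a finding despite being
# "600 or less".
sshd_checks() {
    local cfg=$1 status=0 kw v
    for kw in PermitEmptyPasswords PermitUserEnvironment; do
        v=$(sshd_effective "$cfg" "$kw" | tr 'A-Z' 'a-z')
        if [ "$v" = "no" ]; then
            echo "PASS $kw no"
        else
            echo "FINDING $kw is '${v:-unset}' (must be no)"; status=1
        fi
    done
    v=$(sshd_effective "$cfg" ClientAliveInterval)
    case $v in
        ''|*[!0-9]*)
            echo "FINDING ClientAliveInterval is '${v:-unset}'"; status=1 ;;
        *)
            if [ "$v" -ge 1 ] && [ "$v" -le 600 ]; then
                echo "PASS ClientAliveInterval $v"
            else
                echo "FINDING ClientAliveInterval $v (must be 1 to 600)"; status=1
            fi ;;
    esac
    return $status
}

ssh_demo=$(mktemp -d)
# Constructed non-compliant file: the commented line and the later "600" do
# not help, because the first active occurrence of each keyword wins.
cat > "$ssh_demo/sshd_config" <<'EOF'
#PermitEmptyPasswords no
permitemptypasswords yes
PermitUserEnvironment no
ClientAliveInterval 0
ClientAliveInterval 600
Match User backup
    ClientAliveInterval 300
    ClientAliveCountMax 1
EOF
cat > "$ssh_demo/sshd_config.fixed" <<'EOF'
PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveInterval 600
ClientAliveCountMax 1
EOF

echo "== constructed non-compliant sshd_config =="
sshd_checks "$ssh_demo/sshd_config" || true
echo "== constructed corrected sshd_config =="
sshd_checks "$ssh_demo/sshd_config.fixed" || true
```

A plain "grep -i clientalive" would show both ClientAliveInterval lines of the non-compliant file and leave the reviewer to work out which one sshd honours; reading the first active occurrence, as sshd does, removes that ambiguity.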

References:
V-100845
SV-109949
CCI-001133
CCI-002361
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 51
TITLE            : CAT II, V-219317, SV-219317r958484, SRG-OS-000105-GPOS-00052
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:27501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:27501
RULE             : The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.
QUESTION_TEXT    : Verify the Ubuntu operating system uses multifactor authentication for local access to accounts.

Check that the "pam_pkcs11.so" option is configured in the "/etc/pam.d/common-auth" file with the following command:

# grep pam_pkcs11.so /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_pkcs11.so

If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.

References:
V-100857
SV-109961
CCI-000765
CCI-000766
CCI-000767
CCI-000768
CCI-001954
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 51
TITLE            : CAT II, V-219321, SV-219321r958868, SRG-OS-000403-GPOS-00182
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:28301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:28301
RULE             : The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
QUESTION_TEXT    : Verify that the directory containing the root certificates for the Ubuntu operating system contains only certificate files for DoD PKI-established certificate authorities by iterating over all files in the '/etc/ssl/certs' directory and checking whether at least one has a subject matching "DOD ROOT CA".

If none is found, this is a finding.
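The check text gives no command for the iteration. The functions below are an added example (not part of the STIG or of SCC; function names are my own) that walk a certificate directory with the openssl command-line tool and tag each file by subject. The match is case-insensitive because the real DoD roots carry mixed-case subjects such as "CN = DoD Root CA 3", which a literal "DOD ROOT CA" grep would miss. The rule itself says the store must contain ONLY DoD CAs, so the example also counts the non-DoD entries the reviewer has to raise with the SA/ISSO.

```shell
# Added example, not part of the STIG: classify every certificate in a
# directory by subject. Requires the openssl command-line tool.
classify_certs() {
    # $1 = directory of PEM files (e.g. /etc/ssl/certs); prints
    # "<DOD|OTHER>\t<file>\t<subject>" for each readable certificate.
    # Symlinks (the hash links ca-certificates creates) are followed; a
    # bundle such as ca-certificates.crt only yields its first certificate.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -noout -subject -in "$f" 2>/dev/null) || continue
        if printf '%s\n' "$subject" | grep -qi 'dod root ca'; then
            tag=DOD
        else
            tag=OTHER
        fi
        printf '%s\t%s\t%s\n' "$tag" "$f" "$subject"
    done
}

# Number of DoD root CAs found; 0 is the "none is found" finding.
count_dod_roots() { classify_certs "$1" | grep -c '^DOD'; }

# Number of CAs that are not DoD roots; each one needs an SA/ISSO decision
# because the rule allows only DoD PKI-established authorities.
count_other_roots() { classify_certs "$1" | grep -c '^OTHER'; }

# Usage on a live system:
#   count_dod_roots /etc/ssl/certs
#   classify_certs /etc/ssl/certs | grep '^OTHER'
```

On a stock Ubuntu install the ca-certificates package populates /etc/ssl/certs with well over a hundred public CAs, so the OTHER count will be large until the unwanted entries are deselected in /etc/ca-certificates.conf and update-ca-certificates is re-run; whether that trimming is acceptable for the site is a decision to document with the SA/ISSO, not something the check alone decides.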

References:
V-100865
SV-109969
CCI-002470
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 51
TITLE            : CAT II, V-219324, SV-219324r958808, SRG-OS-000370-GPOS-00155
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:28901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:28901
RULE             : The Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
QUESTION_TEXT    : Verify that the Ubuntu operating system is configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and access to user home directories.

Check that "Apparmor" is configured to employ application whitelisting and home directory access control with the following command:

# sudo apparmor_status

apparmor module is loaded.
17 profiles are loaded.
17 profiles are in enforce mode.
 /sbin/dhclient
 /usr/bin/lxc-start
 ...
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

If the defined profiles do not match the organization's list of authorized software, this is a finding.

References:
V-100871
SV-109975
CCI-001774
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 51
TITLE            : CAT II, V-219325, SV-219325r958482, SRG-OS-000104-GPOS-00051
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:29101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:29101
RULE             : The Ubuntu operating system must uniquely identify interactive users.
QUESTION_TEXT    : Verify that the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive users.

Check that the Ubuntu operating system contains no duplicate UIDs for interactive users with the following command:

# awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd

If output is produced, and the accounts listed are interactive user accounts, this is a finding.

References:
SV-109977
V-100873
CCI-000764
CCI-000804
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 51
TITLE            : CAT II, V-219326, SV-219326r982189, SRG-OS-000118-GPOS-00060
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:29301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:29301
RULE             : The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
QUESTION_TEXT    : Verify that account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity.

Check the account inactivity value by performing the following command:

# sudo grep INACTIVE /etc/default/useradd

INACTIVE=35

If "INACTIVE" is not set to a value between 1 and 35 inclusive (0 < value <= 35), or is commented out, this is a finding.
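A caveat a reviewer should keep in mind: INACTIVE in /etc/default/useradd (the value "useradd -D" prints) only seeds accounts created after it was set. Accounts that already exist carry their own inactivity period in field 7 of /etc/shadow, and "usermod -f 35 <user>" is how an existing one is brought into line. The functions below are an added example (not part of the STIG or of SCC; names are my own) that check the default and then list interactive accounts whose own period is unset or longer than 35 days. File paths are parameters so the logic can run on copied files; on the live system reading /etc/shadow needs root. Inactivity is counted from password expiry, so this check only bites when the password maximum age is finite as well.

```shell
# Added example, not part of the STIG: per-account inactivity audit.
inactive_findings() {
    # $1 = passwd-format file, $2 = shadow-format file, $3 = maximum days (35)
    awk -F: -v max="$3" '
        # first file: remember interactive accounts (UID >= 1000, real shell)
        NR == FNR { if ($3 >= 1000 && $7 !~ /nologin$/ && $7 !~ /false$/) user[$1] = 1; next }
        # second file: field 7 is the inactivity period in days; empty = never locked
        ($1 in user) && ($7 == "" || $7 > max) {
            printf "%s: inactive days=%s\n", $1, ($7 == "" ? "unset" : $7)
        }' "$1" "$2"
}

# Reads INACTIVE from a useradd defaults file; prints the value or nothing.
useradd_inactive() {
    awk -F= '$1 == "INACTIVE" { print $2; exit }' "$1"
}

# Returns 0 only when the default is 1..max AND no existing interactive
# account exceeds max.
check_inactive() {
    # $1 = /etc/default/useradd, $2 = passwd file, $3 = shadow file, $4 = max days
    def=$(useradd_inactive "$1")
    case "$def" in
        '' | *[!0-9]*) echo "INACTIVE missing, commented out or non-numeric in $1: finding"; return 1 ;;
    esac
    if [ "$def" -lt 1 ] || [ "$def" -gt "$4" ]; then
        echo "INACTIVE=$def is outside 1..$4: finding"
        return 1
    fi
    findings=$(inactive_findings "$2" "$3" "$4")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "INACTIVE=$def and every interactive account locks within $4 days: not a finding"
}

# Usage on a live system (as root):
#   check_inactive /etc/default/useradd /etc/passwd /etc/shadow 35
```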

References:
SV-109979
V-100875
CCI-000795
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 51
TITLE            : CAT II, V-219329, SV-219329r958364, SRG-OS-000002-GPOS-00002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:29901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:29901
RULE             : The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.
QUESTION_TEXT    : Verify the Ubuntu operating system expires temporary user accounts within 72 hours or less.

For every existing temporary account, run the following command to obtain its account expiration information.

# sudo chage -l system_account_name | grep expires

Password expires : Aug 07, 2019
Account expires : Aug 07, 2019

Verify each of these accounts has an expiration date set within 72 hours of accounts' creation.
If any temporary account does not expire within 72 hours of that account's creation, this is a finding.

References:
SV-109985
V-100881
CCI-000016
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 51
TITLE            : CAT II, V-219334, SV-219334r958480, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:30901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:30901
RULE             : The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
QUESTION_TEXT    : Verify the Ubuntu operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following commands:
$ sudo ufw show before-rules
$ sudo ufw show user-rules
$ sudo ufw show after-rules

Ask the system administrator for the site or program PPSM Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. 

If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

References:
V-100891
SV-109995
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 51
TITLE            : CAT II, V-219335, SV-219335r958550, SRG-OS-000184-GPOS-00078
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:31101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:31101
RULE             : Kernel core dumps must be disabled unless needed.
QUESTION_TEXT    : Verify that kernel core dumps are disabled unless needed.

Check if "kdump" service is active with the following command:

# systemctl is-active kdump.service
inactive

If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).

If the service is active and is not documented, this is a finding.

References:
SV-109997
V-100893
CCI-001190
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 51
TITLE            : CAT II, V-219336, SV-219336r991567, SRG-OS-000278-GPOS-00108
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:31301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:31301
RULE             : The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools.
QUESTION_TEXT    : Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.

Check the selection lines that aide is configured to add/check with the following command:

# egrep '(\/sbin\/(audit|au))' /etc/aide/aide.conf

/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

If any of the seven audit tools does not have an appropriate selection line, this is a finding.

References:
V-100895
SV-109999
CCI-001496
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 51
TITLE            : CAT II, V-219337, SV-219337r958672, SRG-OS-000297-GPOS-00115
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:31501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:31501
RULE             : The Ubuntu operating system must enable and run the Uncomplicated Firewall (ufw).
QUESTION_TEXT    : Verify the Uncomplicated Firewall is enabled on the system by running the following command:

# systemctl is-enabled ufw

If the above command returns the status as "disabled", this is a finding.

Verify the Uncomplicated Firewall is active on the system by running the following command:

# sudo systemctl is-active ufw

If the above command returns 'inactive' or any kind of error, this is a finding.

If the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed.

If no application firewall is installed, this is a finding.

References:
SV-110001
V-100897
CCI-000366
CCI-002314
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 51
TITLE            : CAT II, V-219338, SV-219338r958794, SRG-OS-000363-GPOS-00150
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:31701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:31701
RULE             : The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.
QUESTION_TEXT    : Verify that Advanced Intrusion Detection Environment (AIDE) notifies the system administrator when anomalies in the operation of any security functions are discovered.

Check that AIDE notifies the system administrator when anomalies in the operation of any security functions are discovered with the following command:

# sudo grep SILENTREPORTS /etc/default/aide

SILENTREPORTS=no

If SILENTREPORTS is uncommented and set to yes, this is a finding.

References:
SV-110003
V-100899
CCI-001744
CCI-002702
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 51
TITLE            : CAT II, V-219344, SV-219344r958946, SRG-OS-000446-GPOS-00200
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:32901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:32901
RULE             : The Ubuntu operating system must be configured so that a file integrity tool verifies the correct operation of security functions every 30 days.
QUESTION_TEXT    : Verify that Advanced Intrusion Detection Environment (AIDE) performs a verification of the operation of security functions every 30 days.

Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.

Check that AIDE is being executed every 30 days or less with the following command:

# ls -al /etc/cron.daily/aide

-rwxr-xr-x 1 root root 26049 Oct 24 2014 /etc/cron.daily/aide

If the "/etc/cron.daily/aide" file does not exist or a cron job is not configured to run at least every 30 days, this is a finding.

References:
SV-110013
V-100909
CCI-002699
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 51
TITLE            : CAT II, V-233779, SV-233779r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:33101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:33101
RULE             : The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
QUESTION_TEXT    : Verify that X11Forwarding is disabled with the following command:

# grep -i x11forwarding /etc/ssh/sshd_config | grep -v "^#"

X11Forwarding no

If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, or if the keyword is missing, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 51
TITLE            : CAT II, V-233780, SV-233780r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:33301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:33301
RULE             : The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
QUESTION_TEXT    : Verify the SSH daemon prevents remote hosts from connecting to the proxy display.

Check the SSH X11UseLocalhost setting with the following command:

# sudo grep -i x11uselocalhost /etc/ssh/sshd_config
X11UseLocalhost yes

If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 51
TITLE            : CAT II, V-237768, SV-237768r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:33501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:33501
RULE             : All local interactive user home directories defined in the /etc/passwd file must exist.
QUESTION_TEXT    : Verify the assigned home directory of all local interactive users on the Ubuntu operating system exists.

Check the home directory assignment for all local interactive non-privileged users with the following command:

$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd

smithj 1001 /home/smithj

Note: This may miss interactive users that have been assigned a privileged User ID (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.

Check that all referenced home directories exist with the following command:

$ sudo pwck -r

user 'smithj': directory '/home/smithj' does not exist

If any home directories referenced in "/etc/passwd" are reported as not existing, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 51
TITLE            : CAT II, V-237769, SV-237769r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:33701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:33701
RULE             : All local interactive user home directories must have mode 0750 or less permissive.
QUESTION_TEXT    : Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive with the following command:

Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.

$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)

drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj

If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************

QUESTION         : 41 of 51
TITLE            : CAT II, V-237770, SV-237770r991589, SRG-OS-000480-GPOS-00227
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:33901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:33901
RULE             : All local interactive user home directories must be group-owned by the home directory owners primary group.
QUESTION_TEXT    : Verify the assigned home directory of all local interactive users is group-owned by that user’s primary Group Identifier (GID).

Check the home directory assignment for all non-privileged users on the system with the following command:

Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example.

$ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)

drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj

Check the user's primary group with the following command:

$ sudo grep admin /etc/group
admin:x:250:smithj,jonesj,jacksons

If the user home directory referenced in "/etc/passwd" is not group-owned by that user’s primary GID, this is a finding.
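Questions 39, 40 and 41 all start from the same awk selection of interactive users and then inspect the home directory by hand. The function below is an added example (not part of the STIG or of SCC; names are my own) that applies all three checks in one pass: the directory exists, its mode is 0750 or tighter, and its group owner is the user's primary GID taken straight from field 4 of passwd (so there is no need to grep /etc/group by name). The passwd file is a parameter so the logic can be exercised on a constructed copy; "stat -c" is GNU coreutils, as shipped on Ubuntu.

```shell
# Added example, not part of the STIG: home-directory audit for interactive users.
audit_home_dirs() {
    # $1 = passwd-format file; prints one line per problem, nothing when clean
    awk -F: '($3 >= 1000) && ($7 !~ /nologin$/) && ($7 !~ /false$/) {
        printf "%s:%s:%s\n", $1, $4, $6 }' "$1" |
    while IFS=: read -r user gid home; do
        if [ ! -d "$home" ]; then
            echo "$user: home directory $home does not exist"
            continue
        fi
        mode=$(stat -c %a "$home")
        # "0750 or less permissive" means no bit from the mask 027 (g+w, o+rwx)
        if [ $(( 0$mode & 027 )) -ne 0 ]; then
            echo "$user: $home has mode $mode, more permissive than 0750"
        fi
        dir_gid=$(stat -c %g "$home")
        if [ "$dir_gid" != "$gid" ]; then
            echo "$user: $home is group-owned by GID $dir_gid, primary GID is $gid"
        fi
    done
    return 0
}

# Returns 0 when audit_home_dirs reports nothing.
check_home_dirs() {
    [ -z "$(audit_home_dirs "$1")" ]
}

# Usage on a live system: audit_home_dirs /etc/passwd
```

As the STIG notes, this selection misses interactive users that were given a UID below 1000; those have to be found from logon records and checked the same way.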


References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************

QUESTION         : 42 of 51
TITLE            : CAT II, V-255906, SV-255906r991554, SRG-OS-000250-GPOS-00093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:34701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:34701
RULE             : The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.
QUESTION_TEXT    : Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:

     $ sudo grep -i kexalgorithms /etc/ssh/sshd_config
     KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 
If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.

References:
CCI-000068
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 42 *******************************

QUESTION         : 43 of 51
TITLE            : CAT III, V-219152, SV-219152r971542, SRG-OS-000343-GPOS-00134
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:1101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:1101
RULE             : The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
QUESTION_TEXT    : Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following command:

# sudo grep ^space_left_action /etc/audit/auditd.conf

space_left_action email

# sudo grep ^space_left /etc/audit/auditd.conf

space_left 250000

If the "space_left" parameter is missing, set to blanks, or set to a value less than 25% of the allocated audit record storage capacity ("space_left" is expressed in megabytes), this is a finding.

If the "space_left_action" parameter is missing or set to blanks, this is a finding.

If the "space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, so this is a finding.

If the "space_left_action" is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding.

If the "space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command:

# sudo grep action_mail_acct /etc/audit/auditd.conf

action_mail_acct root@localhost

The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the e-mail address of the system administrator(s) and/or ISSO, this is a finding. 

Note: If the email address of the system administrator is on a remote system, a mail package must be available.
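The 25% threshold is the part of this check reviewers most often get wrong, because "space_left" is a size in megabytes while the requirement is stated as a percentage of the partition. The functions below are an added example (not part of the STIG or of SCC; names are my own) that read the three parameters from an auditd.conf, derive the minimum "space_left" from the size of the filesystem holding /var/log/audit, and walk the email/exec/other decision tree from the check text. The conf path and partition size are parameters so the logic can be exercised on a constructed file.

```shell
# Added example, not part of the STIG: numeric evaluation of the space_left policy.
auditd_param() {
    # $1 = auditd.conf, $2 = parameter name; prints the value or nothing
    awk -F'=' -v key="$2" '
        /^[ \t]*#/ { next }                                   # skip comments
        { k = $1; v = $2
          gsub(/[ \t]/, "", k)                                # "space_left " -> "space_left"
          sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }      # trim the value
        k == key { print v; exit }' "$1"
}

# Size in MB of the filesystem that holds the audit log directory (GNU df).
audit_partition_mb() {
    df -BM --output=size "$1" | awk 'NR == 2 { sub(/M$/, ""); print }'
}

check_space_left() {
    # $1 = auditd.conf, $2 = size of the audit partition in MB
    minimum=$(( $2 / 4 ))                 # notify at 75% used == 25% left
    left=$(auditd_param "$1" space_left)
    action=$(auditd_param "$1" space_left_action)
    case "$left" in
        '' | *[!0-9]*) echo "space_left missing or non-numeric: finding"; return 1 ;;
    esac
    if [ "$left" -lt "$minimum" ]; then
        echo "space_left=$left MB is below 25% of $2 MB ($minimum MB): finding"
        return 1
    fi
    case "$action" in
        email)
            acct=$(auditd_param "$1" action_mail_acct)
            echo "space_left_action=email, action_mail_acct=${acct:-root (default)}: confirm this mailbox reaches the SA/ISSO"
            ;;
        exec)
            echo "space_left_action=exec: confirm the script notifies the SA/ISSO"
            ;;
        *)
            # syslog, ignore, suspend, single, halt or unset: nobody is notified
            echo "space_left_action=${action:-missing} does not notify anyone: finding"
            return 1
            ;;
    esac
    echo "space_left=$left MB satisfies the 25% threshold of $minimum MB"
    return 0
}

# Usage on a live system:
#   check_space_left /etc/audit/auditd.conf "$(audit_partition_mb /var/log/audit)"
```

"audit_partition_mb" deliberately sizes the filesystem that contains /var/log/audit rather than the root filesystem: when audit logs sit on their own partition, as they should, the two differ by a large factor and the threshold computed from "/" would be wrong.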

References:
SV-109633
V-100529
CCI-001855
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 43 *******************************

QUESTION         : 44 of 51
TITLE            : CAT III, V-219153, SV-219153r959008, SRG-OS-000479-GPOS-00224
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:1301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:1301
RULE             : The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected.
QUESTION_TEXT    : Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited.

Check that audisp-remote plugin is installed:

# sudo dpkg -s audispd-plugins

If status is "not installed", this is a finding.

Check that the records are being off-loaded to a remote server with the following command:

# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf

active = yes

If "active" is not set to "yes", or the line is commented out, this is a finding.

Check that audisp-remote plugin is configured to send audit logs to a different system:

# sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf 

remote_server = 192.168.122.126

If the "remote_server" parameter is not set, is set to a local address, or is set to an invalid address, this is a finding.

References:
V-100531
SV-109635
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 44 *******************************

QUESTION         : 45 of 51
TITLE            : CAT III, V-219154, SV-219154r959008, SRG-OS-000479-GPOS-00224
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:1501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:1501
RULE             : The Ubuntu operating system must have a crontab script running weekly to off-load audit events of standalone systems.
QUESTION_TEXT    : Verify there is a script which off-loads audit data and if that script runs weekly.

Check if there is a script in the /etc/cron.weekly directory which off-loads audit data:

# sudo ls /etc/cron.weekly

audit-offload

Check that the script in that file off-loads the audit logs to external media or a remote system.

If the script file does not exist, or the script does not off-load audit logs, this is a finding.

References:
SV-109637
V-100533
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 45 *******************************

QUESTION         : 46 of 51
TITLE            : CAT III, V-219163, SV-219163r958828, SRG-OS-000383-GPOS-00166
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:3301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:3301
RULE             : The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
QUESTION_TEXT    : If smart card authentication is not being used on the system this item is Not Applicable.

Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.

Check that PAM prohibits the use of cached authentications after one day with the following command:

# sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf

offline_credentials_expiration = 1

If "offline_credentials_expiration" is not set to a value of "1", in /etc/sssd/sssd.conf or in a file with a name ending in .conf in the /etc/sssd/conf.d/ directory, this is a finding.

References:
V-100553
SV-109657
CCI-002007
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 46 *******************************

QUESTION         : 47 of 51
TITLE            : CAT III, V-219180, SV-219180r982201, SRG-OS-000077-GPOS-00045
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:6501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:6501
RULE             : The Ubuntu operating system must prohibit password reuse for a minimum of five generations.
QUESTION_TEXT    : Verify that the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command:

# grep -i remember /etc/pam.d/common-password

password [success=1 default=ignore] pam_unix.so sha512 shadow remember=5 rounds=5000

If the "remember" parameter value is not greater than or equal to 5, is commented out, or is not set at all, this is a finding.

References:
V-100587
SV-109691
CCI-000200
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 47 *******************************

QUESTION         : 48 of 51
TITLE            : CAT III, V-219322, SV-219322r958702, SRG-OS-000312-GPOS-00122
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:28501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:28501
RULE             : Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
QUESTION_TEXT    : Verify that the Ubuntu operating system is configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user.

Check that "Pam_Apparmor" is installed on the system with the following command:

# dpkg -l | grep -i apparmor

ii libpam-apparmor 2.10.95-0Ubuntu2.6 

If the "Pam_Apparmor" package is not installed, this is a finding.

Check that the "AppArmor" daemon is running with the following command:

# systemctl status apparmor.service | grep -i active

If something other than "Active: active" is returned, this is a finding.

Note: Pam_Apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "Pam_Apparmor" documentation for more information on configuring profiles.

References:
V-100867
SV-109971
CCI-002165
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 48 *******************************

QUESTION         : 49 of 51
TITLE            : CAT III, V-219327, SV-219327r958508, SRG-OS-000123-GPOS-00064
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:29501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:29501
RULE             : The Ubuntu operating system must automatically expire temporary accounts within 72 hours.
QUESTION_TEXT    : Verify temporary accounts have been provisioned with an expiration date within 72 hours.

For every existing temporary account, run the following command to obtain its account expiration information:

     $ sudo chage -l <temporary_account_name> | grep -i "account expires"

Verify each of these accounts has an expiration date set within 72 hours.
If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
SV-109981
V-100877
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 49 *******************************

QUESTION         : 50 of 51
TITLE            : CAT III, V-219333, SV-219333r958788, SRG-OS-000359-GPOS-00146
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:30701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:30701
RULE             : The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
QUESTION_TEXT    : The time zone must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). To verify, run the following command:

# sudo timedatectl status | grep -i "time zone"
Timezone: UTC (UTC, +0000)

If "Timezone" is not set to UTC or GMT, this is a finding.

References:
SV-109993
V-100889
CCI-001890
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 50 *******************************

QUESTION         : 51 of 51
TITLE            : CAT III, V-255907, SV-255907r958524, SRG-OS-000138-GPOS-00069
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:testaction:34901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu1804:question:34901
RULE             : The Ubuntu operating system must restrict access to the kernel message buffer.
QUESTION_TEXT    : Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:

     $ sudo sysctl kernel.dmesg_restrict
     kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.

Check that the configuration files are present to enable this kernel parameter:

     $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
     /etc/sysctl.conf:kernel.dmesg_restrict = 1
     /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.

References:
CCI-001090
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 51 *******************************
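Added example, not part of the STIG file: a POSIX shell script that performs the two halves of question 51, reading the running kernel.dmesg_restrict value and scanning a list of sysctl configuration files for active settings, and that reports the "conflicting results" case explicitly. The file names under the temporary directory are constructed for the example; on a real host the paths from the check above are passed instead.

```shell
#!/bin/sh
# Added example, not part of the STIG file. Scans sysctl configuration files
# for kernel.dmesg_restrict, prints every active (uncommented) setting and
# gives a verdict: PASS, CONFLICT, MISSING or FAIL. Sample files are
# constructed in a temporary directory so the script runs offline.

# check_dmesg_restrict FILE... -> last line printed is the verdict; exit 0 only for PASS.
check_dmesg_restrict() {
    values=""
    for f in "$@"; do
        [ -f "$f" ] || continue
        # keep only uncommented "kernel.dmesg_restrict = N" lines and extract N
        found=$(sed -n 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$f")
        for v in $found; do
            echo "$f:kernel.dmesg_restrict = $v"
            values="$values $v"
        done
    done
    set -- $values
    if [ "$#" -eq 0 ]; then echo "MISSING"; return 2; fi
    for v in "$@"; do
        # every active setting must agree; differing values are a finding
        if [ "$v" != "$1" ]; then echo "CONFLICT"; return 3; fi
    done
    if [ "$1" = "1" ]; then echo "PASS"; return 0; fi
    echo "FAIL"; return 1
}

# running_dmesg_restrict -> current kernel value, read from /proc so the
# sysctl binary is not required; "unknown" where /proc is unavailable.
running_dmesg_restrict() {
    if [ -r /proc/sys/kernel/dmesg_restrict ]; then
        cat /proc/sys/kernel/dmesg_restrict
    else
        echo "unknown"
    fi
}

# Constructed sample configuration (file names are made up for the example).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'kernel.dmesg_restrict = 1\n' > "$tmp/sysctl.conf"
printf '# kernel.dmesg_restrict = 0\nkernel.dmesg_restrict=1\n' > "$tmp/99-sysctl.conf"
printf 'kernel.dmesg_restrict = 0\n' > "$tmp/10-weak.conf"

echo "running value: $(running_dmesg_restrict)"
check_dmesg_restrict "$tmp/sysctl.conf" "$tmp/99-sysctl.conf" || echo "finding (exit $?)"
check_dmesg_restrict "$tmp/sysctl.conf" "$tmp/99-sysctl.conf" "$tmp/10-weak.conf" || echo "finding (exit $?)"
```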

