################################################################################
DOCUMENT         : CAN_Ubuntu_22-04_LTS_STIG
VERSION          : 002.003.004
CHECKSUM         : 17365490e4d7b626fc2da41fb9db9a7bbe31db76e73993ac7605aae1390fd26a
MANUAL QUESTIONS : 13

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 13
TITLE            : CAT I, V-260559, SV-260559r958518, SRG-OS-000134-GPOS-00068
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:17701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:17701
RULE             : Ubuntu 22.04 LTS must ensure only users who need access to security functions are part of sudo group.
QUESTION_TEXT    : Verify the sudo group has only members who require access to security functions by using the following command:   
  
     $ grep sudo /etc/group  
     sudo:x:27:<username> 
  
If the sudo group contains users not needing access to security functions, this is a finding.

References:
CCI-001084
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************
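Added example, not part of the STIG or the SCC content: a shell check that enumerates the real membership of the "sudo" group and reports anyone not on an approved list. A bare "grep sudo /etc/group" also matches any other line containing the string "sudo", and it never shows accounts whose primary GID is the sudo group, so the check below anchors on the group-name field and also scans the passwd database. The group file, passwd file, user names and approved list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the STIG: enumerate the real membership of the
# "sudo" group and report anyone who is not on an approved list.
# Both functions take file *contents* as arguments, so they run here against
# constructed samples and on a host against /etc/group and /etc/passwd
# (or "getent group" / "getent passwd" to include SSSD/LDAP-backed accounts).

# Constructed /etc/group sample. The "pseudo" group shows why a bare
# 'grep sudo /etc/group' is not enough: it matches any line containing "sudo".
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob
pseudo:x:1001:carol
users:x:100:'

# Constructed /etc/passwd sample. "dave" has primary GID 27, so he is a sudo
# group member without appearing in the member list of /etc/group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
dave:x:1002:27::/home/dave:/bin/bash'

# sudo_members GROUP_CONTENT PASSWD_CONTENT
# Prints every sudo group member (explicit and primary-GID), one per line.
sudo_members() {
  gid=$(printf '%s\n' "$1" | awk -F: '$1 == "sudo" { print $3 }')
  {
    printf '%s\n' "$1" | awk -F: '$1 == "sudo" {
      n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
    printf '%s\n' "$2" | awk -F: -v g="$gid" 'g != "" && $4 == g { print $1 }'
  } | sort -u
}

# unapproved_sudo_members GROUP_CONTENT PASSWD_CONTENT "user1 user2 ..."
# Prints members that are not in the space-separated approved list. The
# approved list is a hypothetical input; the STIG expects it to come from the
# site's documentation of who needs access to security functions.
unapproved_sudo_members() {
  for u in $(sudo_members "$1" "$2"); do
    case " $3 " in
      *" $u "*) ;;                 # approved
      *) printf '%s\n' "$u" ;;     # not approved: a finding
    esac
  done
}

# check_sudo_group GROUP_CONTENT PASSWD_CONTENT APPROVED
# Exit status 0 = Not a Finding, 1 = Finding.
check_sudo_group() {
  [ -z "$(unapproved_sudo_members "$1" "$2" "$3")" ]
}

# Demo on the constructed samples with only alice approved: prints bob and dave.
unapproved_sudo_members "$SAMPLE_GROUP" "$SAMPLE_PASSWD" "alice"
# On a real host:
#   check_sudo_group "$(getent group sudo)" "$(getent passwd)" "alice" && echo "Not a Finding"
```

Using getent instead of reading the files directly matters on hosts joined to a directory: SSSD-provided group members are not in /etc/group at all.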

QUESTION         : 2 of 13
TITLE            : CAT II, V-260484, SV-260484r958552, SRG-OS-000185-GPOS-00079
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:3101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:3101
RULE             : Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest.
QUESTION_TEXT    : Verify Ubuntu 22.04 LTS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.   
 
Note: If there is a documented and approved reason for not having data-at-rest encryption, this requirement is not applicable. 
  
Determine the partition layout for the system by using the following command:  
  
     $ sudo fdisk -l 
 
     ... 
     Device               Start               End        Sectors       Size  Type 
     /dev/sda1         2048      2203647       2201600          1G  EFI System 
     /dev/sda2  2203648      6397951       4194304          2G  Linux filesystem 
     /dev/sda3  6397952  536868863  530470912  252.9G  Linux filesystem 
     ... 
  
Verify the system partitions are all encrypted by using the following command:  
 
     # more /etc/crypttab 
 
Every persistent disk partition present must have an entry in the file.   
  
If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.

References:
CCI-001199
CCI-002475
CCI-002476
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************
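Added example, not part of the STIG or the SCC content: the check above asks for every persistent partition to be covered by /etc/crypttab, but crypttab alone does not show whether a mounted filesystem actually sits below a LUKS container (LVM on LUKS, for instance). The functions below walk the block device tree from "lsblk -P" output to find filesystems with no encrypted ancestor, and separately find LUKS partitions that crypttab does not reference. The device tree, UUIDs and crypttab content are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG: decide from the block device tree which
# filesystems sit on an unencrypted path, and which LUKS containers have no
# /etc/crypttab entry. Input is the key="value" output of
#   lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME,UUID
# so the functions run here on a constructed sample and on a live host on the
# real command output. Device names and UUIDs below are invented.

SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME="" UUID=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda" UUID="1A2B-3C4D"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda" UUID="0c0c0c0c-1111-4222-8333-000000000002"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda" UUID="4d2f7b3e-0000-4c1a-9f00-000000000003"
NAME="sda3_crypt" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda3" UUID="pv00-0000-0000-0000"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda3_crypt" UUID="0c0c0c0c-1111-4222-8333-000000000004"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sda3_crypt" UUID="0c0c0c0c-1111-4222-8333-000000000005"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME="" UUID=""
NAME="sdb1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/data" PKNAME="sdb" UUID="0c0c0c0c-1111-4222-8333-000000000006"'

# Constructed /etc/crypttab covering sda3 only.
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
sda3_crypt UUID=4d2f7b3e-0000-4c1a-9f00-000000000003 none luks,discard'

# awk helper: field("KEY") extracts KEY="value" from the current lsblk -P line.
# A leading space is prepended so " KEY=" cannot match inside "PKNAME=".
AWK_FIELD='function field(key,  s) {
  if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
  s = substr(" " $0, RSTART, RLENGTH); sub(/^.*="/, "", s); sub(/"$/, "", s); return s }'

# unencrypted_filesystems LSBLK_OUTPUT
# Prints "name fstype mountpoint" for every filesystem or swap area that has no
# TYPE="crypt" ancestor, skipping /boot and /boot/efi, which the STIG exempts.
unencrypted_filesystems() {
  printf '%s\n' "$1" | awk "$AWK_FIELD"'
    { n = field("NAME"); order[++cnt] = n
      type[n] = field("TYPE"); fs[n] = field("FSTYPE")
      mp[n] = field("MOUNTPOINT"); parent[n] = field("PKNAME") }
    END {
      for (i = 1; i <= cnt; i++) {
        d = order[i]
        if (fs[d] == "" || fs[d] == "crypto_LUKS" || fs[d] == "LVM2_member") continue
        if (mp[d] == "/boot" || mp[d] == "/boot/efi") continue
        enc = 0
        for (p = parent[d]; p != ""; p = parent[p]) if (type[p] == "crypt") enc = 1
        if (!enc) print d, fs[d], (mp[d] == "" ? "-" : mp[d])
      }
    }'
}

# luks_without_crypttab LSBLK_OUTPUT CRYPTTAB_CONTENT
# Prints LUKS partitions that no uncommented crypttab line references by
# UUID=<uuid> or /dev/<name>.
luks_without_crypttab() {
  printf '%s\n' "$1" | awk "$AWK_FIELD"'
    field("FSTYPE") == "crypto_LUKS" { print field("NAME"), field("UUID") }' |
  while read -r name uuid; do
    [ -n "$name" ] || continue
    printf '%s\n' "$2" |
      grep -Eq "^[^#[:space:]]+[[:space:]]+(UUID=$uuid|/dev/$name)([[:space:]]|$)" ||
      printf '%s\n' "$name"
  done
}

# Demo: sdb1 (xfs on /data) is the only unencrypted filesystem; sda3 is covered.
unencrypted_filesystems "$SAMPLE_LSBLK"
luks_without_crypttab "$SAMPLE_LSBLK" "$SAMPLE_CRYPTTAB"
# On a real host:
#   unencrypted_filesystems "$(lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME,UUID)"
#   luks_without_crypttab "$(lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME,UUID)" "$(sudo cat /etc/crypttab)"
```

Swap is deliberately not exempted: an unencrypted swap area can hold pages of any process, including key material.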

QUESTION         : 3 of 13
TITLE            : CAT II, V-260518, SV-260518r958480, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:9901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:9901
RULE             : Ubuntu 22.04 LTS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
QUESTION_TEXT    : Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by using the following command: 
  
     $ sudo ufw show raw 
     Chain INPUT (policy ACCEPT 0 packets, 0 bytes)  
          pkts      bytes target     prot opt in     out     source               destination  
  
     Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)  
         pkts      bytes target     prot opt in     out     source               destination  
  
     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)  
         pkts      bytes target     prot opt in     out     source               destination  
  
Ask the system administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA.   
  
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.  
  
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************
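Added example, not part of the STIG or the SCC content: the firewall table shows what the host allows in, but the PPSM comparison is only meaningful against what is actually listening. The function below reduces "ss -tulnH" output to the network-exposed protocol/port pairs (loopback-only listeners are dropped) and reports any pair not in an approved list. The socket table and the approved list are constructed; the real approved list comes from the site's PPSM CLSA.

```shell
#!/bin/sh
# Added example, not part of the STIG: reduce the listening-socket table to the
# set of network-exposed protocol/port pairs and diff it against the ports the
# PPSM CLSA approves. The firewall rules ("ufw show raw") say what is allowed
# in; "ss -tulnH" says what is actually listening. The sample socket table and
# approved list below are constructed.

SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511             [::]:80           [::]:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*'

# exposed_ports SS_OUTPUT
# Prints unique "proto/port" for sockets bound to anything other than loopback;
# loopback-only listeners (127.x, [::1]) are reachable only from the host.
exposed_ports() {
  printf '%s\n' "$1" | awk '
    NF >= 5 {
      la = $5; port = la; sub(/.*:/, "", port)
      addr = la; sub(/:[^:]*$/, "", addr); sub(/%.*/, "", addr)
      if (addr ~ /^127\./ || addr == "[::1]") next
      print $1 "/" port }' | sort -u
}

# unapproved_ports SS_OUTPUT "tcp/22 udp/68 ..."
# Prints exposed proto/port pairs missing from the approved list (a finding).
unapproved_ports() {
  for e in $(exposed_ports "$1"); do
    case " $2 " in
      *" $e "*) ;;
      *) printf '%s\n' "$e" ;;
    esac
  done
}

# Demo: with tcp/22 and udp/68 approved, tcp/80 is the unapproved listener.
unapproved_ports "$SAMPLE_SS" "tcp/22 udp/68"
# On a real host, with the approved list taken from the PPSM CLSA:
#   unapproved_ports "$(ss -tulnH)" "tcp/22 udp/68"
```

Run the same comparison against the firewall's accept rules: a port that is approved but not listening is harmless, while a listener with no matching rule is exposed only if the default policy permits it.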

QUESTION         : 4 of 13
TITLE            : CAT II, V-260548, SV-260548r958364, SRG-OS-000002-GPOS-00002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:15701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:15701
RULE             : Ubuntu 22.04 LTS must automatically expire temporary accounts within 72 hours.
QUESTION_TEXT    : Verify temporary accounts have been provisioned with an expiration date of 72 hours by using the following command: 
 
     $ sudo chage -l <temporary_account_name> | grep -E '(Password|Account) expires' 
     Password expires     : Apr 1, 2024  
     Account expires        : Apr 1, 2024  
 
Verify each of these accounts has an expiration date set within 72 hours. 
 
If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

References:
CCI-000016
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************
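Added example, not part of the STIG or the SCC content: the check above leaves the 72-hour arithmetic to the reviewer. The function below parses the "Account expires" line of "chage -l" output and evaluates it against a reference time, treating "never", a missing line, or an expiry more than 72 hours out as a finding. The chage output samples are constructed around a reference date of 2024-03-30; GNU date is assumed for "-d".

```shell
#!/bin/sh
# Added example, not part of the STIG: evaluate "chage -l" output against the
# 72-hour rule relative to a reference time. The function takes the command
# output as text, so it runs here on constructed samples (dated around
# 2024-03-30) and on a host on "sudo chage -l <account>". Times are evaluated
# in UTC for determinism; GNU date is assumed for "-d".

SAMPLE_CHAGE_OK='Last password change                                    : Mar 29, 2024
Password expires                                        : Apr 1, 2024
Password inactive                                       : never
Account expires                                         : Apr 1, 2024
Minimum number of days between password change          : 1
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7'

SAMPLE_CHAGE_LATE='Account expires                                         : Apr 9, 2024'
SAMPLE_CHAGE_NEVER='Account expires                                         : never'

# account_expiry_ok CHAGE_OUTPUT NOW_EPOCH
# 0 = expiry set and no more than 72 hours after NOW_EPOCH (Not a Finding);
# 1 = expiry missing, "never", unparsable, or more than 72 hours away (Finding).
# An expiry already in the past is accepted: the account has expired.
account_expiry_ok() {
  exp=$(printf '%s\n' "$1" | awk -F': *' '/^Account expires/ { print $2 }')
  [ -n "$exp" ] && [ "$exp" != "never" ] || return 1
  exp_epoch=$(TZ=UTC date -d "$exp" +%s 2>/dev/null) || return 1
  [ $((exp_epoch - $2)) -le $((72 * 3600)) ]
}

# Demo with the reference time 2024-03-30 00:00 UTC.
NOW=$(TZ=UTC date -d '2024-03-30 00:00:00' +%s)
account_expiry_ok "$SAMPLE_CHAGE_OK"    "$NOW" && echo "OK: Not a Finding"
account_expiry_ok "$SAMPLE_CHAGE_LATE"  "$NOW" || echo "LATE: Finding"
account_expiry_ok "$SAMPLE_CHAGE_NEVER" "$NOW" || echo "NEVER: Finding"
# On a real host, for each documented temporary account:
#   account_expiry_ok "$(sudo chage -l "$user")" "$(date +%s)" || echo "$user: Finding"
# One way to set a compliant expiry on such an account:
#   sudo chage -E "$(date -d '+3 days' +%F)" "$user"
```

chage resolves to whole days, so "+3 days" from the moment of provisioning is the tightest expiry it can express; a reviewer comparing against the provisioning time should allow for that rounding.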

QUESTION         : 5 of 13
TITLE            : CAT II, V-260580, SV-260580r958868, SRG-OS-000403-GPOS-00182
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:21701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:21701
RULE             : Ubuntu 22.04 LTS must use DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
QUESTION_TEXT    : Verify the directory containing the root certificates for Ubuntu 22.04 LTS contains certificate files for DOD PKI-established certificate authorities by iterating over all files in the "/etc/ssl/certs" directory and checking whether at least one has a subject matching "DOD ROOT CA". 
 
     $ ls /etc/ssl/certs | grep -i DOD 
     DOD_PKE_CA_chain.pem 
 
If no DOD root certificate is found, this is a finding. 
 
Verify that all root certificates present on the system have been approved by the AO. 
 
     $ ls /etc/ssl/certs 
 
If a certificate is present that is not approved by the AO, this is a finding.

References:
CCI-002470
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************
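Added example, not part of the STIG or the SCC content: "ls /etc/ssl/certs | grep -i DOD" only finds files that happen to be named after the DOD CA, while the rule asks for a certificate whose subject matches. The functions below print the subject of every certificate in a directory, including each certificate inside a bundle file, and filter by a regular expression; the same listing with a match-all pattern gives the AO the full inventory the second step asks for. The demo builds a throwaway directory with two self-signed roots whose subjects and file names are invented; they are not real DOD certificates.

```shell
#!/bin/sh
# Added example, not part of the STIG: check certificate *subjects* rather than
# file names. Bundles (one file, several PEM certificates) are handled by
# converting to PKCS#7 and printing every subject. The demo directory and its
# two constructed self-signed roots are invented, not real DOD certificates.

# cert_subjects FILE -> one "subject=..." line per certificate in FILE
cert_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null | grep '^subject='
}

# find_ca_by_subject DIR ERE -> "file: subject=..." for every matching cert
find_ca_by_subject() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    cert_subjects "$f" | grep -E "$2" | sed "s|^|$f: |"
  done
}

# count_ca_by_subject DIR ERE -> number of matching certificates
count_ca_by_subject() {
  find_ca_by_subject "$1" "$2" | wc -l | tr -d ' '
}

# Build the constructed trust directory (removed when the script exits).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir "$DEMO/certs"
make_root() {  # make_root FILE SUBJECT: self-signed cert; key kept outside certs/
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$DEMO/$(basename "$1").key" -out "$1" -days 1 -subj "$2" 2>/dev/null
}
make_root "$DEMO/certs/constructed_dod_root.pem"   "/C=US/O=Constructed/CN=DOD ROOT CA 0"
make_root "$DEMO/certs/constructed_other_root.pem" "/C=US/O=Constructed/CN=Example Root CA"
# A bundle holding both, like the chain files that live in /etc/ssl/certs.
cat "$DEMO/certs/constructed_dod_root.pem" "$DEMO/certs/constructed_other_root.pem" \
  > "$DEMO/certs/constructed_chain.pem"

# Step 1 of the check: is at least one DOD root present?
# (expected: two hits, the single file and the same cert inside the bundle)
find_ca_by_subject "$DEMO/certs" 'DOD ROOT CA'
# Step 2: every root subject, for AO review.
find_ca_by_subject "$DEMO/certs" '.'
# On a real host:
#   find_ca_by_subject /etc/ssl/certs 'DOD ROOT CA'
#   find_ca_by_subject /etc/ssl/certs '.' | sort -u -t: -k2
```

/etc/ssl/certs is populated from /usr/share/ca-certificates by update-ca-certificates, so a root that should not be trusted has to be removed from that source (or deselected in /etc/ca-certificates.conf), not just deleted from the symlink directory.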

QUESTION         : 6 of 13
TITLE            : CAT II, V-260585, SV-260585r958946, SRG-OS-000446-GPOS-00200
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:22701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:22701
RULE             : Ubuntu 22.04 LTS must be configured so that the script that runs each 30 days or less to check file integrity is the default.
QUESTION_TEXT    : Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged.  
  
Download the original aide-common package in the /tmp directory:  
  
     $ cd /tmp; apt download aide-common 
  
Fetch the SHA1 of the original script file: 
  
     $ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | tar -xO ./usr/share/aide/config/cron.daily/aide | sha1sum 
     b71bb2cafaedf15ec3ac2f566f209d3260a37af0  -  
  
Compare with the SHA1 of the file in the daily or monthly cron directory:  
  
     $ sha1sum /etc/cron.{daily,monthly}/aide 2>/dev/null 
     b71bb2cafaedf15ec3ac2f566f209d3260a37af0  /etc/cron.daily/aide 
  
If there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the daily or monthly cron directory does not match the SHA1 of the original, this is a finding.

References:
CCI-002699
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 13
TITLE            : CAT II, V-274864, SV-274864r1107268, SRG-OS-000396-GPOS-00176
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:36701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:36701
RULE             : Ubuntu 22.04 LTS must have the "SSSD" package installed.
QUESTION_TEXT    : Verify Ubuntu 22.04 LTS has the packages required for multifactor authentication installed with the following command:

$ dpkg -l | grep sssd
ii  sssd     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- metapackage
ii  sssd-ad     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- Active Directory back end
ii  sssd-ad-common     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- PAC responder
ii  sssd-common     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- common files
ii  sssd-ipa     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- IPA back end
ii  sssd-krb5     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- Kerberos helpers
ii  sssd-ldap     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- LDAP back end
ii  sssd-proxy     2.9.4-1.1ubuntu6.1     amd64     System Security Services Daemon -- proxy back end

If the "sssd" package is not installed, this is a finding. The additional sssd components listed by the command may differ from configuration to configuration.  

Verify that "libpam-sss" (the PAM integration module for SSSD) is installed with the following command:

$ dpkg -l | grep libpam-sss
ii  libpam-sss:amd64     2.9.4-1.1ubuntu6.1     amd64     Pam module for the System Security Services Daemon

Verify that "libnss-sss" (the NSS module for retrieving user and group information) is installed with the following command:

$ dpkg -l | grep libnss-sss
ii  libnss-sss:amd64     2.9.4-1.1ubuntu6.1      amd64     Nss library for the System Security Services Daemon

References:
CCI-004046
CCI-004047
CCI-000765
CCI-000766
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 13
TITLE            : CAT II, V-274865, SV-274865r1101731, SRG-OS-000396-GPOS-00176
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:36901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:36901
RULE             : Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication.
QUESTION_TEXT    : Verify that authenticated certificates are mapped to the appropriate user group in the "/etc/sssd/sssd.conf" file with the following command: 
 
$ grep -i ldap_user_certificate /etc/sssd/sssd.conf
ldap_user_certificate=userCertificate;binary

If "ldap_user_certificate" is not set in "/etc/sssd/sssd.conf", this is a finding.

References:
CCI-000187
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 13
TITLE            : CAT II, V-274866, SV-274866r1101739, SRG-OS-000396-GPOS-00176
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:37101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:37101
RULE             : Ubuntu 22.04 LTS must use the "SSSD" package for multifactor authentication services.
QUESTION_TEXT    : Verify the "sssd.service" is enabled and active with the following commands: 
 
$ sudo systemctl is-enabled sssd
enabled

$ sudo systemctl is-active sssd
active

If "sssd.service" is not active or enabled, this is a finding.

References:
CCI-004046
CCI-004047
CCI-000765
CCI-000766
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 13
TITLE            : CAT II, V-274867, SV-274867r1107270, SRG-OS-000396-GPOS-00176
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:37301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:37301
RULE             : Ubuntu 22.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication.
QUESTION_TEXT    : Verify Ubuntu 22.04 LTS, for PKI-based authentication, has valid certificates by constructing a certification path to an accepted trust anchor. 

Verify the pam service is listed under [sssd] with the following command:

$ sudo grep -A 1 '^\[sssd\]' /etc/sssd/sssd.conf
[sssd]
services = nss,pam,ssh

If "pam" is not listed in services, this is a finding. Note that "services" need not be the first line of the [sssd] section; if "grep -A 1" does not show it, inspect the entire section before concluding it is missing.

Verify the [pam] section of /etc/sssd/sssd.conf enables smart card (certificate) authentication with the following command:

$ sudo grep -A 1 '^\[pam\]' /etc/sssd/sssd.conf
[pam]
pam_cert_auth = True

If "pam_cert_auth = True" is not returned, this is a finding.

Verify "ca" is enabled in "certificate_verification" with the following command: 
  
$ sudo grep certificate_verification /etc/sssd/sssd.conf
certificate_verification = ca_cert,ocsp
 
If "certificate_verification" is not set to a value that performs CA path validation (as "ca_cert,ocsp" does in the example above), is missing, or is commented out, this is a finding.

References:
CCI-000185
CCI-004909
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 13
TITLE            : CAT III, V-260587, SV-260587r959008, SRG-OS-000479-GPOS-00224
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:23101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:23101
RULE             : Ubuntu 22.04 LTS must have a crontab script running weekly to offload audit events of standalone systems.
QUESTION_TEXT    : Verify there is a script that offloads audit data and that script runs weekly by using the following command: 
 
Note: If the system is not connected to a network, this requirement is not applicable. 
  
     $ ls /etc/cron.weekly 
     <audit_offload_script_name> 
  
Check whether the script offloads audit logs to external media.  
  
If the script file does not exist or does not offload audit logs, this is a finding.

References:
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 13
TITLE            : CAT III, V-260593, SV-260593r958424, SRG-OS-000046-GPOS-00022
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:24301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:24301
RULE             : Ubuntu 22.04 LTS must alert the information system security officer (ISSO) and system administrator (SA) in the event of an audit processing failure.
QUESTION_TEXT    : Verify that the SA and ISSO are notified in the event of an audit processing failure by using the following command: 
 
Note: An email package must be installed on the system for email notifications to be sent. 
  
     $ sudo grep -i action_mail_acct /etc/audit/auditd.conf 
     action_mail_acct = <administrator_email_account> 
  
If "action_mail_acct" is not set to the email address of the SA and/or ISSO, is commented out, or is missing, this is a finding.

References:
CCI-000139
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 13
TITLE            : CAT III, V-274863, SV-274863r1107271, SRG-OS-000396-GPOS-00176
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:testaction:36501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2204os:question:36501
RULE             : Ubuntu 22.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
QUESTION_TEXT    : Note: If smart card authentication is not being used on the system, this is not applicable. 

Verify that PAM prohibits the use of cached authentications after one day with the following command:
 
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 
offline_credentials_expiration = 1 
 
If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding.

References:
CCI-002007
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************
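Added example, not part of the STIG or the SCC content: questions 8, 10 and 13 above all grep /etc/sssd/sssd.conf, and two of those greps are fragile. "grep -A 1 '^\[sssd\]'" shows only the line immediately after the section header, so a "services" line further down the section is missed, and a plain "grep certificate_verification" cannot tell a commented-out line, or a key in the wrong section, from a live setting. The parser below tracks the current INI section, then applies the five settings those questions look for in one pass. The two configurations are constructed samples; the domain name is invented.

```shell
#!/bin/sh
# Added example, not part of the STIG: an INI-aware check of sssd.conf covering
# questions 8, 10 and 13. The two configurations below are constructed samples
# (the domain name is invented).

SAMPLE_GOOD='[sssd]
config_file_version = 2
domains = example.mil
services = nss, pam, ssh
certificate_verification = ca_cert,ocsp

[pam]
pam_cert_auth = True
offline_credentials_expiration = 1

[domain/example.mil]
id_provider = ldap
auth_provider = krb5
ldap_user_certificate = userCertificate;binary'

SAMPLE_WEAK='[sssd]
services = nss, ssh
domains = example.mil
# certificate_verification = ca_cert,ocsp

[pam]
offline_credentials_expiration = 7

[domain/example.mil]
id_provider = ldap
ldap_user_certificate = userCertificate;binary'

# sssd_triples CONFIG_TEXT -> "section<TAB>key<TAB>value" per uncommented setting
sssd_triples() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    index($0, "=") {
      k = $0; v = $0
      sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
      sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
      print sec "\t" k "\t" v }'
}

# sssd_get CONFIG_TEXT SECTION_ERE KEY -> value of the first match, or nothing
sssd_get() {
  sssd_triples "$1" | awk -F'\t' -v sec="$2" -v key="$3" '$1 ~ sec && $2 == key { print $3; exit }'
}

# sssd_findings CONFIG_TEXT -> one line per failed check; no output = Not a Finding
sssd_findings() {
  case ",$(sssd_get "$1" '^sssd$' services | tr -d ' ')," in
    *,pam,*) ;;
    *) printf '%s\n' 'pam is not listed in [sssd] services' ;;
  esac
  v=$(sssd_get "$1" '^pam$' pam_cert_auth | tr 'A-Z' 'a-z')
  [ "$v" = "true" ] || printf '%s\n' '[pam] pam_cert_auth is not True'
  v=$(sssd_get "$1" '.' certificate_verification)
  [ -n "$v" ] || printf '%s\n' 'certificate_verification is unset or commented out'
  v=$(sssd_get "$1" '^domain/' ldap_user_certificate)
  [ -n "$v" ] || printf '%s\n' 'ldap_user_certificate is not set in any [domain/...] section'
  v=$(sssd_get "$1" '^pam$' offline_credentials_expiration)
  [ "$v" = "1" ] || printf '%s\n' '[pam] offline_credentials_expiration is not 1'
}

# Demo: the good sample prints nothing; the weak sample prints four findings.
sssd_findings "$SAMPLE_GOOD"
sssd_findings "$SAMPLE_WEAK"
# On a real host (sssd.conf is root-readable only; conf.d files are merged in,
# as question 13 notes):
#   sssd_findings "$(sudo cat /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null)"
```

Concatenating conf.d files after sssd.conf means a key repeated in a later file is not seen by sssd_get, which returns the first match; when both define the same key, compare them by hand, since SSSD's own merge order is what decides the effective value.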

