################################################################################
DOCUMENT         : CAN_Ubuntu_24-04_STIG
VERSION          : 001.001.001
CHECKSUM         : ed6b48112198808f56748f123be7d9c0722251869a8ad16f765ec5f4a1dba11c
MANUAL QUESTIONS : 15

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 15
TITLE            : CAT I, V-270748, SV-270748r1066733, SRG-OS-000134-GPOS-00068
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:20701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:20701
RULE             : Ubuntu 24.04 LTS must ensure only users who need access to security functions are part of sudo group.
QUESTION_TEXT    : Verify the sudo group has only members who require access to security functions with the following command (the anchored pattern avoids matching other groups or users whose names merely contain "sudo"):

$ grep '^sudo:' /etc/group
sudo:x:27:foo

Compare each listed member with the site's list of personnel authorized to perform security functions. If the sudo group contains users not needing access to security functions, this is a finding.

References:
CCI-001084
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 15
TITLE            : CAT II, V-270651, SV-270651r1068395, SRG-OS-000446-GPOS-00200
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:1301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:1301
RULE             : Ubuntu 24.04 LTS must be configured so that the script which runs each 30 days or less to check file integrity is the default one.
QUESTION_TEXT    : Note: If AIDE is not installed, this finding is not applicable.

Check the integrity of the AIDE configuration file installed on the system (the default configuration file is located at /etc/aide/aide.conf or in /etc/aide/aide.conf.d/) with the following command:
$ sudo sha256sum /etc/aide/aide.conf
f3bbea2552f2c5b475627850d8a5fba1659df6466986d5a18948d9821ecbe491  /etc/aide/aide.conf

Download the original aide-common package in the /tmp directory: 
$ cd /tmp; apt download aide-common 

Generate the checksum from the aide.conf file in the downloaded .deb package (the file name carries the version that apt downloaded; use the name actually present in /tmp):
$ sudo dpkg-deb --fsys-tarfile /tmp/aide-common_0.18.6-2build2_all.deb | tar -xO ./usr/share/aide/config/aide/aide.conf | sha256sum
f3bbea2552f2c5b475627850d8a5fba1659df6466986d5a18948d9821ecbe491  -

If the checksums of the system file (/etc/aide/aide.conf) and the extracted file do not match, this is a finding.

To verify the frequency of the file integrity checks, inspect the contents of the scheduled jobs as follows:

Checking scheduled cron jobs:
$ grep -r aide /etc/cron* /etc/crontab
/etc/cron.daily/dailyaidecheck:SCRIPT="/usr/share/aide/bin/dailyaidecheck"

Checking the systemd timer (this will show when the next scheduled run occurs and the last time the AIDE check was triggered):
$ sudo systemctl list-timers | grep aide
Thu 2024-10-31 02:01:58 EDT           10h Wed 2024-10-30 13:47:41 EDT            - dailyaidecheck.timer           dailyaidecheck.service

The contents of these files can be inspected with the following commands:
$ sudo systemctl cat dailyaidecheck.timer
$ sudo systemctl cat dailyaidecheck.service

If there is no AIDE script file in the cron directories or in the systemd timer, this is a finding.

References:
CCI-002699
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 15
TITLE            : CAT II, V-270679, SV-270679r1107295, SRG-OS-000028-GPOS-00009
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:6901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:6901
RULE             : Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface automount function.
QUESTION_TEXT    : Note: This requirement assumes the use of the Ubuntu 24.04 LTS default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify Ubuntu 24.04 LTS disables the ability of the user to override the graphical user interface automount setting.

Determine which profile the system database is using with the following command:

$ sudo grep system-db /etc/dconf/profile/user

system-db:local

Check that the automount setting is locked from nonprivileged user modification with the following command:

Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.

$ grep 'automount-open' /etc/dconf/db/local.d/locks/* 

/org/gnome/desktop/media-handling/automount-open

If the command does not return at least the example result, this is a finding.

References:
CCI-000056
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 15
TITLE            : CAT II, V-270682, SV-270682r1066535, SRG-OS-000002-GPOS-00002
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:7501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:7501
RULE             : Ubuntu 24.04 LTS must automatically remove or disable emergency accounts after 72 hours.
QUESTION_TEXT    : Verify temporary and emergency accounts have been provisioned with an expiration date no more than 72 hours after they were created with the following command:

$ sudo chage -l <temporary_account_name> | grep -i "account expires"

Verify each of these accounts has an expiration date set within 72 hours of its creation (an output of "never" means no expiration date is set).

If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
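The check above reads one date by eye. The following is an added example, not part of the STIG, that evaluates the full `chage -l` output for an account: it parses the C-locale dates chage prints ("Oct 30, 2024"), takes the "Last password change" date as the provisioning date (an assumption, since chage records no creation time; for a freshly created account the two coincide) and reports whether "Account expires" falls within 72 hours of it. The sample outputs are constructed.

```python
"""Added example (not STIG text): does one account's `chage -l` output
satisfy the 72-hour limit for temporary/emergency accounts?

Assumptions: C-locale date format, and "Last password change" used as the
provisioning date because chage does not record account creation.
"""
import os
import subprocess
import sys
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(hours=72)
_DATE_FMT = "%b %d, %Y"  # chage's C-locale date format

# Constructed sample outputs, trimmed to the lines the check needs.
SAMPLE_OK = """Last password change\t\t\t\t\t: Oct 30, 2024
Password expires\t\t\t\t\t: never
Account expires\t\t\t\t\t\t: Nov 02, 2024
"""
SAMPLE_LATE = """Last password change\t\t\t\t\t: Oct 30, 2024
Account expires\t\t\t\t\t\t: Nov 03, 2024
"""
SAMPLE_NEVER = """Last password change\t\t\t\t\t: Oct 30, 2024
Account expires\t\t\t\t\t\t: never
"""


def parse_chage(output: str) -> dict:
    """Map each `chage -l` label to its value, e.g. {"Account expires": "never"}."""
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _parse_date(text: str):
    """Return a datetime, or None for "never" / "password must be changed"."""
    try:
        return datetime.strptime(text, _DATE_FMT)
    except ValueError:
        return None


def expires_in_time(output: str) -> tuple:
    """Return (compliant, reason) for one account's `chage -l` output."""
    fields = parse_chage(output)
    expires = _parse_date(fields.get("Account expires", "never"))
    if expires is None:
        return False, "no expiration date set"
    created = _parse_date(fields.get("Last password change", ""))
    if created is None:
        return False, "cannot determine provisioning date"
    # chage works in whole days: the account is disabled at the start of the
    # expiry day, so an expiry three days after provisioning is the latest
    # value that still fits inside 72 hours.
    lifetime = expires - created
    if lifetime > MAX_LIFETIME:
        return False, f"expires {lifetime.days} days after provisioning"
    return True, f"expires {lifetime.days} days after provisioning"


def check_account(user: str) -> tuple:
    """Run chage (needs root) for a real account and evaluate it."""
    out = subprocess.run(["chage", "-l", user], capture_output=True, text=True,
                         check=True, env={**os.environ, "LC_ALL": "C"}).stdout
    return expires_in_time(out)


if __name__ == "__main__":
    for user in sys.argv[1:]:
        ok, why = check_account(user)
        print(f"{user}: {'not a finding' if ok else 'FINDING'} ({why})")
```

Run it as root with the temporary account names as arguments; an account whose password was reset after creation will show a later "Last password change" date, so confirm the provisioning date from the account request record in that case.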

References:
CCI-000016
CCI-001682
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 15
TITLE            : CAT II, V-270694, SV-270694r1066571, SRG-OS-000024-GPOS-00007
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:9901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:9901
RULE             : Ubuntu 24.04 LTS must be configured to enforce the acknowledgement of the Standard Mandatory DOD Notice and Consent Banner for all SSH connections.
QUESTION_TEXT    : Verify Ubuntu 24.04 LTS is configured to prompt a user to acknowledge the Standard Mandatory DOD Notice and Consent Banner before granting access with the following command:

$ less /etc/profile.d/ssh_confirm.sh
#!/bin/bash

if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then
        while true; do
                read -p " 


You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Do you agree? [y/N] " yn
                case $yn in
                        [Yy]* ) break ;;
                        [Nn]* ) exit 1 ;;
                esac
        done
fi

If the output does not match the text above, this is a finding.

References:
CCI-000050
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 15
TITLE            : CAT II, V-270719, SV-270719r1067172, SRG-OS-000096-GPOS-00050
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:14901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:14901
RULE             : Ubuntu 24.04 LTS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.
QUESTION_TEXT    : Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services with the following command:
 
$ sudo ufw show raw 
Chain OUTPUT (policy ACCEPT) 
target  prot opt sources    destination 
Chain INPUT (policy ACCEPT 1 packets, 40 bytes) 
    pkts      bytes target     prot opt in     out     source               destination 
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
    pkts      bytes target     prot opt in     out     source               destination 
 
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) 
    pkts      bytes target     prot opt in     out     source               destination 
 
Ask the system administrator for the site or program PPSM Components Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA.  
 
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. 
 
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
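Comparing a long chain listing with the CLSA by hand is error-prone. The following is an added example, not part of the STIG, that parses an `iptables -L -n -v` style listing (the format shown in the `ufw show raw` output above) and reports two things a reviewer looks for: built-in inbound chains whose default policy is ACCEPT, and ACCEPT rules whose destination ports are not on the allowlist. The allowlist, chain contents and sample listing are constructed; substitute the site's CLSA and the live output.

```python
"""Added example (not STIG text): compare inbound ACCEPT rules in an
`iptables -L -n -v` style listing with a PPSM CLSA allowlist.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for the CLSA: (protocol, port) pairs that are approved.
CLSA_ALLOWED = {("tcp", 22), ("tcp", 443)}

_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
_DPT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")

# Constructed filter-table excerpt in the shape of `iptables -L -n -v`.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      10      800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      50     4000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       5      300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       2      120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
       0        0 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpts:5900:5902
"""


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    proto: str
    in_if: str
    ports: tuple   # (low, high) inclusive, or None when the rule matches any port
    extra: str     # trailing match text, e.g. "ctstate RELATED,ESTABLISHED"


def parse_listing(text: str):
    """Return ({chain: default policy or None}, [Rule, ...])."""
    policies, rules, chain = {}, [], None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            policies[chain] = m.group(2)   # None for user-defined chains
            continue
        parts = line.split()
        # rule rows: pkts bytes target prot opt in out source destination [matches]
        if chain is None or len(parts) < 9 or not parts[0].isdigit():
            continue
        m = _DPT_RE.search(line)
        ports = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else None
        rules.append(Rule(chain, parts[2], parts[3], parts[5], ports, " ".join(parts[9:])))
    return policies, rules


def permissive_policies(text: str) -> list:
    """Built-in inbound chains whose default policy is ACCEPT (unmatched traffic is let in)."""
    policies, _ = parse_listing(text)
    return sorted(c for c in ("INPUT", "FORWARD") if policies.get(c) == "ACCEPT")


def unlisted_services(text: str, allowed=CLSA_ALLOWED) -> list:
    """(chain, proto, port) for inbound ACCEPT rules not covered by the allowlist."""
    findings = []
    for r in parse_listing(text)[1]:
        if r.target != "ACCEPT" or "input" not in r.chain.lower():
            continue
        if r.in_if == "lo" or "ESTABLISHED" in r.extra:
            continue  # loopback and reply traffic are not exposed services
        if r.ports is None:
            findings.append((r.chain, r.proto, "any"))  # blanket accept
            continue
        for port in range(r.ports[0], r.ports[1] + 1):
            if (r.proto, port) not in allowed:
                findings.append((r.chain, r.proto, port))
    return findings
```

Feed it `sudo ufw show raw` (or `sudo iptables -L -n -v`) output; every tuple it returns is either a service to add to the CLSA or a rule to remove, and an ACCEPT default policy on INPUT means the allowlist is not actually enforced.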

References:
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 15
TITLE            : CAT II, V-270735, SV-270735r1066694, SRG-OS-000066-GPOS-00034
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:18101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:18101
RULE             : Ubuntu 24.04 LTS, for PKI-based authentication, SSSD must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
QUESTION_TEXT    : Verify Ubuntu 24.04 LTS, for PKI-based authentication, has valid certificates by constructing a certification path to an accepted trust anchor. 

Ensure the pam service is listed under [sssd] with the following command:

$ sudo grep -A 1 '^\[sssd\]' /etc/sssd/sssd.conf
[sssd]
services = nss,pam,ssh

If "pam" is not listed in services, this is a finding.

Additionally, verify smart card authentication is enabled in the [pam] section of /etc/sssd/sssd.conf with the following command:

$ sudo grep -A 1 '^\[pam]' /etc/sssd/sssd.conf
[pam]
pam_cert_auth = True

If "pam_cert_auth = True" is not returned, this is a finding.

Ensure CA validation ("ca_cert") is enabled in "certificate_verification" with the following command:

$ sudo grep certificate_verification /etc/sssd/sssd.conf
certificate_verification = ca_cert,ocsp

If "certificate_verification" does not include "ca_cert" or the line is commented out (the grep also prints commented lines, so check for a leading "#"), this is a finding.
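The `grep -A 1` commands above only show the line directly under each section header, so a `services` or `pam_cert_auth` key placed further down the section is missed. The following is an added example, not part of the STIG, that loads sssd.conf with Python's configparser (sssd.conf is INI-style) and evaluates all three conditions; commented lines are dropped by the parser, so a commented-out `certificate_verification` is reported as missing. The sample configurations are constructed, and the required "ca_cert" token is taken from the STIG's expected value.

```python
"""Added example (not STIG text): evaluate the three SSSD smart-card
conditions from the check with configparser instead of grep -A 1.
"""
import configparser

REQUIRED_VERIFICATION_TOKENS = {"ca_cert"}   # per the STIG's expected value

# Constructed sample configurations.
SAMPLE_GOOD = """\
[sssd]
config_file_version = 2
domains = example.mil
services = nss, pam, ssh
certificate_verification = ca_cert,ocsp

[pam]
pam_cert_auth = True

[domain/example.mil]
id_provider = ldap
"""

SAMPLE_BAD = """\
[sssd]
services = nss
# certificate_verification = ca_cert,ocsp

[pam]
pam_cert_auth = False
"""


def load_sssd(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text; '#' and ';' lines are comments, so a commented key is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def certificate_verification(cp):
    """The effective certificate_verification value ([sssd] or a domain section), or None."""
    for section in ["sssd"] + [s for s in cp.sections() if s.startswith("domain/")]:
        if cp.has_option(section, "certificate_verification"):
            return cp.get(section, "certificate_verification")
    return None


def check_sssd(text: str) -> list:
    """Return finding descriptions; an empty list means all three conditions hold."""
    cp = load_sssd(text)
    findings = []
    services = {s.strip().lower() for s in cp.get("sssd", "services", fallback="").split(",")}
    if "pam" not in services:
        findings.append("[sssd] services does not include pam")
    if cp.get("pam", "pam_cert_auth", fallback="false").strip().lower() != "true":
        findings.append("[pam] pam_cert_auth is not True")
    value = certificate_verification(cp)
    if value is None:
        findings.append("certificate_verification is missing or commented out")
    else:
        tokens = {t.strip().lower() for t in value.split(",")}
        # no_verification switches chain validation off entirely
        if not REQUIRED_VERIFICATION_TOKENS <= tokens or "no_verification" in tokens:
            findings.append(f"certificate_verification = {value!r} does not enable CA validation")
    return findings


def check_file(path: str = "/etc/sssd/sssd.conf") -> list:
    """Evaluate the live file (needs root; sssd.conf is mode 0600)."""
    with open(path, encoding="utf-8") as fh:
        return check_sssd(fh.read())
```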

References:
CCI-000185
CCI-004909
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 15
TITLE            : CAT II, V-270745, SV-270745r1066724, SRG-OS-000403-GPOS-00182
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:20101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:20101
RULE             : Ubuntu 24.04 LTS must use DOD PKI-established certificate authorities (CAs) for verification of the establishment of protected sessions.
QUESTION_TEXT    : Verify the directory containing the root certificates for Ubuntu 24.04 LTS contains certificate files for DOD PKI-established CAs by iterating over all files in the "/etc/ssl/certs" directory and checking that at least one has a subject matching "DOD ROOT CA" (the subject as issued is written "DoD Root CA", so match case-insensitively).

$ grep -ir DOD /etc/ssl/certs
DOD_PKE_CA_chain.pem

Note: grep only searches the text inside the files (and with -i it can also hit "dod" inside base64 data); it does not read the certificate subject. Confirm the subject of each candidate file with "openssl x509 -in <file> -noout -subject".

If no DOD root certificate is found, this is a finding.
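The following is an added example, not part of the STIG, that does the subject check properly: it splits each file into PEM blocks (a bundle such as a CA chain holds several certificates, and `openssl x509` reads only the first one), asks the openssl CLI for each subject, and matches the subject case-insensitively. The bundle text and subject strings below are constructed placeholders, so the offline run exercises the splitting and matching only; `cert_subjects()` needs openssl on the host.

```python
"""Added example (not STIG text): find DoD root CAs in /etc/ssl/certs by
certificate subject rather than by grepping file names or PEM text.
Assumes the openssl command-line tool is installed.
"""
import os
import re
import subprocess

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed bundle with two PEM blocks; the bodies are placeholders, not
# real certificates, so only the splitting can be exercised offline.
SAMPLE_BUNDLE = """\
# constructed placeholder bundle
-----BEGIN CERTIFICATE-----
MIIB...first...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...second...
-----END CERTIFICATE-----
"""

# Constructed subjects in the form `openssl x509 -noout -subject` prints.
SAMPLE_SUBJECTS = {
    "/etc/ssl/certs/DOD_PKE_CA_chain.pem": [
        "C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3",
        "C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD EMAIL CA-1",
    ],
    "/etc/ssl/certs/ISRG_Root_X1.pem": [
        "C = US, O = Internet Security Research Group, CN = ISRG Root X1",
    ],
}


def pem_blocks(text: str) -> list:
    """Split a PEM file or bundle into individual certificate blocks."""
    return _PEM_BLOCK.findall(text)


def subject_of(pem: str) -> str:
    """Ask openssl for one certificate's subject, e.g. "C = US, ..., CN = DoD Root CA 3"."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject"], input=pem,
                         capture_output=True, text=True, check=True).stdout
    return out.strip().removeprefix("subject=").strip()


def cert_subjects(directory: str = "/etc/ssl/certs") -> dict:
    """{path: [subject, ...]} for every readable PEM file in the directory."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                blocks = pem_blocks(fh.read())
        except OSError:
            continue
        if blocks:
            result[path] = [subject_of(block) for block in blocks]
    return result


def dod_roots(subjects: dict, pattern: str = "DOD ROOT CA") -> list:
    """(path, subject) pairs whose subject contains the pattern, case-insensitively."""
    needle = pattern.lower()
    return [(path, s) for path, subs in subjects.items() for s in subs if needle in s.lower()]


if __name__ == "__main__":
    hits = dod_roots(cert_subjects())
    print("\n".join(f"{p}: {s}" for p, s in hits) or "FINDING: no DoD root CA in /etc/ssl/certs")
```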

References:
CCI-002470
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 15
TITLE            : CAT II, V-270747, SV-270747r1066730, SRG-OS-000185-GPOS-00079
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:20501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:20501
RULE             : Ubuntu 24.04 LTS handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
QUESTION_TEXT    : Note: If there is a documented and approved mission requirement for data-at-rest to not be encrypted, this requirement is not applicable. 
 
Verify Ubuntu 24.04 LTS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.  

Determine the partition layout for the system with the following command: 
 
$ sudo fdisk -l 
(..) 
Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors 
Units: sectors of 1 * 512 = 512 bytes 
Sector size (logical/physical): 512 bytes / 512 bytes 
I/O size (minimum/optimal): 512 bytes / 512 bytes 
Disklabel type: gpt 
Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB 
 
Device       Start      End  Sectors Size Type 
/dev/vda1     2048     4095     2048   1M BIOS boot 
/dev/vda2     4096  2101247  2097152   1G Linux filesystem 
/dev/vda3  2101248 31455231 29353984  14G Linux filesystem 
(...) 
 
Verify the system partitions are all encrypted with the following command: 
 
$ more /etc/crypttab
 
Every persistent disk partition present must have an entry in the file.  
 
If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.
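Reading fdisk and crypttab side by side leaves the reviewer to work out which partition each crypttab device refers to. The following is an added example, not part of the STIG, that answers the question from `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` instead: a partition whose FSTYPE is crypto_LUKS is encrypted, an empty FSTYPE (BIOS boot area, unused partition) holds no data, /boot and /boot/efi are the exempt boot partitions, and anything else (ext4, xfs, swap, an unencrypted LVM physical volume) directly on a partition is plaintext. It also lists active crypt mappings that have no crypttab entry, which the manual crypttab read would miss. The lsblk output and crypttab contents are constructed.

```python
"""Added example (not STIG text): report unencrypted data partitions from
lsblk output and crypt mappings missing from /etc/crypttab.
"""
import re
import subprocess

EXEMPT_MOUNTS = {"/boot", "/boot/efi"}
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed `lsblk -P` output: vda fully encrypted, vdb1 plain ext4 at /data.
SAMPLE_LSBLK = """\
NAME="vda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="vda1" TYPE="part" FSTYPE="" MOUNTPOINT=""
NAME="vda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="vda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="dm_crypt-0" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="ubuntu--vg-ubuntu--lv" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="vdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"
"""

# Constructed /etc/crypttab (the UUID is a placeholder).
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
dm_crypt-0 UUID=5f2c0a1e-0000-4000-8000-000000000001 none luks
"""


def parse_lsblk(text: str) -> list:
    """Turn `lsblk -P` key="value" lines into a list of dicts."""
    return [dict(_PAIR_RE.findall(line)) for line in text.splitlines() if line.strip()]


def unencrypted_partitions(lsblk_text: str) -> list:
    """(name, fstype, mountpoint) for partitions holding a plain, non-boot filesystem."""
    findings = []
    for dev in parse_lsblk(lsblk_text):
        if dev.get("TYPE") != "part":
            continue
        fstype, mount = dev.get("FSTYPE", ""), dev.get("MOUNTPOINT", "")
        if fstype in ("", "crypto_LUKS") or mount in EXEMPT_MOUNTS:
            continue
        findings.append((dev["NAME"], fstype, mount))
    return findings


def crypttab_names(text: str) -> set:
    """Target names from crypttab, ignoring comments and blank lines."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return names


def unlisted_mappings(lsblk_text: str, crypttab_text: str) -> list:
    """Active crypt devices with no crypttab entry (opened by hand, not at boot)."""
    listed = crypttab_names(crypttab_text)
    return [dev["NAME"] for dev in parse_lsblk(lsblk_text)
            if dev.get("TYPE") == "crypt" and dev["NAME"] not in listed]


def live_check() -> tuple:
    """Run on the host: (unencrypted partitions, crypt mappings missing from crypttab)."""
    lsblk = subprocess.run(["lsblk", "-P", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                           capture_output=True, text=True, check=True).stdout
    try:
        with open("/etc/crypttab", encoding="utf-8") as fh:
            crypttab = fh.read()
    except FileNotFoundError:
        crypttab = ""   # no crypttab at all: every mapping is unlisted
    return unencrypted_partitions(lsblk), unlisted_mappings(lsblk, crypttab)
```

Any tuple from `unencrypted_partitions()` is a finding unless it is covered by the documented mission exception; a name from `unlisted_mappings()` means the volume will not be unlocked at boot and deserves a look at how it was opened.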

References:
CCI-001199
CCI-002475
CCI-002476
CCI-004910
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 15
TITLE            : CAT II, V-274871, SV-274871r1107302, SRG-OS-000031-GPOS-00012
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:38301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:38301
RULE             : Ubuntu 24.04 LTS must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
QUESTION_TEXT    : Note: This requirement assumes the use of the Ubuntu 24.04 LTS default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

To verify the screensaver image setting is locked so the user cannot change the blank screen, run the following command as a regular user (not root) in a logged-in session:

$ gsettings writable org.gnome.desktop.screensaver picture-uri
 
false
 
If "picture-uri" is writable and the result is "true", this is a finding.

References:
CCI-000060
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 15
TITLE            : CAT II, V-274872, SV-274872r1107297, SRG-OS-000114-GPOS-00059
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:38501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:38501
RULE             : Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface autorun function.
QUESTION_TEXT    : Note: This requirement assumes the use of the Ubuntu 24.04 LTS default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify Ubuntu 24.04 LTS disables ability of the user to override the graphical user interface autorun setting.

Check that the autorun setting is not writable by the user with the following command, run as a regular user (not root) in a logged-in session:

$ gsettings writable org.gnome.desktop.media-handling autorun-never
 
false
 
If the result is "true", "autorun-never" is writable by the user. If this is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

References:
CCI-000778
CCI-001958
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 15
TITLE            : CAT II, V-274873, SV-274873r1107300, SRG-OS-000028-GPOS-00009
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:38701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:38701
RULE             : Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user smart card removal action.
QUESTION_TEXT    : Note: This requirement assumes the use of the Ubuntu 24.04 LTS default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable.

Verify Ubuntu 24.04 LTS disables the ability of the user to override the smart card removal action setting with the following command, run as a regular user (not root) in a logged-in session:

$ gsettings writable org.gnome.settings-daemon.peripherals.smartcard removal-action
 
false
 
If "removal-action" is writable and the result is "true", this is a finding.

References:
CCI-000056
CCI-000057
CCI-000058
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 15
TITLE            : CAT III, V-270817, SV-270817r1066940, SRG-OS-000479-GPOS-00224
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:34501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:34501
RULE             : Ubuntu 24.04 LTS must have a crontab script running weekly to offload audit events of standalone systems.
QUESTION_TEXT    : Note: If this is an interconnected system, this is not applicable.
 
Verify there is a script that offloads audit data and that script runs weekly with the following command:

$ ls /etc/cron.weekly 
audit-offload 
 
Check if the script inside the file offloads audit logs to external media. 
 
If the script file does not exist or does not offload audit logs, this is a finding.

References:
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 15
TITLE            : CAT III, V-270818, SV-270818r1066943, SRG-OS-000343-GPOS-00134
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:34701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:34701
RULE             : Ubuntu 24.04 LTS must immediately notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
QUESTION_TEXT    : Verify Ubuntu 24.04 LTS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: 
 
Note: If the space_left_action is set to "email", a mail transport must be installed so auditd can deliver the message.

$ sudo grep ^space_left_action /etc/audit/auditd.conf
space_left_action = email
 
$ sudo grep ^space_left /etc/audit/auditd.conf
space_left = 250000
 
Note: "space_left" is a size in megabytes; compare it with the size of the filesystem that holds the audit log (df -m /var/log/audit). The second grep also matches the space_left_action line; read only the "space_left" line.

If the "space_left" parameter is missing, set to blanks, not numeric, or set to a value less than 25 percent of the space allocated for audit record storage, this is a finding. 
 
If the "space_left_action" parameter is missing or set to blanks, this is a finding. 

If the "space_left_action" is set to "email", check the value of the "action_mail_acct" parameter with the following command: 
 
$ sudo grep ^action_mail_acct /etc/audit/auditd.conf
action_mail_acct = root@localhost 
 
The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA(s) and/or ISSO, this is a finding.   
 
If the "space_left_action" is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding. 

References:
CCI-001855
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 15
TITLE            : CAT III, V-270819, SV-270819r1068390, SRG-OS-000046-GPOS-00022
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:testaction:34901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ubuntu2404os:question:34901
RULE             : Ubuntu 24.04 LTS must alert the system administrator (SA) and information system security officer (ISSO) (at a minimum) in the event of an audit processing failure.
QUESTION_TEXT    : Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure with the following command: 
 
$ sudo grep '^action_mail_acct' /etc/audit/auditd.conf
action_mail_acct = <administrator_account> 
 
If the value of the "action_mail_acct" keyword is not set to an account for security personnel, the returned line is commented out, or the keyword is missing, this is a finding.
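The two audit-storage questions (V-270818 on space_left and V-270819 on action_mail_acct) read the same file, and the 25 percent threshold needs the audit filesystem size that the grep commands do not give. The following is an added example, not part of the STIG, that parses /etc/audit/auditd.conf, measures the filesystem holding log_file, and evaluates space_left, space_left_action and action_mail_acct together. It assumes "key = value" syntax (the parser also tolerates the "key value" spacing the check output shows), treats space_left as megabytes unless it ends in "%" (a form recent auditd releases accept), and uses a constructed list of approved notification accounts that the site's own list should replace.

```python
"""Added example (not STIG text) for V-270818 and V-270819: evaluate the
audit storage threshold and notification settings in auditd.conf.
"""
import os
import re
import shutil

APPROVED_ACCOUNTS = {"isso@example.mil", "sa-team@example.mil"}   # constructed
NOTIFYING_ACTIONS = {"email", "exec"}   # syslog/ignore/suspend do not reach a person
MIN_FRACTION = 0.25
_LINE_RE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")

# Constructed configurations.
SAMPLE_GOOD = """\
log_file = /var/log/audit/audit.log
space_left = 250000
space_left_action = email
action_mail_acct = isso@example.mil
admin_space_left_action = single
"""

SAMPLE_BAD = """\
log_file = /var/log/audit/audit.log
space_left 75
space_left_action SYSLOG
# action_mail_acct left at its default of root
"""


def parse_auditd_conf(text: str) -> dict:
    """{lowercase key: value}; '#' lines and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def audit_fs_size_mb(conf: dict) -> int:
    """Size in MB of the filesystem holding log_file (auditd's default path if unset)."""
    log_file = conf.get("log_file", "/var/log/audit/audit.log")
    return shutil.disk_usage(os.path.dirname(log_file)).total // (1024 * 1024)


def audit_storage_findings(conf: dict, fs_size_mb: int, approved=APPROVED_ACCOUNTS) -> list:
    """Return finding descriptions for both questions; an empty list means compliant."""
    findings = []
    raw = conf.get("space_left", "")
    if raw.endswith("%") and raw[:-1].isdigit():
        if int(raw[:-1]) < MIN_FRACTION * 100:
            findings.append(f"space_left {raw} is below 25% of the audit filesystem")
    elif not raw.isdigit():
        findings.append(f"space_left is missing or not numeric: {raw!r}")
    elif int(raw) < MIN_FRACTION * fs_size_mb:
        findings.append(f"space_left {raw} MB is below 25% of {fs_size_mb} MB")

    action = conf.get("space_left_action", "").lower()
    if action not in NOTIFYING_ACTIONS:
        findings.append(f"space_left_action {action!r} does not notify the SA/ISSO")

    # action_mail_acct is used for every failure notification, so it is checked
    # regardless of space_left_action; auditd defaults it to "root".
    acct = conf.get("action_mail_acct", "root").lower()
    if acct not in approved:
        findings.append(f"action_mail_acct {acct!r} is not an approved SA/ISSO address")
    return findings


def check_host(path: str = "/etc/audit/auditd.conf") -> list:
    """Evaluate the live configuration (needs root to read the file)."""
    with open(path, encoding="utf-8") as fh:
        conf = parse_auditd_conf(fh.read())
    return audit_storage_findings(conf, audit_fs_size_mb(conf))
```

An "exec" action passes the automated part only; the reviewer still has to read the script it names and confirm it informs the SA, as the check text requires.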

References:
CCI-000139
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

