Product:
BigFix Compliance
Title:
Updated DISA STIG Checklist for Ubuntu 22.04 LTS Server.
Security Benchmark:
DISA Canonical Ubuntu 22.04 LTS STIG SCAP Benchmark V2R5
Published Sites:
DISA STIG Checklist for Ubuntu 22.04 LTS Server, site version 5
(The site version is provided for air-gap customers.)
Details:
Total New Fixlets: 6
Total Updated Fixlets: 2
Total Deleted Fixlets: 0
Total Fixlets in Site: 181
New Fixlets:
The operating system must restrict privilege elevation to authorized personnel.
Ubuntu 22.04 LTS must audit any script or executable called by cron as root or by any privileged user.
Ubuntu 22.04 LTS must have the “SSSD” package installed.
Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication (B).
Ubuntu 22.04 LTS must use the “SSSD” package for multifactor authentication services.
Ubuntu 22.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication.
Updated Fixlets:
Ubuntu 22.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
Ubuntu 22.04 LTS must store only encrypted representations of passwords.
Additional details:
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
Improved few checks by adding the pending restart feature to them. The pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed” for those checks which requires OS reboot.
● The check will show relevant for those endpoints until they are rebooted.
● Post reboot of the endpoint the action results will show as “Fixed” and the check will be compliant.
Actions to take:
-
To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product, and you must be using BigFix version 10.0 and later.
-
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://help.hcltechsw.com/bigfix/10.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
- BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
- BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team