Product:
BigFix Compliance
Title:
Updated DISA Checklist for Ubuntu 20.04.
Security Benchmark:
Canonical Ubuntu 20.04 LTS STIG, v2r4
Published Sites:
DISA STIG Checklist for Ubuntu 20.04 LTS Server, site version 6
(The site version is provided for air-gap customers.)
Details:
· Total New Fixlets: 8
· Total Updated Fixlets: 1
· Total Deleted Fixlets: 0
· Total Fixlets in Site: 171
New Fixlets:
· Ubuntu 20.04 LTS must audit any script or executable called by cron as root or by any privileged user.
· Ubuntu 20.04 LTS must have the “SSSD” package installed.
· Ubuntu 20.04 LTS must use the “SSSD” package for multifactor authentication services.
· Ubuntu 20.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication.
· Ubuntu 20.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
· Ubuntu 20.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication.
· Ubuntu 20.04 LTS must restrict privilege elevation to authorized personnel.
· Ubuntu 20.04 LTS must require users to provide a password for privilege escalation.
Updated Fixlets:
· The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.
Actions to take:
· Both analysis and remediation checks are included
· Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
· Improved a few checks by adding the pending restart feature to them. The pending restart feature works in the following ways:
· The action results will show “Pending Restart” instead of “Fixed” for those checks which require OS reboot.
· The check will show relevant for those endpoints until they are rebooted.
· Post reboot of the endpoint the action results will show as “Fixed” and the check will be compliant.
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
-
BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance -
BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team