Product:
BigFix Compliance
Title:
Updated DISA Checklist for Ubuntu 24.04.
Security Benchmark:
Canonical Ubuntu 24.04 LTS STIG, v1r2
Published Sites:
DISA STIG Checklist for Ubuntu 24.04 LTS Server, site version 3
(The site version is provided for air-gap customers.)
Details:
· Total New Fixlets: 6
· Total Updated Fixlets: 11
· Total Deleted Fixlets: 0
· Total Fixlets in Site: 188
New Fixlets:
· Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface autorun function.
· Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user smart card removal action.
· Ubuntu 24.04 LTS must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
· Ubuntu 24.04 LTS must audit any script or executable called by cron as root or by any privileged user.
· Ubuntu 24.04 LTS must restrict privilege elevation to authorized personnel.
· Ubuntu 24.04 LTS must require users to provide a password for privilege escalation.
Updated Fixlets:
· Ubuntu 24.04 LTS must limit the number of concurrent sessions to 10 for all accounts and/or account types.
· Ubuntu 24.04 LTS must initiate a graphical session lock after 10 minutes of inactivity.
· Ubuntu 24.04 LTS library files must have mode 0755 or less permissive.
· Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface automount function.
· Ubuntu 24.04 LTS library files must be owned by root.
· Ubuntu 24.04 LTS library files must be group-owned by root or a system account.
· Ubuntu 24.04 LTS library directories must be owned by root.
· Ubuntu 24.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.
· Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
· Ubuntu 24.04 LTS must store only encrypted representations of passwords.
· Ubuntu 24.04 LTS must disable kernel core dumps.
Actions to take:
· Both analysis and remediation checks are included.
· Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
· A few checks have been improved by adding the pending restart feature. The pending restart feature works in the following ways:
  · The action results will show “Pending Restart” instead of “Fixed” for checks that require an OS reboot.
  · The check will show as relevant for those endpoints until they are rebooted.
  · After the endpoint is rebooted, the action results will show as “Fixed” and the check will be compliant.
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
- BigFix Forum: https://forum.bigfix.com/c/release-announcements/compliance
- BigFix Compliance SCM Checklists: https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team