Product:
BigFix Compliance
Title:
Updated DISA Checklist for Ubuntu 24.04.
Security Benchmark:
Canonical Ubuntu 24.04 LTS STIG, v1r2
Published Sites:
DISA STIG Checklist for Ubuntu 24.04 LTS Server, site version 3
(The site version is provided for air-gap customers.)
Details:
Total New Fixlets: 6
Total Updated Fixlets: 11
Total Deleted Fixlets: 0
Total Fixlets in Site: 188
New Fixlets:
Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface autorun function.
Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user smart card removal action.
Ubuntu 24.04 LTS must conceal, via the session lock, information previously visible on the display with a publicly viewable image
Ubuntu 24.04 LTS must audit any script or executable called by cron as root or by any privileged user.
Ubuntu 24.04 LTS must restrict privilege elevation to authorized personnel.
Ubuntu 24.04 LTS must require users to provide a password for privilege escalation.
Updated Fixlets:
Ubuntu 24.04 LTS must limit the number of concurrent sessions to 10 for all accounts and/or account types.
Ubuntu 24.04 LTS must initiate a graphical session lock after 10 minutes of inactivity.
Ubuntu 24.04 LTS library files must have mode 0755 or less permissive.
Ubuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface automount function
Ubuntu 24.04 LTS library files must be owned by root.
Ubuntu 24.04 LTS library files must be group-owned by root or a system account.
Ubuntu 24.04 LTS library directories must be owned by root.
Ubuntu 24.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.
Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
Ubuntu 24.04 LTS must store only encrypted representations of passwords
Ubuntu 24.04 LTS must disable kernel core dumps.
Actions to take:
Both analysis and remediation checks are included
Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
Improved a few checks by adding the pending restart feature to them. The pending restart feature works in the following ways:
The action results will show “Pending Restart” instead of “Fixed” for those checks which require OS reboot.
The check will show relevant for those endpoints until they are rebooted.
Post reboot of the endpoint the action results will show as “Fixed” and the check will be compliant.
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
- BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance - BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team