
Canonical Ubuntu 20.04 LTS STIG Checklist

Medium 17 items · 2 hours
testuser Published 1 month ago

This checklist translates the Canonical Ubuntu 20.04 LTS STIG (Ver 2, Rel 5) into practical, actionable steps for general users and administrators. Use it to harden a managed Ubuntu 20.04 system, improve compliance, and reduce attack surface.

Source: https://ncp.nist.gov/checklist/992

  1. Update system packages — Install all available package updates and security patches.
  2. Enable automatic security updates — Configure unattended-upgrades to auto-install security updates.
  3. Verify time synchronization — Ensure chrony or ntp is configured and syncing system time.
  4. Configure the firewall (ufw) — Set default deny inbound, allow only required ports and enable logging.
  5. Harden SSH configuration — Apply STIG-oriented SSH settings to reduce remote access risks.
  6. Disable root login over SSH — Prevent direct root SSH access; require sudo from normal accounts.
  7. Disable password authentication and use SSH keys — Allow only public-key authentication for interactive SSH logins.
  8. Limit SSH access and enable rate-limiting — Restrict allowed IPs, use AllowUsers/AllowGroups and rate-limit attempts.
  9. Install and enable auditd — Enable system auditing to record security-relevant events.
  10. Configure audit rules for sensitive files and actions — Audit changes to /etc, user admin actions, and login events.
  11. Enable and enforce AppArmor profiles — Ensure AppArmor is active and critical services have enforced profiles.
  12. Disable unused services and remove unnecessary packages — Stop and remove services/packages that are not required for operation.
  13. Set secure permissions on /etc/passwd and /etc/shadow — Verify ownership and mode to prevent unauthorized access.
  14. Install and configure AIDE or other file-integrity monitoring — Initialize a baseline and schedule regular integrity checks.
  15. Apply sysctl network hardening — Disable IP forwarding, enable rp_filter and tcp_syncookies, and tighten net settings.
  16. Restrict cron and at usage; review scheduled jobs — Lock down /etc/cron.allow, /etc/cron.d, and remove unauthorized jobs.
  17. Review and enforce least-privilege for user accounts — Remove inactive accounts, restrict sudoers, and audit privileged users.
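Items 5 to 8 are easiest to verify with a read-only audit of the daemon's configuration. The script below is an added example, not code from the checklist page or from the STIG itself: it parses an sshd_config file the way sshd does (first occurrence of a directive wins, anything after a Match line is conditional) and reports the settings behind those four items. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the checklist page or the STIG): a read-only audit
# of an sshd_config file against the settings behind items 5-8. Function
# names and the sample config are constructed for this example.

# Effective value of a directive. sshd honours the FIRST occurrence of a
# keyword, so the first match wins, and anything after a "Match" line is
# conditional and must not be treated as the global value. Comment lines
# never match because "#Keyword" differs from "Keyword". Only the
# "Keyword value" form is parsed, not "Keyword=value".
sshd_get() {
  # $1 = config file, $2 = directive (case-insensitive, as in sshd)
  awk -v key="$2" '
    tolower($1) == "match"        { exit }
    tolower($1) == tolower(key)   { print $2; exit }
  ' "$1"
}

# Compare one directive with the wanted value; report on stderr, return 0/1.
sshd_expect() {
  file=$1; key=$2; want=$3
  got=$(sshd_get "$file" "$key")
  if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
    echo "PASS $key=$got" >&2
    return 0
  fi
  echo "FAIL $key=${got:-<unset, sshd default applies>} (want $want)" >&2
  return 1
}

# Run the checks for items 5-8; prints the number of failures on stdout.
sshd_audit() {
  f=$1; fails=0
  sshd_expect "$f" PermitRootLogin no         || fails=$((fails+1))  # item 6
  sshd_expect "$f" PasswordAuthentication no  || fails=$((fails+1))  # item 7
  sshd_expect "$f" PubkeyAuthentication yes   || fails=$((fails+1))  # item 7
  sshd_expect "$f" PermitEmptyPasswords no    || fails=$((fails+1))  # item 5
  sshd_expect "$f" X11Forwarding no           || fails=$((fails+1))  # item 5
  # item 8: some AllowUsers/AllowGroups restriction must be present
  if [ -n "$(sshd_get "$f" AllowUsers)$(sshd_get "$f" AllowGroups)" ]; then
    echo "PASS AllowUsers/AllowGroups restriction present" >&2
  else
    echo "FAIL no AllowUsers/AllowGroups restriction" >&2
    fails=$((fails+1))
  fi
  echo "$fails"
}

# Constructed sample: partially hardened. The Match block only turns off
# passwords for one user; the global setting is still "yes", which is the
# mistake this audit is meant to catch.
sample_sshd_config() {
  cat > "$1" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
AllowGroups sshusers
Match User backup
    PasswordAuthentication no
EOF
}

# Demo on the sample; on a real host point sshd_audit at /etc/ssh/sshd_config.
demo="${TMPDIR:-/tmp}/sshd_sample.$$"
sample_sshd_config "$demo"
echo "failures: $(sshd_audit "$demo")"
rm -f "$demo"
```

The parser does not follow Include lines, and Ubuntu 20.04's default sshd_config pulls in /etc/ssh/sshd_config.d/*.conf, so a file-level check can miss an override; `sshd -T` prints the effective configuration the daemon will actually use and is the authoritative view when the two disagree. Treat a directive that is unset as "default applies" rather than as a pass, because the default is not always the hardened value.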
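For item 15, the same file-level approach works on a sysctl.conf or sysctl.d fragment. This is an added example, not code from the checklist page or the STIG: it reads a sysctl-style file (last assignment wins, as when sysctl applies the file), compares it with the values the item calls for, and reports anything unset instead of assuming the kernel default is safe. The ICMP-redirect and source-route keys go beyond the three settings the item names and are this example's assumption about "tighten net settings"; the function names and sample file are constructed.

```shell
#!/bin/sh
# Added example (not from the checklist page or the STIG): check a
# sysctl.conf / sysctl.d-style file for the network settings behind item 15.
# The redirect and source-route keys are my assumptions about "tighten net
# settings"; function names and the sample file are constructed.

# Last value assigned to a key in the file. Later lines win, matching how
# sysctl applies a file; "/" and "." separators are both accepted.
sysctl_get() {
  # $1 = file, $2 = key in dotted form
  awk -v key="$2" '
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    {
      n = index($0, "="); if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[[:space:]]/, "", k); gsub(/\//, ".", k)
      gsub(/^[[:space:]]+/, "", v); gsub(/[[:space:]]+$/, "", v)
      if (k == key) { val = v; seen = 1 }
    }
    END { if (seen) print val }
  ' "$1"
}

# Compare the file against the wanted values; PASS/FAIL on stderr, failure
# count on stdout. Keys not set in the file count as failures rather than
# passes, since the kernel default may differ from the hardened value.
sysctl_audit() {
  f=$1; fails=0
  while read -r key want; do
    got=$(sysctl_get "$f" "$key")
    if [ "$got" = "$want" ]; then
      echo "PASS $key=$got" >&2
    else
      echo "FAIL $key=${got:-<unset>} (want $want)" >&2
      fails=$((fails+1))
    fi
  done <<EOF
net.ipv4.ip_forward 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
EOF
  echo "$fails"
}

# Constructed sample with two problems: forwarding left on and
# accept_source_route never set.
sample_sysctl_conf() {
  cat > "$1" <<'EOF'
# constructed sample /etc/sysctl.d/99-hardening.conf
net.ipv4.ip_forward = 1
net/ipv4/conf/all/rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# Demo on the sample; on a real host point sysctl_audit at your sysctl.d file.
demo="${TMPDIR:-/tmp}/sysctl_sample.$$"
sample_sysctl_conf "$demo"
echo "failures: $(sysctl_audit "$demo")"
rm -f "$demo"
```

A file check only shows what will be applied at boot or on the next `sysctl --system`; the running value can still differ if something changed it afterwards, so pair this with `sysctl -n <key>` for the live setting when closing out the item.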