Ubuntu 24.04 STIG Compliance

Medium 15 items · 4 hours
testuser Published 1 month ago

This checklist summarizes key hardening tasks from the Canonical Ubuntu 24.04 LTS STIG (Ver 1, Rel 4). It’s for system administrators or anyone responsible for securing Ubuntu 24.04 servers in managed environments.

Source: https://ncp.nist.gov/checklist/1274

  1. Apply latest Ubuntu 24.04 security updates — Run apt update && apt upgrade; reboot if required.
  2. Enable unattended-upgrades for security packages — Install and configure unattended-upgrades to auto-install security updates.
  3. Configure UFW firewall — Install UFW, set default policies, and enable the firewall.
  4. Deny incoming connections by default in UFW — Set ufw default deny incoming to reduce exposure.
  5. Allow SSH and necessary service ports in UFW — Open only required ports (use service names or explicit ports).
  6. Harden SSH configuration — Edit /etc/ssh/sshd_config to enforce secure defaults.
  7. Disable SSH root login — Set PermitRootLogin no and restart sshd.
  8. Enforce SSH key-based authentication and disable passwords — Set PasswordAuthentication no and allow only authorized keys.
  9. Create and enforce strong password and account lockout policies — Use PAM rules, password complexity, expiration, and account lockout.
  10. Remove or disable unnecessary packages and services — Audit installed packages and stop/remove unused daemons.
  11. Install and configure auditd for system auditing — Enable auditd, persistent logs, and baseline audit rules.
  12. Enable and verify Secure Boot and kernel module restrictions — Ensure Secure Boot is enabled where supported; restrict unsigned modules.
  13. Configure sysctl network protections — Set rp_filter, disable IP forwarding if not needed, and harden ICMP settings.
  14. Limit sudo access and implement least-privilege — Review /etc/sudoers, remove NOPASSWD entries, use /etc/sudoers.d.
  15. Verify permissions on critical system files and directories — Check /etc, /var, and home directories for improper ownership or modes.
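
One way to verify items 7 and 8 after editing, as an added example that is not part of the original checklist or the STIG. The function names `sshd_effective` and `audit_sshd` and the sample file names are hypothetical; the sample files are constructed to show that a setting read earlier wins over a later `no` in the main file.

```shell
#!/bin/sh
# Added example: audit checklist items 7 and 8 against sshd config files.
# sshd keeps the FIRST value it reads for a keyword, so pass the files in
# the order sshd reads them (files pulled in by an Include line come first).

# sshd_effective KEYWORD FILE... -> first global value for KEYWORD, lowercased
sshd_effective() {
    kw=$1; shift
    awk -F'[ \t=]+' -v kw="$kw" '
        FNR == 1 { inmatch = 0 }              # simplification: Match ends with its file
        { sub(/^[ \t]+/, "") }                # drop leading whitespace
        /^#/ || /^$/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { inmatch = 1; next }
        !inmatch && tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$@"
}

# audit_sshd FILE... -> returns 0 when both settings are "no", else 1
audit_sshd() {
    rc=0
    root=$(sshd_effective PermitRootLogin "$@")
    pass=$(sshd_effective PasswordAuthentication "$@")
    # An unset keyword falls back to the OpenSSH default (prohibit-password
    # and yes respectively), so "unset" is reported as a finding too.
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=${root:-unset}"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=${pass:-unset}"; rc=1; }
    return $rc
}

# Constructed sample files (not from a real host): a drop-in read before
# the main file turns password logins back on.
demo=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication yes' > "$demo/50-sample.conf"
printf '%s\n' '# main file' 'PermitRootLogin no' 'PasswordAuthentication no' \
    > "$demo/sshd_config"

audit_sshd "$demo/50-sample.conf" "$demo/sshd_config" || echo "not compliant"
audit_sshd "$demo/sshd_config" && echo "main file alone looks compliant"
```

On a live host, `sshd -T` prints the configuration sshd actually resolves, including Include and Match handling that this file-based check simplifies.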