Ubuntu 20.04 STIG Checklist

Hard 18 items · 4 hours
testuser Published 1 month ago

This checklist helps system administrators and security-conscious users harden Ubuntu 20.04 LTS to DISA STIG recommendations. It covers package updates, SSH hardening, auditing, AppArmor, firewall, SCAP scanning, and documentation. Use it when preparing systems for higher-security environments or DoD compatibility checks.

Source: https://ncp.nist.gov/checklist/992

  1. Update system packages — Run apt update and apt full-upgrade; reboot if the kernel or critical packages were updated.
  2. Enable unattended security updates — Install and configure unattended-upgrades to apply security updates automatically.
  3. Remove unused packages and services — Audit installed packages and purge unneeded software and daemons.
  4. Configure UFW firewall and enable default deny incoming — Enable ufw, set default deny incoming, allow only required ports (e.g., SSH).
  5. Configure SSH settings — Harden SSH configuration to reduce remote access risk.
  6. Disable SSH root login — Set PermitRootLogin no in /etc/ssh/sshd_config and restart sshd.
  7. Restrict SSH to protocol 2 and strong ciphers — Disable SSH v1, enable key auth, and configure modern ciphers/KEX suites.
  8. Enforce password policies: complexity and expiration — Configure PAM and login.defs for complexity, history, and maximum age.
  9. Harden sudoers: remove NOPASSWD and limit admin access — Review /etc/sudoers and /etc/sudoers.d to restrict privilege escalation.
  10. Enable and configure auditd for system auditing — Install auditd, enable persistent logging, and add rules for auth, ssh, and sudo.
  11. Enable AppArmor and ensure profiles enforced — Ensure AppArmor service is active and critical profiles are in enforce mode.
  12. Harden sysctl networking settings — Set net.ipv4.ip_forward=0, rp_filter, and other recommended kernel network sysctls.
  13. Disable unused filesystem modules — Blacklist modules like cramfs and squashfs to reduce attack surface.
  14. Set secure permissions on /etc and sensitive files — Ensure /etc permissions and restrict access to passwd, shadow, keys, and certs.
  15. Configure NTP/chrony and enforce time sync — Install and configure chrony or ntp, enable service and pin trusted servers.
  16. Download and apply Canonical Ubuntu 20.04 STIG SCAP content — Retrieve DISA/Canonical XCCDF and SCAP content for 20.04 to reference benchmarks.
  17. Install and run a vulnerability scanner (SCAP/OVAL) — Scan the host against the STIG benchmark to find deviations and remediate findings.
  18. Document changes and create rollback plan — Log all configuration changes, backups, and rollback steps for each hardening action.
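
A read-only spot check for items 6, 9 and 12, added here as an example and not part of the original checklist or the STIG content. The function names and the sample files are constructed for illustration; the sshd check reads only global settings and relies on sshd using the first value it finds for a keyword.

```sh
#!/bin/sh
# Added example: read-only checks for items 6, 9 and 12. Function names are hypothetical.

# sshd uses the first value it reads for a keyword; print that value, lowercased.
# Simplification: stops at the first Match block and does not follow Include.
sshd_first() {  # usage: sshd_first KEYWORD FILE
  awk -v k="$1" 'BEGIN { k = tolower(k) }
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == k { print tolower($2); exit }' "$2"
}

# Item 6: pass only when the first PermitRootLogin value is "no".
check_root_login() { [ "$(sshd_first PermitRootLogin "$1")" = "no" ]; }

# Item 9: print every active (non-comment) sudoers line that carries NOPASSWD.
nopasswd_lines() { grep -hE '^[[:space:]]*[^#[:space:]].*NOPASSWD' "$@" || true; }

# Item 12: last assignment of KEY in a sysctl.conf-style file (later lines override).
sysctl_conf_value() {  # usage: sysctl_conf_value KEY FILE
  awk -F= -v k="$1" '/^[ \t]*[#;]/ { next }
    { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      if (key == k) last = val }
    END { if (last != "") print last }' "$2"
}

# Constructed sample files, not taken from any real host.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sshd_config" <<'EOF'
# PermitRootLogin no
PermitRootLogin prohibit-password
PermitRootLogin no
EOF
cat > "$demo_dir/sudoers" <<'EOF'
# deploy ALL=(ALL) NOPASSWD: ALL
%admin ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
cat > "$demo_dir/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.ip_forward=0
EOF

check_root_login "$demo_dir/sshd_config" && echo "item 6: pass" \
  || echo "item 6: FAIL, first PermitRootLogin is $(sshd_first PermitRootLogin "$demo_dir/sshd_config")"
echo "item 9 findings: $(nopasswd_lines "$demo_dir/sudoers")"
echo "item 12: ip_forward=$(sysctl_conf_value net.ipv4.ip_forward "$demo_dir/sysctl.conf")"
```

On a live host, `sshd -T` prints the effective configuration with Include files resolved and is the more reliable source for item 6.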