TickYouOff

Canonical Ubuntu 22.04 LTS STIG Checklist

Medium 18 items · 4 hours
testuser · Published 3 weeks ago

This checklist distills key security hardening tasks from the Canonical Ubuntu 22.04 LTS STIG for general administrators and auditors. Use it to apply core STIG controls, run SCAP/XCCDF scans, and document compliance on managed Ubuntu systems.

Source: https://ncp.nist.gov/checklist/1235

  1. Update package lists — Run apt update to refresh package metadata.
  2. Upgrade installed packages — Run apt upgrade -y to install available updates.
  3. Apply kernel and firmware updates — Install kernel/firmware updates and reboot if a new kernel was installed.
  4. Enable unattended security updates — Install unattended-upgrades and enable the security pocket so patches are applied automatically.
  5. Run SCAP/XCCDF benchmark scan and save report — Run the DISA SCAP content with an SCAP scanner (for example OpenSCAP's oscap), then archive the report as audit evidence.
  6. Harden SSH configuration — Review /etc/ssh/sshd_config and the drop-ins under /etc/ssh/sshd_config.d/ (on Ubuntu 22.04 the Include for that directory comes first and the first setting of each keyword wins); verify the result with sshd -T before restarting.
  7. Disable root login over SSH — Set PermitRootLogin no, check syntax with sshd -t, then restart the service (the unit is ssh on Ubuntu: systemctl restart ssh).
  8. Require SSH keys and disable password auth — Set PasswordAuthentication no, keep PubkeyAuthentication yes, and provision keys through authorized_keys only.
  9. Restrict SSH access and limit users — Use AllowUsers/AllowGroups to limit who may log in, and firewall rules to limit where logins come from.
  10. Configure and enable UFW firewall — Allow only required ports, default-deny incoming, then enable the firewall and turn on logging.
  11. Install and enable auditd — Install auditd, enable the service, and load the STIG audit rule set.
  12. Configure log rotation and remote syslog — Ensure logs rotate and are forwarded to a central collector if one is available.
  13. Set password policy and PAM rules — Enforce complexity with pam_pwquality, lockout with pam_faillock (via /etc/pam.d), and aging in /etc/login.defs.
  14. Lock and remove inactive user accounts — Disable accounts after the defined inactivity period (the STIG uses 35 days, set with useradd -D -f 35) and remove them once confirmed unneeded.
  15. Enable AppArmor and enforce profiles — Ensure AppArmor is active and critical profiles are in enforce mode (check with aa-status).
  16. Configure kernel sysctl hardening — Apply the recommended settings (e.g., rp_filter, net.ipv4.ip_forward = 0 on non-routers) in /etc/sysctl.d/ and reload with sysctl --system; the last assignment of a key wins.
  17. Install and configure Fail2Ban — Block repeated authentication failures to reduce brute-force attacks (not a STIG control itself; it complements the pam_faillock lockout from item 13).
  18. Remove unused packages and disable unnecessary services — Uninstall unneeded packages and stop/disable idle services.
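The SSH items (6 to 9) and the sysctl item (16) are where a checklist most often gets ticked without the setting actually taking effect, because sshd and sysctl resolve duplicate keys in opposite directions. The script below is an added example, not part of the Ubuntu STIG, the NCP checklist or this site; it audits config files passed as arguments rather than touching the live host, and the sample files it creates are constructed for the demonstration. The helper names (sshd_effective, sshd_check, sysctl_effective, audit_sshd) and the group name sshusers are assumptions for the example.

```shell
#!/bin/sh
# Added audit helper for the SSH and sysctl items above. It is example code,
# not part of the Ubuntu STIG, the NCP checklist or this site, and it reads
# config files passed as arguments rather than touching the live system.
#
# Two precedence rules matter when you verify instead of just edit:
#   * sshd_config: the FIRST uncommented occurrence of a keyword wins. On
#     Ubuntu 22.04 the stock file starts with
#     "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in there overrides
#     anything written later in the main file.
#   * sysctl.d files: the LAST assignment wins (lines are applied in order).

# Effective value of sshd keyword $2 in file $1 (keyword match is
# case-insensitive, as in sshd). Prints nothing if the keyword is absent.
# Assumes "Keyword value" lines; Match blocks are not evaluated.
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 if keyword $2 in file $1 resolves to $3, else 1.
sshd_check() {
    [ "$(sshd_effective "$1" "$2")" = "$3" ]
}

# Effective value of sysctl key $2 in a sysctl.d-style file $1
# ("key = value" lines; '#' and ';' comments ignored; last assignment wins).
sysctl_effective() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || NF < 2 { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }
    ' "$1"
}

# Audit sshd config $1 against checklist items 7, 8 and 9. Prints one line per
# failed check; returns 0 only when every check passes.
audit_sshd() {
    f=$1
    fails=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no"; do
        set -- $pair            # split into keyword and expected value
        if ! sshd_check "$f" "$1" "$2"; then
            echo "FAIL $1: expected '$2', effective '$(sshd_effective "$f" "$1")'"
            fails=$((fails + 1))
        fi
    done
    if [ -z "$(sshd_effective "$f" AllowUsers)" ] \
       && [ -z "$(sshd_effective "$f" AllowGroups)" ]; then
        echo "FAIL: neither AllowUsers nor AllowGroups limits who may log in"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample files (not real host configuration) so the block runs offline.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# A common mistake: "PermitRootLogin no" appended below an existing "yes".
cat > "$TMP/weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

cat > "$TMP/hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
EOF

# Here the later line wins, so forwarding ends up disabled.
cat > "$TMP/sysctl" <<'EOF'
# constructed /etc/sysctl.d/99-hardening.conf look-alike
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
EOF

for cfg in weak hardened; do
    if audit_sshd "$TMP/$cfg"; then echo "$cfg: PASS"; else echo "$cfg: FAIL"; fi
done
echo "ip_forward effective: $(sysctl_effective "$TMP/sysctl" net.ipv4.ip_forward)"
```

On a real host, point audit_sshd at /etc/ssh/sshd_config only as a first pass: the authoritative view of what sshd will actually enforce, including Include drop-ins and Match blocks, is sudo sshd -T, and the live kernel values to compare against your sysctl.d files come from sudo sysctl -a. Run the SCAP scan from item 5 after these spot checks so the archived report reflects the effective configuration.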