Canonical Ubuntu 22.04 LTS STIG — Ver 2, Rel 6
Hard · 16 items · 2 hours · testuser · Published 1 month ago
This checklist translates the Canonical Ubuntu 22.04 LTS STIG (Ver 2, Rel 6) into practical hardening steps for system administrators and security teams. Use it to bring Ubuntu 22.04 systems toward DISA STIG compliance and to track remediation progress.
- Update package lists and apply all security updates — Run apt update and install available security patches to reduce known vulnerabilities.
- Enable unattended security upgrades — Install and configure unattended-upgrades to automatically apply security updates.
- Remove unused packages and snaps — Purge software you don't need to shrink attack surface and limit automatic services.
- Disable and mask unnecessary services — Disable services like avahi or cups if not required using systemctl disable --now.
- Harden SSH configuration — Apply STIG-recommended SSH settings to limit remote access risks.
- Disable root login via SSH — Set PermitRootLogin no in /etc/ssh/sshd_config and restart sshd.
- Disable password authentication and require keys — Set PasswordAuthentication no and use key-based auth only.
- Configure and enable UFW firewall — Set default deny incoming, allow outgoing, and enable UFW.
- Install and configure fail2ban or rate-limiting — Protect SSH and other services from brute-force login attempts.
- Enforce strong password and account policies — Configure PAM, minimum length, complexity, and password aging policies.
- Enable and configure auditd logging — Record security-relevant events and ensure log retention meets policy.
- Apply AppArmor profiles and enforce critical profiles — Ensure AppArmor is enabled and essential profiles are in enforce mode.
- Set secure kernel sysctl values — Harden network and kernel settings (e.g., disable IP forwarding if unused).
- Find and fix world-writable files and insecure permissions — Locate and correct files with overly permissive ownership/permissions.
- Disable IPv6 if not required by environment — Turn off IPv6 system-wide when not in use to reduce attack vectors.
- Download and validate DISA SCAP/XCCDF content and run benchmark — Use DISA SCAP/XCCDF content to scan and report STIG compliance status.
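The two SSH items above (PermitRootLogin no, PasswordAuthentication no) can be verified rather than assumed. The script below is an added example, not part of the original checklist or of DISA content; the function names effective_value and check_sshd are hypothetical and the sample config is constructed. It shows why a file that contains the right line can still fail: sshd keeps the first value it reads for a keyword, and a commented-out line sets nothing.

```shell
#!/bin/sh
# Added example: audit the two SSH settings named in the checklist.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive and commented-out lines have no effect.

# effective_value KEYWORD FILE: print the first global value, lowercased.
effective_value() {
    awk -F '[ \t=]+' -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blanks
        { sub(/^[ \t]+/, ""); key = tolower($1) }
        key == "match" { exit }             # global section ends here
        key == want { print tolower($2); exit }
    ' "$2"
}

# check_sshd FILE: return 0 only if both settings are explicitly "no".
check_sshd() {
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(effective_value "$key" "$1")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key ${got:-unset} (want $want)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PermitRootLogin prohibit-password
permitrootlogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
check_sshd "$sample" || echo "sample config is not compliant"
rm -f "$sample"
```

This parser reads a single file and does not follow Include lines or evaluate Match blocks; on a live host, sshd -T prints the effective configuration and is the authoritative check.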