Canonical Ubuntu 24.04 LTS STIG Compliance Checklist

Medium 16 items · 2 hours
testuser Published 4 weeks ago

This checklist helps administrators and auditors prepare an Ubuntu 24.04 Server for DISA STIG compliance. It covers downloading official resources, applying baselines, hardening common services, and documenting exceptions for managed environments.

Source: https://ncp.nist.gov/checklist/1274

  1. Download STIG content and supporting resources — Gather official DISA STIG and related benchmark files before remediation.
  2. Download SCAP 1.3 content for Ubuntu 24.04 — Get the official SCAP 1.3 benchmark for automated scanning and remediation.
  3. Download Standalone XCCDF benchmark and Ansible/Chef variants — Fetch XCCDF and configuration management artifacts for manual or automated use.
  4. Download automated SCC content for supported architectures — Obtain SCC bundles for AMD64 and ARM64 targets if available.
  5. Verify system matches target CPE (Ubuntu 24.04 LTS) — Confirm OS version and build to ensure the STIG is applicable.
  6. Update system packages and apply latest security patches — Run package updates and reboot if kernel or critical packages changed.
  7. Apply STIG baseline or automated remediation — Use SCAP/SCC/XCCDF or configuration management to apply recommended settings.
  8. Harden SSH configuration — Disable root login, enforce Protocol 2, restrict authentication methods, and require strong ciphers.
  9. Enforce password and account policies — Set complexity, expiration, lockout, and minimum password length policies.
  10. Enable and configure the host firewall — Restrict inbound services to required ports and implement default-deny rules.
  11. Enable and configure auditing and logging (auditd) — Enable audit rules, set log retention, and forward logs to a central server if used.
  12. Harden kernel parameters (sysctl) — Apply recommended network and filesystem kernel hardening values.
  13. Disable unnecessary services and remove unused packages — Stop and disable services not required for the system role.
  14. Verify file and directory permissions for sensitive files — Check ownership and permissions for /etc/passwd, /etc/shadow, and key config files.
  15. Document exceptions and obtain approvals for deviations — Record reasons, compensating controls, and approval for any non-compliant items.
  16. Send comments or change requests to DISA — Email proposed STIG changes to [email protected].
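Steps 8 and 12 are the items an auditor re-checks most often, so here is an added example (not code from the checklist author or from DISA) of a POSIX sh script that reads an sshd_config and a sysctl file, compares a handful of keywords against expected values, and counts the findings. The keywords, the expected values and the sample configs are assumptions chosen for illustration, not the complete STIG rule set.

```shell
# Added example (not from the TickYouOff checklist or DISA's STIG content):
# offline audit of two checklist items, sshd and sysctl hardening. Readers
# take file paths, so they also work on /etc/ssh/sshd_config and
# /etc/sysctl.d/*.conf; expected values are illustrative, not the full set.

# Effective sshd keyword: first uncommented match wins (sshd's own rule).
ssh_value() {  # ssh_value <file> <keyword>
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == k { print $2; exit }' "$1"
}

# Effective sysctl key: last "key = value" assignment wins (sysctl -p rule).
sysctl_value() {  # sysctl_value <file> <key>
  awk -F '=' -v k="$2" '
    /^[[:space:]]*[#;]/ { next }
    { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
    $1 == k { v = $2 } END { print v }' "$1"
}

# Report a mismatch on stderr and return 1 so the caller can count it.
expect() {  # expect <label> <observed> <expected>
  [ "$2" = "$3" ] && return 0
  echo "FINDING: $1 is '${2:-unset}', expected '$3'" >&2
  return 1
}

# Audit both files; prints the number of findings on stdout.
audit() {  # audit <sshd_config> <sysctl_conf>
  n=0
  for kv in PermitRootLogin=no PermitEmptyPasswords=no X11Forwarding=no; do
    expect "sshd ${kv%%=*}" "$(ssh_value "$1" "${kv%%=*}")" "${kv#*=}" || n=$((n + 1))
  done
  for kv in net.ipv4.conf.all.accept_redirects=0 net.ipv4.tcp_syncookies=1 \
            kernel.randomize_va_space=2; do
    expect "sysctl ${kv%%=*}" "$(sysctl_value "$2" "${kv%%=*}")" "${kv#*=}" || n=$((n + 1))
  done
  echo "$n"
}
# Constructed sample input describing a partially hardened host.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/sshd_config" <<'EOF'
#PermitRootLogin yes    (commented out, so sshd's default applies)
X11Forwarding yes
EOF
cat > "$SAMPLE/sysctl.conf" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
EOF
audit "$SAMPLE/sshd_config" "$SAMPLE/sysctl.conf"   # prints 4
```

On a live host, point `audit` at `/etc/ssh/sshd_config` and the relevant `/etc/sysctl.d/*.conf` file; a non-zero count means the corresponding checklist items need remediation or a documented exception (step 15).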