[BESAdmin-Announcements] Updated DISA STIG Checklist for Ubuntu 24.04 LTS Server, published 2025-10-16
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Mon Oct 27 07:20:55 PDT 2025
*Product:*
BigFix Compliance
*Title:*
Updated DISA Checklist for Ubuntu 24.04.
*Security Benchmark:*
Canonical Ubuntu 24.04 LTS STIG, v1r2
*Published Sites:*
DISA STIG Checklist for Ubuntu 24.04 LTS Server, site version 3
(The site version is provided for air-gap customers.)
*Details:*
· *Total New Fixlets: 6*
· *Total Updated Fixlets: 11*
· *Total Deleted Fixlets: 0*
· *Total Fixlets in Site: 188*
*New Fixlets:*
· Ubuntu 24.04 LTS must prevent a user from overriding the disabling
of the graphical user interface autorun function.
· Ubuntu 24.04 LTS must prevent a user from overriding the disabling
of the graphical user smart card removal action.
· Ubuntu 24.04 LTS must conceal, via the session lock, information
previously visible on the display with a publicly viewable image.
· Ubuntu 24.04 LTS must audit any script or executable called by
cron as root or by any privileged user.
· Ubuntu 24.04 LTS must restrict privilege elevation to authorized
personnel.
· Ubuntu 24.04 LTS must require users to provide a password for
privilege escalation.
*Updated Fixlets:*
· Ubuntu 24.04 LTS must limit the number of concurrent sessions to
10 for all accounts and/or account types.
· Ubuntu 24.04 LTS must initiate a graphical session lock after 10
minutes of inactivity.
· Ubuntu 24.04 LTS library files must have mode 0755 or less
permissive.
· Ubuntu 24.04 LTS must prevent a user from overriding the disabling
of the graphical user interface automount function.
· Ubuntu 24.04 LTS library files must be owned by root.
· Ubuntu 24.04 LTS library files must be group-owned by root or a
system account.
· Ubuntu 24.04 LTS library directories must be owned by root.
· Ubuntu 24.04 LTS must require users to reauthenticate for
privilege escalation or when changing roles.
· Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence
if a graphical user interface is installed.
· Ubuntu 24.04 LTS must store only encrypted representations of
passwords.
· Ubuntu 24.04 LTS must disable kernel core dumps.
*Actions to take:*
· Both analysis and remediation checks are included.
· Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.
· Improved a few checks by adding the pending restart feature to
them. The pending restart feature works in the following ways:
    · The action results will show “Pending Restart” instead of “Fixed”
    for those checks which require OS reboot.
    · The check will show relevant for those endpoints until they are
    rebooted.
    · Post reboot of the endpoint the action results will show as
    “Fixed” and the check will be compliant.
*More information:*
To learn more about the BigFix Compliance SCM checklists, please see the
following resources:
- BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
- BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective.
Thank you!
– The BigFix Compliance team