[BESAdmin-Announcements] BigFix Compliance: Updated DISA STIG Checklist for Ubuntu 24.04 LTS Server, published 2026-01-16

Fri Jan 16 07:58:10 PST 2026

*Product:*

BigFix Compliance

*Title:*
Updated DISA STIG Checklist for Ubuntu 24.04 LTS Server

*Security Benchmark:*
DISA Canonical Ubuntu 24.04 LTS STIG SCAP Benchmark, v1r3

*Published Sites:*
DISA STIG Checklist for Ubuntu 24.04 LTS Server, site version 5
(The site version is provided for air-gap customers.)

*Details:*

●       Total New Fixlets: 1

●       Total Updated Fixlets: 7

●       Total Deleted Fixlets: 0

●       Total Fixlets in Site: 189

*New Fixlets:*

●      Ubuntu 24.04 LTS must be a vendor-supported release.

*Updated Items :*

●      Ubuntu 24.04 LTS must not allow accounts configured in Pluggable
Authentication Modules (PAM) with blank or null passwords.

●      Ubuntu 24.04 LTS must disable automatic mounting of Universal Serial
Bus (USB) mass storage driver.

●      Ubuntu 24.04 LTS must generate error messages that provide
information necessary for corrective actions without revealing information
that could be exploited by adversaries.

●      Ubuntu 24.04 LTS must configure audit tools with a mode of "0755" or
less permissive.

●      Ubuntu 24.04 LTS must configure audit tools to be owned by root.

●      Ubuntu 24.04 LTS must configure the audit tools to be group owned by
root.

●      Ubuntu 24.04 LTS must use cryptographic mechanisms to protect the
integrity of audit tools.

*Additional details:*

●      Both analysis and remediation checks are included.

●      Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.

●      Improved a few checks by adding the pending restart feature to them.
The pending restart feature works in the following ways:

●      The action results will show “Pending Restart” instead of “Fixed”
for those checks which require OS reboot.

●       The check will show relevant for those endpoints until they are
rebooted.

●      Post reboot of the endpoint the action results will show as “Fixed”
and the check will be compliant.

*Actions to take:*

●      To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product and you must be using BigFix version 11.0.3
and later.

●       If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see Using the
Synchronize Custom Checks wizard
<https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>

*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:

●      BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

●      BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists

We hope you find this latest release of SCM content useful and effective.
Thank you!

*– The BigFix Compliance team*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260116/7c19f7e1/attachment.html>