[BESAdmin-Announcements] BigFix Compliance: Updated DISA STIG Checklist for Ubuntu 22.04 LTS Server, published 2026-06-05
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Mon Jun 8 07:55:00 PDT 2026
*Product:*
BigFix Compliance
*Title:*
Updated DISA STIG Checklist for Ubuntu 22.04 LTS Server.
*Security Benchmark:*
DISA Canonical Ubuntu 22.04 LTS STIG SCAP Benchmark V2R8
*Published Sites:*
DISA STIG Checklist for Ubuntu 22.04 LTS Server, site version 7
(The site version is provided for air-gap customers.)
*Details:*
● *Total New Fixlets: 1*
● *Total Updated Fixlets: 17*
● *Total Deleted Fixlets: 1*
● *Total Fixlets in Site: 183*
*New Fixlets:*
● Ubuntu 22.04 LTS must not have the nfs-kernel-server package
installed.
*Updated Fixlets:*
● Ubuntu 22.04 LTS must configure the directories used by the system
journal to be owned by "root".
● Ubuntu 22.04 LTS must configure the directories used by the system
journal to be group-owned by "systemd-journal".
● Ubuntu 22.04 LTS must configure the files used by the system journal
to be owned by "root".
● Ubuntu 22.04 LTS must configure the files used by the system journal
to be group-owned by "systemd-journal"
● Ubuntu 22.04 LTS must have an application firewall enabled
● Ubuntu 22.04 LTS must display the Standard Mandatory DOD Notice and
Consent Banner before granting any local or remote connection to the system.
● Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence
if a graphical user interface is installed.
● Ubuntu 22.04 LTS must be a vendor-supported release.
● Ubuntu 22.04 LTS must initiate session audits at system startup.
● Ubuntu 22.04 LTS must disable kernel core dumps so that it can fail
to a secure state if system initialization fails, shutdown fails or aborts
fail.
● Ubuntu 22.04 LTS must have the "SSSD" package installed.
● Ubuntu 22.04 LTS must configure the SSH daemon to use
FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of
information and/or detect changes to information during transmission.
● Ubuntu 22.04 LTS must require users to reauthenticate for privilege
escalation or when changing roles.
● The operating system must require users to provide a password for
privilege escalation.
● Ubuntu 22.04 LTS must be configured such that Pluggable
Authentication Module (PAM) prohibits the use of cached authentications
after one day
● Ubuntu 22.04 LTS must configure AIDE to perform file integrity
checking on the file system
● Ubuntu 22.04 LTS must audit any script or executable called by cron
as root or by any privileged user.
*Deleted Fixlets:*
● Ubuntu 22.04 LTS must be configured such that Pluggable
Authentication Module (PAM) prohibits the use of cached authentications
after one day.
*Additional details:*
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable
customization for compliance evaluation. Note that parameterization and
remediation actions require the creation of a custom site.
Improved few checks by adding the pending restart feature to them. The
pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed” for
those checks which requires OS reboot.
● The check will show relevant for those endpoints until they are rebooted.
● Post reboot of the endpoint the action results will show as “Fixed” and
the check will be compliant.
*Actions to take:*
● To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product and you must be using BigFix version 10.0.7
and later.
●If you use custom sites, update your custom sites accordingly to use the
latest content. You can synchronize your content by using the Synchronize
Custom Checks wizard. For more information, see Using the Synchronize
Custom Checks wizard
<https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>
*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:
● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists:
Welcome to Wikis
<https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists>
We hope you find this latest release of SCM content useful and effective.
Thank you!
*– The BigFix Compliance team*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260608/21fb09fd/attachment.html>
More information about the Besadmin-announcements
mailing list