Advanced USG customisation for DISA-STIG on Ubuntu 22.04

Some rules can be fine-tuned by changing their variables. However, the STIG benchmark ships some variables with phony placeholder values, which must be customised so that the hardening scripts can be applied correctly and the audit can check them correctly.

For additional information on variables, check the usg-variables(7) man page.

Rules that must be customised

The list below gives a brief explanation of each variable that must be customised and the rules it relates to.

Rule id: var_audispd_remote_server

Title: Remote server for audispd to send audit records
Description: The setting for remote_server in /etc/audisp/audisp-remote.conf

Rules limitations

A few rules provided by the STIG profile require manual inspection and remediation.

Rule id: auditd_offload_logs

Title: Offload audit Logs to External Media
Description: Offloading is a common process in information systems with limited audit storage capacity. NOTE: This script is not provided by default as different consumers have different needs.

Check if there is a script in the “/etc/cron.weekly” directory that offloads audit data:

# sudo ls /etc/cron.weekly
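
An offload script of the kind the check above looks for, written as an added example (it is not supplied by USG or by the STIG page): it copies rotated audit logs to external media once a week and verifies each copy. It assumes an installation name of /etc/cron.weekly/audit-offload, a placeholder mount point of /media/audit-offload, and auditd's audit.log.N rotation scheme.

```shell
#!/bin/sh
# Added example, not supplied by USG or the STIG page: weekly offload of
# rotated audit logs to external media, to be installed as
# /etc/cron.weekly/audit-offload (hypothetical name).  Assumptions: the media
# is mounted at /media/audit-offload (placeholder path) and auditd rotates
# logs as /var/log/audit/audit.log.N.
set -e

# Copy each rotated log in $1 to $2, naming the copy by its SHA-256 so that
# rotation renumbering (audit.log.1 becoming audit.log.2) never overwrites
# earlier offloaded data and re-runs are idempotent.  Prints the number copied.
offload_rotated_audit_logs() {
    src=$1; dst=$2; copied=0
    for f in "$src"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        out="$dst/audit-$sum.log"
        if [ -e "$out" ]; then continue; fi   # already offloaded
        cp -p "$f" "$out.part"                # partial copy is visible as .part only
        if [ "$(sha256sum "$out.part" | cut -d' ' -f1)" != "$sum" ]; then
            rm -f "$out.part"
            echo "offload: verification failed for $f" >&2
            return 1
        fi
        mv "$out.part" "$out"
        copied=$((copied + 1))
    done
    echo "$copied"
}

main() {
    dest=/media/audit-offload
    if ! mountpoint -q "$dest"; then
        logger -t audit-offload "$dest is not mounted; audit logs not offloaded"
        return 1
    fi
    n=$(offload_rotated_audit_logs /var/log/audit "$dest")
    logger -t audit-offload "offloaded $n rotated audit log(s) to $dest"
}

# Runs only when installed under the cron.weekly name above, so the function
# can also be sourced from other tooling.
case ${0##*/} in audit-offload) main ;; esac
```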

Rule id: auditd_audispd_configure_sufficiently_large_partition

Title: Configure a Sufficiently Large Partition for Audit Logs
Description: The rule requires a sufficiently large partition for storing at least one week’s worth of audit logs. As this is highly dependent on the end-user’s environment, the check and remediation for the rule are not implemented and must be performed manually.

Rule id: is_fips_mode_enabled

Title: Verify /proc/sys/crypto/fips_enabled exists
Description: This rule verifies whether the system is in FIPS mode. A manual fix is required if it is not. For more information on how to run the system in FIPS-140 mode, please see

Rule id: install_endpoint_security_software

Title: Install an Endpoint Security Software
Description: This rule requires third-party software to be installed. A manual fix is required if the software is not available.

Rule id: smartcard_pam_enabled

Title: Enable Smart Card Logins in PAM
Description: This rule requires that the module is added to the PAM authentication stack. Due to the potential complexity of PAM configurations and the risk of lock-out, the automated remediation has been disabled.

Add the following to the top of the stack in /etc/pam.d/common-auth, replacing N with the correct number of jumps:

 auth     [success=N default=ignore]


 auth     [success=3 default=ignore]
 auth     [success=2 default=ignore] nullok
 auth     [success=1 default=ignore] use_first_pass

Rule id: grub2_password

Title: Set Boot Loader Password in grub2
Description: To prevent hard-coded passwords, automated remediation of this rule is not available. Remediation must be automated as a component of machine provisioning, or performed manually.

  1. Generate the password:
  $ grub-mkpasswd-pbkdf2
  2. Add the following lines to /etc/grub.d/40_custom:
  set superusers="root"
  password_pbkdf2 root GENERATED_PASSWORD
  3. Update grub:
  $ sudo update-grub
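
The three steps above automated for machine provisioning, as an added example that is not part of the USG page or project: the hash is generated without the interactive prompt, only a PBKDF2 hash is ever written, and re-running replaces rather than duplicates the entry. It assumes the password arrives in a hypothetical GRUB_ROOT_PASSWORD variable and that grub-mkpasswd-pbkdf2 reports the hash on a line starting "PBKDF2 hash of your password is".

```shell
#!/bin/sh
# Added example, not part of the USG page: provision the grub2 superuser
# password non-interactively, as the rule asks for at provisioning time.
# Assumptions: the provisioning system supplies the password in the
# hypothetical GRUB_ROOT_PASSWORD variable, and grub-mkpasswd-pbkdf2 prints
# "PBKDF2 hash of your password is grub.pbkdf2.sha512...." on success.
set -e

# Pull the grub.pbkdf2.* hash out of grub-mkpasswd-pbkdf2 output read from stdin.
parse_grub_hash() {
    awk '/^PBKDF2 hash of your password is grub\.pbkdf2\./ { print $NF }'
}

# The tool reads the password twice from stdin, so no prompt is needed.
generate_grub_hash() {
    printf '%s\n%s\n' "$1" "$1" | grub-mkpasswd-pbkdf2 | parse_grub_hash
}

# Write the superuser and password lines into a 40_custom-style file ($1),
# replacing any earlier ones so the script is safe to re-run.  Only a
# PBKDF2 hash ($2) is accepted: a cleartext password never reaches the file.
install_grub_superuser() {
    file=$1; pw_hash=$2
    case $pw_hash in
        grub.pbkdf2.sha512.*) ;;
        *) echo "refusing to write a non-PBKDF2 value to $file" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    # keep the existing header (e.g. "exec tail -n +3 $0") and other entries
    grep -v -e '^set superusers=' -e '^password_pbkdf2 root ' "$file" > "$tmp" || true
    printf 'set superusers="root"\npassword_pbkdf2 root %s\n' "$pw_hash" >> "$tmp"
    cat "$tmp" > "$file"      # rewrite in place so mode and ownership are kept
    rm -f "$tmp"
}

# Provisioning entry point: only runs when the password variable is set.
if [ -n "${GRUB_ROOT_PASSWORD:-}" ]; then
    install_grub_superuser /etc/grub.d/40_custom "$(generate_grub_hash "$GRUB_ROOT_PASSWORD")"
    update-grub
fi
```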

Rule id: check_ufw_active

Title: Verify ufw Active
Description: The UFW firewall should be enabled and active. The rule does not enable the firewall automatically to avoid lock-out.

To remediate, run:

  $ ufw enable

Rule id: ufw_rate_limit

Title: ufw Must rate-limit network interfaces
Description: This rule requires that UFW is enabled and configured to rate-limit all services. The firewall is not configured and enabled automatically to avoid lock-out.

To remediate, determine all listening services and set the rate-limit:

  $ ss -l46ut
  $ ufw limit SERVICE_NAME
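
The two commands above combined into one script, as an added example that is not from the USG page: it parses the ss listing into unique port/protocol pairs and either prints or applies the matching ufw limit rules. It adds -n to the page's ss command so ports are numeric, skips listeners bound only to loopback (not reachable from the network), and assumes the ss column layout shown in the constructed sample.

```shell
#!/bin/sh
# Added example, not from the USG page: derive "ufw limit" rules from the
# listening sockets reported by ss.  -n is added to the page's ss command so
# ports are numeric; listeners bound only to loopback are skipped because
# they are not reachable from the network.  Assumes the ss column layout of
# the constructed sample (Netid State Recv-Q Send-Q Local:Port Peer:Port).
set -e

# Constructed sample of `ss -l46utn` output, used for the offline demonstration.
SAMPLE_SS='Netid State  Recv-Q Send-Q       Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0                  0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128                0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128                   [::]:22            [::]:*
tcp   LISTEN 0      511              127.0.0.1:80         0.0.0.0:*
tcp   LISTEN 0      4096                     *:443              *:*'

# Read ss output on stdin and print one unique "port/proto" per line for every
# non-loopback listener (v4 and v6 entries for the same port collapse to one).
listening_services() {
    awk 'NR > 1 {
        n = split($5, p, ":")                    # port is the text after the last ":"
        port = p[n]
        host = substr($5, 1, length($5) - length(port) - 1)
        sub(/%.*/, "", host)                     # drop a scope id such as %lo
        if (host ~ /^127\./ || host == "[::1]") next
        print port "/" $1
    }' | sort -u
}

# Print the ufw commands for review ("plan") or execute them ("apply").
main() {
    case $1 in
        plan)  ss -l46utn | listening_services | sed 's/^/ufw limit /' ;;
        apply) ss -l46utn | listening_services | while read -r svc; do ufw limit "$svc"; done ;;
        *)     echo "usage: $0 plan|apply" >&2; return 2 ;;
    esac
}
[ $# -eq 0 ] || main "$1"
```

Review the "plan" output before "apply": any listener that should not be exposed at all belongs in the ufw_only_required_services rule rather than in a rate limit.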

Rule id: encrypt_partitions

Title: Encrypt Partitions
Description: The system should be configured to prevent unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.

The rule presently does not perform this check; it must be done manually.

Rule id: account_temp_expire_date

Title: Assign Expiration Date to Temporary Accounts
Description: This rule is not automated as temporary accounts cannot be differentiated from regular accounts.

Rule id: temp_passwords_immediate_change

Title: Policy Requires Immediate Change of Temporary Passwords
Description: This rule is not automated as temporary accounts cannot be differentiated from regular accounts.

Rule id: sudo_group_restricted

Title: Ensure sudo group has only necessary members
Description: This rule is not automated because sudo users are unique to the end-user’s environment.

Verify only authorized users are in the sudo group:

  $ grep sudo /etc/group

Rule id: ufw_only_required_services

Title: Only Allow Authorized Network Services in ufw
Description: This rule is not automated because the list of authorized network services is unique to the end-user’s environment.

Rule id: only_allow_dod_certs

Title: Only Allow DoD PKI-established CAs
Description: The rule is not automated. It requires that all certificates found in /etc/ssl/certs are approved by the AO.