STIG Profile Migration Guide
This guide details the modifications introduced between the STIG V2R3 and STIG V2R8 profiles for Ubuntu 22.04 USG. It is designed to assist administrators who have implemented earlier Ubuntu 22.04 STIG versions (ranging from V1R1 to V2R3) in evaluating the differences prior to transitioning to the latest profile.
Due to breaking changes, the USG STIG V2R8 profile is being distributed through a distinct release channel. Current environments will remain unchanged until an administrator proactively initiates the migration and chooses the updated profile.
Please note that existing tailoring files cannot be used with this version. If your current tailoring files were built using the stig, disa_stig, or stig-v2r3 profile IDs, you must generate new ones, assess the specific changes outlined in this document, and adjust settings to meet your organizational needs.
To generate a new tailoring file, first make sure USG itself is up to date (both apt and usg need root):

```shell
sudo apt update && sudo apt upgrade usg
usg --version    # should report 22.04.19 or later
```

Then run:

```shell
sudo usg generate-tailoring stig-v2r8 tailoring-v2r8.xml
```
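The generated file is where the per-rule decisions listed in the tables below end up: a `select` element per rule and a `set-value` element per variable. The script that follows is an added example, not part of USG or of the STIG content, showing how to apply those decisions with the Python standard library instead of hand-editing the XML. It deselects the SSSD rules for a site that does not run SSSD, sets the variables V2R8 now reads (var_network_filtering_service and var_timesync_service), and drops `select` entries that still reference rules removed in V2R8. The tailoring document embedded in it is constructed for the example; the XCCDF element names and the idref prefixes (xccdf_org.ssgproject.content_rule_ and xccdf_org.ssgproject.content_value_) are assumed to match what usg generate-tailoring emits, so compare them with your own file before relying on the script.

```python
"""Customise a usg generate-tailoring output for the stig-v2r8 migration.

Added example, not USG code. Assumes XCCDF 1.2 tailoring files with the
idref prefixes used by the ssg-ubuntu2204 datastream.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf-1.2", XCCDF_NS)  # keep the usg prefix on output
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
VALUE_PREFIX = "xccdf_org.ssgproject.content_value_"

# Rule IDs taken from this guide's tables.
SSSD_RULES = {
    "package_nss_sss_installed", "package_pam_sss_installed", "package_sssd_installed",
    "service_sssd_enabled", "sssd_certification_path_trust_anchor",
    "sssd_enable_pam_services", "sssd_enable_smartcards", "sssd_enable_user_cert",
}
REMOVED_IN_V2R8 = {"set_password_hashing_algorithm_systemauth", "sudo_require_authentication"}


def _q(tag):
    return f"{{{XCCDF_NS}}}{tag}"


def profile_state(tailoring_xml):
    """Return ({rule_id: selected}, {variable: value}) for the tailored Profile."""
    profile = ET.fromstring(tailoring_xml).find(_q("Profile"))
    if profile is None:
        raise ValueError("tailoring file has no Profile element")
    rules = {s.get("idref", "").removeprefix(RULE_PREFIX): s.get("selected") == "true"
             for s in profile.findall(_q("select"))}
    values = {v.get("idref", "").removeprefix(VALUE_PREFIX): (v.text or "").strip()
              for v in profile.findall(_q("set-value"))}
    return rules, values


def customise(tailoring_xml, deselect=(), values=None, removed_rules=()):
    """Deselect rules, set variables, drop stale idrefs. Returns (xml, report)."""
    root = ET.fromstring(tailoring_xml)
    profile = root.find(_q("Profile"))
    if profile is None:
        raise ValueError("tailoring file has no Profile element")
    report = {"deselected": [], "dropped": [], "values": [], "missing": []}
    found = set()
    for sel in list(profile.findall(_q("select"))):
        rule = sel.get("idref", "").removeprefix(RULE_PREFIX)
        found.add(rule)
        if rule in removed_rules:
            profile.remove(sel)  # the rule is gone from the datastream
            report["dropped"].append(rule)
        elif rule in deselect and sel.get("selected") == "true":
            sel.set("selected", "false")
            report["deselected"].append(rule)
    # Rules named for deselection but absent from the file: report, don't guess.
    report["missing"] = sorted(set(deselect) - found)
    existing = {v.get("idref"): v for v in profile.findall(_q("set-value"))}
    for var, value in (values or {}).items():
        node = existing.get(VALUE_PREFIX + var)
        if node is None:  # variable not yet tailored: add a set-value element
            node = ET.SubElement(profile, _q("set-value"), idref=VALUE_PREFIX + var)
        node.text = value
        report["values"].append(var)
    return ET.tostring(root, encoding="unicode"), report


# Constructed sample in the shape of a usg generate-tailoring output (a real
# file lists every rule of the profile; the benchmark href is a placeholder).
SAMPLE_TAILORING = f"""<xccdf-1.2:Tailoring xmlns:xccdf-1.2="{XCCDF_NS}" id="xccdf_org.ssgproject.content_tailoring_stig-v2r8">
  <xccdf-1.2:benchmark href="ssg-ubuntu2204-ds.xml"/>
  <xccdf-1.2:version time="2025-01-01T00:00:00">1</xccdf-1.2:version>
  <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig-v2r8_customized" extends="xccdf_org.ssgproject.content_profile_stig-v2r8">
    <xccdf-1.2:title>Customised STIG V2R8</xccdf-1.2:title>
    <xccdf-1.2:select idref="{RULE_PREFIX}package_sssd_installed" selected="true"/>
    <xccdf-1.2:select idref="{RULE_PREFIX}service_sssd_enabled" selected="true"/>
    <xccdf-1.2:select idref="{RULE_PREFIX}sssd_enable_smartcards" selected="true"/>
    <xccdf-1.2:select idref="{RULE_PREFIX}sudo_remove_nopasswd" selected="true"/>
    <xccdf-1.2:select idref="{RULE_PREFIX}set_password_hashing_algorithm_systemauth" selected="true"/>
    <xccdf-1.2:set-value idref="{VALUE_PREFIX}remote_login_banner_text">Authorised use only.</xccdf-1.2:set-value>
    <xccdf-1.2:set-value idref="{VALUE_PREFIX}var_timesync_service">systemd-timesyncd</xccdf-1.2:set-value>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>
"""

if __name__ == "__main__":
    # Usage: python3 tailor.py tailoring-v2r8.xml > tailoring-v2r8-site.xml
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TAILORING
    new_xml, report = customise(
        src,
        deselect=SSSD_RULES,  # hypothetical site without SSSD or PKI logon
        values={"var_network_filtering_service": "ufw", "var_timesync_service": "chrony"},
        removed_rules=REMOVED_IN_V2R8,
    )
    print(new_xml)
    print(report, file=sys.stderr)
```

Run the result through `usg audit --tailoring-file tailoring-v2r8-site.xml` before any `usg fix`; the report on stderr lists rules that were named for deselection but not found in the file, so a mistyped rule ID does not silently stay selected.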
Rule changes
A total of 209 rules are affected by this update:
- 18 additions: Entirely new rules introduced.
- 2 removals: Rules that have been phased out.
- 27 significant modifications: Changes that alter enforcement logic and necessitate manual review.
- 162 minor updates: Low-impact refinements, such as improved applicability checks or formatting, which do not require administrative action.
1. New Rules (18)
These rules did not exist in the previous datastream. Unless tailored out, they are evaluated on the next usg audit and, where a remediation exists, applied on the next usg fix.
| STIG ID | Rule ID | Title | Action / Notes |
|---|---|---|---|
| UBTU-22-611055 | accounts_password_pam_unix_rounds_password_auth | Set number of Password Hashing Rounds – password-auth | Configures SHA rounds via pam-configs. Review the var_password_pam_unix_rounds variable value. |
| UBTU-22-654041 | audit_rules_etc_cron_d | Ensure auditd Collects Changes to Cron Jobs – /etc/cron.d | New audit watch on /etc/cron.d (key: cronjobs). Check for overlap with existing cron audit rules. |
| UBTU-22-654041 | audit_rules_var_spool_cron | Ensure auditd Collects Changes to Cron Jobs – /var/spool/cron | Companion watch on /var/spool/cron (key: cronjobs). |
| UBTU-22-211000 | installed_OS_is_vendor_supported | The Installed Operating System Is Vendor Supported | Check-only – no automated remediation. Systems on unsupported releases will fail. |
| UBTU-22-215040 | package_nfs-common_removed | Uninstall nfs-common Package | Removes the NFS client package. Tailor out if NFS client mounts are required. |
| UBTU-22-215040 | package_nfs-kernel-server_removed | Uninstall nfs-kernel-server Package | Removes the NFS server package. Tailor out if the system exports NFS shares. |
| UBTU-22-254010 | package_nss_sss_installed | Install nss-sss Package | Installs libnss-sss for NSS lookups via SSSD. Tailor out if SSSD is not used. |
| UBTU-22-254010 | package_pam_sss_installed | Install pam-sss Package | Installs libpam-sss for PAM via SSSD. Tailor out if SSSD is not used. |
| UBTU-22-254010 | package_sssd_installed | Install the SSSD Package | Installs sssd (only if sssd-common is present). Tailor out if SSSD is not used. |
| UBTU-22-254015 | service_sssd_enabled | Enable the SSSD Service | Unmasks, starts, and enables sssd.service. Tailor out if SSSD is not part of your authentication architecture. |
| UBTU-22-611055 | set_password_hashing_algorithm_auth_stig | Set Password Hashing Algorithm for PAM | Replaces the removed set_password_hashing_algorithm_systemauth. Uses pam-configs to configure sha512 on pam_unix.so. Verify compatibility if you previously relied on direct common-password edits. |
| UBTU-22-254020 | sssd_certification_path_trust_anchor | Certificate trust path in SSSD | Sets ca_cert and certificate_verification in sssd.conf. Adjust the CA path if needed; tailor out if SSSD is not used. |
| UBTU-22-254020 | sssd_enable_pam_services | Configure PAM in SSSD Services | Adds pam to the services line in [sssd]. Required for SSSD-based PAM authentication. |
| UBTU-22-254020 | sssd_enable_smartcards | Enable Smartcards in SSSD | Sets pam_cert_auth=True in SSSD. Tailor out if smartcard/PKI authentication is not used, to avoid authentication disruption. |
| UBTU-22-254030 | sssd_enable_user_cert | Enable Certificates Mapping in SSSD | Validates PKI-based identity mapping in SSSD. Tailor out if PKI is not deployed. |
| UBTU-22-432010 | sudo_remove_no_authenticate | Ensure Users Re-Authenticate for Privilege Escalation – sudo !authenticate | Replaces part of the removed sudo_require_authentication. Comments out !authenticate directives in sudoers. Review for intentional !authenticate entries before applying. |
| UBTU-22-432011 | sudo_remove_nopasswd | Ensure Users Re-Authenticate for Privilege Escalation – sudo NOPASSWD | Replaces part of the removed sudo_require_authentication. Comments out NOPASSWD entries. Review for intentional NOPASSWD entries before applying. |
| UBTU-22-654224 | sudo_restrict_privilege_elevation_to_authorized | Restrict privilege elevation to authorised personnel | Check-only – no automated remediation. Checks for 'ALL' in sudoers. |
2. Removed Rules (2)
These rules are no longer in the datastream. Remove any references to them from tailoring files.
| STIG ID | Rule ID | Title | Replaced By |
|---|---|---|---|
| UBTU-22-611055 | set_password_hashing_algorithm_systemauth | Set PAM Password Hashing Algorithm – system-auth | set_password_hashing_algorithm_auth_stig (new, pam-configs method) |
| UBTU-22-432010 | sudo_require_authentication | Ensure Users Re-Authenticate for Privilege Escalation – sudo | Split into sudo_remove_no_authenticate + sudo_remove_nopasswd |
3. Modified Rules – Action Required (27)
These modifications change enforcement behaviour, remediation logic, variable names, or audit rule identifiers in ways that may require administrator intervention.
| STIG ID | Rule ID | Title | What Changed |
|---|---|---|---|
| UBTU-22-411045 | accounts_passwords_pam_faillock_audit | Account Lockouts Must Be Logged | Major rewrite. Switched from direct PAM line insertion to pam-configs (cac_faillock, cac_faillock_notify) with pam-auth-update. Custom direct PAM faillock edits must be migrated. |
| UBTU-22-411045 | accounts_passwords_pam_faillock_silent | Do Not Show System Messages When Unsuccessful Logon Attempts Occur | Same major rewrite as faillock_audit. The silent option is now written to faillock.conf instead of being appended to PAM lines. Ensure no conflicting direct PAM faillock configurations exist. |
| UBTU-22-654205 | audit_rules_session_events_utmp | Record Attempts to Alter Process and Session Initiation Information utmp | Audit watch path changed. Existing rules referencing the old path will not be matched, potentially creating duplicates. Verify and clean up stale entries. |
| UBTU-22-654190 | audit_rules_var_log_journal | Ensure auditd Collects records for /var/log/journal | Audit key changed from audit_rules_var_log_journal to systemd_journal; rules file renamed accordingly. |
| UBTU-22-654235 | audit_sudo_log_events | Record Attempts to perform maintenance activities | Audit key changed from logins to maintenance; rules file renamed from logins.rules to maintenance.rules. |
| UBTU-22-255020 | banner_etc_issue_net | Modify the System Login Banner for Remote Connections | Variable renamed from login_banner_text to remote_login_banner_text. Update tailoring files that set the old name. |
| UBTU-22-214015 | clean_components_post_updating | Ensure apt_get Removes Previous Package Versions | Complete rewrite. Now unconditionally comments out existing Unattended-Upgrade::Remove-Unused-Dependencies and Remove-Unused-Kernel-Packages lines, then appends fresh values to 50unattended-upgrades. Repeated runs may create duplicate entries. Review 50unattended-upgrades after remediation. |
| UBTU-22-232055 | file_groupownership_system_commands_dirs | Verify system commands are group owned by root or a system account | Enforcement relaxed: only corrects files with GID >= 1000. Files owned by system groups (e.g. bin, daemon) are now left unchanged. |
| UBTU-22-232110 | file_ownership_audit_binaries | Verify audit tools are owned by root | Binary list changed: audispd removed; augenrules, audisp-syslog, audisp-remote, audispd-zos-remote added. |
| UBTU-22-232050 | file_ownership_binary_dirs | Verify System Executables Have Root Ownership | New shell remediation (previously had none). Runs find + chown root on files with UID >= 1000 across system bin/sbin directories. Enabling this rule will now actively remediate. |
| UBTU-22-232070 | file_ownership_library_dirs | Verify Shared Library Files Have Root Ownership | Regex narrowed from all files to *.so* only. Non-library files in lib/lib64 are no longer corrected. |
| UBTU-22-232035 | file_permissions_audit_binaries | Verify audit tools Have Mode 0755 or less | Same binary list change as file_ownership_audit_binaries. Verify the listed binaries match your deployment. |
| UBTU-22-653065 | file_permissions_etc_audit_rulesd | Verify Permissions on /etc/audit/rules.d/*.rules | Permission mask broadened: now also strips group-read (0640 to 0600). Verify no processes depend on group-read access to audit rule files. |
| UBTU-22-232020 | file_permissions_library_dirs | Verify Shared Library Files Have Restrictive Permissions | Regex narrowed to *.so* only. Non-shared-library files are no longer checked. |
| UBTU-22-291010 | kernel_module_usb-storage_disabled | Disable Modprobe Loading of USB Storage Driver | Module install redirect changed from true (exit 0) to false (exit 1). modprobe usb-storage will now return a non-zero exit code. Applications or scripts checking the exit code may behave differently. |
| UBTU-22-611060 | no_empty_passwords | Prevent Login to Accounts With Empty Password | Complete rewrite. Old: sed on common-password. New: uses the pam-auth-update framework via a cac_unix pam-config with elevated priority. Validate the PAM configuration thoroughly after applying. |
| UBTU-22-215015 | package_chrony_installed | The Chrony package is installed | Now uses the var_timesync_service variable to conditionally install. Set this variable in tailoring to ensure the intended package is installed. |
| UBTU-22-215020 | package_timesyncd_removed | Remove the systemd_timesyncd Service | Now conditional on var_timesync_service. Removal only proceeds if the selected service is not systemd-timesyncd. |
| UBTU-22-251010 | package_ufw_installed | Install ufw Package | Now uses the var_network_filtering_service variable. Set it in tailoring to ensure the correct firewall is installed. |
| UBTU-22-232075 | root_permissions_syslibrary_files | Verify system-wide library files are group-owned by root | Regex narrowed to *.so* only. Non-library files are no longer corrected. |
| UBTU-22-251020 | service_ufw_enabled | Verify ufw Enabled | Now driven by the var_network_filtering_service variable. Set it to ufw in tailoring to keep the previous behaviour. |
| UBTU-22-612020 | smartcard_pam_enabled | Enable Smart Card Logins in PAM | New shell remediation. Creates /usr/share/pam-configs/cac_pkcs11 and runs pam-auth-update, adding pam_pkcs11.so to PAM auth. Deselect this rule if smartcard authentication is not used. |
| UBTU-22-255050 | sshd_use_approved_ciphers_ordered_stig | Use Only FIPS 140-2 Validated Ciphers | Cipher list now hardcoded: aes256-ctr,aes256-gcm@openssh.com,aes128-ctr,aes128-gcm@openssh.com. Config file management rewritten; the file is set to mode 0600. Verify the cipher list matches your requirements. |
| UBTU-22-255055 | sshd_use_approved_macs_ordered_stig | Use Only FIPS 140-2 Validated MACs | MAC list now hardcoded: hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com. Same config management changes as for ciphers. |
| UBTU-22-213010 | sysctl_kernel_dmesg_restrict | Restrict Access to Kernel Message Buffer | Sysctl conflict-resolution search path changed from /usr/lib/sysctl.d/*.conf to /etc/sysctl.conf. Conflicting settings in sysctl.d are no longer commented out. Verify no conflicts remain in the paths the rule no longer searches. |
| UBTU-22-213020 | sysctl_kernel_randomize_va_space | Enable Randomised Layout of Virtual Address Space | Same sysctl search-path scope change as kernel.dmesg_restrict. |
| UBTU-22-253010 | sysctl_net_ipv4_tcp_syncookies | Enable TCP Syncookies | Same sysctl search-path scope change. A SYSCONFIG_FILE variable was also introduced. |