Meet DISA-STIG compliance requirements for Ubuntu 22.04 LTS with USG

DISA, the Defense Information Systems Agency, recently published their Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS in April 2024. We’re pleased to now release the Ubuntu Security Guide profile to enable customers to automatically harden and audit their Ubuntu 22.04 LTS systems for the STIG.

What is a STIG?

A STIG is a set of guidelines for how to configure an application or system in order to harden it. Hardening means reducing the system’s attack surface: removing unnecessary software packages, locking down default values to the tightest possible settings and configuring the system to run only what you explicitly require. System hardening guidelines also seek to lessen collateral damage in the event of a compromise.

The STIGs have been primarily developed for use within the US Department of Defense. However, because they are based on universally-recognised security principles, they can be used by anyone who wants a robust system hardening framework. As a result, STIGs are being more widely adopted across the US government and numerous industries, such as financial services and online gaming.

The Ubuntu Security Guide

There are over 300 individual rules within the Ubuntu STIG, which makes implementing it from scratch prohibitively time-consuming. We’ve made the Ubuntu Security Guide (USG) tool to automate both the hardening (remediation) and the auditing aspects of the STIG, to simplify and streamline the hardening process.

Available with Ubuntu Pro

USG is included with Ubuntu Pro, the enterprise-ready security and compliance subscription that sits on top of regular Ubuntu. You can enable and install USG with these commands:

$ sudo pro enable usg

$ sudo apt install usg 

The DISA-STIG profile is included in the latest version of USG: 22.04.7.

Auditing

To check the status of your system and see how it stacks up against the STIG, run USG in audit mode:

$ sudo usg audit disa_stig

Remediation

Then, to fix any issues that the audit highlighted and bring the system into compliance with the STIG, run USG in fix mode:

$ sudo usg fix disa_stig

Customisations required

Every IT deployment is different, and each system has its own purpose. As such, the STIG is a guide that provides a baseline set of general recommendations and best practices that can be broadly applied. This means that some of the rules within the STIG profile will likely not align with your own mission and system setup. This is fine – the STIG is a guideline, and you can tailor it to your specific needs.

To generate a tailoring file for customisation, run:

$ sudo usg generate-tailoring disa_stig mytailoringfile.xml

Edit the tailoring file to select which rules to enable or customise, then use the tailoring file to audit or fix the system:

$ sudo usg audit --tailoring-file mytailoringfile.xml

Find detailed information in the “man page”

Several rules within the STIG profile need to be adjusted according to your individual setup. These include details of remote logging and auditing servers, Grub passwords, third-party security software and various other customisations. We’ve provided detailed help and information in the “man page”:

$ man usg-disa-stig
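The tailoring file generated above is an XCCDF 1.2 document, and the site-specific adjustments the man page covers (a remote logging server, for example) are made by editing it. As an added example that is not part of the original post or of the USG tool, the script below deselects rules and overrides variable values in such a file; the element layout is the standard XCCDF tailoring structure, while the profile, rule and variable ids and the sample file are constructed for illustration.

```python
"""Toggle rules and override values in a USG tailoring file (XCCDF 1.2). Added
example, not USG's own code: layout as `usg generate-tailoring` emits it, ids made up."""
import xml.etree.ElementTree as ET

NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf-1.2", NS)

# Constructed sample with the shape of a generated tailoring file (all ids are made up).
SAMPLE_TAILORING = f"""<xccdf-1.2:Tailoring xmlns:xccdf-1.2="{NS}" id="xccdf_example_tailoring">
  <xccdf-1.2:Profile id="disa_stig_customized" extends="xccdf_example_profile_disa_stig">
    <xccdf-1.2:title>DISA STIG, site tailoring</xccdf-1.2:title>
    <xccdf-1.2:select idref="xccdf_example_rule_grub_password" selected="true"/>
    <xccdf-1.2:select idref="xccdf_example_rule_remote_logging" selected="true"/>
    <xccdf-1.2:set-value idref="xccdf_example_var_log_server">logs.example.invalid</xccdf-1.2:set-value>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>"""

def _profile(xml_text):
    """Parse the tailoring file and return (root, Profile element)."""
    root = ET.fromstring(xml_text)
    prof = root.find(f"{{{NS}}}Profile")
    if prof is None:
        raise ValueError("tailoring file has no Profile element")
    return root, prof

def _upsert(prof, tag, idref):
    """Return the <tag> child carrying this idref, appending one if it is missing."""
    for el in prof.findall(f"{{{NS}}}{tag}"):
        if el.get("idref") == idref:
            return el
    return ET.SubElement(prof, f"{{{NS}}}{tag}", idref=idref)

def tailor(xml_text, disable=(), values=None):
    """Deselect rules and override values; return the new tailoring XML as text."""
    root, prof = _profile(xml_text)
    for rule in disable:  # the rule stays in the STIG, it is just not audited or fixed here
        _upsert(prof, "select", rule).set("selected", "false")
    for var, value in (values or {}).items():  # e.g. the site's remote logging server
        _upsert(prof, "set-value", var).text = value
    return ET.tostring(root, encoding="unicode")

def selected_rules(xml_text):
    """{rule_id: bool}, as USG reads the profile's <select> entries."""
    return {s.get("idref"): s.get("selected") == "true" for s in _profile(xml_text)[1].findall(f"{{{NS}}}select")}

def variable_values(xml_text):
    """{variable_id: value} from the profile's <set-value> overrides."""
    return {v.get("idref"): v.text or "" for v in _profile(xml_text)[1].findall(f"{{{NS}}}set-value")}
```

Write the returned text back to the tailoring file and pass it to `usg audit --tailoring-file` as shown above; a deselected rule is skipped rather than removed from the benchmark, so it can be re-enabled later.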

FIPS cryptography required

One of the requirements for STIG compliance is for the system to use NIST-validated cryptographic modules that have been FIPS 140 accredited. The Ubuntu 22.04 LTS crypto modules are currently still awaiting approval from NIST’s CMVP. The modules are available for customers to test and preview, and CMVP have commenced an Interim Validation scheme to certify FIPS 140-3 modules more quickly. The USG tool is not, however, directly connected to the NIST certification process, so please use judgement when deciding what level of NIST certification you require for these modules.

Conclusion

This release of the DISA-STIG profile for USG will enable customers to quickly deploy and harden Ubuntu 22.04 LTS (Jammy Jellyfish) to the STIG benchmark. As USG is included with Ubuntu Pro, you will need to get a Pro subscription. Pro also includes the FIPS crypto modules. If you’d like to learn more about USG or Ubuntu Pro, please contact us.
