
Meet DISA-STIG compliance requirements for Ubuntu 22.04 LTS with USG


DISA, the Defense Information Systems Agency, published its Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS in April 2024. We’re pleased to now release the Ubuntu Security Guide profile that lets customers automatically harden and audit their Ubuntu 22.04 LTS systems against the STIG.

What is a STIG?

A STIG is a set of guidelines for how to configure an application or system in order to harden it. Hardening means reducing the system’s attack surface: removing unnecessary software packages, locking down default values to the tightest possible settings and configuring the system to run only what you explicitly require. System hardening guidelines also seek to lessen collateral damage in the event of a compromise.

The STIGs have been primarily developed for use within the US Department of Defense. However, because they are based on universally-recognised security principles, they can be used by anyone who wants a robust system hardening framework. As a result, STIGs are being more widely adopted across the US government and numerous industries, such as financial services and online gaming.

The Ubuntu Security Guide

There are over 300 individual rules within the Ubuntu STIG, which makes it prohibitively time-consuming for anyone to implement from scratch. We’ve made the Ubuntu Security Guide (USG) tool to automate both the hardening (remediation) and the auditing aspects of the STIG, which greatly simplifies and streamlines the hardening process.

Available with Ubuntu Pro

USG is included with Ubuntu Pro, the enterprise-ready security and compliance subscription that sits on top of regular Ubuntu. You can enable and install USG with these commands:

$ sudo pro enable usg

$ sudo apt install usg 

The DISA-STIG profile is included in the latest version of USG: 22.04.7.

Auditing

To check the status of your system and see how it stacks up against the STIG, run USG in audit mode:

$ sudo usg audit disa_stig

Remediation

Then, to fix any issues that the audit highlighted and bring the system into compliance with the STIG, run USG in fix mode:


$ sudo usg fix disa_stig

Customisations required

Every IT deployment is different, and each system has its own purpose. As such, the STIG is a guide that provides a baseline set of general recommendations and best practices that can be broadly applied. This means some rules in the STIG profile will likely not align with your own mission and system setup. That is fine: the STIG is a guideline, and you can tailor it to your specific needs.

To generate a tailoring file for customisation, run:

$ sudo usg generate-tailoring disa_stig mytailoringfile.xml

Edit the tailoring file to select which rules to enable, disable or customise, then pass it to USG when auditing or fixing the system:

$ sudo usg audit --tailoring-file mytailoringfile.xml
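The whole workflow above (enable, install, audit, fix, generate a tailoring file, edit it, audit and fix with it), collected into a small shell script as an added example. This is not Canonical's code or part of USG. It assumes the tailoring file is XCCDF XML containing lines of the form `<... idref="RULE_ID" selected="true"/>`, which is the shape USG tailoring files use; check the file that `usg generate-tailoring` produces on your own system before relying on the helpers. The rule ids and the sample tailoring fragment below are constructed placeholders, not rules from the real profile.

```shell
#!/bin/sh
# Added example (not Canonical's or USG's own code). Wraps the USG commands from
# the post and adds helpers that enable/disable single rules in a tailoring file.
# Assumption: rule selections appear as lines containing
#   idref="RULE_ID" selected="true"   (or "false")
# The namespace prefix on the element (xccdf:, xccdf-1.2:, ...) is not relied on.
set -eu

# Steps 1-4 of the post: enable USG via Ubuntu Pro, install it, audit, then fix.
# Changes the system, so it is only run when called explicitly.
stig_harden() {
    sudo pro enable usg
    sudo apt install -y usg
    sudo usg audit disa_stig
    sudo usg fix disa_stig
}

# Step 5: generate a tailoring file to customise (path is the caller's choice).
stig_generate_tailoring() {
    sudo usg generate-tailoring disa_stig "$1"
}

# Steps 6-7: audit, then remediate, using the edited tailoring file.
stig_tailored() {
    sudo usg audit --tailoring-file "$1"
    sudo usg fix --tailoring-file "$1"
}

# Write a CONSTRUCTED tailoring fragment to $1 so the helpers can be tried
# offline. It is not the output of `usg generate-tailoring`; the rule ids are
# placeholders (EXAMPLE_...).
make_sample_tailoring() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_disa_stig">
  <xccdf:Profile id="xccdf_example_profile_disa_stig_customized" extends="xccdf_org.ssgproject.content_profile_stig">
    <xccdf:title>DISA STIG (customised, constructed example)</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_EXAMPLE_grub_password" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_EXAMPLE_remote_logging" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_EXAMPLE_third_party_av" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
EOF
}

# Print "true" or "false" for one rule's selected attribute; fail if the rule
# is not present in the file.
rule_selected() {
    file=$1; rule=$2
    sed -n "s/.*idref=\"$rule\" selected=\"\([a-z]*\)\".*/\1/p" "$file" | grep .
}

# Switch one rule on ("true") or off ("false"), editing only that rule's line.
# Refuses unknown states and rules that are not in the file, so a typo in a
# rule id cannot silently leave the profile unchanged.
set_rule() {
    file=$1; rule=$2; state=$3
    case $state in
        true|false) ;;
        *) echo "state must be true or false" >&2; return 2 ;;
    esac
    grep -q "idref=\"$rule\"" "$file" || { echo "rule $rule not in $file" >&2; return 1; }
    sed -i "s/\(idref=\"$rule\" selected=\"\)[a-z]*\"/\1$state\"/" "$file"
}

# Number of rules the tailoring file leaves enabled (useful as a sanity check
# before running `usg fix` with it).
count_enabled() {
    grep -c 'selected="true"' "$1" || true
}
```

Typical use on a real system is `stig_generate_tailoring mytailoringfile.xml`, then `set_rule mytailoringfile.xml <rule id> false` for each rule that does not fit the deployment (for example a rule that expects a specific third-party product you do not run), then `stig_tailored mytailoringfile.xml`. Keep the edited tailoring file under version control: it is the record of which STIG rules were deliberately waived and why.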

Find detailed information in the “man page”

Several rules within the STIG profile need to be adjusted according to your individual setup. These include details of remote logging and auditing servers, Grub passwords, third-party security software and various other customisations. We’ve provided detailed help and information in the “man page”:

$ man usg-disa-stig

FIPS cryptography required

One of the requirements for STIG compliance is that the system use NIST-validated cryptographic modules accredited under FIPS 140. The Ubuntu 22.04 LTS crypto modules are currently still awaiting approval from NIST’s CMVP. The modules are available for customers to test and preview, and CMVP has begun an Interim Validation scheme to certify FIPS 140-3 modules more quickly. The USG tool is not directly connected to the NIST certification process, however, so use judgement when deciding what level of NIST certification you require for these modules.

Conclusion

This release of the DISA-STIG profile for USG will enable customers to quickly deploy and harden Ubuntu 22.04 LTS (Jammy Jellyfish) to the STIG benchmark. As USG is included with Ubuntu Pro, you will need to get a Pro subscription. Pro also includes the FIPS crypto modules. If you’d like to learn more about USG or Ubuntu Pro, please contact us.
