Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Henry Coggill
on 24 June 2024

Meet DISA-STIG compliance requirements for Ubuntu 22.04 LTS with USG


DISA, the Defense Information Systems Agency, recently published their Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS in April 2024. We’re pleased to now release the Ubuntu Security Guide profile to enable customers to automatically harden and audit their Ubuntu 22.04 LTS systems for the STIG.

What is a STIG?

A STIG is a set of guidelines for how to configure an application or system in order to harden it. Hardening means reducing the system’s attack surface: removing unnecessary software packages, locking down default values to the tightest possible settings and configuring the system to run only what you explicitly require. System hardening guidelines also seek to lessen collateral damage in the event of a compromise.

The STIGs have been primarily developed for use within the US Department of Defense. However, because they are based on universally-recognised security principles, they can be used by anyone who wants a robust system hardening framework. As a result, STIGs are being more widely adopted across the US government and numerous industries, such as financial services and online gaming.

The Ubuntu Security Guide

There are over 300 individual rules within the Ubuntu STIG, and this makes it prohibitively time-consuming for anyone to implement it from scratch. We’ve made the Ubuntu Security Guide (USG) tool to automate both the hardening, or remediation, as well as the auditing aspects of the STIG, in order to really simplify and streamline the hardening process.

Available with Ubuntu Pro

USG is included with Ubuntu Pro, the enterprise-ready security and compliance subscription that sits on top of regular Ubuntu. You can enable and install USG with these commands:

$ sudo pro enable usg

$ sudo apt install usg 

The DISA-STIG profile is included in the latest version of USG: 22.04.7.

Auditing

To check the status of your system and see how it stacks up against the STIG, run USG in audit mode:

$ sudo usg audit disa_stig

Remediation

Then, to fix any issues that the audit highlighted and bring the system into compliance with the STIG, run USG in fix mode:

$ sudo usg fix disa_stig

Customisations required

Every IT deployment is different, and each system has its own purpose. As such, the STIG is a guide that provides a baseline set of general recommendations and best practices that can be broadly applied. It does mean that there will likely be some of the rules within the STIG profile that don’t align with your own mission and system setup. This is fine – the STIG is a guideline, and you can tailor it to your specific needs.

To generate a tailoring file for customisation, run:

$ sudo usg generate-tailoring disa_stig mytailoringfile.xml

Edit the tailoring file to select which rules to enable or customise, then use the tailoring file to audit or fix the system:

$ sudo usg audit --tailoring-file mytailoringfile.xml

Find detailed information in the “man page”

Several rules within the STIG profile need to be adjusted according to your individual setup. These include details of remote logging and auditing servers, Grub passwords, third-party security software and various other customisations. We’ve provided detailed help and information in the “man page”:

$ man usg-disa-stig

FIPS cryptography required

One of the requirements for STIG compliance is for the system to use NIST-validated cryptographic modules that have been FIPS 140 accredited. The Ubuntu 22.04 LTS crypto modules are currently still awaiting approval from NIST’s CMVP. The modules are available for customers to test and preview, and CMVP have commenced an Interim Validation scheme to try and certify FIPS 140-3 modules more quickly. The USG tool is not directly connected to the NIST certification process however, so please use judgement when deciding what level of NIST certification you require for these modules.

Conclusion

This release of the DISA-STIG profile for USG will enable customers to quickly deploy and harden Ubuntu 22.04 LTS (Jammy Jellyfish) to the STIG benchmark. As USG is included with Ubuntu Pro, you will need to get a Pro subscription. Pro also includes the FIPS crypto modules. If you’d like to learn more about USG or Ubuntu Pro, please contact us.

Additional Resources

Related posts


Marina Khachatryan
2 November 2023

Meet the Canonical Federal and DOD team at Alamo Ace 2023

DISA STIG Article

Find us at the booth #54 or join a special joint session on November 14th at 2:15 PM. ...


Henry Coggill
29 June 2023

Managing security vulnerabilities and compliance for U.S. Government with Ubuntu Pro

Hardening Article

Maintaining a compliant IT ecosystem is a major undertaking, as each regulation brings a host of specialized requirements. And dealing with the never-ending stream of security vulnerabilities that require patching only adds to this task. ...


Massimiliano Gori
22 April 2023

US Public Sector regulatory compliance with Ubuntu Pro and AWS GovCloud

Security Article

Ubuntu Pro is available for AWS GovCloud, where it combines comprehensive open-source security with the aforementioned AWS compliance features. ...