Henry Coggill
on 24 June 2024
DISA, the Defense Information Systems Agency, recently published their Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS in April 2024. We’re pleased to now release the Ubuntu Security Guide profile to enable customers to automatically harden and audit their Ubuntu 22.04 LTS systems for the STIG.
What is a STIG?
A STIG is a set of guidelines for how to configure an application or system in order to harden it. Hardening means reducing the system’s attack surface: removing unnecessary software packages, locking down default values to the tightest possible settings and configuring the system to run only what you explicitly require. System hardening guidelines also seek to lessen collateral damage in the event of a compromise.
The STIGs have been primarily developed for use within the US Department of Defense. However, because they are based on universally-recognised security principles, they can be used by anyone who wants a robust system hardening framework. As a result, STIGs are being more widely adopted across the US government and numerous industries, such as financial services and online gaming.
The Ubuntu Security Guide
There are over 300 individual rules within the Ubuntu STIG, and this makes it prohibitively time-consuming for anyone to implement it from scratch. We’ve made the Ubuntu Security Guide (USG) tool to automate both the hardening, or remediation, as well as the auditing aspects of the STIG, in order to really simplify and streamline the hardening process.
Available with Ubuntu Pro
USG is included with Ubuntu Pro, the enterprise-ready security and compliance subscription that sits on top of regular Ubuntu. You can enable and install USG with these commands:
$ sudo pro enable usg
$ sudo apt install usg
The DISA-STIG profile is included in the latest version of USG: 22.04.7.
Auditing
To check the status of your system and see how it stacks up against the STIG, run USG in audit mode:
$ sudo usg audit disa_stig
Remediation
Then, to fix any issues that the audit highlighted and bring the system into compliance with the STIG, run USG in fix mode:
$ sudo usg fix disa_stig
Customisations required
Every IT deployment is different, and each system has its own purpose. As such, the STIG is a guide that provides a baseline set of general recommendations and best practices that can be broadly applied. It does mean that there will likely be some of the rules within the STIG profile that don’t align with your own mission and system setup. This is fine – the STIG is a guideline, and you can tailor it to your specific needs.
To generate a tailoring file for customisation, run:
$ sudo usg generate-tailoring disa_stig mytailoringfile.xml
Edit the tailoring file to select which rules to enable or customise, then use the tailoring file to audit or fix the system:
$ sudo usg audit --tailoring-file mytailoringfile.xml
Find detailed information in the “man page”
Several rules within the STIG profile need to be adjusted according to your individual setup. These include details of remote logging and auditing servers, Grub passwords, third-party security software and various other customisations. We’ve provided detailed help and information in the “man page”:
$ man usg-disa-stig
FIPS cryptography required
One of the requirements for STIG compliance is for the system to use NIST-validated cryptographic modules that have been FIPS 140 accredited. The Ubuntu 22.04 LTS crypto modules are currently still awaiting approval from NIST’s CMVP. The modules are available for customers to test and preview, and CMVP have commenced an Interim Validation scheme to try and certify FIPS 140-3 modules more quickly. The USG tool is not directly connected to the NIST certification process however, so please use judgement when deciding what level of NIST certification you require for these modules.
Conclusion
This release of the DISA-STIG profile for USG will enable customers to quickly deploy and harden Ubuntu 22.04 LTS (Jammy Jellyfish) to the STIG benchmark. As USG is included with Ubuntu Pro, you will need to get a Pro subscription. Pro also includes the FIPS crypto modules. If you’d like to learn more about USG or Ubuntu Pro, please contact us.