DISA-STIG on Ubuntu 22.04

Security Technical Implementation Guides (STIGs) are developed by the Defense Information Systems Agency (DISA) for the U.S. Department of Defense (DoD). Ubuntu 22.04 (Jammy Jellyfish) has been evaluated by DISA, which has published the first version of its STIG, and we have incorporated that STIG into the Ubuntu Security Guide (USG).

The Ubuntu Security Guide is a tool available with an Ubuntu Pro subscription. Pro sits on top of regular Ubuntu and provides extra security and compliance features; it is free for personal use on up to five machines. USG simplifies bringing a system into compliance with standards such as DISA-STIG, and it can also audit a system and report its current compliance status.

Installation

These are the steps to install USG on Ubuntu 22.04 and audit the system for DISA-STIG compliance. The DISA-STIG profile is available in usg package version 22.04.7 and higher.

Update the system

sudo apt update && sudo apt -y upgrade

Attach a Pro token (if not already attached)

Sign up for a free Ubuntu Pro token on the Ubuntu Pro website, then attach it:

sudo pro attach <token>

Enable and install USG

Enable the USG service, install the package, and confirm that the installed usg version is 22.04.7 or higher:

sudo pro enable usg
sudo apt install usg
dpkg -s usg

Read the man pages

man usg-disa-stig

Create a tailoring file

sudo usg generate-tailoring disa_stig stig_custom.xml

Edit the tailoring file

The tailoring file lists every rule within the STIG profile and provides some level of customisation: you can enable or disable a specific rule by setting selected="true" or selected="false" on its entry. Rules you deselect are neither remediated by usg fix nor checked by usg audit, so record why each deviation from the STIG is acceptable for your environment.
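As an added example (not part of the original page or of USG itself), the following shell functions toggle a rule's selected attribute in a tailoring file, refuse to touch a rule ID that is not present, and report how many rules remain enabled. The sample tailoring file is constructed here to mirror the XCCDF 1.2 Tailoring layout that usg generate-tailoring writes; the tailoring and profile IDs and the rule IDs (..._rule_example_a/b/c) are placeholders, and the attribute order idref-then-selected is assumed.

```bash
#!/usr/bin/env bash
# Added example: edit rule selection in a USG tailoring file from the shell.
# Not part of USG or the original page. The sample file below is constructed
# to mirror the XCCDF 1.2 Tailoring layout that "usg generate-tailoring" writes;
# the tailoring/profile IDs and the rule IDs (*_rule_example_*) are placeholders.
set -eu

# Write a small constructed tailoring file to $1 (assumed layout, see above).
make_sample_tailoring() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.ubuntu.jammy.usg_tailoring_custom">
  <xccdf-1.2:Profile id="xccdf_com.ubuntu.jammy.usg_profile_disa_stig_customized" extends="xccdf_org.ssgproject.content_profile_stig">
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_example_a" selected="true"/>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_example_b" selected="true"/>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_example_c" selected="false"/>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>
EOF
}

# Print the current selected="..." value of one rule.
# Usage: rule_selection FILE RULE_ID
rule_selection() {
    sed -n -E "s#.*select idref=\"$2\" selected=\"(true|false)\".*#\1#p" "$1"
}

# Set selected="true" or selected="false" on one rule.
# Usage: set_rule_selection FILE RULE_ID true|false
# Assumes the attribute order idref then selected, as in generated files.
set_rule_selection() {
    file="$1"; rule="$2"; value="$3"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false, got '$value'" >&2; return 2 ;;
    esac
    # Fail loudly on an unknown rule ID: a typo would otherwise be silently
    # ignored and the STIG rule would stay enabled.
    if ! grep -q "idref=\"$rule\"" "$file"; then
        echo "rule $rule not found in $file" >&2
        return 1
    fi
    sed -E "s#(select idref=\"$rule\" selected=\")(true|false)#\1$value#" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Count how many rules the tailoring file currently enables.
# Usage: count_selected FILE
count_selected() {
    grep -c 'selected="true"' "$1" || true
}

demo() {
    dir="$(mktemp -d)"
    f="$dir/stig_custom.xml"
    make_sample_tailoring "$f"
    echo "enabled rules before: $(count_selected "$f")"
    set_rule_selection "$f" xccdf_org.ssgproject.content_rule_example_b false
    echo "example_b is now: $(rule_selection "$f" xccdf_org.ssgproject.content_rule_example_b)"
    echo "enabled rules after: $(count_selected "$f")"
    rm -rf "$dir"
}
demo
```

Run it against a real file with set_rule_selection stig_custom.xml <rule id> false, then diff the result against the generated original before passing it to usg fix, so every deviation is visible in review.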

Install FIPS modules

One of the STIG requirements is to use NIST-validated cryptographic modules. Canonical provides these as part of Ubuntu Pro, but validation is handled by the Cryptographic Module Validation Program (CMVP), a government programme independent of both Canonical and DISA, and the process is time-consuming. You therefore need to check the current validity of the Ubuntu cryptographic module certificates yourself. As of June 2024, the Ubuntu 22.04 modules are still awaiting NIST validation; we make them available for preview and testing, and you need to perform your own risk assessment of whether or not to use these not-yet-certified modules.

We strongly recommend that everyone use the FIPS modules with security updates, available through the fips-updates option of the Pro client. The strict preview modules do not receive any security updates once they have been submitted to NIST for certification, so they may contain known security vulnerabilities.

sudo pro enable fips-updates

Installing FIPS modules involves loading a new kernel, so the system will have to be rebooted afterwards.

Fix the system

Now you can use the customised tailoring file to apply the STIG remediations. The remediations change kernel boot parameters, authentication, SSH and auditing settings, so test them on a non-production system first and reboot afterwards so that the kernel-related changes take effect:

sudo usg fix --tailoring-file stig_custom.xml

Run an audit

To check the compliance status of the system, again use the tailoring file with USG in audit mode:

sudo usg audit --tailoring-file stig_custom.xml

The output files, both XML and HTML, are written to /var/lib/usg. They are owned by the root user for security reasons, so copy the HTML report out with sudo before opening it in a web browser.
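As an added example (not part of USG or the original page), the following shell functions summarise the XML results file: they count results by outcome, list the failing rules with the most severe first, and return a non-zero status when anything failed, so the audit can gate a deployment pipeline. The sample results file is constructed to mirror the XCCDF rule-result/result layout; that layout, the file name and the rule IDs (..._rule_example_a/b/c/d) are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: summarise a usg audit results file from the shell.
# Not part of USG or the original page. The sample below is constructed to
# mirror the XCCDF results layout (rule-result/result elements) of the XML
# file written to /var/lib/usg; the element layout, file name and the rule
# IDs (*_rule_example_*) are assumptions for illustration.
set -eu

# Write a small constructed results file to $1 (assumed layout, see above).
make_sample_results() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04">
  <TestResult id="xccdf_org.open-scap_testresult_example" start-time="2024-06-01T12:00:00" end-time="2024-06-01T12:01:00">
    <profile idref="xccdf_com.ubuntu.jammy.usg_profile_disa_stig_customized"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="high" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="medium" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="medium" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_d" severity="low" weight="1.000000">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
EOF
}

# Print one line per evaluated rule: "<result> <severity> <rule id>".
# Handles both prefixed (<xccdf:rule-result>) and unprefixed element names.
list_rule_results() {
    awk '
        /<([A-Za-z0-9._-]+:)?rule-result[ >]/ {
            id = $0; sub(/.*idref="/, "", id); sub(/".*/, "", id)
            sev = "unknown"
            if ($0 ~ /severity="/) { sev = $0; sub(/.*severity="/, "", sev); sub(/".*/, "", sev) }
        }
        id != "" && /<([A-Za-z0-9._-]+:)?result>/ {
            r = $0; sub(/.*<([A-Za-z0-9._-]+:)?result>/, "", r); sub(/<.*/, "", r)
            print r, sev, id
            id = ""
        }
    ' "$1"
}

# Count rule results of one kind (pass, fail, notapplicable, notselected, error ...).
# Usage: count_results FILE KIND
count_results() {
    list_rule_results "$1" | awk -v kind="$2" '$1 == kind { n++ } END { print n + 0 }'
}

# List failing rules, most severe first, as "<severity> <rule id>".
failing_rules() {
    list_rule_results "$1" | awk '
        $1 == "fail" {
            rank = 3
            if ($2 == "high") rank = 0; else if ($2 == "medium") rank = 1; else if ($2 == "low") rank = 2
            print rank, $2, $3
        }' | sort -n | cut -d" " -f2-
}

# Return 0 when no rule failed, 1 otherwise: usable as a gate in a pipeline.
audit_passed() {
    [ "$(count_results "$1" fail)" -eq 0 ]
}

demo() {
    dir="$(mktemp -d)"
    f="$dir/usg-results-example.xml"
    make_sample_results "$f"
    echo "pass: $(count_results "$f" pass)  fail: $(count_results "$f" fail)"
    echo "failing rules, most severe first:"
    failing_rules "$f"
    if audit_passed "$f"; then echo "audit passed"; else echo "audit FAILED"; fi
    rm -rf "$dir"
}
demo
```

On a real system point the functions at the newest XML file in /var/lib/usg (read it with sudo, since the files are root-owned); a rule that reports fail after usg fix is either one the remediation cannot fix automatically or one whose manual check still needs to be addressed, so the failing_rules list is the natural work queue after an audit.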