DISA-STIG on Ubuntu 22.04

Security Technical Implementation Guides (STIG) are developed by the Defense Information System Agency (DISA) for the U.S. Department of Defense (DoD). Ubuntu 22.04 (Jammy Jellyfish) has undergone evaluation by DISA; they have published the first version of the STIG, and we have incorporated it into the Ubuntu Security Guide (USG).

The Ubuntu Security Guide is a tool that is available with an Ubuntu Pro subscription - Pro is a subscription that sits on top of regular Ubuntu and provides extra security and compliance features; Pro is free for personal use on up to five machines. USG simplifies the process of bringing a system into compliance with standards such as DISA-STIG, and also allows you to run an audit to check the status of your system’s compliance.


These are the steps to install USG on Ubuntu 22.04 and audit the system for DISA-STIG compliance, which is available with usg package version 22.04.7 and higher:

Update the system

sudo apt update && sudo apt -y upgrade

Attach a Pro token (if not already attached)

Sign up for a free Ubuntu Pro token here.

sudo pro attach <token>

Enable and install USG

Check that the usg package is version 22.04.7 or higher:

sudo pro enable usg
sudo apt install usg
dpkg -s usg

Read the man pages

man usg-disa-stig

Create a tailoring file

sudo usg generate-tailoring disa_stig stig_custom.xml

Edit the tailoring file

The tailoring file lists all the rules within the STIG profile, and provides some level of customisation. You can enable or disable a specific rule by setting selected="true" or selected="false".

Install FIPS modules

One of the STIG requirements is to use NIST-validated cryptographic modules. Canonical provides these as part of Ubuntu Pro, but the NIST certification is handled by CMVP, a government entity: the certification process is time-consuming and not connected with either Canonical or DISA. This means that you need to perform your own checks on the current validity of the Ubuntu cryptographic module certificates. As of June 2024, the Ubuntu 22.04 modules are still awaiting NIST validation; we make the modules available for preview and testing you need to perform your own risk assessment of whether or not to use the pre-certified modules.

We strongly recommend that everyone makes use of the FIPS modules with security updates, available with the fips-updates option within the Pro client. The strict preview modules do not receive any security updates once they are submitted to NIST for certification, which means that they might contain security vulnerabilities.

sudo pro enable fips-updates

Installing FIPS modules involves loading a new kernel, so the system will have to be rebooted afterwards.

Fix the system

Now you can use the customised tailoring file to apply the STIG remediations:

sudo usg fix --tailoring-file stig_custom.xml

Run an audit

To check the compliance status of the system, again use the tailoring file with USG in audit mode:

sudo usg audit --tailoring-file stig_custom.xml

The output files, both XML & HTML, will be available in /var/lib/usg. They are owned by the root user for security reasons. The HTML file can be opened in any web browser.