Achieve conformity with DISA-STIG standards for Ubuntu 22.04 LTS through USG.

Share it

DISA, also known as the Defense Information Systems Agency, recently released their Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS in April 2024. We are excited to introduce the Ubuntu Security Guide profile, which facilitates customers in automatically fortifying and evaluating their Ubuntu 22.04 LTS systems in accordance with the STIG standards.

Understanding STIGs

A STIG serves as a set of directives designed to configure an application or system to enhance its security. Hardening involves reducing the system’s vulnerability to attacks by eliminating unnecessary software, securing default values, and setting up the system to operate solely on essential requirements. These guidelines also aim to mitigate potential damage in case of a breach.

Exploring the Ubuntu Security Guide

The Ubuntu STIG encompasses more than 300 individual rules, making manual implementation a daunting task. To simplify and streamline the hardening process, we have developed the Ubuntu Security Guide (USG) tool to automate both the hardening and auditing aspects of the STIG.

Integration with Ubuntu Pro

USG is a feature included with Ubuntu Pro, an enterprise-grade security and compliance subscription layered on top of standard Ubuntu. You can activate and install USG using the following commands:

$ sudo pro enable usg

$ sudo apt install usg

The DISA-STIG profile comes preloaded in the latest USG version: 22.04.7.

Conducting Audits

To assess your system’s compliance with the STIG standards, run USG in audit mode:

$ sudo usg audit disa_stig

Implementing Remediation

To address any issues identified during the audit and bring your system into alignment with the STIG requirements, run USG in fix mode:

$ sudo usg fix disa_stig

Customizing the STIG

As each IT environment is unique, the STIG provides a foundational set of recommendations that may not perfectly align with your setup. You can tailor the STIG guidelines to suit your specific requirements by creating a tailoring file using the command:

$ sudo usg generate-tailoring disa_stig mytailoringfile.xml

Customize the tailoring file to enable or modify specific rules, then utilize it to audit or rectify the system accordingly:

$ sudo usg audit --tailoring-file mytailoringfile.xml

Accessing Detailed Assistance

For detailed instructions on adjusting certain rules within the STIG profile based on your configuration, such as remote logging preferences and Grub passwords, refer to the comprehensive guidance provided in the “man page” using the command:

$ man usg-disa-stig

Fulfilling FIPS Cryptography Requirements

Compliance with the STIG mandates the utilization of NIST-validated cryptographic modules accredited under FIPS 140 standards. While the FIPS 140-3 accreditation for the Ubuntu 22.04 LTS crypto modules is pending NIST’s approval, customers can test and preview these modules. NIST has initiated an Interim Validation process to expedite the certification of FIPS 140-3 modules. It is crucial to exercise discretion in deciding the required level of NIST certification for these modules, as USG is not directly linked to the NIST certification.

Final Remarks

This recent release of the DISA-STIG profile integrated with USG empowers customers to efficiently deploy and fortify Ubuntu 22.04 LTS (Jammy Jellyfish) in compliance with the STIG standards. Since USG is inclusive with Ubuntu Pro, a Pro subscription is necessary. Pro also encompasses the FIPS crypto modules. For additional information on USG or Ubuntu Pro, feel free to reach out to us.

Supplementary Materials

For more details, visit: DISA-STIG Ubuntu 22.04 USG

🤞 Don’t miss these tips!

🤞 Don’t miss these tips!

Solverwp- WordPress Theme and Plugin