Summary
The United States Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs) as cybersecurity guidelines and best practices. STIGs provide a standard configuration baseline for components of information systems owned by the Department of Defense (DoD) and other federal agencies, supporting these systems in satisfying strict security standards.
STIGs contain technical guidance on how to configure software and applications securely. Guides include settings related to the least functionality, access control, patch management, encryption, and auditing. They also provide recommendations for mitigating specific vulnerabilities, which include reducing the attack surface of systems, and supporting satisfaction of United States Federal Government requirements, such as FIPS-200 and FISMA metrics. DISA works with other DoD entities, industry partners, and cybersecurity experts to develop and maintain these guidelines.
Although STIGs are primarily intended for National Security Systems systems, they are widely used by other federal agencies, contractors, and even private sector organizations within the United States and internationally to enhance their security practices.
The comprehensive list of STIGs is available from DISA on the DoD Cyber Exchange.
Built-in compliance capabilities
Red Hat products have built-in capabilities that help you to align with the DISA STIG policy. By using integrations with the system management solutions available in our portfolio, you can align the configuration of the machine with the requirements. However, the result is not full compliance - you always need to review the results and take the context of your specific deployment into account.
Red Hat Enterprise Linux
This profile requires a system that is installed in FIPS mode. See the Switching RHEL to FIPS mode chapter in the Security hardening document for more information.
You can install the system already pre-configured to DISA STIG by using RHEL image builder:
- RHEL 10: Creating pre-hardened images with RHEL image builder OpenSCAP integration
- RHEL 9: Creating pre-hardened images with RHEL image builder OpenSCAP integration
Note that this is integrated also in the Red Hat Insights, linked below.
If you prefer a kickstart-based installation, the method is described in the RHEL security guide:
- RHEL 10:Performing a hardened installation of RHEL with Kickstart
- RHEL 9: Kickstart-based installation of compliant systems
You can build and deploy hardened bootable images pre-configured to DISA STIG for RHEL Image mode:
- RHEL 10: Security hardening and compliance of bootable images
- RHEL 9: Security hardening and compliance of bootable images
You can check the system configuration during runtime by using the OpenSCAP command-line tool:
- RHEL 10: Scanning the system for configuration compliance
- RHEL 9: Scanning the system for configuration compliance and vulnerabilities
- RHEL 8: Scanning the system for configuration compliance and vulnerabilities
- RHEL 7: Scanning the System for Configuration Compliance and Vulnerabilities
Red Hat Satellite
You can plan and configure compliance policies, deploy the policies to hosts, and monitor the compliance of your hosts in Red Hat Satellite. For more information, see the product documentation:
Red Hat Insights for RHEL
You can create and manage your custom security policies entirely within the compliance service UI, as well as monitor the compliance state of your systems, remediate any discrepancies, and use the custom security policies in image builder to deploy additional systems:
Red Hat OpenShift
You can automate the inspection of numerous technical implementations and compare them against certain aspects of industry standards, benchmarks, and baselines.
Products in Scope
- Red Hat Enterprise Linux
- 9
- 8
- 7
- 6
- Red Hat Ansible Automation Platform
- 2
- Red Hat JBoss Enterprise Application Platform
- 6
- 5
- Red Hat OpenShift
- 4
Links
Additional Resources
Meta Data
Products
Regions
Industries
