Configure DISA STIG
The US Defense Information Systems Agency (DISA) has developed Security Technical Implementation Guide (STIG) standards that are designed to secure information systems and software.
Before you begin
Verify that the DISA STIG standards are available for your operating system. See System requirements.
Procedure
To configure DISA STIG, do not use the profile and level parameters, which are associated with the Center for Internet Security (CIS). Instead, specify the mac parameter to determine the Mission Assurance Category (MAC) level and the confidentiality parameter to determine the confidentiality level. The values that you specify will depend on the type of information that your system processes. For detailed information about specifying parameters, see the DISA STIG documentation and any relevant US Department of Defense instructions.
To configure DISA STIG, add Hiera data to your control repository, control-repo, as shown in the following example:
# control-repo/data/nodes/<node name>.yaml
sce_linux::benchmark: 'stig'
sce_linux::config:
  # @param [Optional[Enum['1', '2', '3']]] mac
  # Which STIG benchmark Mission Assurance Category (MAC) level to enforce.
  mac: '3'
  # @param [Optional[Enum['classified', 'sensitive', 'public']]] confidentiality
  # Which STIG benchmark confidentiality level to enforce.
  confidentiality: 'public'
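
A check that can be run over node data before it is committed to the control repository, as an added example that is not part of the original page or of the sce_linux module: it flags CIS-only parameters left under a STIG benchmark, values outside the enums listed above, unquoted values, and lost indentation. The function name, the sample data, and the rule that both parameters must be set explicitly are assumptions of this example.

```ruby
require 'yaml'

# Allowed values are taken from the @param Enum comments in the page's example.
ALLOWED = { 'mac' => %w[1 2 3], 'confidentiality' => %w[classified sensitive public] }.freeze
CIS_ONLY_PARAMS = %w[profile level].freeze

# Returns a list of problems in one node's Hiera YAML (empty when clean).
def stig_config_problems(yaml_text)
  data = YAML.safe_load(yaml_text)
  return ['file is not a YAML mapping'] unless data.is_a?(Hash)
  # Only STIG nodes are checked; CIS nodes legitimately use profile and level.
  return [] unless data['sce_linux::benchmark'] == 'stig'

  config = data['sce_linux::config']
  # Also catches lost indentation, where mac/confidentiality become top-level keys.
  return ['sce_linux::config is missing or not a mapping'] unless config.is_a?(Hash)

  problems = (CIS_ONLY_PARAMS & config.keys).map do |key|
    "#{key} is a CIS parameter and must not be set for STIG"
  end
  ALLOWED.each do |key, allowed|
    value = config[key]
    if value.nil? # assumption of this example: both must be set explicitly
      problems << "#{key} is not set"
    elsif !value.is_a?(String) # unquoted 3 loads as Integer, not the string '3'
      problems << "#{key} must be a quoted string, got #{value.inspect}"
    elsif !allowed.include?(value)
      problems << "#{key} is #{value.inspect}, expected one of #{allowed.join(', ')}"
    end
  end
  problems
end

# Constructed sample: the values from the page's example.
GOOD_NODE = <<~YAML
  sce_linux::benchmark: 'stig'
  sce_linux::config:
    mac: '3'
    confidentiality: 'public'
YAML

# Constructed sample: a CIS parameter left in, mac unquoted, confidentiality absent.
BAD_NODE = <<~YAML
  sce_linux::benchmark: 'stig'
  sce_linux::config:
    profile: 'placeholder'
    mac: 3
YAML

puts stig_config_problems(BAD_NODE)
```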