Configure DISA STIG
The US Defense Information Systems Agency (DISA) has developed Security Technical Implementation Guide (STIG) standards that are designed to secure information systems and software.
To configure DISA STIG, do not use the profile and level parameters, which are associated with the Center for Internet Security (CIS). Instead, specify the mac parameter to determine the Mission Assurance Category (MAC) level and the confidentiality parameter to determine the confidentiality level. The values that you specify will depend on the type of information that your system processes. For detailed information about specifying parameters, see the DISA STIG documentation and any relevant US Department of Defense instructions.
control-repo, as shown in the following example:

# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'stig'
cem_linux::config:
  # @param [Optional[Enum['1', '2', '3']]] mac
  #   Which STIG benchmark Mission Assurance Category (MAC) level to enforce.
  mac: '3'
  # @param [Optional[Enum['classified', 'sensitive', 'public']]] confidentiality
  #   Which STIG benchmark confidentiality level to enforce.
  confidentiality: 'public'
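
The following check is an added example, not part of the cem_linux module or its documentation. It lints a node's Hiera data against the rules stated above before the data is committed to the control-repo. The function name, the sample documents and the 'server' profile value are constructed for illustration.

```ruby
require 'yaml'

# Allowed values, taken from the @param type comments in the example above.
MAC_VALUES = %w[1 2 3].freeze
CONFIDENTIALITY_VALUES = %w[classified sensitive public].freeze
CIS_ONLY_KEYS = %w[profile level].freeze

# Hypothetical helper: returns a list of problems found in one node's Hiera YAML.
def stig_config_errors(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  return ['top level of the file is not a hash'] unless data.is_a?(Hash)
  errors = []
  unless data['cem_linux::benchmark'] == 'stig'
    errors << "cem_linux::benchmark is #{data['cem_linux::benchmark'].inspect}, expected 'stig'"
  end
  config = data['cem_linux::config']
  return errors << 'cem_linux::config is missing or not a hash' unless config.is_a?(Hash)

  (CIS_ONLY_KEYS & config.keys).each do |key|
    errors << "#{key} is a CIS parameter and must not be set for STIG"
  end
  { 'mac' => MAC_VALUES, 'confidentiality' => CONFIDENTIALITY_VALUES }.each do |key, allowed|
    next unless config.key?(key) # both parameters are Optional
    value = config[key]
    # An unquoted `mac: 3` loads as an Integer and does not match the String Enum.
    unless value.is_a?(String) && allowed.include?(value)
      errors << "#{key} is #{value.inspect}, expected one of #{allowed.inspect} (quoted string)"
    end
  end
  errors
end

# Constructed sample input (not from a real node).
GOOD = <<~YAML
  cem_linux::benchmark: 'stig'
  cem_linux::config:
    mac: '3'
    confidentiality: 'public'
YAML

BAD = <<~YAML
  cem_linux::benchmark: 'stig'
  cem_linux::config:
    profile: 'server'
    mac: 3
    confidentiality: 'secret'
YAML

[GOOD, BAD].each { |doc| puts stig_config_errors(doc).inspect }
```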