Security Technical Implementation Guide (STIG) Scans
A STIG scan evaluates a system against the hardening baseline published by the U.S. Defense Information Systems Agency (DISA). Each STIG turns high-level NIST SP 800-53 controls into concrete configuration checks, released as SCAP 1.x content (an XCCDF benchmark plus the OVAL definitions it references). A scanner processes this XML and reports each rule as PASS, FAIL, or needing manual review, grouped by severity: Category I (high), II (medium), and III (low).
Common Tooling
| Tool | Role in the workflow | Key points |
|---|---|---|
| OpenSCAP (oscap) | Open-source CLI/GUI scanner that consumes DISA STIG XML directly and outputs ARF/XML, HTML, or CSV. | Ideal for Linux/Unix; integrates with CI/CD; supports remote scanning via oscap-ssh. |
| SCAP Compliance Checker (SCC) | Free DoD GUI for Windows/Linux that imports SCAP bundles and exports results as .ckl for STIG Viewer. | Widely used on classified networks; digitally signed binaries. |
| STIG Viewer 3.x | Offline checklist manager to review findings, record waivers, and merge manual checks. | No installer; generates POA&M data. |
| Commercial VA platforms (Tenable.sc/Nessus, Rapid7 InsightVM, Qualys, etc.) | Import SCAP content or native plugins mapped to STIG IDs; provide dashboards and trending. | Useful for enterprise roll-ups and continuous compliance. |
Typical End-to-End Workflow
- Install OpenSCAP and create a working directory for the content
sudo mkdir /etc/SCAP
cd /etc/SCAP
sudo apt update
sudo apt install -y openscap-utils openscap-common libopenscap25t64
- Verify that the scanner is installed
which oscap
- Check your Ubuntu release so you download the matching benchmark
lsb_release -a
- Download the benchmark (e.g., Ubuntu 20.04 LTS V2R3) from the DISA STIGs Document Library. If you have the URL, use wget:
sudo wget -4 https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V2R3_STIG_SCAP_1-3_Benchmark.zip
- Verify that the file downloaded, then unzip it (the directory is root-owned, so unzip needs sudo too) and confirm the XML exists
ls
#You should see something like U_CAN_Ubuntu_20-04_LTS_V2R3_STIG_SCAP_1-3_Benchmark.zip
sudo unzip U_CAN_Ubuntu_20-04_LTS_V2R3_STIG_SCAP_1-3_Benchmark.zip
Archive: U_CAN_Ubuntu_20-04_LTS_V2R3_STIG_SCAP_1-3_Benchmark.zip
inflating: U_CAN_Ubuntu-20.04_LTS_V2R3_STIG_SCAP_1-3_Benchmark.xml
#Verify the .xml file exists; note the exact name unzip reported, since every later command must use it
ls U_CAN_Ubuntu-20.04_LTS_V2R3_STIG_SCAP_1-3_Benchmark.xml
- Make the benchmark readable (it is data, not a program, so execute permission is not needed)
sudo chmod 644 U_CAN_Ubuntu-20.04_LTS_V2R3_STIG_SCAP_1-3_Benchmark.xml
- Select or tailor a profile (full checklist vs. "CAT I only"). Profile IDs differ between benchmarks; `oscap info` on the XML lists the exact IDs, and the value passed to --profile must match one of them.
- Run the evaluation (as root, because many checks read protected files)
sudo oscap xccdf eval \
--profile xccdf_mil.disa.stig_profile_CAT_I_Only \
--results /etc/SCAP/ubuntu20-results.xml \
--report /etc/SCAP/ubuntu20-report.html \
/etc/SCAP/U_CAN_Ubuntu-20.04_LTS_V2R3_STIG_SCAP_1-3_Benchmark.xml
oscap exits 0 when every selected rule passed, 2 when at least one rule failed, and 1 on a scanner error; check that status in scripts rather than grepping the report.
- Open the .html report in a browser, or import the results into STIG Viewer or a dashboard, annotate waivers, and record remediation notes.
- Remediate and re-scan (many tools can auto-generate fix scripts).
- Report compliance (quarterly in DoD, or continuously via dashboards).
Interpreting the Output
- PASS – configuration meets the control.
- FAIL – non-compliant; remediate or waive.
- NOT CHECKED / NOT APPLICABLE – the rule cannot be automated (manual review) or does not apply to this host.
- Severity – CAT I (high; a failure directly compromises confidentiality, integrity, or availability) down to CAT III (low; hygiene).
Integration Patterns in Industry
- CI/CD gates – block non-compliant container images or AMIs during pipeline builds.
- Agentless remote scans – oscap-ssh or Nessus STIG plugins for servers without agents.
- Central dashboards – Tenable.sc, Rapid7, Qualys, or Elastic/Splunk ingest ARF/CKL for fleet-wide compliance drift.
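Turning the results file from the evaluation step into a pipeline decision, as an added example that is not code from the original page, from DISA, or from the OpenSCAP project: it tallies the `--results` XML by STIG category and result (the interpretation table above) and blocks on CAT I failures, the CI/CD gate pattern. The `run_scan` helper, the embedded sample document, and its rule IDs are assumptions for illustration; the exit statuses are the ones OpenSCAP documents for `oscap xccdf eval`.

```python
"""Summarize an oscap XCCDF results file and gate a pipeline on it.

Added example for this page; not code from DISA, OpenSCAP or any vendor.
Assumes the results file came from `oscap xccdf eval --results`
(XCCDF 1.2 namespace). The embedded sample document and its rule IDs
are constructed for the demo.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "http://checklists.nist.gov/xccdf/1.2"

# DISA severity attribute values map to STIG categories.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Exit statuses documented for `oscap xccdf eval`.
OSCAP_EXIT = {0: "all selected rules passed",
              1: "scanner error",
              2: "at least one rule failed"}


def run_scan(benchmark, profile, results, report):
    """Run the evaluation from the workflow above; return oscap's exit status.

    Needs the benchmark XML on disk and root privileges (assumed helper,
    not exercised offline).
    """
    cmd = ["sudo", "oscap", "xccdf", "eval", "--profile", profile,
           "--results", results, "--report", report, benchmark]
    rc = subprocess.run(cmd).returncode
    print(f"oscap exit {rc}: {OSCAP_EXIT.get(rc, 'undocumented status')}")
    return rc


def summarize(xml_text):
    """Return {(category, result): count} for every rule-result in the file.

    Severity comes from the Rule definition when the results file embeds the
    benchmark (as --results output does), else from the severity attribute on
    the rule-result. Walking only XCCDF elements means ARF output works too.
    """
    root = ET.fromstring(xml_text)
    rule_severity = {r.get("id"): r.get("severity")
                     for r in root.iter(f"{{{XCCDF}}}Rule")}
    counts = Counter()
    for rr in root.iter(f"{{{XCCDF}}}rule-result"):
        result = rr.findtext(f"{{{XCCDF}}}result", default="unknown")
        severity = rule_severity.get(rr.get("idref")) or rr.get("severity", "")
        counts[(SEVERITY_TO_CAT.get(severity, "unrated"), result)] += 1
    return dict(counts)


def summarize_file(path):
    with open(path, encoding="utf-8") as fh:
        return summarize(fh.read())


def gate(counts, fail_on=("CAT I",)):
    """True when no rule in the blocking categories failed.

    Only 'fail' blocks here; 'error' and 'unknown' mean the scanner could not
    decide and should be triaged by a person rather than silently passed.
    """
    return not any(cat in fail_on and res == "fail" for cat, res in counts)


def render(counts):
    """Human-readable lines, worst category first."""
    order = {"CAT I": 0, "CAT II": 1, "CAT III": 2, "unrated": 3}
    return [f"{cat:8} {res:14} {n}"
            for (cat, res), n in sorted(counts.items(),
                                        key=lambda kv: (order[kv[0][0]], kv[0][1]))]


# Constructed sample of what --results produces: Rule definitions plus a
# TestResult. Rule IDs are made up for the demo.
SAMPLE_RESULTS = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF}" id="xccdf_mil.disa.stig_benchmark_sample">
  <Rule id="xccdf_mil.disa.stig_rule_SV-1_rule" severity="high"><title>CAT I rule</title></Rule>
  <Rule id="xccdf_mil.disa.stig_rule_SV-2_rule" severity="medium"><title>CAT II rule</title></Rule>
  <Rule id="xccdf_mil.disa.stig_rule_SV-3_rule" severity="medium"><title>CAT II rule</title></Rule>
  <Rule id="xccdf_mil.disa.stig_rule_SV-4_rule" severity="low"><title>CAT III rule</title></Rule>
  <Rule id="xccdf_mil.disa.stig_rule_SV-5_rule" severity="high"><title>CAT I rule</title></Rule>
  <TestResult id="xccdf_org.open-scap_testresult_sample">
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-1_rule" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-2_rule" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-3_rule"><result>fail</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-4_rule"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-5_rule" severity="high"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    # Usage: python stig_gate.py /etc/SCAP/ubuntu20-results.xml
    counts = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_RESULTS)
    print("\n".join(render(counts)))
    sys.exit(0 if gate(counts) else 2)
```

Run it against the real `/etc/SCAP/ubuntu20-results.xml` after a scan; the process exits 2 on a CAT I failure so a pipeline step fails without any further parsing. Widen `fail_on` to include CAT II once the baseline is clean, and keep notchecked rules in the report, since they are the manual items a reviewer still has to close in STIG Viewer.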
Limitations & Gotchas
- Manual controls remain – physical or site-specific items can’t be machine-tested.
- Content freshness – DISA updates STIGs quarterly; automate pulling new XML.
- Tailoring is normal – disable conflicting rules, but document waivers and risk acceptance.
Bottom line: STIG scans automate a large slice of compliance by translating DISA hardening checklists into SCAP content that engines such as OpenSCAP, SCC, or commercial VA tools can evaluate, producing artifacts (.xml, .ckl, HTML) that feed audit and remediation workflows.