
Thread: When will DISA_STIG tools & Livepatch work with the latest Ubuntu release/kernels?

  #1 | Join Date: Jun 2023 | Beans: 1

    When will DISA_STIG tools & Livepatch work with the latest Ubuntu release/kernels?

    Specifically, 22.04.2 and kernel 5.19.0-43-generic
    Seems I'm going to have to downgrade to 20.04. I just want a hardened system backed by government (military) standards for security research. Am I wrong for doing so? Additionally, how would I prevent a full system upgrade when going about the update center, to prevent my system from upgrading out of Livepatch support (ergo going from 20.04 to 22.4.2 accidentally in an automatic update)? What security flaws may I embark on by downgrading?
    There's not a whole lot of documentation on this.

  #2 | Join Date: Mar 2010 | Location: Squidbilly-Land | Beans: Hidden! | Distro: Ubuntu

    Re: When will DISA_STIG tools & Livepatch work with the latest Ubuntu release/kernels

    The latest Ubuntu is 23.04 and to my knowledge, nobody attempts to create STIGs using non-LTS releases.

    Nobody here works for Canonical. Everyone is a volunteer.

    If you'd like an official answer, call the number on your Canonical Support Contract to let them know that your organization cares about these things. I think it usually takes 2+ yrs for an LTS STIG to be figured out, but I don't watch that stuff too closely.

  #3 | Join Date: Mar 2010 | Location: USA | Beans: Hidden! | Distro: Ubuntu Development Release

    Re: When will DISA_STIG tools & Livepatch work with the latest Ubuntu release/kernels

    I also have no connection with Canonical, and the people to talk to about that would be Canonical's Ubuntu Pro Team. Which, like me, will then refer you to the DISA Helpdesk at: disa.stig_spt@mail.mil

    RE: https://discourse.ubuntu.com/t/ubunt...tation/30957/8
    There, when asked about when the toolkit was scheduled to roll out:

    henrycogill -- March 13, 2023
    "Hi, this is still in development and we are intending to release it by May 2023.
    Hope that helps."

    When I, as a customer, asked the Ubuntu Pro Support Team about this... The toolkit is in beta, marked as such, until DISA publishes the STIGs for Ubuntu 22.04. It's a chicken-before-the-egg kind of thing.

    As I understand it, and I am just a user... So I am no one as this goes. What I am told is that DISA STIGs are published by DISA. If you look at DISA's Library: https://public.cyber.mil/stigs/downl...s%2Cunix-linux

    ...There is no STIG published yet by DISA for Ubuntu past 20.04 LTS...

    DISA-STIG for Ubuntu
    "Together with Canonical, DISA has developed STIGs for Ubuntu. The U.S. DoD provides the STIG checklist, which can be viewed using STIG viewer, and SCAP content for auditing. The versions of Ubuntu that have STIGs available by DISA are marked on the table below."

    But, looking at this from:

    STIGs

    Critical Updates
    "To provide increased flexibility for the future, DISA has updated the systems that produce STIGs and SRGs. This has resulted in a modification to Group and Rule IDs (Vul and Subvul IDs).
    Test STIGs and test benchmarks were published from March through October 2020 to invite feedback. New and updated STIGs are now being published with the modified content.
    New releases of STIGs published prior to this change will include the “legacy” Group and Rule IDs as XCCDF ident elements.
    For all questions related to STIG content, please contact the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil."

    It leads around in a circle, with DISA not yet publishing what those modified requirements are for things later than 2020... Right? That is how I read that.

    There is OpenSCAP, which has reviewed what that means for Ubuntu 22.04 (https://static.open-scap.org/ssg-gui...ide-index.html), but as I read it from DISA, that is still a best guess until DISA publishes the revisions to the STIGs.

    So yes, I would contact disa.stig_spt@mail.mil and get an official answer from them on when that timeline is now expected. May 2023 has now passed by.

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637

  #4 | Join Date: Jun 2010 | Location: London, England | Beans: Hidden! | Distro: Ubuntu Development Release

    Re: When will DISA_STIG tools & Livepatch work with the latest Ubuntu release/kernels

    Quote (update/upgrade):
    "how would I prevent a full system upgrade when going about the update center to prevent my system from upgrading out of Livepatch support (ergo going from 20.04 to 22.4.2 accidentally in an automatic update)?"

    I am using 20.04.06 with Livepatch and ESM activated. Running update/upgrade does not automatically upgrade one LTS to the next without user approval. After running Software Updater I get an advisory that 22.04 is available and an option to upgrade. I refuse, because with Extended Security Maintenance (ESM) 20.04 gets an extra five years of support beyond the normal end-of-support date.

    When that date arrives I shall decide to do a fresh install of 24.04. Or, if I feel lucky, I might try doing online upgrades to 22.04 and then to 24.04.

    You could always open Software & Updates > Updates tab and set "Notify me of a new Ubuntu version" to "Never." That will prevent starting the upgrade to the next LTS by mistake.

    As for the other matter, there is this official information:

    https://ubuntu.com/security/certifications#stig

    Regards
    It is a machine. It is more stupid than we are. It will not stop us from doing stupid things.
    Ubuntu user #33,200. Linux user #530,530


  #5 | Join Date: Mar 2010 | Location: Squidbilly-Land | Beans: Hidden! | Distro: Ubuntu

    Re: When will DISA_STIG tools & Livepatch work with the latest Ubuntu release/kernels

    apt or apt-get won't magically, unintentionally, move from a major release to another.

    apt upgrade and apt full-upgrade don't do that. They just update software for the current release. full-upgrade can take you from 22.04.1 --> 22.04.2, but that's about it, at least not without lots of manual file edits that you wouldn't do accidentally.
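The two posts above describe the same control from the GUI side ("Notify me of a new Ubuntu version" = Never) and the apt side (apt never crosses releases on its own). The GUI setting is persisted as the Prompt= key in /etc/update-manager/release-upgrades, which do-release-upgrade reads, so an administrator who wants to verify or enforce the pin from a shell can check that file directly. The script below is an added example, not code from any of the posters or from Canonical; the two shell functions, the demo file name and the sample file contents are constructed for illustration, and only the config path and the lts/normal/never values are real.

```shell
#!/bin/sh
# Added example (not from the thread): read and pin the release-upgrade prompt
# policy that "Notify me of a new Ubuntu version" writes to
# /etc/update-manager/release-upgrades. Valid values are lts, normal, never.

# Print the Prompt= value from the given file (default: the real system path),
# or "unset" when the file is missing or has no Prompt line.
release_upgrade_prompt() {
  file="${1:-/etc/update-manager/release-upgrades}"
  if [ ! -r "$file" ]; then
    echo "unset"
    return 0
  fi
  value=$(sed -n 's/^[[:space:]]*Prompt[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$file" | tail -n 1)
  if [ -n "$value" ]; then
    echo "$value"
  else
    echo "unset"
  fi
}

# Set Prompt=never in the given file (default: the real system path).
# Replaces an existing Prompt line; otherwise appends one, adding a
# [DEFAULT] section header if the file has none.
pin_release_upgrade() {
  file="${1:-/etc/update-manager/release-upgrades}"
  tmp=$(mktemp)
  if [ -f "$file" ] && grep -q '^[[:space:]]*Prompt[[:space:]]*=' "$file"; then
    sed 's/^[[:space:]]*Prompt[[:space:]]*=.*/Prompt=never/' "$file" > "$tmp"
  else
    { [ -f "$file" ] && cat "$file"; } || true
    { [ -f "$file" ] && cat "$file"; } > "$tmp" || true
    if ! grep -q '^\[DEFAULT\]' "$tmp"; then
      printf '[DEFAULT]\n' >> "$tmp"
    fi
    printf 'Prompt=never\n' >> "$tmp"
  fi
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on a constructed copy of the config (hypothetical content, so the
# script never touches the real system file when run as-is).
demo_release_upgrades_demo() {
  f=$(mktemp)
  printf '# constructed sample of release-upgrades\n[DEFAULT]\nPrompt=lts\n' > "$f"
  before=$(release_upgrade_prompt "$f")
  pin_release_upgrade "$f"
  after=$(release_upgrade_prompt "$f")
  rm -f "$f"
  echo "before=$before after=$after"
}

demo_release_upgrades_demo
```

To audit the real host, call release_upgrade_prompt with no argument; to enforce the pin, run pin_release_upgrade with no argument as root. The output "never" matches the GUI setting post #4 recommends, and do-release-upgrade -c will then report that no new release is offered.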

  #6 | Join Date: Sep 2023 | Beans: 2

    Re: When will DISA_STIG tools & Livepatch work with the latest Ubuntu release/kernels

    I emailed the disa.stig_spt@mail.mil address this morning asking if they had an updated availability date for a 22.04 LTS STIG. This is their response:

    Unfortunately we can’t as there are steps in the release process that are outside of our control. I can say that a 22.04 STIG is being worked on and hopefully should be out this year.
