Apply DISA STIG to an Anubiz Ubuntu 24 VPS
The DISA STIG (Security Technical Implementation Guide) is the US Department of Defense hardening standard. Applying it to an Anubiz VPS is overkill for most use cases, but if your work touches a federal contractor, an export-controlled dataset or an audit boundary that requires STIG, the controls apply cleanly to Ubuntu 24.04. This guide covers the practical STIG application on a single offshore VPS - not the full Ansible role, but the controls that actually move the needle.
Scope
Apply only the high and medium findings. Skip the control categories that do not apply to a VPS (information assurance training, for example). Use OpenSCAP with the STIG profile for scoring.
Step 1: FIPS Mode
Ubuntu Pro supports FIPS 140-3. Without it, run with a FIPS-aligned crypto policy: disable SHA1, disable TLS versions below 1.2, disable RSA keys shorter than 3072 bits. For SSH, restrict Ciphers and MACs in sshd_config to FIPS-approved algorithms.
Step 2: Audit Retention
STIG requires 30+ days of retention. Configure auditd with max_log_file = 100 and 30 rotated files. Plan disk accordingly: 3 GB for audit logs. Anubiz VPS III tiers are fine.
Step 3: MAC Layer
Set AppArmor to enforce mode for critical services (sshd, nginx, postfix). See the AppArmor guide.
Step 4: Session Lock and Banner
STIG requires a login banner. Drop the standard DoD banner, or your org's, into /etc/issue.net and reference it from sshd_config. Set an idle auto-logout with TMOUT=900 in a script under /etc/profile.d/.
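Steps 1, 2 and 4 are file edits, and the safest way to make them on a production VPS is to render them into a staging tree first, diff that tree against /etc, and only then copy it over and restart sshd and auditd. The script below is an added example written for this guide, not Anubiz tooling: it writes the SSH crypto drop-in, the auditd retention keys and the banner/TMOUT files under a staging root and then verifies its own output. The drop-in file names, the algorithm lists and the banner placeholder are assumptions; Step 3 (AppArmor) is left to the separate guide.

```shell
#!/bin/sh
# Added example (not from the Anubiz guide): render the Step 1, 2 and 4 settings
# into a staging root such as /tmp/stig-stage so they can be reviewed with
# "diff -r /tmp/stig-stage/etc /etc" before being copied to the live VPS.
# Drop-in names, the algorithm lists and the banner placeholder are assumptions.
set -eu

# Step 1: FIPS-aligned SSH crypto policy. sshd reads sshd_config.d/*.conf before
# the main file and the first value for a keyword wins, so this drop-in overrides
# any weaker default (no CBC, no SHA-1 MACs, no sub-2048-bit DH).
write_sshd_crypto() {
    mkdir -p "$1/etc/ssh/sshd_config.d"
    cat > "$1/etc/ssh/sshd_config.d/40-stig-crypto.conf" <<'EOF'
# FIPS-approved algorithms only (assumed list): AES-GCM/CTR, SHA-2 HMACs, NIST curves, >=2048-bit DH
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
EOF
}

# Replace "key = value" in an auditd.conf-style file, appending if the key is absent.
# Written via a temp file so it works with both GNU and BSD sed.
set_conf_key() {
    conf=$1; key=$2; val=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $val|" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf '%s = %s\n' "$key" "$val" >> "$conf"
    fi
}

# Step 2: 30+ days of retention: 30 rotated files of 100 MB each, 3 GB on disk.
write_audit_retention() {
    conf="$1/etc/audit/auditd.conf"
    mkdir -p "$1/etc/audit"
    [ -f "$conf" ] || : > "$conf"
    set_conf_key "$conf" max_log_file 100
    set_conf_key "$conf" num_logs 30
    set_conf_key "$conf" max_log_file_action ROTATE
}

# Disk budget in MB implied by the two retention keys, to check against the VPS plan.
audit_disk_budget_mb() {
    size=$(sed -n 's/^max_log_file *= *//p' "$1")
    n=$(sed -n 's/^num_logs *= *//p' "$1")
    echo $((size * n))
}

# Step 4: login banner wired into sshd, plus a read-only 15-minute idle logout.
write_banner_and_timeout() {
    mkdir -p "$1/etc/ssh/sshd_config.d" "$1/etc/profile.d"
    cat > "$1/etc/issue.net" <<'EOF'
PLACEHOLDER: paste the DoD Notice and Consent Banner or your organisation's approved text here.
EOF
    printf 'Banner /etc/issue.net\n' > "$1/etc/ssh/sshd_config.d/50-stig-banner.conf"
    cat > "$1/etc/profile.d/99-stig-tmout.sh" <<'EOF'
TMOUT=900
readonly TMOUT
export TMOUT
EOF
}

# Check every setting this script is responsible for; prints the first gap and
# returns 1, or returns 0 when the staging tree is complete.
verify_staging() {
    r=$1
    c="$r/etc/ssh/sshd_config.d/40-stig-crypto.conf"
    grep -q '^Ciphers ' "$c" && grep -q '^MACs ' "$c" || { echo "missing Ciphers/MACs"; return 1; }
    ! grep -Eq 'sha1|cbc|arcfour|3des' "$c" || { echo "weak algorithm present"; return 1; }
    grep -q '^max_log_file = 100$' "$r/etc/audit/auditd.conf" || { echo "missing max_log_file"; return 1; }
    grep -q '^num_logs = 30$' "$r/etc/audit/auditd.conf" || { echo "missing num_logs"; return 1; }
    [ -s "$r/etc/issue.net" ] || { echo "empty issue.net"; return 1; }
    grep -q '^Banner /etc/issue.net$' "$r/etc/ssh/sshd_config.d/50-stig-banner.conf" || { echo "missing Banner"; return 1; }
    grep -q '^TMOUT=900$' "$r/etc/profile.d/99-stig-tmout.sh" || { echo "missing TMOUT"; return 1; }
    return 0
}

stage_all() {
    write_sshd_crypto "$1"
    write_audit_retention "$1"
    write_banner_and_timeout "$1"
    verify_staging "$1"
}

# Usage: sh stig-stage.sh /tmp/stig-stage
# Runs only when a staging root is given, so sourcing the file is side-effect free.
if [ $# -ge 1 ]; then
    stage_all "$1"
    echo "audit disk budget: $(audit_disk_budget_mb "$1/etc/audit/auditd.conf") MB"
fi
```

After copying the staged files into place, run `sshd -t` before restarting sshd so a typo in the crypto drop-in cannot lock you out of the VPS, and keep the existing session open until a fresh login succeeds.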
Step 5: Scoring
Run oscap xccdf eval --profile stig ssg-ubuntu2404-ds.xml. Expect a 70-85% score on the first run. Iterate on the high findings until the score reaches 95%+.
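Iterating "until 95%+" is easier when the results file is reduced to two numbers and a to-do list: the pass percentage and the high-severity rules that still fail. The script below is an added example, not part of the guide or of OpenSCAP: it parses the rule-result elements of an XCCDF results file (written with --results results.xml) and reports both. The results file embedded here is constructed, its rule ids are assumed, and the score is a plain pass/(pass+fail) ratio, which is an assumption; oscap's own default score is weighted and may differ slightly.

```shell
#!/bin/sh
# Added example (not the guide's or OpenSCAP's tooling): summarise an XCCDF
# results file into a pass percentage and the failed high-severity rules.
# Real input comes from:
#   oscap xccdf eval --profile stig --results results.xml ssg-ubuntu2404-ds.xml
# Scoring is pass/(pass+fail), an approximation of oscap's weighted score.
set -eu

# Emit one "idref severity result" line per rule whose result is pass or fail.
# notapplicable/notselected rules are dropped so they do not distort the ratio.
rule_results() {
    awk '
        /<rule-result / {
            id = ""; sev = "unknown"
            if (match($0, /idref="[^"]+"/))    id  = substr($0, RSTART + 7, RLENGTH - 8)
            if (match($0, /severity="[^"]+"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /<result>/ {
            r = $0; sub(/.*<result>/, "", r); sub(/<\/result>.*/, "", r)
            if (id != "" && (r == "pass" || r == "fail")) print id, sev, r
            id = ""
        }' "$1"
}

# Integer pass percentage over the pass+fail rules.
score_percent() {
    rule_results "$1" | awk '
        $3 == "pass" { p++ } $3 == "fail" { f++ }
        END { if (p + f == 0) print 0; else print int(100 * p / (p + f)) }'
}

# Failed rule ids of one severity ("high" first when iterating toward 95%+).
failed_rules() {
    rule_results "$1" | awk -v s="$2" '$2 == s && $3 == "fail" { print $1 }'
}

# Constructed sample in the shape oscap writes, trimmed to the elements the
# parser reads; rule ids are assumed.
write_sample_results() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_stig">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" severity="medium" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" severity="medium" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" severity="medium" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" severity="high" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_tmout" severity="medium" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium" weight="1.0">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
}

# Usage: sh stig-score.sh results.xml
if [ $# -ge 1 ]; then
    echo "score: $(score_percent "$1")%"
    echo "high-severity failures:"
    failed_rules "$1" high
fi
```

On the constructed sample this reports a 60% score (3 of 5 evaluated rules pass) and one high-severity failure, the FIPS-mode rule, which is the first thing to fix in the next iteration.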