{"id":49186009,"url":"https://github.com/dcrypt3d/centos10-disa-stig","last_synced_at":"2026-04-23T04:02:44.771Z","repository":{"id":327787167,"uuid":"1110759528","full_name":"dcrypt3d/centos10-disa-stig","owner":"dcrypt3d","description":null,"archived":false,"fork":false,"pushed_at":"2025-12-06T01:47:28.000Z","size":63,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-09T06:59:13.824Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dcrypt3d.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-05T17:15:47.000Z","updated_at":"2025-12-06T01:47:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/dcrypt3d/centos10-disa-stig","commit_stats":null,"previous_names":["dcrypt3d/centos10-disa-stig"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/dcrypt3d/centos10-disa-stig","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcrypt3d%2Fcentos10-disa-stig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcrypt3d%2Fcentos10-disa-stig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcrypt3d%2Fcentos10-disa-stig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcrypt3d%2Fcentos10-disa-stig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dcrypt3d","download_url":"https://codeload.github.com/dcrypt3d/centos10-disa-stig/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcrypt3d%2Fcentos10-disa-stig/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32165201,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-23T02:19:40.750Z","status":"ssl_error","status_checked_at":"2026-04-23T02:17:55.737Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-23T04:02:39.320Z","updated_at":"2026-04-23T04:02:44.740Z","avatar_url":"https://github.com/dcrypt3d.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DISA STIG Compliance for CentOS 10 Stream\n\nThis repository contains Ansible playbooks and configurations to apply DISA STIG V2R6 (Security Technical Implementation Guides) compliance to CentOS 10 Stream systems.\n\n## Overview\n\nDISA STIGs provide security configuration standards for Department of Defense systems. This project uses the **official DISA RHEL 9 STIG Ansible role** to automate the application of these security controls to CentOS 10 Stream systems.\n\n**Note**: CentOS Stream 10 is based on RHEL 10. While RHEL 10 STIG may not be available yet, the RHEL 9 STIG role provides compatible security controls. When RHEL 10 STIG becomes available, you may need to update the role directory from `rhel9STIG` to `rhel10STIG`.\n\n**Note**: This project includes the official DISA STIG Ansible role from the DISA STIG distribution package. All STIG controls are configured via variables in the role's defaults.\n\n## Prerequisites\n\n- Ansible 2.14.18 (tested and compatible)\n- Python 3.6 or higher\n- SSH access to target CentOS 10 Stream systems\n- Sudo/root privileges on target systems\n\n## Installation\n\n1. **Install Ansible** (if not already installed):\n   ```bash\n   # On RHEL/CentOS\n   sudo yum install ansible\n   ```\n\n2. **No additional roles needed**: The DISA STIG role is included locally in the `roles/rhel9STIG/` directory.\n\n## Configuration\n\n1. **Update inventory file** (`inventory.yml`):\n   Edit the file and add your CentOS 10 Stream hosts:\n   ```yaml\n   centos10_hosts:\n     hosts:\n       server1:\n         ansible_host: 192.168.1.100\n         ansible_user: your_user\n   ```\n\n2. **Configure SSH access**:\n   Ensure you can SSH into the target systems without password prompts (or configure SSH keys).\n\n3. **Review playbook variables** (`playbook.yml`):\n   Customize STIG settings according to your security requirements.\n\n## Usage\n\n### Apply all STIG controls:\n```bash\nansible-playbook -i inventory.yml playbook.yml --ask-become-pass\n```\n\nOr use the provided script:\n```bash\n# Linux/Mac\n./enforce.sh\n```\n\n### Dry run (check mode):\n```bash\nansible-playbook -i inventory.yml playbook.yml --check --ask-become-pass\n```\n\n### Limit to specific hosts:\n```bash\nansible-playbook -i inventory.yml playbook.yml --limit server1 --ask-become-pass\n```\n\n### Customize STIG controls:\nEdit `roles/rhel9STIG/defaults/main.yml` to enable/disable specific STIG rules. Each rule has a `rhel9STIG_stigrule_XXXXX_Manage` variable that can be set to `True` or `False`.\n\n## Alternative: Using OpenSCAP\n\nIf you prefer using OpenSCAP (SCAP Security Guide) instead of Ansible:\n\n1. **Install OpenSCAP on CentOS 10 Stream**:\n   ```bash\n   sudo dnf install openscap-scanner scap-security-guide\n   ```\n\n2. **Scan for compliance**:\n   ```bash\n   sudo oscap xccdf eval --profile stig --report report.html \\\n     /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml\n   ```\n   **Note**: If `ssg-rhel10-ds.xml` is not available, use `ssg-rhel9-ds.xml` as a fallback.\n\n3. **Remediate automatically**:\n   ```bash\n   sudo oscap xccdf eval --remediate --profile stig \\\n     /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml\n   ```\n   **Note**: If `ssg-rhel10-ds.xml` is not available, use `ssg-rhel9-ds.xml` as a fallback.\n\n## Important Notes\n\n⚠️ **WARNING**: Applying STIGs will make significant security changes to your system:\n- May disable services and features\n- Will enforce strict password policies\n- Will configure firewall rules\n- May require system reboot\n- Could break existing applications\n\n**Recommendations**:\n1. Test in a non-production environment first\n2. Review all changes before applying\n3. Take system backups before running\n4. Document any custom exceptions needed\n5. Reboot after applying STIGs\n\n## Post-Deployment\n\nAfter applying STIGs:\n\n1. **Check the XML compliance report**: The STIG XML callback plugin generates a compliance report automatically. Check the output path shown during execution (defaults to a temp directory).\n2. **Reboot the system** (if prompted or required)\n3. **Verify services** are running correctly\n4. **Test application functionality**\n5. **Review any failed STIG rules** in the XML report\n\n## STIG Rule Customization\n\nThe DISA STIG role includes hundreds of individual STIG rules. Each rule can be enabled or disabled by modifying variables in `roles/rhel9STIG/defaults/main.yml`.\n\nExample: To disable a specific STIG rule (e.g., R-257779), set:\n```yaml\nrhel9STIG_stigrule_257779_Manage: False\n```\n\n**Warning**: Disabling STIG rules may reduce security compliance. Only disable rules if you have a documented exception or alternative control.\n\n## Troubleshooting\n\n### Common Issues\n\n1. **Role not found**:\n   - The role should be in `roles/rhel9STIG/` directory\n   - Verify the role was copied correctly from the DISA STIG distribution\n\n2. **Permission denied**:\n   - Verify SSH access and sudo privileges\n   - Use `--ask-become-pass` flag\n\n3. **Service failures**:\n   - Some STIGs disable services that may be needed\n   - Review which services are being disabled in the role's tasks\n   - You can disable specific STIG rules in `roles/rhel9STIG/defaults/main.yml`\n\n4. **Callback plugin not found**:\n   - Ensure `callback_plugins/stig_xml.py` exists\n   - Check `ansible.cfg` has `callback_plugins = ./callback_plugins` configured\n\n5. **XML report not generated**:\n   - Check that the callback plugin is enabled in `ansible.cfg`\n   - Verify the STIG XML file exists in `roles/rhel9STIG/files/`\n\n## Resources\n\n- [DISA STIGs](https://public.cyber.mil/stigs/)\n- [Ansible Lockdown RHEL9-STIG](https://github.com/ansible-lockdown/RHEL9-STIG)\n- [SCAP Security Guide](https://www.open-scap.org/)\n- [CentOS Stream 10 Documentation](https://www.centos.org/documentation/)\n\n## License\n\nThis project is provided as-is for security compliance purposes.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdcrypt3d%2Fcentos10-disa-stig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdcrypt3d%2Fcentos10-disa-stig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdcrypt3d%2Fcentos10-disa-stig/lists"}