Multi-Platform STIG Remediation
STIG Hardening Tool
Upload a DISA Manual STIG XCCDF benchmark to generate a remediation script.
Linux and macOS produce runnable .sh (Bash) automation; Windows produces a
.ps1 (PowerShell) implementation workbook with GPO checklists and the few commands DISA embeds in fixtext.
Supported: Ubuntu, RHEL, Debian, macOS, Windows Server, Windows 11, and other DISA Manual STIG benchmarks. Use the Manual STIG zip from DISA—not SCAP scanner-only bundles.
Customize remediation options for each rule or use defaults, preview the script, then download. Always use the benchmark that matches your target system and review every command before running it.
What Each Platform Delivers
Capabilities depend on what DISA ships in the Manual STIG fixtext—not all platforms are equally automatable.
Linux
Automated remediation
- Runnable Bash from DISA fixtext
- High automated / partial rule coverage
- Deferred reboot + validation checks
macOS
Strong automation + profiles
- Bash extracted from prose fixtext
- profile rules need MDM/manual install
- Demo: macOS 15 (160 rules)
Windows
GPO implementation workbook
- gpo rules → structured policy checklists
- Only a few runnable PowerShell fixes per benchmark
- Configure policies in
gpedit.mscor domain GPO
Windows 11 demo (262 rules): ~4 automated, ~89 GPO checklists, ~169 manual narrative rules. See the How-To guide for limitations and workflow.
Guides
New to STIG scripting or want to automate with AI? Read the step-by-step walkthrough and agentic hardening guide.
Downloading XCCDF Files for STIG Remediation
Obtain Manual STIG benchmark files from DISA. Each zip contains the Security Technical Implementation Guide (STIG) for a specific operating system and version.
- 1 Visit DISA: public.cyber.mil/stigs/downloads
- 2 Select your OS (e.g. Ubuntu 24.04, RHEL 9, macOS 15, Windows Server 2025, Windows 11 Manual STIG).
-
3
Download the Manual STIG
.zip(contains*-Manual-xccdf.xml). - 4 Verify integrity using any provided checksums.
- 5 Upload below — ZIP archives are auto-extracted — or try a bundled demo benchmark.
Use the benchmark that matches your target OS and version. Windows SCAP-only bundles are for compliance scanners, not this tool.
Try Demo Benchmark
Explore the workflow with a bundled DISA STIG benchmark.
Disclaimer This tool is provided for educational and testing purposes only. By using it, you acknowledge and accept all risks. You are responsible for understanding what each STIG rule does before applying any remediation. You may customize or use default remediation options before generating a tailored script (Bash or PowerShell).
Warning Review every generated command before running on production systems. Windows is primarily a GPO checklist workbook—not one-click hardening. macOS profile rules require manual/MDM steps. Incorrect remediations can break services, lock accounts, or reduce availability. You are solely responsible for outcomes.
Ad Support
Ads help offset hosting costs so the tool remains free for everyone.