Multi-Platform STIG Remediation

STIG Hardening Tool

Upload a DISA Manual STIG XCCDF benchmark to generate a remediation script. Linux and macOS produce runnable .sh (Bash) automation; Windows produces a .ps1 (PowerShell) implementation workbook with GPO checklists and the few commands DISA embeds in fixtext.

Supported: Ubuntu, RHEL, Debian, macOS, Windows Server, Windows 11, and other DISA Manual STIG benchmarks. Use the Manual STIG zip from DISA—not SCAP scanner-only bundles.

Customize remediation options for each rule or use defaults, preview the script, then download. Always use the benchmark that matches your target system and review every command before running it.

1 Upload
2 Configure
3 Preview
4 Download

What Each Platform Delivers

Capabilities depend on what DISA ships in the Manual STIG fixtext—not all platforms are equally automatable.

Linux

Automated remediation

  • Runnable Bash from DISA fixtext
  • High automated / partial rule coverage
  • Deferred reboot + validation checks

macOS

Strong automation + profiles

  • Bash extracted from prose fixtext
  • profile rules need MDM/manual install
  • Demo: macOS 15 (160 rules)

Windows

GPO implementation workbook

  • gpo rules → structured policy checklists
  • Only a few runnable PowerShell fixes per benchmark
  • Configure policies in gpedit.msc or domain GPO

Windows 11 demo (262 rules): ~4 automated, ~89 GPO checklists, ~169 manual narrative rules. See the How-To guide for limitations and workflow.

Guides

New to STIG scripting or want to automate with AI? Read the step-by-step walkthrough and agentic hardening guide.

Downloading XCCDF Files for STIG Remediation

Obtain Manual STIG benchmark files from DISA. Each zip contains the Security Technical Implementation Guide (STIG) for a specific operating system and version.

  1. 1 Visit DISA: public.cyber.mil/stigs/downloads
  2. 2 Select your OS (e.g. Ubuntu 24.04, RHEL 9, macOS 15, Windows Server 2025, Windows 11 Manual STIG).
  3. 3 Download the Manual STIG .zip (contains *-Manual-xccdf.xml).
  4. 4 Verify integrity using any provided checksums.
  5. 5 Upload below — ZIP archives are auto-extracted — or try a bundled demo benchmark.

Use the benchmark that matches your target OS and version. Windows SCAP-only bundles are for compliance scanners, not this tool.

Upload Your STIG

Upload a DISA Manual STIG *-xccdf.xml or .zip package.

Try Demo Benchmark

Explore the workflow with a bundled DISA STIG benchmark.

Disclaimer This tool is provided for educational and testing purposes only. By using it, you acknowledge and accept all risks. You are responsible for understanding what each STIG rule does before applying any remediation. You may customize or use default remediation options before generating a tailored script (Bash or PowerShell).

Warning Review every generated command before running on production systems. Windows is primarily a GPO checklist workbook—not one-click hardening. macOS profile rules require manual/MDM steps. Incorrect remediations can break services, lock accounts, or reduce availability. You are solely responsible for outcomes.

Support the Project

Optional BTC/XRP donations help keep this tool free for everyone.

Donate

Ad Support

Ads help offset hosting costs so the tool remains free for everyone.