Guide
How to Use the STIG Hardening Tool
Turn a DISA Linux STIG XCCDF benchmark into a reviewed, customizable Bash remediation script—with validation checks appended automatically. This guide walks through the full workflow from download to deployment.
Before you start: Always match the benchmark to your target OS and version. Test on a non-production system first. You are responsible for every command the script runs.
What You Need
- A DISA Linux STIG XCCDF file (*-xccdf.xml) or STIG .zip package for your distribution
- A target Linux host (Ubuntu, RHEL, Debian, AlmaLinux, Rocky Linux, etc.) that matches the benchmark
- Root access on the target when you run the generated script
- A lab or staging environment for initial testing
Step 1 — Download the Benchmark from DISA
- 1 Visit public.cyber.mil/stigs/downloads and select your OS and version.
- 2 Download the STIG package. ZIP archives are supported—the tool auto-extracts the XCCDF XML inside.
- 3 Verify checksums if DISA provides them. Using the wrong benchmark version is a common source of breakage.
Step 2 — Upload or Try a Demo
On the home page, either upload your .xml or .zip file, or pick a bundled demo benchmark (Ubuntu 24.04, RHEL 8, or RHEL 9) to explore the workflow without a live STIG download.
After a successful parse you will see a summary: total rules, and how many are automated, partial, or manual.
Step 3 — Configure Each Rule
The remediation screen lists every STIG rule with its category, fix type, and DISA description. For each rule, choose:
- Default Fix — use the DISA fixtext converted to Bash (best for automated rules)
- Skip Fix — leave the rule unchanged; useful for rules you will handle manually or defer
- Custom Fix — paste your own reviewed commands when DISA defaults do not fit your environment
Manual rules default to Skip because they often require human judgment. Use the search box and bulk actions when working with large benchmarks (hundreds of rules on RHEL).
Step 4 — Preview the Script
Click Generate Script to build a single Bash file. The preview shows the full output, including:
- Root check and OS detection
- Remediation commands grouped by rule with comments
- Deferred reboot commands (moved to the end so validation runs first)
- XCCDF check-content validation for each rule
- A PASS / FAIL / MANUAL summary at the end
Read every line before downloading. If you use an AI assistant for review, see our Automation & AI guide for copy-ready prompts.
Step 5 — Download and Run on the Target
- 1 Download remediation.sh and transfer it to the target host (scp, Ansible, golden image, etc.).
- 2 Make it executable: chmod +x remediation.sh
- 3 Run as root: sudo ./remediation.sh
- 4 Review the terminal output and the log file (default /var/log/stig-remediation-*.log, or ./ if /var/log is not writable).
Understanding Validation Results
At the end of the script, each rule is checked against its DISA check-content and reported in one of three states:
- PASS: Default automated remediation ran and the check passed.
- FAIL: Default automated remediation ran but the check did not pass; investigate before treating the rule as met.
- MANUAL: Custom, skipped, partial, or manual rules; human review required.
PASS/FAIL auto-scoring applies only to rules where you chose Default Fix on an automated rule. Everything else is flagged MANUAL by design so you do not get a false sense of compliance.
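As an added example (not the tool's generated output), the Bash skeleton below has the same shape the Step 4 preview describes (root check, OS detection, per-rule fixes, deferred reboot, check-content validation, PASS/FAIL/MANUAL summary) and implements the scoring rule just stated: only Default Fix rules are auto-scored, everything else is MANUAL. The rule IDs DEMO-0001 to DEMO-0003, the sshd_config settings and the checks are constructed for illustration; the demo works on a scratch copy in a temp file, so it needs no root and changes nothing on the host.

```bash
#!/usr/bin/env bash
# Added example: hand-written skeleton shaped like a generated remediation.sh.
# NOT the tool's output. Rule IDs, settings and checks are made up; the demo
# edits a scratch copy of an sshd_config so it can run unprivileged.
set -u

PASS_COUNT=0; FAIL_COUNT=0; MANUAL_COUNT=0
REBOOT_REQUIRED=0

require_root() {
  # A real generated script aborts here; the demo below does not call it.
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
}

detect_os() {
  # Prints "ID VERSION_ID" from /etc/os-release so a benchmark/OS mismatch can abort early.
  if [ -r /etc/os-release ]; then
    ( . /etc/os-release; printf '%s %s\n' "${ID:-unknown}" "${VERSION_ID:-unknown}" )
  else
    echo "unknown unknown"
  fi
}

choose_log_path() {
  # /var/log when writable, otherwise the current directory (the documented fallback).
  local name="stig-remediation-$(date +%Y%m%d%H%M%S).log"
  if [ -w /var/log ]; then echo "/var/log/$name"; else echo "./$name"; fi
}

set_option() {
  # set_option <file> <key> <value>: rewrite "key ..." lines to "key value" (no sed -i, portable)
  local file=$1 key=$2 value=$3
  sed "s/^$key .*/$key $value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

record() {
  # record <rule-id> <fix-mode> <check command...>
  # Only rules remediated with the Default Fix are auto-scored PASS/FAIL; skip,
  # custom, partial and manual rules are always MANUAL so they never look compliant.
  local rule=$1 mode=$2 status; shift 2
  if [ "$mode" != default ]; then
    status=MANUAL; MANUAL_COUNT=$((MANUAL_COUNT + 1))
  elif "$@" >/dev/null 2>&1; then
    status=PASS; PASS_COUNT=$((PASS_COUNT + 1))
  else
    status=FAIL; FAIL_COUNT=$((FAIL_COUNT + 1))
  fi
  echo "$status $rule"
}

summary() {
  echo "PASS=$PASS_COUNT FAIL=$FAIL_COUNT MANUAL=$MANUAL_COUNT"
}

demo() {
  local cfg
  cfg=$(mktemp)
  # Constructed sample config with three non-compliant settings (not read from the host).
  printf 'PermitRootLogin yes\nX11Forwarding yes\nCiphers aes128-ctr\n' > "$cfg"
  echo "OS: $(detect_os)   log: $(choose_log_path)"

  # --- DEMO-0001 (Default Fix): disable direct root login over SSH
  set_option "$cfg" PermitRootLogin no
  REBOOT_REQUIRED=1   # deferred: the reboot must not run before validation
  # --- DEMO-0002 (Skip Fix): X11Forwarding left for a manual change ticket
  # --- DEMO-0003 (Default Fix): the fix writes one value but the check wants another
  set_option "$cfg" Ciphers aes256-ctr

  # Validation appended after all fixes, one check per rule (mirrors check-content).
  record DEMO-0001 default grep -q '^PermitRootLogin no$' "$cfg"
  record DEMO-0002 skip    grep -q '^X11Forwarding no$' "$cfg"
  record DEMO-0003 default grep -q '^Ciphers aes256-gcm@openssh.com$' "$cfg"
  summary
  rm -f "$cfg"

  # Deferred reboot comes last so the validation above reflects the applied state.
  if [ "$REBOOT_REQUIRED" -eq 1 ]; then
    echo "Reboot required; a real script would call 'systemctl reboot' here."
  fi
}

demo
```

Running it with bash prints one PASS, one FAIL and one MANUAL line followed by the summary, then the reboot notice. In a real remediation.sh the require_root call comes first and an actual reboot, not a message, closes the script; the point to carry over when reading the preview is that every check runs before the reboot and that a MANUAL line is a to-do item, not a pass.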
Pre-Flight Safety Checklist
- Benchmark version matches target OS and major version
- Snapshot or backup taken before running on any important system
- Maintenance window scheduled (some rules restart services or defer a reboot)
- Skipped rules documented with an owner and remediation plan
- Script tested in a lab identical or close to production
- Validation FAIL and MANUAL items reviewed before declaring the system compliant