Browser-delivered STIG analyst workstations using Kasm Workspaces. One Docker image per STIGable OS — each pre-loaded with every applicable DISA STIG compliance tool available as free/open-source software.
Rule: Only OSes with a published DISA STIG are included.
```text
╔══════════════════════════════════════════════════════════════════════════════════╗
║ FOR TESTING AND EVALUATION ONLY — UNCLASSIFIED ENVIRONMENTS                      ║
║                                                                                  ║
║ DO NOT upload, process, store, or transmit any of the following using these      ║
║ workspaces:                                                                      ║
║ • Classified information (Confidential / Secret / Top Secret)                    ║
║ • TS/SCI, SAP, SAR, or any compartmented information                             ║
║ • CUI (Controlled Unclassified Information)                                      ║
║ • FOUO (For Official Use Only)                                                   ║
║ • PII, PHI, or any privacy-protected data                                        ║
║ • Export-controlled data (ITAR, EAR)                                             ║
║                                                                                  ║
║ These containers are NOT accredited, NOT ATO'd, and NOT connected to any         ║
║ DoD network. They are development/training tools ONLY.                           ║
║                                                                                  ║
║ Uploading classified or sensitive data into an unaccredited container            ║
║ constitutes a SECURITY SPILLAGE and may result in criminal liability.            ║
║                                                                                  ║
║ This repository is a personal project. It does NOT represent the views,          ║
║ products, or services of any employer, contractor, or government agency.         ║
║ The author accepts NO responsibility for misuse of these tools.                  ║
╚══════════════════════════════════════════════════════════════════════════════════╝
```
Every workspace desktop displays this warning at login. If you are building on top of this project for a production environment, maintain and enforce your own data handling policies. This repo gives you the tools — your organization's ISSO/ISSM defines how to use them.
| Variant | DISA STIG | Base | FIPS (Open Source) | FIPS (Licensed) | Status |
|---|---|---|---|---|---|
| ubuntu-22 | Ubuntu 22.04 STIG | kasmweb/ubuntu-jammy-desktop | | ✅ Ubuntu Pro + fips-updates | ✅ Working |
| ubuntu-24 | Ubuntu 24.04 STIG | kasmweb/ubuntu-noble-desktop | | ✅ Ubuntu Pro | 🔧 Stub |
| rhel-9 | RHEL 9 STIG | ubi9/ubi (free, no sub needed) | | ✅ Full RHEL 9 sub + fips-mode-setup | 🔧 Stub |
| rhel-8 | RHEL 8 STIG | ubi8/ubi (free) | | ✅ Full RHEL 8 sub | 🔧 Stub |
| alma-9 | RHEL 9 STIG (compatible) | almalinux:9 | | ✅ AlmaLinux FIPS Edition | 🔧 Stub |
| alma-8 | RHEL 8 STIG (compatible) | almalinux:8 | | ✅ AlmaLinux FIPS Edition | 🔧 Stub |
| rocky-9 | RHEL 9 STIG (compatible) | rockylinux:9 | | N/A (no FIPS offering) | 🔧 Stub |
| rocky-8 | RHEL 8 STIG (compatible) | rockylinux:8 | | N/A | 🔧 Stub |
Every OS listed below is past its vendor-supported End-of-Life date. This means:
- No free security patches from the vendor (unless you pay for extended support)
- Known, unpatched CVEs exist in these OS versions — some critical
- Running these in production without an active ESM/ELS contract is a STIG finding in itself (SI-2: Flaw Remediation)
- The STIG checklists for these OSes still exist — some DoD environments are still running them legally under extended support contracts (Ubuntu Pro ESM, Red Hat ELS)
These images exist for two purposes only:
- STIG assessment of existing legacy systems you are contractually obligated to maintain
- Developer/analyst training on older OS baselines
DO NOT deploy EOL OS variants as your primary workstation in a production environment.
| Variant | ☠️ EOL Date | Extended Support Available | DISA STIG | Open Source Base | Licensed Base | Status |
|---|---|---|---|---|---|---|
| ubuntu-20 | Apr 2025 ☠️ | Ubuntu Pro ESM → Apr 2030 | Ubuntu 20.04 STIG | ubuntu:20.04 | Ubuntu Pro 20.04 | 🔧 Stub |
| ubuntu-18 | Apr 2023 ☠️ | Ubuntu Pro ESM → Apr 2028 | Ubuntu 18.04 STIG | ubuntu:18.04 | Ubuntu Pro 18.04 | 🔧 Stub |
| rhel-7 | Jun 2024 ☠️ | RHEL ELS → Jun 2026 (paid) | RHEL 7 STIG | centos:7 (EOL) | RHEL 7 ELS subscription | 🔧 Stub |
| centos-7 | Jun 2024 ☠️ | NONE — fully dead | RHEL 7 STIG (applicable) | centos:7 | N/A — migrate to AlmaLinux/Rocky | 🔧 Stub |
| centos-8 | Dec 2021 ☠️ | NONE — fully dead | RHEL 8 STIG (applicable) | Use almalinux:8 instead | N/A — migrate immediately | 🔧 Stub |
CentOS 7 and CentOS 8 have absolutely no vendor support path. There is no ESM, no ELS, no paid option — they are dead. If you are running these in production, your ISSO should be aware and you should have an active migration plan documented in your POA&M. These images exist only so you can assess and document findings on existing legacy systems.
FIPS note on open-source variants: Open-source builds (AlmaLinux, Rocky, Ubuntu community, UBI) do NOT include FIPS 140-2/140-3 validated cryptographic modules. The OpenSSL builds are functionally identical but lack the formal NIST validation certificate. Most developers don't care. If your environment requires FIPS validation, use the licensed variant (RHEL subscription, Ubuntu Pro).
| Tool | ubuntu-22/24/20/18 | rhel-9/8 | alma-9/8 | rocky-9/8 | rhel-7 | centos-7/8 |
|---|---|---|---|---|---|---|
| STIG Viewer 3 | ✅ | ✅ | ✅ | ✅ | | |
| OpenSCAP (oscap) | ✅ apt | ✅ dnf | ✅ dnf | ✅ dnf | ✅ yum | ✅ yum |
| SCAP Workbench | ✅ apt | | | | | |
| SCAP Security Guide | ✅ apt | ✅ dnf | ✅ dnf | ✅ dnf | ✅ yum | ✅ yum |
| MITRE SAF CLI | ✅ npm | ✅ npm | ✅ npm | ✅ npm | | |
| Cinc Auditor | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| eMASSer | ✅ gem | ✅ gem | ✅ gem | ✅ gem | | |
| Lynis | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Grype (CVE scanner) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Syft (SBOM) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Trivy | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| trestle (OSCAL) | ✅ pip | ✅ pip | ✅ pip | ✅ pip | | |
| Heimdall 2 (browser) | ✅ Chromium | ✅ Firefox | ✅ Firefox | ✅ Firefox | ✅ Firefox | ✅ Firefox |
| Firefox | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Chromium | ✅ | ❌ | ❌ | | | |

Not in EPEL — must be compiled from source. A COPR repo is available: `dnf copr enable openscapmaint/openscap`. It works once installed; it just is not `dnf install`-able directly.
Beyond the core STIG workflow tools, each image includes:
| Tool | License | What It Does | Why Include It |
|---|---|---|---|
| Lynis | GPL-3.0 (runtime) | Security auditing / hardening advisor | Fast pre-assessment before formal SCAP scan — tells you what's obviously broken |
| Grype | Apache-2.0 | CVE vulnerability scanner (container + filesystem) | Scan the workspace itself or uploaded artifacts for known CVEs |
| Syft | Apache-2.0 | SBOM generator (CycloneDX / SPDX) | Generate SBOM of installed packages — required for RMF supply chain controls (SA-12) |
| Trivy | Apache-2.0 | Multi-mode scanner (CVE, secrets, misconfigs, SBOM) | One-tool Swiss army knife; Grype alternative with broader coverage |
| trestle (IBM) | Apache-2.0 | OSCAL document authoring / validation | Author SSP, SAR, POAM in OSCAL JSON/YAML — the future of RMF |
| xmlstarlet | MIT | XCCDF/OVAL XML parsing from CLI | Parse SCAP results without full GUI |
| jq | MIT | JSON parsing | Parse SAF HDF output, Grype/Syft JSON |
| git | GPL-2.0 (runtime) | Version control | Track checklist changes over time; clone InSpec profiles |
| python3 + pip | PSF | Scripting | trestle, custom SCAP post-processing |
| curl / wget | MIT / GPL | Downloads | Fetch STIG zips from public.cyber.mil |
| Tool | Reason Excluded |
|---|---|
| Wazuh agent | Requires a Wazuh manager to connect to — useless standalone in a desktop container |
| ClamAV | AV scanning a Kasm workspace container is circular — scan the host, not the container |
| AIDE | Filesystem integrity monitoring requires a known-good baseline at install — not meaningful in ephemeral containers |
| OpenRMF | Web app requiring its own server stack — better run as a sidecar or separate service |
- Chromium (primary) + Firefox (secondary)
- Firefox (primary — the DoD-approved browser for most gov environments)
| Bookmark | URL | Purpose |
|---|---|---|
| DISA STIG Downloads | https://public.cyber.mil/stigs/downloads/ | Download STIG zip files |
| SCC Download | https://public.cyber.mil/stigs/scap/ | SCAP Compliance Checker (requires DoD account) |
| Heimdall 2 | https://heimdall.mitre.org | Upload HDF results for visualization |
| STIGViewer.com | https://stigviewer.com | Community STIG viewer — no CAC needed |
| MITRE SAF | https://saf.mitre.org | SAF CLI docs, InSpec profiles, HDF schema |
| NVD | https://nvd.nist.gov | CVE lookups |
| NIST SP 800-53 Rev 5 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final | Control catalog |
| ComplianceAsCode / SSG | https://github.com/ComplianceAsCode/content | SSG XCCDF profiles source |
| Heimdall 2 GitHub | https://github.com/mitre/heimdall2 | Run Heimdall locally |
| DoD Cyber Exchange | https://dl.dod.cyber.mil | DISA downloads |
| IBM trestle | https://github.com/oscal-compass/compliance-trestle | OSCAL authoring tool |
- Open the browser → go to https://public.cyber.mil/stigs/downloads/
- Search for your OS (e.g., "RHEL 9") → download the STIG zip
- Unzip → open STIG Viewer 3 (desktop icon) → File → Import STIG → select the .xml file
- Create a checklist → assign to your target system → start evaluating
Or use the CLI:

```bash
# Download RHEL 9 STIG zip (no CAC required for this)
wget "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_STIG.zip" -P ~/checklists/
cd ~/checklists && unzip U_RHEL_9_STIG.zip

# Run OpenSCAP against this machine using SSG
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --results ~/scap-results/$(hostname)-rhel9-results.xml \
  --report ~/reports/$(hostname)-rhel9-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

# Convert to HDF for Heimdall
saf convert xccdf_results2hdf \
  -i ~/scap-results/$(hostname)-rhel9-results.xml \
  -o ~/reports/$(hostname)-rhel9.hdf.json
```

```text
~/Desktop/
├── ⚠️ WARNING-READ-FIRST.html   ← Spillage warning + classification banner
├── STIG-Viewer-3.desktop        ← Launch STIG Viewer 3 (Java)
├── SCAP-Workbench.desktop       ← Launch SCAP Workbench GUI
├── Heimdall-2.desktop           ← Open Heimdall 2 in browser
├── STIGViewer-com.desktop       ← Open stigviewer.com (no CAC needed)
├── Terminal.desktop             ← Terminal (oscap, saf, cinc, etc.)
└── START-HERE.html              ← Workflow guide + tool links

~/checklists/     ← Drop .ckl / .cklb files here
~/scap-results/   ← oscap XML output
~/reports/        ← HTML reports + HDF JSON
~/ckl-working/    ← In-progress checklist work
~/ssg-content/    → (symlink to /usr/share/xml/scap/ssg/content/)
```
Every workspace displays a persistent banner:
```text
┌─────────────────────────────────────────────────────────────────┐
│ ⚠ FOR TESTING AND EVALUATION ONLY — UNCLASSIFIED SYSTEMS ⚠      │
│ DO NOT PROCESS CUI / CLASSIFIED / FOUO / PII / PHI              │
└─────────────────────────────────────────────────────────────────┘
```

Implemented as:
- Xfce desktop wallpaper — warning text baked into the background image
- `~/Desktop/WARNING-READ-FIRST.html` — full spillage policy, opens at first login
- Browser home page — set to `file:///home/kasm-user/Desktop/WARNING-READ-FIRST.html`
The example VNC_PW=ZtiSUNet2026Demo! meets DISA STIG minimum requirements:
- 15+ characters ✅ (17 chars)
- Upper + lower + number + special ✅
- Not a dictionary word ✅
Do NOT use YourPassword123! (shown in some older docs as a placeholder) — it would fail STIG V-238218 (minimum password length) and V-238219 (complexity). Change the VNC password to something that meets your org's password policy before deploying.
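As an added pre-launch check (not part of this repo), the shell function below enforces the same minimums before `docker run` ever sees the password; the dictionary wordlist is a constructed sample and `run_workspace` is a hypothetical wrapper around the quick-start command:

```bash
#!/usr/bin/env bash
# Added helper, not part of the repo: refuse to launch the workspace unless
# VNC_PW meets the minimums listed above (15+ chars, upper, lower, digit,
# special, not built on a dictionary word).

# Constructed sample wordlist; swap in your org's denylist or a real dictionary.
DICTIONARY_WORDS="password admin welcome letmein qwerty"

# Prints every failed check; returns 1 if any failed, 0 if the password passes.
check_vnc_pw() {
  local pw="$1" fail=0 lower word
  if [ "${#pw}" -lt 15 ]; then echo "FAIL: length ${#pw} < 15"; fail=1; fi
  case "$pw" in *[[:upper:]]*) ;; *) echo "FAIL: no uppercase letter"; fail=1 ;; esac
  case "$pw" in *[[:lower:]]*) ;; *) echo "FAIL: no lowercase letter"; fail=1 ;; esac
  case "$pw" in *[[:digit:]]*) ;; *) echo "FAIL: no digit"; fail=1 ;; esac
  case "$pw" in *[![:alnum:]]*) ;; *) echo "FAIL: no special character"; fail=1 ;; esac
  # Dictionary check is case-insensitive and catches embedded words
  # ("YourPassword123!" fails here even though it has all four classes).
  lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
  for word in $DICTIONARY_WORDS; do
    case "$lower" in *"$word"*) echo "FAIL: contains dictionary word '$word'"; fail=1 ;; esac
  done
  return "$fail"
}

# Wraps the docker run command from the quick start; returns before docker is
# touched if the password is weak, so a placeholder never reaches a container.
run_workspace() {
  local pw="$1"
  check_vnc_pw "$pw" || { echo "refusing to start: VNC_PW does not meet policy" >&2; return 1; }
  docker run --rm -p 6901:6901 -e VNC_PW="$pw" --shm-size=512m kasm-stig-desktop:ubuntu-22
}

# Usage: ./check-vnc-pw.sh "$VNC_PW"   (check only; call run_workspace to launch)
if [ "${1-}" != "" ]; then
  if check_vnc_pw "$1"; then echo "OK: VNC_PW meets policy"; else exit 1; fi
fi
```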
```bash
git clone https://github.com/hdean3/kasm-stig-desktop.git
cd kasm-stig-desktop/ubuntu-22
docker build -t kasm-stig-desktop:ubuntu-22 .
docker run --rm -p 6901:6901 \
  -e VNC_PW=<15+chars-upper-lower-number-special> \
  --shm-size=512m \
  kasm-stig-desktop:ubuntu-22
open https://localhost:6901
```

```bash
cd ubuntu-22
REMOTE_HOST=<your-host-ip> bash scripts/remote-deploy.sh
```

| Tool | What It Does | Why Not Bundled | How to Get It |
|---|---|---|---|
| SCC (SCAP Compliance Checker) | DISA's official SCAP scanner — gold standard for RMF | Download requires DoD PKI / CAC login | public.cyber.mil/stigs/scap |
| DISA STIG zip files | Actual checklist XML content | CAC gate on some STIG downloads | public.cyber.mil/stigs/downloads |
| eMASS | DoD system of record for RMF packages | Web app on DoD network — not locally installable | Requires org eMASS instance + account |
SCC workaround: after launching, download SCC from public.cyber.mil and drop it into `~/workspace-files/` (bind-mounted from the host). Then run: `bash SCC-5.x_RHEL9/cscc`
| Tool | Why Not Bundled |
|---|---|
| Tenable Nessus | Paid license required |
| Tenable.sc (ACAS) | U.S. Government contract only |
| Rapid7 InsightVM | Paid SaaS |
| Qualys | Paid SaaS |
| BeyondTrust | Paid platform |
| Control Category | Reason |
|---|---|
| Disk encryption (LUKS/BitLocker) | No bare-metal disk to encrypt |
| UEFI / Secure Boot STIGs | Requires hardware firmware |
| Physical media controls | No physical ports in container |
| Full auditd rule sets | Kernel audit subsystem not namespaced in containers |
| Component | License |
|---|---|
| Kasm Workspaces platform (server) | Proprietary (Community Edition free) |
| kasmweb/* Docker images (what we build FROM) | MIT — open, forkable, commercial use OK |
| This repo | MIT (see LICENSE) |
| Tool | License | Copyleft Risk |
|---|---|---|
| STIG Viewer 3 | Public Domain (U.S. Gov) | None |
| OpenSCAP | LGPL-2.1 | None (dynamic linking only) |
| SCAP Workbench | GPL-3.0 | |
| SCAP Security Guide (SSG) | BSD-3-Clause | None |
| MITRE SAF CLI | Apache-2.0 | None |
| Cinc Auditor | Apache-2.0 | None |
| eMASSer | Apache-2.0 | None |
| Lynis | GPL-3.0 | |
| Grype | Apache-2.0 | None |
| Syft | Apache-2.0 | None |
| Trivy | Apache-2.0 | None |
| trestle (IBM) | Apache-2.0 | None |
| Node.js / npm | MIT | None |
| OpenJDK 17 | GPL-2.0 + Classpath Exception | Effectively none |
| Ruby | BSD-2-Clause | None |
| Python 3 | PSF | None |
Bottom line: Safe for internal use and Dockerfile distribution. If you fork this and ship a compiled appliance containing SCAP Workbench or Lynis, consult legal before distributing. Safest commercial path: remove those two tools and use oscap CLI + SAF CLI instead (both Apache-2.0).
Different impact levels require different numbers of controls. This project supports selecting an impact level at build time via --build-arg IMPACT_LEVEL=low|moderate|high, which selects the appropriate OpenSCAP profile and applies matching hardening.
| Impact Level | 800-53 Controls | 800-171 Req. | OpenSCAP Profile (SSG) | Who Needs It |
|---|---|---|---|---|
| Low | ~125 | N/A (CUI not applicable) | cis_level1 or standard | Dev/test systems, internal tools, no federal data |
| Moderate | ~325 | 110 (all of 800-171) | stig (DISA STIG ≈ Moderate) | Most federal systems, CUI environments, CMMC Level 2 |
| High | ~425 | 110 + enhanced | stig + FIPS mode | National security systems, classified support |
800-171 note: NIST SP 800-171 Rev 2 (110 requirements) maps directly to the 800-53 Moderate baseline — it's a subset written for non-federal organizations handling CUI. If you're pursuing CMMC Level 2, use `IMPACT_LEVEL=moderate`.
```bash
# Low — minimal hardening, dev/test use
docker build --build-arg IMPACT_LEVEL=low -t kasm-stig-desktop:ubuntu-22-low .

# Moderate — DISA STIG profile (default, recommended for most users)
docker build --build-arg IMPACT_LEVEL=moderate -t kasm-stig-desktop:ubuntu-22-moderate .

# High — STIG + FIPS (requires licensed OS — Ubuntu Pro or RHEL subscription)
docker build --build-arg IMPACT_LEVEL=high -t kasm-stig-desktop:ubuntu-22-high .
```

The Dockerfile automatically runs an OpenSCAP scan at build time using the selected profile and saves the report to `/home/kasm-user/reports/build-time-stig-report.html`. Analysts see their baseline compliance score on first login.
Status: build-arg automation is M3 — Impact Level Automation. Stub code exists in `ubuntu-22/Dockerfile`. Full automation is tracked in the milestone.
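An added build-time scan helper, not the repo's stub, that carries the `IMPACT_LEVEL` mapping through the same `oscap` run and `saf convert` step used in the CLI workflow above; the function names, the `SSG_DS`/`REPORT_DIR` overrides and the Ubuntu 22.04 datastream default are assumptions. It also handles `oscap`'s exit status 2 (rules failed, scan succeeded), which a plain Dockerfile `RUN` step would otherwise treat as a build failure:

```bash
#!/usr/bin/env bash
# Hypothetical build-time scan helper for the IMPACT_LEVEL build-arg (not the
# project's own script). Meant to be invoked from a Dockerfile RUN step.
set -u

# Map IMPACT_LEVEL to the SSG profile id the impact-level table associates with it.
profile_for_level() {
  case "$1" in
    low)           echo "xccdf_org.ssgproject.content_profile_standard" ;;
    moderate|high) echo "xccdf_org.ssgproject.content_profile_stig" ;;
    *) echo "unknown IMPACT_LEVEL '$1' (expected low|moderate|high)" >&2; return 1 ;;
  esac
}

# High additionally requires FIPS mode; in a container that is a property of the
# host kernel, so it is checked rather than configured here.
level_requires_fips() { [ "$1" = "high" ]; }

# oscap xccdf eval exit status: 0 = all rules pass, 1 = scanner error,
# 2 = scan completed with at least one failed rule. Only 1 should abort a build.
scan_status_ok() {
  case "$1" in 0|2) return 0 ;; *) return 1 ;; esac
}

run_build_scan() {
  local level="${IMPACT_LEVEL:-moderate}"
  local ds="${SSG_DS:-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml}"
  local out="${REPORT_DIR:-/home/kasm-user/reports}"
  local profile rc=0
  profile=$(profile_for_level "$level") || return 1
  if level_requires_fips "$level" && [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" != "1" ]; then
    echo "IMPACT_LEVEL=high but the kernel is not in FIPS mode (licensed OS required)" >&2
    return 1
  fi
  mkdir -p "$out"
  oscap xccdf eval \
    --profile "$profile" \
    --results "$out/build-time-stig-results.xml" \
    --report  "$out/build-time-stig-report.html" \
    "$ds" || rc=$?
  scan_status_ok "$rc" || { echo "oscap failed with status $rc" >&2; return 1; }
  # HDF for Heimdall; findings (rc=2) are expected on a fresh image and not fatal.
  saf convert xccdf_results2hdf \
    -i "$out/build-time-stig-results.xml" \
    -o "$out/build-time-stig.hdf.json"
  echo "scan complete: level=$level profile=$profile oscap_status=$rc"
}

# Usage from a Dockerfile: RUN bash build-time-scan.sh "$IMPACT_LEVEL"
if [ "${1-}" != "" ]; then
  IMPACT_LEVEL="$1" run_build_scan
fi
```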
| NIST 800-53 Family | Low | Moderate | High | Notes |
|---|---|---|---|---|
| AC — Access Control | Partial | Full | Full + enhanced | |
| AU — Audit & Accountability | Basic | Full | Full + enhanced | Container: host auditd covers |
| CM — Configuration Mgmt | Basic | Full | Full | OpenSCAP/STIG enforces |
| IA — Identification & Auth | Password only | MFA recommended | MFA required | |
| SC — System & Comm Protection | TLS | TLS + FIPS | TLS + FIPS validated | High = FIPS 140-2/3 required |
| SI — System & Info Integrity | Patch | Patch + AV | Patch + AV + integrity | Container: Grype/Trivy at build |
| SA — System Acquisition | Basic SBOM | Full SBOM | Full SBOM + lineage | Syft covers this |
| RA — Risk Assessment | Grype scan | Grype + Trivy | Grype + Trivy + formal |
Kasm Technologies ships an official kasmweb/nessus Docker image — Nessus runs inside the Kasm workspace and streams to the browser exactly like this project.
```bash
# Run Kasm-delivered Nessus directly (no Kasm server needed for local test)
docker run --rm -it --shm-size=512m \
  -p 6901:6901 \
  -e VNC_PW=<YourSecurePassword> \
  kasmweb/nessus:1.18.0
# Open: https://localhost:6901
```

License reality:
| Nessus Tier | IP Limit | Docker? | Notes |
|---|---|---|---|
| Nessus Essentials (free) | 5 IPs | ✅ | No persistent volume — data lost on restart |
| Nessus Professional | Unlimited | ✅ | Paid; connects to Tenable.io |
| Tenable Security Center | On-prem enterprise | | Docker support unofficial; community Dockerfiles available |
Tenable API client (pre-installed in the workspace):

```bash
pip install python-tenable  # Apache-2.0 — OK for commercial use
```

Connect from the workspace to Tenable.io or Security Center via the pyTenable SDK without needing Nessus locally.
| Tool | Run Full Stack in Kasm | CLI/Client in Workspace | Browser Bookmark | License |
|---|---|---|---|---|
| Tenable Nessus | ✅ kasmweb/nessus | ✅ python-tenable | ✅ Nessus Web UI | Commercial (Essentials free/5 IPs) |
| Tenable.io | N/A (SaaS) | ✅ python-tenable | ✅ cloud.tenable.com | SaaS subscription |
| Tenable Security Center | | ✅ python-tenable (sc client) | ✅ On-prem URL | Enterprise contract |
| Splunk | | ✅ splunk-sdk (pip) | ✅ Your Splunk URL | Enterprise; free dev license |
| OpenSearch | | ✅ opensearch-py (pip) | ✅ Dashboards URL | Apache-2.0 ✅ |
| ELK (Elasticsearch) | | ✅ elasticsearch (pip) | ✅ Kibana URL | SSPL |
| Wazuh | ❌ Needs manager | ✅ REST API via requests | ✅ Wazuh Dashboard | GPL-2.0 (runtime OK) |
| Qualys | N/A (SaaS) | ✅ qualysapi (pip) | ✅ qualys.com | Paid SaaS |
| Carbon Black | N/A (SaaS) | ✅ cbapi (pip) | ✅ carbonblack.com | Paid |
```text
kasm-stig-desktop/
├── ubuntu-22/   ← ✅ Working — STIG compliance analyst
├── tenable/     ← kasmweb/nessus base + pyTenable CLI
├── siem/        ← OpenSearch/Wazuh client tools + bookmarks
└── devsecops/   ← Ansible + OpenTofu + AWS CLI + GitLab CLI (glab)
```
Short answer: No — and they can't be.
A Kasm workspace container is a tool, not an accredited system. What actually needs to be STIGd is the platform underneath it. Here's how the layers work:
```text
┌─────────────────────────────────────────┐
│ Kasm Workspace Container                │ ← Tool. NOT the system under assessment.
│ (kasm-stig-desktop:ubuntu-22)           │   Apply STIG controls where possible.
├─────────────────────────────────────────┤
│ Kasm Workspaces Platform                │ ← Has its own DISA STIG. Apply it.
├─────────────────────────────────────────┤
│ Host OS (where Docker runs)             │ ← THIS must be fully STIGd.
├─────────────────────────────────────────┤
│ Hardware / Hypervisor                   │ ← Physical/virtual controls apply here.
└─────────────────────────────────────────┘
```
When a STIG control cannot be applied inside a container, the compensating control lives at the host or platform layer.
| STIG Control Category | Why N/A in Container | Compensating Control |
|---|---|---|
| Disk encryption (LUKS/BitLocker) | No bare-metal disk to encrypt | Host OS disk is encrypted; container volumes inherit host-level encryption |
| UEFI / Secure Boot | No hardware firmware interface | Host enforces Secure Boot; container cannot subvert it |
| Physical media (USB, CD/DVD) | No physical ports in container | Host OS disables physical media; container has no access path |
| Bootloader controls | No bootloader in a container | Host bootloader is configured and password-protected |
| Full auditd rule sets | Kernel audit subsystem is not fully namespaced | Host auditd captures syscalls including container activity; Kasm logs all sessions |
| SELinux / AppArmor enforcement | Container may run in permissive mode | Host enforces MAC policy; Docker seccomp profile restricts syscalls |
| Screen lock / idle timeout | Kasm handles session timeout, not the OS | Kasm Admin → Session idle timeout configured at platform level |
| Antivirus on OS | No persistent filesystem to scan | Host AV scans Docker volumes; container image scanned with Grype/Trivy at build time |
| Network interface hardening | Container uses virtual network | Host firewall + Docker network policy controls egress/ingress |
| Account lockout on OS | kasm-user is a fixed container user | Kasm enforces login lockout at the platform/browser layer |
| Control Category | Applies Inside Container? | How |
|---|---|---|
| Application password policy | ✅ Yes | VNC_PW meets STIG length/complexity at runtime |
| Session timeout | ✅ Yes | Kasm idle timeout + VNC timeout configured |
| Unnecessary services disabled | ✅ Yes | Container runs only required processes |
| File permissions | ✅ Yes | /home/kasm-user ownership enforced in Dockerfile |
| Banners / warning messages | ✅ Yes | Desktop warning HTML + wallpaper displayed at login |
| Software currency (CVEs) | ✅ Yes | Base image + packages updated at build time; Grype scan in CI |
| FIPS-validated crypto | | Open-source builds: no FIPS validation. Licensed builds (Ubuntu Pro, RHEL sub): FIPS mode available |
| Component | STIG / SRG | Where to Find |
|---|---|---|
| Kasm Workspaces platform | Kasm Workspaces STIG | public.cyber.mil |
| Docker / container runtime | Container Platform SRG | public.cyber.mil |
| Host OS (RHEL 9) | RHEL 9 STIG | public.cyber.mil |
| Host OS (Ubuntu 22) | Ubuntu 22.04 STIG | public.cyber.mil |
| Web browser (Firefox) | Firefox STIG | public.cyber.mil |
Bottom line: STIG the host. STIG the Kasm platform. Use this project's containers as analyst tools. Don't try to get an ATO on the workspace container itself — that's not what it's for.
DISA only publishes STIGs for OSes under DoD use with a formal STIG development agreement. Debian, Fedora, openSUSE, Arch, etc. have CIS Benchmarks — not STIGs. This repo is STIG-specific by design.
This repository is MIT licensed. See LICENSE. Individual installed tools retain their own licenses.