On the node's host, `jq` is required for certain cluster operations. `ansible` and `unzip` are only required if you intend to enforce STIGs via an Ansible playbook.
To STIG your host, you can use the Ansible playbook provided by DISA as part of their automation content. Leveraging this automation keeps the process as close to the source of the STIG as possible, so the STIG fixes and checks do not have to be reimplemented here. The one piece not covered by the DISA Ansible STIG content is the enabling/installation of FIPS packages, because FIPS on Ubuntu requires a subscription. The existing scripts can be used to perform the dependency installs and the STIG process.
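A preflight check for the prerequisites described above, added here as an example (not one of the project's own scripts). It reports which of the required host tools are missing and whether the kernel is actually running in FIPS mode, which is the gap the DISA Ansible content leaves open. The FIPS flag path is a parameter so the check can be pointed at a test file; on a real host it defaults to `/proc/sys/crypto/fips_enabled`.

```shell
#!/bin/sh
# Added example preflight for a UDS/RKE2 node host; not a script from the project itself.

# Print the names of tools from the argument list that are not on PATH, one per line.
# Returns 0 when every tool is present, 1 when at least one is missing.
missing_tools() {
    _missing=0
    for _tool in "$@"; do
        if ! command -v "$_tool" >/dev/null 2>&1; then
            echo "$_tool"
            _missing=1
        fi
    done
    return "$_missing"
}

# Return 0 when the kernel reports FIPS mode, 1 otherwise.
# The sysfs flag is absent on kernels built without FIPS support, which is
# treated the same as "not enabled".
fips_enabled() {
    _flag="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$_flag" ] && [ "$(cat "$_flag" 2>/dev/null)" = "1" ]; then
        return 0
    fi
    return 1
}

# Human-readable summary of both checks; exits non-zero if anything is off.
preflight() {
    _rc=0
    if _absent=$(missing_tools jq ansible unzip); then
        echo "host tools: ok"
    else
        echo "host tools missing: $(echo "$_absent" | tr '\n' ' ')"
        _rc=1
    fi
    if fips_enabled; then
        echo "FIPS mode: enabled"
    else
        echo "FIPS mode: NOT enabled (DISA STIG content does not enable FIPS packages)"
        _rc=1
    fi
    return "$_rc"
}

# Run the report only when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it with `sh preflight.sh run` before invoking the dependency-install and STIG scripts; a non-zero exit means either a tool is missing or FIPS mode is not on, and the second case has to be addressed outside the Ansible playbook.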
The OS Preparation script changes a number of things on the base OS to ensure smooth operation of RKE2 and the UDS pieces running on top of it, such as UDS Core. Requirements were pulled from upstream documentation:
- SELinux: general and logging-specific requirements
- Prerequisites: modifying NetworkManager and disabling services that conflict with cluster networking (see the upstream documentation)
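One concrete instance of the NetworkManager prerequisite, added here as an example and not the project's OS Preparation script: a drop-in that tells NetworkManager to leave the CNI-created interfaces unmanaged so it does not rewrite their routes. The `[keyfile]` `unmanaged-devices` entry for `cali*` and `flannel*` interfaces follows the upstream RKE2 guidance for Canal. The target directory is a parameter so the function can be exercised against a temporary directory; on a real host it is `/etc/NetworkManager/conf.d`.

```shell
#!/bin/sh
# Added example of one OS-preparation step (NetworkManager drop-in for CNI interfaces).
# Not part of the UDS/RKE2 project's own scripts.

# Write the drop-in that marks Canal's interfaces as unmanaged by NetworkManager.
# Regenerates the whole file each time so repeated runs stay idempotent.
# Prints the path of the file it wrote.
write_nm_unmanaged_conf() {
    _confdir="${1:-/etc/NetworkManager/conf.d}"
    _conf="$_confdir/rke2-canal.conf"
    mkdir -p "$_confdir"
    cat > "$_conf" <<'EOF'
[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:flannel*
EOF
    echo "$_conf"
}

# Check that a drop-in contains exactly the expected unmanaged-devices line.
# Returns 0 when present, 1 otherwise.
nm_conf_ok() {
    grep -q '^unmanaged-devices=interface-name:cali\*;interface-name:flannel\*$' "$1"
}

# Apply to the live host only when asked explicitly; sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
    _written=$(write_nm_unmanaged_conf)
    if nm_conf_ok "$_written"; then
        echo "wrote $_written; reload NetworkManager (systemctl reload NetworkManager) or reboot for it to take effect"
    else
        echo "failed to write a valid drop-in at $_written" >&2
        exit 1
    fi
fi
```

The verification function is there so the same check can run as a post-condition of the preparation step: a host on which the file exists but has been edited or truncated fails `nm_conf_ok`, which is the symptom to look for when pod networking starts losing routes after a NetworkManager restart.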