[ale] Security Template (STIG) Scripts for RHEL on github
George Allen
glallen01 at gmail.com
Wed Jan 7 17:53:50 EST 2015
FYI, re-post from the gov-sec at redhat list:
> https://github.com/SimonTek/stigs
> I wrote these a while ago; I have had them on my server for a few
> years, finally moved them to my github account. Primarily for RHEL 6
> machines, and ESXi 5 servers. I am working on RHEL 7 scripts. Please
> read through the scripts before you run them. For instance, all the
> ESXi scripts will lock the machine down, to the point you may have to
> re-install. Similar to the old gold disc.
Would you be interested in merging your changes (especially the
evolving RHEL7 scripts!) into the STIG directly? Working with DISA and
NSA, we've put everything on GitHub:
https://github.com/openscap/scap-security-guide
Essentially, one language (OVAL) performs the pass/fail check on the
system. The workflow embeds a bash script into the results which can
be executed by a system administrator to remediate their box. Those
bash scripts are located here:
https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/6/input/fixes/bash
The GitHub project serves as the upstream of the DoD STIG, and also
the scap-security-guide package delivered in RHEL6.
While a bit dated, this sample report gives you an idea of things:
http://people.redhat.com/swells/ssg-results/report.html#ruleresult-idp26062848
Our ultimate goal is to align scanning with remediation, allowing a
single workflow between the processes. Now shipping in RHEL6, this
also means systems can be configured as STIG/NSA/CIA/NRO/etc compliant
out of the box.
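
The scan-then-remediate workflow described in the message above, sketched as an added example (not code from this post or from the scap-security-guide project). A simple text match stands in for the OVAL check, and the function names, the rule and the sample file contents are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration of one rule: a pass/fail check paired with the fix
# that makes the check pass. A real scan evaluates OVAL, not awk.

# check_rule FILE KEY VALUE: exit 0 (pass) if the first uncommented
# "KEY ..." line in FILE carries VALUE, non-zero (fail) otherwise.
check_rule() {
    actual=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ "$actual" = "$3" ]
}

# remediate_rule FILE KEY VALUE: drop every uncommented KEY line and
# append the required setting. The file is rewritten in place so that
# its ownership and permissions are kept.
remediate_rule() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" 'tolower($1) != tolower(k)' "$file" > "$tmp" || return 1
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# scan_and_fix FILE KEY VALUE: check, remediate on failure, then check
# again so the reported result comes from the same test that failed.
# Prints pass, fixed, fail or error.
scan_and_fix() {
    if check_rule "$@"; then echo pass; return 0; fi
    remediate_rule "$@" || { echo error; return 1; }
    if check_rule "$@"; then echo fixed; else echo fail; return 1; fi
}

# Constructed sample input, not a real system file.
demo=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' > "$demo"
echo "first scan:  $(scan_and_fix "$demo" PermitRootLogin no)"
echo "second scan: $(scan_and_fix "$demo" PermitRootLogin no)"
rm -f "$demo"
```
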