[ale] Security Template (STIG) Scripts for RHEL on github

Raj Wurttemberg rajaw at c64.us
Wed Jan 7 21:54:00 EST 2015


Very interesting George!

We have a client with a rapidly growing RHEL infrastructure (13 servers in
June, 180 now!) and they give us build sheets. We also have to secure and
configure servers according to their STIG.... which, I'll be honest, is very
time consuming and tedious to QA.

I need some tool to do simple checks on a large number of servers.

Kind regards,
Raj


> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> George Allen
> Sent: Wednesday, January 07, 2015 5:54 PM
> To: Atlanta Linux Enthusiasts
> Subject: [ale] Security Template (STIG) Scripts for RHEL on github
> 
> FYI, re-post from the gov-sec at redhat list:
> 
> > https://github.com/SimonTek/stigs
> > I wrote these I while ago, I have had them on my server for a few
> > years, finally moved them to my github account. Primarily for RHEL 6
> > machines, and ESXI 5 servers. I am working on RHEL 7 scripts. Please
> > read through the scripts before you run them. For instance, all the
> > ESXi scripts will lock the machine down, to the point you may have to
> > re-install. Similar to the old gold disc.
> 
> Would you be interested in merging your changes (especially the evolving
> RHEL7 scripts!) into the STIG directly? Working with DISA and NSA, we've
put
> everything on GitHub:
> 
> https://github.com/openscap/scap-security-guide
> 
> Essentially, one language (OVAL) performs the pass/fail check on the
system.
> The workflow embeds a bash script into the results which can be executed
> by a system administrator to remediate their box. Those bash scripts are
> located here:
> 
> https://github.com/OpenSCAP/scap-security-
> guide/tree/master/RHEL/6/input/fixes/bash
> 
> The GitHub project serves as the upstream of the DoD STIG, and also the
> scap-security-guide package delivered in RHEL6.
> 
> While a bit dated, this sample report gives you an idea of things:
> http://people.redhat.com/swells/ssg-results/report.html#ruleresult-
> idp26062848
> 
> Our ultimate goal is to align scanning with remediation, allowing a single
> workflow between the processes. Now shipping in RHEL6, this also means
> systems can be configured as STIG/NSA/CIA/NRO/etc compliant out of the
> box.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo



More information about the Ale mailing list