[ale] Security Template (STIG) Scripts for RHEL on github

JD jdp at algoloma.com
Thu Jan 8 05:40:42 EST 2015


Ansible? Takes about 20 minutes to get started.

On 01/07/2015 09:54 PM, Raj Wurttemberg wrote:
> Very interesting George!
> 
> We have a client with a rapidly growing RHEL infrastructure (13 servers in
> June, 180 now!) and they give us build sheets. We also have to secure and
> configure servers according to their STIG.... which, I'll be honest, is very
> time consuming and tedious to QA.
> 
> I need some tool to do simple checks on a large number of servers.
> 
> Kind regards,
> Raj
> 
> 
>> -----Original Message-----
>> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
>> George Allen
>> Sent: Wednesday, January 07, 2015 5:54 PM
>> To: Atlanta Linux Enthusiasts
>> Subject: [ale] Security Template (STIG) Scripts for RHEL on github
>>
>> FYI, re-post from the gov-sec at redhat list:
>>
>>> https://github.com/SimonTek/stigs
>>> I wrote these a while ago, I have had them on my server for a few
>>> years, finally moved them to my github account. Primarily for RHEL 6
>>> machines, and ESXi 5 servers. I am working on RHEL 7 scripts. Please
>>> read through the scripts before you run them. For instance, all the
>>> ESXi scripts will lock the machine down, to the point you may have to
>>> re-install. Similar to the old gold disc.
>>
>> Would you be interested in merging your changes (especially the evolving
>> RHEL7 scripts!) into the STIG directly? Working with DISA and NSA, we've put
>> everything on GitHub:
>>
>> https://github.com/openscap/scap-security-guide
>>
>> Essentially, one language (OVAL) performs the pass/fail check on the system.
>> The workflow embeds a bash script into the results which can be executed
>> by a system administrator to remediate their box. Those bash scripts are
>> located here:
>>
>> https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/6/input/fixes/bash
>>
>> The GitHub project serves as the upstream of the DoD STIG, and also the
>> scap-security-guide package delivered in RHEL6.
>>
>> While a bit dated, this sample report gives you an idea of things:
>> http://people.redhat.com/swells/ssg-results/report.html#ruleresult-idp26062848
>>
>> Our ultimate goal is to align scanning with remediation, allowing a single
>> workflow between the processes. Now shipping in RHEL6, this also means
>> systems can be configured as STIG/NSA/CIA/NRO/etc compliant out of the
>> box.
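
Added example, not part of the original thread or of the scap-security-guide project: Python that reads XCCDF results of the kind the scan/remediate workflow above produces, lists which hosts fail each rule, and pulls out the bash fix attached to that rule. The host names, rule ids, fix text and function names are constructed for illustration; real scans normally give one results file per host, so `failed_rules` would be called per file and the outputs merged.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: trimmed XCCDF results for two hypothetical hosts (ids/fixes made up).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Rule id="example_rule_a"><title>Example rule A</title>
    <fix system="urn:xccdf:fix:script:sh">echo 'fix A'</fix></Rule>
  <Rule id="example_rule_b"><title>Example rule B</title>
    <fix system="urn:xccdf:fix:script:sh">echo 'fix B'</fix></Rule>
  <TestResult id="r1"><target>host1.example</target>
    <rule-result idref="example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="example_rule_b"><result>fail</result></rule-result>
  </TestResult>
  <TestResult id="r2"><target>host2.example</target>
    <rule-result idref="example_rule_a"><result>fail</result></rule-result>
    <rule-result idref="example_rule_b"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""

def local(el):
    """Tag name without its namespace, so XCCDF 1.1 and 1.2 both parse."""
    return el.tag.rsplit("}", 1)[-1]

def children(el, name):
    return [c for c in el if local(c) == name]

def failed_rules(xml_text):
    """Return ({rule_id: sorted hosts failing it}, {rule_id: bash fix text})."""
    root = ET.fromstring(xml_text)
    fixes, failures = {}, defaultdict(set)
    for el in root.iter():
        if local(el) == "Rule":
            for fix in children(el, "fix"):
                if fix.get("system") == "urn:xccdf:fix:script:sh":
                    fixes[el.get("id")] = (fix.text or "").strip()
        elif local(el) == "TestResult":
            target = children(el, "target")
            host = target[0].text.strip() if target else el.get("id")
            for rr in children(el, "rule-result"):
                res = children(rr, "result")
                if res and res[0].text.strip() == "fail":
                    failures[rr.get("idref")].add(host)
    return ({r: sorted(h) for r, h in failures.items()},
            {r: fixes.get(r, "") for r in failures})

if __name__ == "__main__":
    failing, remediation = failed_rules(SAMPLE)
    for rule, hosts in sorted(failing.items()):
        print(f"{rule}: {len(hosts)} host(s) {hosts} -> {remediation[rule]}")
```

Review the extracted fix text before running it on any host, as the thread advises for remediation scripts generally.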