[ale] Security Template (STIG) Scripts for RHEL on github

Leam Hall leamhall at gmail.com
Thu Jan 8 06:55:45 EST 2015


Well, here's the rub. The Aqueduct project 
(https://git.fedorahosted.org/git/aqueduct.git) is a set of security 
stuff. The original plan was for *Nix capability to cover STIG, PCI, 
etc. Most of the work has been done on Linux and STIGs because that's 
where most of our time is spent. You can grab the code and resolve most 
of your CAT I and CAT II items. I haven't done much on CAT III's because 
they seldom got looked at. That's changing, and the STIGs are being 
updated, so there's work to be done. Aqueduct's code is primarily Bash 
but there was some Puppet contributed and there's been some Ansible 
stuff added late last year.

Here's the rub. Red Hat wants to focus on RHEL 6 and the incoming RHEL 
7. However, STIGs are US DoD centric and have a lot more RHEL 5 boxes 
than RHEL 6, and I doubt if anyone has RHEL 7 in production. There are 
already tools that check STIG compliance. There are tools that check for 
vulnerabilities not in the STIGs.

At this point my limited brain capacity is set on Puppet so I will be 
cranking out code for that. My plan is to cover RHEL 5 and 6 first, and 
start with the low-hanging fruit while I build my module creation 
skills. Then on to CAT I items and down.

So, Raj, grab the Aqueduct code and have fun. Holler at me if there are 
things that need work. Feel free to contribute code.

Leam


On 01/08/15 05:40, JD wrote:
> Ansible? Takes about 20 minutes to get started.
>
> On 01/07/2015 09:54 PM, Raj Wurttemberg wrote:
>> Very interesting George!
>>
>> We have a client with a rapidly growing RHEL infrastructure (13 servers in
>> June, 180 now!) and they give us build sheets. We also have to secure and
>> configure servers according to their STIG.... which, I'll be honest, is very
>> time consuming and tedious to QA.
>>
>> I need some tool to do simple checks on a large number of servers.
>>
>> Kind regards,
>> Raj
>>
>>
>>> -----Original Message-----
>>> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
>>> George Allen
>>> Sent: Wednesday, January 07, 2015 5:54 PM
>>> To: Atlanta Linux Enthusiasts
>>> Subject: [ale] Security Template (STIG) Scripts for RHEL on github
>>>
>>> FYI, re-post from the gov-sec at redhat list:
>>>
>>>> https://github.com/SimonTek/stigs
>>>> I wrote these a while ago, I have had them on my server for a few
>>>> years, finally moved them to my github account. Primarily for RHEL 6
>>>> machines, and ESXI 5 servers. I am working on RHEL 7 scripts. Please
>>>> read through the scripts before you run them. For instance, all the
>>>> ESXi scripts will lock the machine down, to the point you may have to
>>>> re-install. Similar to the old gold disc.
>>>
>>> Would you be interested in merging your changes (especially the evolving
>>> RHEL7 scripts!) into the STIG directly? Working with DISA and NSA, we've
>>> put everything on GitHub:
>>>
>>> https://github.com/openscap/scap-security-guide
>>>
>>> Essentially, one language (OVAL) performs the pass/fail check on the
>>> system.
>>> The workflow embeds a bash script into the results which can be executed
>>> by a system administrator to remediate their box. Those bash scripts are
>>> located here:
>>>
>>> https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/6/input/fixes/bash
>>>
>>> The GitHub project serves as the upstream of the DoD STIG, and also the
>>> scap-security-guide package delivered in RHEL6.
>>>
>>> While a bit dated, this sample report gives you an idea of things:
>>> http://people.redhat.com/swells/ssg-results/report.html#ruleresult-idp26062848
>>>
>>> Our ultimate goal is to align scanning with remediation, allowing a single
>>> workflow between the processes. Now shipping in RHEL6, this also means
>>> systems can be configured as STIG/NSA/CIA/NRO/etc compliant out of the
>>> box.

-- 
http://31challenge.net
http://31challenge.net/insight
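The check-then-remediate pairing George describes (an OVAL-style pass/fail check plus a bash fix) in miniature, as an example script added here; it is not code from Aqueduct or scap-security-guide, and it works only on a constructed sshd_config copy written to a temp file, never the live host file.

```shell
#!/bin/sh
# Constructed check/fix pair in the shape of the scap-security-guide
# workflow described above: a pass/fail check plus a bash remediation.
# It works on a constructed sshd_config copy, never the live file.
set -eu

# check_permit_root_login FILE: 0 (pass) if the effective PermitRootLogin
# directive is "no", 1 (fail) otherwise. sshd uses the last occurrence;
# commented lines are ignored.
check_permit_root_login() {
    val=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
          | tail -n 1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# fix_permit_root_login FILE: rewrite every uncommented directive to "no",
# or append one if none exists (mirrors the SSG bash-fix pattern).
fix_permit_root_login() {
    f="$1"
    if grep -Eqi '^[[:space:]]*PermitRootLogin[[:space:]]+' "$f"; then
        sed -E 's/^[[:space:]]*[Pp]ermit[Rr]oot[Ll]ogin[[:space:]]+.*/PermitRootLogin no/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'PermitRootLogin no\n' >> "$f"
    fi
}

# make_sample_config: write a constructed sshd_config that fails the check
# and print its path.
make_sample_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real host config
Port 22
#PermitRootLogin no
PermitRootLogin yes
EOF
    echo "$tmp"
}

# run_demo: scan, remediate, rescan; returns 0 only if the fix took.
run_demo() {
    cfg=$(make_sample_config)
    check_permit_root_login "$cfg" && echo "before: pass" || echo "before: fail"
    fix_permit_root_login "$cfg"
    check_permit_root_login "$cfg" && rc=0 || rc=1
    rm -f "$cfg"
    return $rc
}
```

Running `run_demo` reports "before: fail" on the sample and exits 0 once the rewritten file passes the same check, which is the scan/fix/rescan loop SSG reports capture per rule.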

