LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-25-2008, 01:41 PM   #1
zcrxsir88
Member
 
Registered: Oct 2004
Location: Cardiff-by-the-Sea, CA
Distribution: Fedora X & RHEL X.X
Posts: 51

Rep: Reputation: 18
DISA STIG Compliance Scripts/RPM's


All,

I know many of you might not have to deal with, or have ever heard of the DISA STIG's, but I wanted to reach out and see if any of you have created or thought about creating scripts/RPM's/DEB's that will automatically put the OS into the most "secure" state dictated by the STIG's. There is a commercially available too to do this however, it's not open source and I'm sure will cost as much as a small country.

I do not have a lot of experience in building RPM's or DEB's but with enough interest if anyone would like to start collaborating and possibly building something like this with me I think it could be something really good for the "community". I do have a tremendous amount of experience with the DISA Stigs/Scripts.
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 02-25-2008, 09:38 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
First of all thanks for offering and I hope something good will come out of it.

I've read some STIG shell scripts for GNU/Linux and they looked like they needed more eyeballs ;-p And I know just enough of systems hardening, RPM building and scripting to get around. But maybe you could start by clearing up some misconceptions for me. How does STIG relate to work done by say NIST? CIS? What's the current state of STIG scripts for GNU/Linux? Does it already cover RHEL-5? Ever looked at other tools like COPS, SARA, Tiger, Bastille-Linux? Who will be working on this, you or? Will all contribs be accessable w/o restrictions? What does STIG bring to the table others can benefit from?
 
Old 02-27-2008, 12:59 AM   #3
zcrxsir88
Member
 
Registered: Oct 2004
Location: Cardiff-by-the-Sea, CA
Distribution: Fedora X & RHEL X.X
Posts: 51

Original Poster
Rep: Reputation: 18
Thanks for the post. In answer to your questions:

"How does the STIG relate to work done by NIST? CIS?"

The STIG's are what is used as a baseline security screening for DOD systems. It's what is mandatory for DOD systems to comply with. You have to comply 100 percent, or if you don't comply 100 percet you have to write a Risk Assessment and someone signs off saying that any remaining vulnerabilities that cannot be fixed are "accepted risk". NIST does a similar "baseline", only it's for everyone else. Personally I think the NIST stuff is more policy. I have actually had to ask the question to a client, "Do you have a policy written on how to write your security policy?"

That got a funny look!!

Anyone can use the DISA SRR scripts to "analyze" the security posture of any system. For commercial company's they usually don't like the DISA STIG's guidelines because they are way more strict then say NIST.

"What's the current state of the STIG scripts for GNU/Linux?"

The scripts that are used by DISA (SRR's) dont actually fix anything. They just analyze. I can post the link if you would like to run one on your system. They are pretty self explanatory.

"Does it cover RHEL-5"

Yes, it can run on multiple platforms ranging from Sun to Fedora to AIX to RHEL. But yet again, they just analyze. No automated fixing.

"Ever looked at other tools like COPS, SARA, Tiger, Bastille-Linux?"

I have used S.A.R.A., for vulnerability scanning. But not any of the other tools.

"Who will be working on this, you or? Will all contribs be accessable w/o restrictions?"

Yes, 100 percent open. I'm very new to the programming game, so it's not like I will be able to pull this together on my own. I just wanted to probe and see if anyone was even remotely interested in any of it.

"What does the STIG bring to the table others can benafit?"

The DISA STIGS/SRR's are great tools for looking at single host's security posture. Does it cover all the bases? Absolutely not! But its another good free tool to use when securing a system and if something can be created that will aid the "lockdown" process I think it would be a great time saver.
 
Old 02-27-2008, 07:45 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
Yes, please do post the link to the most current SSR tarball.
BTW, does "new to programming" mean you can't write Bourne compatible shell scripts?
 
Old 02-27-2008, 09:17 AM   #5
zcrxsir88
Member
 
Registered: Oct 2004
Location: Cardiff-by-the-Sea, CA
Distribution: Fedora X & RHEL X.X
Posts: 51

Original Poster
Rep: Reputation: 18
http://iase.disa.mil/stigs/SRR/index.html

The link above has all the available DISA SRR's.


lol, yes I can Shell Script.
 
Old 02-27-2008, 12:38 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
Quote:
Originally Posted by zcrxsir88 View Post
lol, yes I can Shell Script.
OK, OK, just had to ask. Now I've got this UNIX_51_15January08.tar.bz2 (which was wrongly named _tar.bz2 and some files/dirs have wrong permissions and the spec mentions RHEL-3,4 but not 5). It's huge, addresses a lot of *NIX and carries around stuff like john. Where should we* start?

* We as in it's FFA I'm sure, so come on. Don't just eyeball this thread.

Last edited by unSpawn; 02-27-2008 at 01:11 PM.
 
Old 02-27-2008, 01:49 PM   #7
zcrxsir88
Member
 
Registered: Oct 2004
Location: Cardiff-by-the-Sea, CA
Distribution: Fedora X & RHEL X.X
Posts: 51

Original Poster
Rep: Reputation: 18
Yeah,

It's a beast. I think the first part will be addressing the checks that are easily fixable. The software update ones should be completely eliminated.

What do you think?
 
Old 02-27-2008, 02:18 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
I'm cool with that. Let's just see where it ends up.

BTW: is there a simple document listing all compliance checks w/o any fluff? Like just "must have IP, must have hostname (as in FQDN)" and not anything else? Could help track things more easily. Are you aware of certain areas in which checks aren't complete or nonexistent? Are there any checks you would like to see? Or are you just aiming for this to be STIG-compatible and nothing else?

In any case I'll start by reading the Start-SRR.
 
Old 02-27-2008, 03:11 PM   #9
zcrxsir88
Member
 
Registered: Oct 2004
Location: Cardiff-by-the-Sea, CA
Distribution: Fedora X & RHEL X.X
Posts: 51

Original Poster
Rep: Reputation: 18
I'm up for anything. After hearing about Security Blanket (Which puts a *nix box into STIG compliance) I thought there might be some intrest in having an open source counterpart. But that's just me
 
Old 02-27-2008, 06:22 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
at USD 200 per server...

Anyway, initially it seems a bit slow until I found out he's doing a load of stuff with find scripts. Pretty nifty. After killing Linux/GEN003000 (hang) and after the Manual Review (interesting but some issues aren't GNU/Linux or could be tested for) I get the impression it's done quite the bit of checking. It's just a bit of a let down on the reporting side ;-p Definately workable. Now on to read the tests it actually performs and compare them to what the UNIX Guideline says about it and see if it could be improved.
 
Old 04-17-2008, 09:43 AM   #11
willc
LQ Newbie
 
Registered: Apr 2008
Posts: 4

Rep: Reputation: 0
Found this thread via Google and thought I'd pipe in. I've been battling STIGs for a few years now and have been praying someone would develop a script that would help automate the process.

I have tried out Security Blanket, and the coolest thing they have going is the ability to not only scan the system and fix insecure things, but to be able to undo those actions easily.

For me, the biggest problem with STIGs has come when you have to update/patch your system. In some areas, things are so locked down, applying patches from, say, Red Hat Network, will hose everything up severely. So, having a tool that can *undo* STIG lockdowns, let you apply patches, then *redo* the STIG lockdowns, would be awesome. Security Blanket does that, but as mentioned above, it is $200/server and then $40/year for updates.

I'm not so great at shell scripting so I'm not sure I can lend a hand there, but here's a link to the UNIX STIG documentation, which may be of help:

http://iase.disa.mil/stigs/checklist...1_20080315.zip

Hopefully you people not on a .mil domain can access that.

Good luck, and let me know if I can do anything to help!
 
Old 04-17-2008, 09:55 AM   #12
zcrxsir88
Member
 
Registered: Oct 2004
Location: Cardiff-by-the-Sea, CA
Distribution: Fedora X & RHEL X.X
Posts: 51

Original Poster
Rep: Reputation: 18
hey

Thanks for the post. I unfortunately haven't made an inch of progress in this "script".

I'm actually out on client side and speaking with some of the admins there are some GREAT tools that are coming down the pipe to help with disa/FIPS/NIST stuff. I dont recall the program name, (I will try and scrounge it up) but it supposedly you do something to the effect of pick
disa/nist/fips, etc and then select lock down. Bang your compliant.


I'm guessing it will break some stuff, but thats how the cookie crumbles.

Also it will do routine checks to ensure nothing has been changed on the systems.

Sounds pretty interesting.

R/

Vince
 
Old 04-17-2008, 12:04 PM   #13
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
We also use security blanket and it works great. The nice thing like stated above is that fact that it is not extremely expensive and it gets updated every 3 months when a new STIG comes out.

And is on the approved software list

Quote:
I'm actually out on client side and speaking with some of the admins there are some GREAT tools that are coming down the pipe to help with disa/FIPS/NIST stuff. I dont recall the program name, (I will try and scrounge it up) but it supposedly you do something to the effect of pick
disa/nist/fips, etc and then select lock down. Bang your compliant.
this is exactly what Security Blanket is.


I think the GOVT. is going to try to change the STIG at some point to just say

Is SELinux enabled and running

yes= compliant
no= non-compliant


Sad to see but thats what it looks like.

Last edited by slimm609; 04-17-2008 at 12:11 PM.
 
Old 04-17-2008, 12:44 PM   #14
zcrxsir88
Member
 
Registered: Oct 2004
Location: Cardiff-by-the-Sea, CA
Distribution: Fedora X & RHEL X.X
Posts: 51

Original Poster
Rep: Reputation: 18
Yeah, I was tracking on security blanket. Does it do audits. So after you click the "fix me" button, can you have it go back and report percentage of compliance?
 
Old 04-17-2008, 01:46 PM   #15
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
yes you can and you can also do baselining with security blanket.
 
  


Reply

Tags
deb, fedora, rpm, scripts, security, ubuntu


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LSB Compliance RPM Ray Hill Slackware 4 12-04-2006 11:44 PM
regarding POSIX compliance rajesh_b Programming 1 05-05-2006 04:31 AM
LSB 3.0 released - Slackware compliance? Yalla-One Slackware 1 09-21-2005 08:34 PM
Are source RPM's and binary RPM's installed the same way? Simon Adebisi Linux - Software 3 06-28-2005 04:45 AM
squid compliance question ferretmanus Linux - Networking 0 10-20-2003 10:52 AM


All times are GMT -5. The time now is 10:21 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration