• Re: Compiled list (STIG for Debian)

    From Jeremiah C. Foster@21:1/5 to Stephen Dowdy on Wed Mar 2 19:00:01 2022
    On 3/2/22 12:50, Stephen Dowdy wrote:
    On 3/2/22 07:43, Paul Tagliamonte wrote:
    STIGs are maintained by DISA, not by Debian

       Paul

    On Wed, Mar 2, 2022 at 9:42 AM Stephanie Hall <shall@oteemo.com> wrote:

        Good morning,

        Do you have an Excel version of a STIG for Debian 9 & 10 that you
    would be willing to share?

        Thank you in advance!



    The DISA STIGviewer (a Java app that runs just fine on Debian) can
    import a STIG file and export to CSV

    https://public.cyber.mil/stigs/srg-stig-tools/

    However, there is no STIG specific to Debian that I'm aware of.
    Your best bet is referencing the Ubuntu ones:

        U_CAN_Ubuntu_{18-04,20-04}_LTS_V......_STIG.zip


    Cannot speak for its provenance, but there's this: https://github.com/hardenedlinux/STIG-4-Debian

    Cheers,

    Jeremiah

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Stephen Dowdy@21:1/5 to Jeremiah C. Foster on Wed Mar 2 19:30:01 2022
    On 3/2/22 10:54, Jeremiah C. Foster wrote:
    Cannot speak for its provenance, but there's this: https://github.com/hardenedlinux/STIG-4-Debian

    Jeremiah,

    Thanks, that actually looks like more of an SRR (System Readiness Review[0]) evaluation checker for applicable STIGs.

    As it states, it uses the RHEL7 STIG as a baseline for the tests.

    While old (2017), it might still prove useful if it can identify CAT I issues quickly with few false negatives as a *starting point*

    --stephen
    [0] I think DISA stopped making these scripts due to the burden of keeping them up to date. 3rd parties now do that for $$$$

  • From Reinhart Eisermann@21:1/5 to Stephanie Hall on Thu Mar 3 19:30:02 2022
    I followed and am a bit surprised that only 46 lines are in that Excel list
    ;-)
    Thanks for sharing that.

    On Wed, 2 Mar 2022 13:56:48 -0500
    Stephanie Hall <shall@oteemo.com> wrote:

    Thank you everyone! We found a SCAP Security Guide (SSG) for each of the 3 versions we were looking at. 9-11. It's not a STIG, but SCAP is a DoD industry standard so they should look favorably on it. <fingers crossed>
    All three had the same line items. We broke it out into an Excel
    spreadsheet that I wanted to share with you since not everyone uses SCAP.

    Thanks for the help!

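
The CSV export of a STIG and the spreadsheet broken out of the SCAP Security Guide, both mentioned in this thread, start from XCCDF XML. The following is an added example, not code from any poster or from DISA: a Python script that flattens XCCDF rules into CSV with CAT I first. The sample benchmark, its ids and titles, and the function names are constructed for illustration; stripping the namespace lets the same code read XCCDF 1.1 and 1.2 content.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in XCCDF shape; every id and title below is made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Group id="V-000001"><Rule id="SV-000001r1_rule" severity="medium">
    <version>SAMPLE-00-000001</version>
    <title>Audit records must be retained, "as required"</title>
  </Rule></Group>
  <Group id="V-000002"><Rule id="SV-000002r1_rule" severity="high">
    <version>SAMPLE-00-000002</version>
    <title>Accounts must not have blank passwords</title>
  </Rule></Group>
  <Group id="V-000003"><Rule id="SV-000003r1_rule">
    <title>Rule with no severity attribute</title>
  </Rule></Group>
</Benchmark>"""

CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

def local(tag):
    # Drop the namespace so XCCDF 1.1 and 1.2 content parse alike.
    return tag.rsplit("}", 1)[-1]

def xccdf_rules(xml_text):
    """Return one dict per Rule element, most severe category first."""
    rows = []
    for rule in ET.fromstring(xml_text).iter():
        if local(rule.tag) != "Rule":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in rule}
        sev = rule.get("severity", "unknown")  # "unknown" is the XCCDF default
        rows.append({"category": CATEGORY.get(sev, "unrated"), "severity": sev,
                     "rule_id": rule.get("id", ""),
                     "stig_id": fields.get("version", ""),
                     "title": fields.get("title", "")})
    order = list(CATEGORY.values()) + ["unrated"]
    return sorted(rows, key=lambda r: order.index(r["category"]))

def to_csv(rows):
    """Serialise the rows as CSV text that a spreadsheet can open."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(xccdf_rules(SAMPLE)))
```

To use it on real content, pass the text of the XCCDF file from a STIG zip or an SSG package to `xccdf_rules` in place of `SAMPLE`.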