leam hall wrote:
> Good questions from Skylar and others. Sorry if I was not forthcoming; my
> goal was to be brief enough to not bog anyone down in detail.
>
> Aqueduct is used at DoD installations to secure the servers per DISA STIG
> guidelines. You can tell it's a government thing; too many acronyms.
>
> My own work is STIG compliance for Red Hat and eventually Solaris boxes. I
> use Bourne/Bash shell scripts to do the work. So far there is no central
> collation mandated so each installation is on their own. Of course, the
> ideal would be a locally centralized CMDB plug-in that would feed any
> issues into a ticketing system. That's why the hostname is in the output,
> for collation.
>
> Each OS version probably has 200-600 scripts to be run. Each script should
> be runnable on a system at any time; it should not change a compliant
> system. It should report if a system is compliant or not.
>
> How big? Lots. Easily hundreds and eventually thousands of servers.
>
> The problems? Lots. Lack of higher level language standardization, like
> Python. Lack of standard database (SQLite, MongoDB, etc), lack of a
> standard CMDB (ServiceNow, Remedy), and lack of pretty much any other
> standard.
>
> At this point I'm biting off a small enough chunk to chew on for a bit. The
> goal is to leave the output open enough so sites can choose their own
> solution until I can maybe form some global FOSS company for integration
> and reporting. :)
This is a good fit for a plugin. Provide a generic shell
function for processing results with a simple, robust API and
one or two usable plugins. Maybe --
usage() {
    # Double quotes so $0 expands; argument order matches the check below.
    echo "Usage: $0 <passfail> <scriptname> [ <additional1> ] [ <additional2> ] ...
Exit code: 0 (success) 1 (failed to report) 2 (error in calling arg)" >&2
    logger -t STIGERROR -- "$@"
    exit 2
}
stigreport() {
    [[ $# -gt 1 ]] || usage "$@"
    [[ ( $1 = pass ) || ( $1 = fail ) ]] || usage "$@"
    # Exit 1 if the report itself could not be delivered.
    logger -t STIGCHECK -- "$@" || return 1
}
Calling example:
[ "$a" -eq "$b" ] || stigreport fail script123 "$a must equal $b"
Output (syslog):
Jul 11 07:47:44 tron STIGCHECK: fail script123 xxx must equal yyy
Site implementors can change stigreport() to insert into a DB,
write to stdout, emit JSON, whatever. If you might want to
change the calling convention someday add an argument for API
version to avoid updating 1,000 scripts.
HTH,
--
Charles
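A pluggable version of the reporter sketched above, as an added example (not Charles's code and not Aqueduct's): the API version is the first argument, the backend is selected by an environment variable assumed here to be named STIG_REPORT_BACKEND, and functions return status codes instead of exiting so the file can be sourced by a check script.

```shell
#!/bin/sh
# Pluggable STIG result reporter (constructed example, not the list's code).
# Calling convention: stigreport <apiversion> <pass|fail> <scriptname> [detail...]
# The API version comes first so the convention can change later without
# editing every check script. Functions return rather than exit so the
# library can be sourced by a check script without killing it.
# STIG_REPORT_BACKEND (assumed name) selects the plugin: stdout, json, syslog.
STIG_REPORT_BACKEND="${STIG_REPORT_BACKEND:-stdout}"
STIG_API_VERSION=1
STIG_HOST="${STIG_HOST:-$(hostname 2>/dev/null || echo unknown)}"

# Backend plugins: each receives <host> <status> <script> <detail> and must
# return 0 so the caller can tell "non-compliant" from "failed to report".
stig_backend_stdout() {
    printf '%s STIGCHECK: %s %s %s\n' "$1" "$2" "$3" "$4"
}

stig_backend_json() {
    # Escape backslashes and double quotes in the free-text detail field.
    detail=$(printf '%s' "$4" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"host":"%s","status":"%s","script":"%s","detail":"%s"}\n' \
        "$1" "$2" "$3" "$detail"
}

stig_backend_syslog() {
    logger -t STIGCHECK -- "$@"
}

# Returns 0 (reported), 1 (backend failed), 2 (bad calling args).
stigreport() {
    [ "$#" -ge 3 ] || return 2
    [ "$1" = "$STIG_API_VERSION" ] || return 2
    case "$2" in pass|fail) ;; *) return 2 ;; esac
    status=$2; script=$3; shift 3
    "stig_backend_$STIG_REPORT_BACKEND" "$STIG_HOST" "$status" "$script" "$*" || return 1
}

# Check helper mirroring the calling example above: report pass when the
# observed value equals the required one, fail with detail otherwise.
stig_check_equal() {
    # $1 script name, $2 observed value, $3 required value
    if [ "$2" = "$3" ]; then
        stigreport "$STIG_API_VERSION" pass "$1" "$2 equals $3"
    else
        stigreport "$STIG_API_VERSION" fail "$1" "$2 must equal $3"
    fi
}
```

An unknown backend name or a failing logger makes stigreport return 1, so a check script can distinguish a non-compliant host from a lost report.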
_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/