On 9/3/14, 12:09 AM, Vincent Passaro wrote:
> Phillip,
>
> Aqueduct definitely has the most options (Ansible / Puppet / Bash) for
> DISA STIG remediation.
>
> Cheers,
>
> Vince
>
> On Sep 2, 2014, at 9:03 PM, Philip Shuman <philip.shu...@sri.com
> <mailto:philip.shu...@sri.com>> wrote:
>
>> Are the Aqueduct remediation scripts still the best available place
>> to start for implementing requested changes from the DISA STIG
>> findings for RHEL5 and RHEL6?

Aqueduct is pretty much the only location with RHEL5 scripts. And like Vince pointed out, Aqueduct also has Puppet and Ansible. IIRC, the Puppet scripts were contributed by Maura Dailey earlier this summer, and represented NSA open sourcing their baseline. Everything Aqueduct has is reputable and very tested.

A benefit of SSG is that scanning/remediation is tightly integrated through human-readable prose guides, scanning/evaluation, and remediation. A single change within SSG (say, to tailor password lengths) will automatically trickle to prose guides (XCCDF), evaluation (OVAL), and remediation (bash scripts). SSG also benefits from a vibrant community, and further, will be shipping natively in RHEL 6.6+.

A third option would be to evaluate the STIG kickstart builder Red Hat Gov released to GitHub:
https://github.com/RedHatGov/stig-fix-el6-kickstart

It wraps SSG + stig-fix scripts + banners into a customized installation DVD/ISO. Many of the remediation scripts were originally sourced from Aqueduct.

--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/