Warning - shameless commercial plug below. I'm an engineer on a commercial product called 'Security Blanket' that can also help with the remediation against the RHEL5 and RHEL6 STIGs, in addition to other industry/government standards. We do not consume the SCAP content directly from DISA, but read the manual prose and then use our own library code to implement the desired changes. If you are interested, please check our our website at http://www.trustedcs.com/securityblanket. There are some very dated videos on YouTube that you can find as well as a much more recent video on our reseller's web-site : http://www.shadow-soft.com/linux-hardening. Feel free to contact me off list as well.
-Rob Sanders =========================== Rob Sanders Sr. Secure Systems Engineer Raytheon Trusted Computer Solutions 12950 Worldgate Drive, Suite 600 Herndon, Virginia 20170 Security Blanket Support: 1-866-230-1317 Security Blanket Email: securityblan...@trustedcs.com Office: 703-896-4762 Fax: 703-318-5041 Email: rsand...@trustedcs.com ________________________________ From: scap-security-guide-boun...@lists.fedorahosted.org [scap-security-guide-boun...@lists.fedorahosted.org] on behalf of Vincent Passaro [vi...@buddhalabs.com] Sent: Wednesday, September 03, 2014 1:49 AM To: Joe Nall Subject: Re: Remediation advice for RHEL 5 and 6 On the topic of the rhel stig fix repo, what was the intent in forking Aqueduct bash content and creating a separate project? Wouldn't we want to keep things together to prevent the community from now having multiple projects attempting the same goal... Using the same Aqueduct code? It would make sense that a fork occurred if it was done by an external person or company, but this was done by Red Hat employees. I'm sure the Aqueduct community would have loved to see the contribution from Red Hat back into the project. On Sep 2, 2014 9:46 PM, "Shawn Wells" <sh...@redhat.com<mailto:sh...@redhat.com>> wrote: On 9/3/14, 12:09 AM, Vincent Passaro wrote: Phillip, Aqueduct definitely has the most options (Ansible / Puppet / Bash) for DISA STIG remediation. Cheers, Vince On Sep 2, 2014, at 9:03 PM, Philip Shuman <philip.shu...@sri.com<mailto:philip.shu...@sri.com>> wrote: Are the Aqueduct remediation scripts still the best available place to start for implementing requested changes from the DISA STIG findings for RHEL5 and RHEL6? Aqueduct is pretty much the only location with RHEL5 scripts. And like Vince pointed out, Aqueduct also has Puppet and Ansible. IIRC, the Puppet scripts were contributed by Maura Dailey earlier this summer, and represented NSA open sourcing their baseline. Everything Aqueduct has is reputable and very tested. A benefit of SSG is that scanning/remediation is tightly integrated through human-readable prose guides, scanning/evaluation, and remediation. A single change within SSG (say, to tailor password lengths) will automatically trickle to prose guides (XCCDF), evaluation (OVAL), and remediation (bash scripts). SSG also benefits from a vibrant community, and further, will be shipping natively in RHEL 6.6+. A third option would be to evaluate the STIG kickstart builder Red Hat Gov released to GitHub: https://github.com/RedHatGov/stig-fix-el6-kickstart It wraps SSG + stig-fix scripts + banners into a customized installation DVD/ISO. Many of the remediation scripts were originally sourced from Aqueduct. -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
