
Security Technical Implementation Guide for Debian

STIG for Debian

About

This script checks compliance with a DISA STIG (Security Technical Implementation Guide) for Debian 9, ported from the DISA RHEL 7 STIG V1 R1.
Benchmark Date: 27 Feb 2017

Upgrade

It has been a long time since the STIG for Debian framework was last updated; with Debian 9 stable released, it is time to upgrade it.

HTML report output supported

For easy-to-read reports, the output is HTML, the primary (and for now, only) format.

Thanks to the author zavoloklom for the HTML table template

Usage

# bash stig-4-debian.sh -h

usage: stig-4-debian.sh [options]

  -s    Start checking and output the report in HTML format.
  -v    Display version
  -h    Display help

By default the report is written to the current directory (STIG-for-Debian-*.html).

STIG for Debian Compliance Checking Tools (v2.0)

Ported from DISA RHEL 7 STIG

Screenshot: running on the GNOME desktop environment (stig-4-debian-run-gnome)

Screenshot: details of the report output (details-report)

Screenshot: overview of the report output (overview-report)

How to get involved

This release is the new framework only; few check rules have been ported from the DISA RHEL 7 STIG so far.

We (and you) will fill it in over time.

How to add a check rule:

  1. Create a new script in the scripts directory that implements the check.
  2. Add the new rule's description to stig-debian.txt.
  3. Call the check script from stig-4-debian.sh, as follows (the check runs in the background, spinner is handed its PID, and the resulting exit status is passed to output):
bash scripts/${new-check-rule-script}.sh >/dev/null 2>&1 &
spinner $!
output "SV-id_rule" $?

How to delete a check rule:

  1. Delete the rule's description from stig-debian.txt.
  2. Delete the check script file from the scripts directory.
  3. Delete the lines that call the check script in stig-4-debian.sh.

Example

bash scripts/check-nullok.sh >/dev/null 2>&1 &
spinner $!
output "SV-86561r1_rule" $?

In this snippet, the script check-nullok.sh checks for nullok in system-auth-ac (the RHEL PAM file; on Debian the corresponding lines live under /etc/pam.d/), and its exit status determines the result of the check:

spinner $! is a small function that lets the administrator see that the script is still running ;)

output "SV-86561r1_rule" $? passes the rule ID and the exit status to the output function, which writes the result into the report.

Note that $? on that line is the exit status of spinner, so spinner must end by waiting on the PID it is given and returning that process's status; otherwise output would receive spinner's own status rather than the check's.
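The pattern from "How to add a check rule" and the nullok example above, as an added stand-alone example that is not the project's own code: spinner and output keep the README's names, but their bodies, check_nullok, run_rule, demo and the sample PAM lines are assumptions made here. It shows why the check's exit status survives the spinner, and how to run a check against sample input instead of the live system.

```sh
#!/bin/sh
# Added example, not the project's own code: a minimal, self-contained model of
# the "background check, spinner, output" pattern described above. spinner and
# output keep the README's names; their bodies, check_nullok, run_rule, demo
# and the sample PAM lines are assumptions made for this example.

# Constructed sample PAM configuration. RHEL keeps these lines in
# system-auth-ac; Debian keeps them under /etc/pam.d/ (common-auth,
# common-password), so a ported check must read those files instead.
PAM_WITH_NULLOK='auth      sufficient  pam_unix.so nullok try_first_pass
password  sufficient  pam_unix.so sha512 shadow nullok'
PAM_WITHOUT_NULLOK='auth      sufficient  pam_unix.so try_first_pass
password  sufficient  pam_unix.so sha512 shadow'

# check_nullok: read PAM configuration on stdin; exit 1 if an active
# (uncommented) pam_unix.so line carries nullok, or Debian's nullok_secure
# variant, and exit 0 otherwise. A real scripts/check-nullok.sh would feed it
# `cat /etc/pam.d/common-auth /etc/pam.d/common-password`.
check_nullok() {
    ! grep -Eq '^[[:space:]]*[^#[:space:]].*pam_unix\.so.*[[:space:]]nullok(_secure)?([[:space:]]|$)'
}

# spinner PID: animate on stderr while PID runs, then return PID's exit
# status. `output "..." $?` only sees the check's result because spinner
# ends by waiting on the check and returning that status; a spinner that
# returned its own status would make $? meaningless for every rule.
spinner() {
    local pid anim status
    pid=$1
    ( while :; do for f in '|' '/' '-' '\'; do printf '\r[%s]' "$f" >&2; sleep 0.1; done; done ) &
    anim=$!
    wait "$pid" && status=0 || status=$?
    kill "$anim" 2>/dev/null || true
    wait "$anim" 2>/dev/null || true
    printf '\r   \r' >&2
    return "$status"
}

# output RULE STATUS: record one result. The real script renders an HTML
# row; here "RULE verdict" is appended to RESULTS. Treating exit 0 as pass
# and anything else as fail is this example's assumption.
RESULTS=''
output() {
    local verdict
    if [ "$2" -eq 0 ]; then verdict=pass; else verdict=fail; fi
    RESULTS="${RESULTS}$1 $verdict
"
}

# run_rule RULE CHECK INPUT: the README's three-line pattern, with the check
# fed INPUT on stdin instead of reading the live system. The if form keeps
# the exit status intact even when the caller runs under set -e.
run_rule() {
    printf '%s' "$3" | "$2" >/dev/null 2>&1 &
    if spinner $!; then output "$1" 0; else output "$1" $?; fi
}

# demo: run the nullok rule against both samples so each verdict appears
# once, and print the accumulated result lines.
demo() {
    RESULTS=''
    run_rule SV-86561r1_rule check_nullok "$PAM_WITH_NULLOK"
    run_rule SV-86561r1_rule check_nullok "$PAM_WITHOUT_NULLOK"
    printf '%s' "$RESULTS"
}

demo
```

Feeding the check from stdin keeps the rule logic testable without root and without touching /etc/pam.d/; the same function body, wrapped as scripts/check-nullok.sh with the real files on its stdin, is what the framework would call in the background.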

When porting a rule, note that the original text comes from the DISA RHEL 7 STIG. If a rule is RHEL 7 specific, use the corresponding check method for Debian and update stig-debian.txt accordingly.

If you encounter a rule that cannot easily be checked with a small script, put it in manual.txt.

Addition

In the statics directory, xml2text.sh is a script that extracts the information we need from the official STIG XML file, such as 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml'. The original text file stig-debian.txt is a copy of stig-rhel-7.txt. How to easily update the STIG for Debian text file when the official RHEL 7 STIG changes is still under discussion.
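An added example of the kind of extraction xml2text.sh performs; this is not the project's script. The XCCDF fragment is constructed for the example, its titles are placeholders, and the one-element-per-line layout is an assumption:

```sh
#!/bin/sh
# Added example, not the project's xml2text.sh: pull the fields a port needs
# (rule id, severity, STIG id from <version>, title) out of an XCCDF
# benchmark with awk, one tab-separated line per <Rule>. The XCCDF fragment
# below is constructed for this example and its titles are placeholders.

SAMPLE_XCCDF='<Benchmark>
  <Group id="V-00001">
    <title>SRG-OS-000001 (constructed)</title>
    <Rule id="SV-86561r1_rule" severity="high" weight="10.0">
      <version>RHEL-07-000001</version>
      <title>Example rule title one (constructed)</title>
    </Rule>
  </Group>
  <Group id="V-00002">
    <title>SRG-OS-000002 (constructed)</title>
    <Rule id="SV-86663r1_rule" severity="medium" weight="10.0">
      <version>RHEL-07-000002</version>
      <title>Example rule title two (constructed)</title>
    </Rule>
  </Group>
</Benchmark>'

# xccdf_to_text: read XCCDF on stdin, print "rule_id TAB severity TAB version
# TAB title". Assumes one element per line (as in the pretty-printed DISA
# files) and that the first <title> after a <Rule> start tag is that rule's
# title; the Group title that precedes the Rule is deliberately skipped.
xccdf_to_text() {
    awk '
        function attr_of(name,    s) {
            if (match($0, name "=\"[^\"]*\"")) {
                s = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
                return s
            }
            return ""
        }
        function text_of(tag,    s) {
            s = $0
            sub("^.*<" tag ">", "", s)
            sub("</" tag ">.*$", "", s)
            return s
        }
        /<Rule / { id = attr_of("id"); sev = attr_of("severity"); ver = ""; in_rule = 1 }
        in_rule && /<version>/ { ver = text_of("version") }
        in_rule && /<title>/ {
            printf "%s\t%s\t%s\t%s\n", id, sev, ver, text_of("title")
            in_rule = 0
        }
    '
}

printf '%s\n' "$SAMPLE_XCCDF" | xccdf_to_text
```

The tab-separated output is easy to diff between two benchmark releases, which is the update problem the paragraph above leaves open: a changed title or severity for a rule id shows up as a one-line difference.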

Special Note:

SELinux-related items (not matched):

  • SV-86663r1_rule
  • SV-86695r2_rule
  • SV-86759r3_rule
  • SV-86761r3_rule
  • SV-86763r3_rule
  • SV-86765r3_rule
  • SV-86595r1_rule
  • SV-86615r2_rule

Get deb package

Signed package address

https://github.com/harbian/stig4debian/tree/master/stig4debian-package

Unsigned package address

https://github.com/harbian/stig4debian/tree/master/stig4debian-unsigned-package
