Re: Compiled list (STIG for Debian)

2022-03-03 Thread Reinhart Eisermann
I followed and am a bit surprised that only 46 lines are in that Excel list
;-)
Thanks for sharing that.

On Wed, 2 Mar 2022 13:56:48 -0500
Stephanie Hall  wrote:

> Thank you everyone!  We found a SCAP Security Guide (SSG) for each of the 3
> versions we were looking at.  9-11.   It's not a STIG, but SCAP is a DoD
> industry standard so they should look favorably on it. 
> All three had the same line items. We broke it out into an Excel
> spreadsheet that I wanted to share with you since not everyone uses SCAP.
> 
> Thanks for the help!



Re: Compiled list (STIG for Debian)

2022-03-02 Thread Stephanie Hall
Thank you everyone!  We found a SCAP Security Guide (SSG) for each of the 3
versions we were looking at.  9-11.   It's not a STIG, but SCAP is a DoD
industry standard so they should look favorably on it. 
All three had the same line items. We broke it out into an Excel
spreadsheet that I wanted to share with you since not everyone uses SCAP.

Thanks for the help!

On Wed, Mar 2, 2022 at 1:23 PM Stephen Dowdy  wrote:

> On 3/2/22 10:54, Jeremiah C. Foster wrote:
> > Cannot speak for its provenance, but there's this;
> https://github.com/hardenedlinux/STIG-4-Debian
>
> Jeremiah,
>
> Thanks, that actually looks like more of an SRR (System Readiness
> Review[0]) evaluation checker for applicable STIGs.
>
> As it states, it uses the RHEL7 STIG as a baseline for the tests.
>
> While old (2017), it might still prove useful if it can identify CAT I
> issues quickly with few false negatives as a *starting point*
>
> --stephen
> [0] I think DISA stopped making these scripts due to the burden of keeping
> them up to date.   3rd parties now do that for 
>


-- 

Stephanie Hall

Oteemo, Inc. 

Sr. Consultant, Cybersecurity

m: (315)-723-9951

e: sh...@oteemo.com







Debian_9-11_SSG.xlsx
Description: MS-Excel 2007 spreadsheet


Re: Compiled list (STIG for Debian)

2022-03-02 Thread Stephen Dowdy

On 3/2/22 10:54, Jeremiah C. Foster wrote:

Cannot speak for its provenance, but there's this; 
https://github.com/hardenedlinux/STIG-4-Debian


Jeremiah,

Thanks, that actually looks like more of an SRR (System Readiness Review[0]) 
evaluation checker for applicable STIGs.

As it states, it uses the RHEL7 STIG as a baseline for the tests.

While old (2017), it might still prove useful if it can identify CAT I issues 
quickly with few false negatives as a *starting point*

--stephen
[0] I think DISA stopped making these scripts due to the burden of keeping them 
up to date.   3rd parties now do that for 



Re: Compiled list (STIG for Debian)

2022-03-02 Thread Jeremiah C. Foster




On 3/2/22 12:50, Stephen Dowdy wrote:

On 3/2/22 07:43, Paul Tagliamonte wrote:

STIGs are maintained by DISA, not by Debian

   Paul

On Wed, Mar 2, 2022 at 9:42 AM Stephanie Hall wrote:


    Good morning,

    Do you have an Excel version of a STIG for Debian 9 & 10 that you 
would be willing to share?


    Thank you in advance!




The DISA STIGviewer (a Java app that runs just fine on Debian), can 
import a STIG  file and export to CSV


https://public.cyber.mil/stigs/srg-stig-tools/

However, there is no STIG specific to Debian that I'm aware of.
Your best bet is referencing the Ubuntu ones:

     U_CAN_Ubuntu_{18-04,20-04}_LTS_V.._STIG.zip



Cannot speak for its provenance, but there's this; 
https://github.com/hardenedlinux/STIG-4-Debian


Cheers,

Jeremiah



Re: Compiled list

2022-03-02 Thread Stephen Dowdy

On 3/2/22 07:43, Paul Tagliamonte wrote:

STIGs are maintained by DISA, not by Debian

   Paul

On Wed, Mar 2, 2022 at 9:42 AM Stephanie Hall <sh...@oteemo.com> wrote:

Good morning,

Do you have an Excel version of a STIG for Debian 9 & 10 that you would be 
willing to share?

Thank you in advance!




The DISA STIGviewer (a Java app that runs just fine on Debian), can import a 
STIG  file and export to CSV

https://public.cyber.mil/stigs/srg-stig-tools/

However, there is no STIG specific to Debian that I'm aware of.
Your best bet is referencing the Ubuntu ones:

U_CAN_Ubuntu_{18-04,20-04}_LTS_V.._STIG.zip


--stephen



Re: Compiled list

2022-03-02 Thread Paul Tagliamonte
STIGs are maintained by DISA, not by Debian

  Paul

On Wed, Mar 2, 2022 at 9:42 AM Stephanie Hall  wrote:

> Good morning,
>
> Do you have an Excel version of a STIG for Debian 9 & 10 that you would be
> willing to share?
>
> Thank you in advance!
>
> --
>
> Stephanie Hall
>
> Oteemo, Inc. 
>
> Sr. Consultant, Cybersecurity
>
> m: (315)-723-9951
>
> e: sh...@oteemo.com
>
>
> 
> 
>
>
>
>


-- 
All programmers are playwrights, and all computers are lousy actors.

#define sizeof(x) rand()
:wq


Compiled list

2022-03-02 Thread Stephanie Hall
Good morning,

Do you have an Excel version of a STIG for Debian 9 & 10 that you would be
willing to share?

Thank you in advance!

-- 

Stephanie Hall

Oteemo, Inc. 

Sr. Consultant, Cybersecurity

m: (315)-723-9951

e: sh...@oteemo.com




