Re: Compiled list (STIG for Debian)

[Reinhart Eisermann]

I followed and a bit surprised that only 46 lines are in that excel list
;-)
Thanks for sharing that.

On Wed, 2 Mar 2022 13:56:48 -0500
Stephanie Hall  wrote:

> Thank you everyone!  We found a SCAP Security Guide (SSG) for each of the 3
> versions we were looking at.  9-11.   It's not a STIG, but SCAP is a DoD
> industry standard so they should look favorably on it. 
> All three had the same line items. We broke it out into an excel
> spreadsheet that I wanted to share with you since not everyone uses SCAP.
> 
> Thanks for the help!

Re: Compiled list (STIG for Debian)

[Stephanie Hall]

Thank you everyone!  We found a SCAP Security Guide (SSG) for each of the 3
versions we were looking at.  9-11.   It's not a STIG, but SCAP is a DoD
industry standard so they should look favorably on it. 
All three had the same line items. We broke it out into an excel
spreadsheet that I wanted to share with you since not everyone uses SCAP.

Thanks for the help!

On Wed, Mar 2, 2022 at 1:23 PM Stephen Dowdy  wrote:

> On 3/2/22 10:54, Jeremiah C. Foster wrote:
> > Cannot speak for it's provenance, but there's this;
> https://github.com/hardenedlinux/STIG-4-Debian
>
> Jeremiah,
>
> Thanks, that actually looks like more of an SRR (System Readiness
> Review[0]) evaluation checker for applicable STIGs.
>
> As it states, it uses the RHEL7 STIG as a baseline for the tests.
>
> While old (2017), it might still prove useful if it can identify CAT I
> issues quickly with few false negatives as a *starting point*
>
> --stephen
> [0] i think DISA stopped making these scripts due to the burden of keeping
> them upto date.   3rd parties now do that for 
>


-- 

Stephanie Hall

Oteemo, Inc. 

Sr. Consultant, Cybersecurity

m: (315)-723-9951

e: sh...@oteemo.com





Oteemo Customer Love 


Debian_9-11_SSG.xlsx
Description: MS-Excel 2007 spreadsheet

Re: Compiled list (STIG for Debian)

[Stephen Dowdy]

On 3/2/22 10:54, Jeremiah C. Foster wrote:

Cannot speak for it's provenance, but there's this; 
https://github.com/hardenedlinux/STIG-4-Debian


Jeremiah,

Thanks, that actually looks like more of an SRR (System Readiness Review[0]) 
evaluation checker for applicable STIGs.

As it states, it uses the RHEL7 STIG as a baseline for the tests.

While old (2017), it might still prove useful if it can identify CAT I issues 
quickly with few false negatives as a *starting point*

--stephen
[0] i think DISA stopped making these scripts due to the burden of keeping them 
upto date.   3rd parties now do that for 

Re: Compiled list (STIG for Debian)

[Jeremiah C. Foster]

On 3/2/22 12:50, Stephen Dowdy wrote:

On 3/2/22 07:43, Paul Tagliamonte wrote:

STIGs are maintained by DISA, not by Debian

   Paul

On Wed, Mar 2, 2022 at 9:42 AM Stephanie Hall > wrote:


    Good morning,

    Do you have an excel version of a STIG for Debian 9 & 10 that you 
would be willing to share?


    Thank you in advance!




The DISA STIGviewer (a Java app that runs just find on Debian), can 
import a STIG  file and export to CSV


https://public.cyber.mil/stigs/srg-stig-tools/

However, there is no STIG specific to Debian that i'm aware of.
Your best bet is referencing the Ubuntu ones:

     U_CAN_Ubuntu_{18-04,20-04}_LTS_V.._STIG.zip



Cannot speak for it's provenance, but there's this; 
https://github.com/hardenedlinux/STIG-4-Debian


Cheers,

Jeremiah