This script is used to check DISA STIG(Security Technical Implementation Guides) for Debian 9
Porting from DISA RHEL 7 STIG V1 R1
Benchmark Date: 27 Feb 2017
It has been a long time since we have updated STIG for Debian's framework. I think it's time to upgrade for the release of Debian 9 stable.
For easy to read reports, we decided to output to HTML as the primary (and for now, only) option.
Thanks to the author zavoloklom for the HTML table template
# bash stig-4-debian.sh -h
usage: stig-4-debian.sh [options]
-s Start checking and output repot in html format.
-v Display version
-h Display help
Default report is output in current directory(STIG-for-Debian-*.html)
STIG for Debian Compliance Checking Tools (v2.0)
Ported from DISA RHEL 7 STIG
This is a new framework release only. Not many check rules have been ported from DISA RHEL 7 STIG yet.
We (and you) will fill it up soon.
- Create a new check script file in the scripts directory for the new check rule and implementation.
- Move new check rule description to stig-debian.txt.
- Call the check script file in stig-4-debian.sh, as follows:
bash scripts/${new-check-rule-script}.sh >/dev/null 2>&1 &
spinner $!
output "SV-id_rule" $?
- Delete check rule description from stig-debian.txt.
- Delete the check script file in the scripts directory.
- Delete calls the check script line in stig-4-debian.sh.
bash scripts/check-nullok.sh >/dev/null 2>&1 &
spinner $!
output "SV-86561r1_rule" $?
In this code snippet, we using a script name check-nullok.sh
to check nullok in system-auth-ac and use exit status to determine the results of the check:
spinner $!
is a small function for administrator to feel this script is running ;)
output "SV-86561r1_rule" $?
using output
function to output.
When the script is ported, note that the original text is from DISA RHEL 7 STIG. If some rule is RHEL 7 specific, you should use a corresponding check method in Debian and update the textfile stig-debian.txt
.
If you encounter some rule that you cannot easily write a small script to check. You can put this rule in manual.txt
.
In the statics
directory xml2text.sh
is a script that can extract the information we need from offcial STIG XML file, such as 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml'. The original text file stig-debian.txt
is copy of stig-rhel-7.txt
. How to easily update STIG for Debian textfile when the offcial RHEL 7 STIG changes is under discussion.
SELinux-related items (not matched):
- SV-86663r1_rule
- SV-86695r2_rule
- SV-86759r3_rule
- SV-86761r3_rule
- SV-86763r3_rule
- SV-86765r3_rule
- SV-86595r1_rule
- SV-86615r2_rule
https://github.com/harbian/stig4debian/tree/master/stig4debian-package
https://github.com/harbian/stig4debian/tree/master/stig4debian-unsigned-package