DISA IASE STIG validation & remediation for Linux/UNIX
Code Coverage: 2018-11-23
OS | Version | STIG Rule(s) | Completed | Percentage |
---|---|---|---|---|
AIX | 6.1 | 501 | 0 | 0% |
HP-UX | 11.31 | 518 | 0 | 0% |
Oracle Linux | 5 | 569 | 0 | 0% |
Oracle Linux | 6 | 264 | 0 | 0% |
Red Hat | 6 | 263 | 0 | 0% |
Red Hat | 7 | 242 | 0 | 0% |
Solaris | 10 | 511 | 29 | 5.67% |
Solaris | 11 | 236 | 94 | 39.83% |
Ubuntu | 16.04 | 229 | 0 | 0% |
SuSE | 12 | 138 | 0 | 0% |
Totals | | 3471 | 123 | 3.54% |
No installer package; simply copy the latest stigadm toolkit and use it.
- validation: Default. Performs validation of STIG recommendations
- remediation: Remediates STIG recommendations
- restoration: Restores configurations of any previously changed STIG remediations
$ ./stigadm -h
stigadm - Facilitates STIG Validation & Modifications
Usage ./stigadm [options]
Help:
-h Show this message
Targeting:
-O Operating System
Supported: [Solaris]
-V OS Version
Supported: [11|10]
Filters:
-C Classification
Supported: [CAT-I|CAT-II|CAT-III]
-L VMS ID List - A comma separated list VMS ID's
Example: V0047799,V0048211,V0048189
Options:
-a Author name (required when using -c)
-b Use new boot environment (Solaris only)
-c Make the change
-v Enable verbose messages
Restoration:
-r Perform rollback of changes
Reporting:
-l Default: /var/log/stigadm/<HOST>-<OS>-<VER>-<ARCH>-<DATE>.json
-j JSON reporting structure (default)
-x XML reporting structure
Here are a few usage examples to get you started with the toolkit. If you are interested in the XML or JSON reporting that is generated, see here.
This is the default mode of the library. It evaluates each STIG rule and outputs the current state. Use the -v option for additional details.
Targeting the OS allows for greater flexibility with regard to an automated solution:
$ ./stigadm.sh -O Solaris -V 10
Targeting the STIG classification can be used to filter tests or remediation:
$ ./stigadm.sh -C CAT-II
Providing a comma-separated list of VMS IDs can also assist with filtering tests or remediation:
$ ./stigadm.sh -L V0047799,V0048211,V0048189
Remediation mode will find and resolve STIG IDs. Note that an author name or initials (-a) is required whenever the -c flag is used.
Targeting the OS allows for greater flexibility with regard to an automated solution:
$ ./stigadm.sh -O Solaris -V 10 -ca jlg
Targeting the STIG classification can be used to filter tests or remediation:
$ ./stigadm.sh -C CAT-II -ca jlg
Providing a comma-separated list of VMS IDs can also assist with filtering tests or remediation:
$ ./stigadm.sh -L V0047799,V0048211,V0048189 -ca jlg
Because Solaris offers an alternate boot environment, you can use the -b option to apply changes there. Please note that this is at the alpha stage of implementation.
$ ./stigadm.sh -C CAT-I -bca jlg
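When the commands above are driven from automation, it helps to check the inputs before they reach a tool that changes system configuration. The following is an added example, not part of stigadm: it builds an option string from only the flags shown in the help output and rejects anything else. The function names are hypothetical, and the VMS ID pattern ("V" plus seven digits) is an assumption taken from the IDs in the examples above.

```shell
#!/bin/sh
# Added example, not part of stigadm. Function names are hypothetical.

# Assumption: VMS IDs match the README's examples ("V" plus seven digits).
valid_vms_list() {
  case "$1" in ''|,*|*,|*,,*) return 1 ;; esac
  old_ifs=$IFS; IFS=,; set -f          # split on commas, no globbing
  rc=0
  for id in $1; do
    case "$id" in
      V[0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) rc=1 ;;
    esac
  done
  IFS=$old_ifs; set +f
  return $rc
}

# build_stigadm_args MODE CLASS VMS_LIST AUTHOR
# MODE is "validate" or "remediate"; an empty CLASS or VMS_LIST adds no filter.
# Prints the option string on success, returns 2 on rejected input.
build_stigadm_args() {
  mode=$1; class=$2; list=$3; author=$4; args=""
  case "$class" in
    "") ;;
    CAT-I|CAT-II|CAT-III) args="$args -C $class" ;;
    *) echo "unsupported classification: $class" >&2; return 2 ;;
  esac
  if [ -n "$list" ]; then
    valid_vms_list "$list" || { echo "malformed VMS ID list" >&2; return 2; }
    args="$args -L $list"
  fi
  case "$mode" in
    validate) ;;
    remediate)
      # -c needs an author (-a). Accept only a plain token so the value
      # cannot be read as another option such as -r.
      case "$author" in
        ""|-*|*[!A-Za-z0-9._-]*) echo "author required with -c" >&2; return 2 ;;
      esac
      args="$args -ca $author" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  printf '%s\n' "${args# }"
}

build_stigadm_args remediate CAT-I "" jlg   # prints: -C CAT-I -ca jlg
```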
Contributions are welcome & appreciated. Refer to the contributing document to help facilitate pull requests.
An API can be used for contributing new modules or suggesting fixes, etc.
Please read the FAQ to answer general questions about the project. Thanks.
This software is licensed under the MIT License.
Copyright Jason Gerfen, 2015-2018.