Project: STIG-4-Debian

## Why STIG?

STIGs are published by a government agency called the Defense Information Systems Agency (DISA), the entity responsible for maintaining the security posture of the Department of Defense (DoD) IT infrastructure. After we heard from Mr. Sn0wd3n how the NSA fucks this world, we will pay more attention to how they do the defense.

DoD applies these Security Technical Implementation Guides to all DoD IT assets before they go online or into operation.

The STIG classification system is based on Mission Assurance Category (I-III) and Confidentiality Level (Public-Classified), giving you 9 possible combinations of configuration requirements.

## Why Debian?

I wrote these scripts on Debian GNU/Linux 8. Debian has a lot of security mechanisms and some good features, especially “Reproducible Builds”. I used the STIG for Red Hat 6 v1r7 as the basis for porting a STIG to Debian 8.

Debian is always actively maintained and has good security in its default configuration.

## What’s different?

In the STIG for RHEL-06, some services don’t exist in Debian, and some commands or purposes are implemented in a different way.

You can find the porting log in the STIG-4-Debian repo.

But the general idea is all based on the STIG for RHEL-06 v1r7.


There’s a lot of TODO.
Because the version I’m releasing is just a simple “POC” and a pre-release version, it doesn’t even cover all the “checks”.

But I will release the first “full-check” version soon, and add Classification and Severity right after full-check; I think it will be released next month.
