[SFS] STIG?

David L. Anselmi sfs@thegeek.nu
Thu, 07 Nov 2013 15:03:03 -0700


Matt James wrote:
> Hey Linuxers,
>      I've been working on performing a STIG for some systems and wondering
> if anyone else has had to deal with this stuff.  Now - Willson, calm down,
> I don't work for the DOD/NSA/etc. - but my customers have to comply with
> their standards and are asking for my help.

I haven't worked with STIGs directly, but I have seen tools that do checks for you, possibly published by NSA or NIST.  For one project I did, they measured compliance using a scan tool they had configured - eEye Retina, maybe (it sucked but it wasn't as bad as checking by hand).

Can your customers talk to the people who require compliance and get in touch with the relevant organizations?  If someone were to show up to audit them they would likely have such a tool--maybe they'll share, or tell you where your customer can buy the right thing.

Dave