[SFS] STIG?
Matt James
sfs@thegeek.nu
Thu, 7 Nov 2013 15:08:20 -0700
The tool I have seen used by the fed is called Nessus. For one project
they were nice enough to give us a license but not so on this project.
It's a $1500 a year subscription that isn't currently in the budget. I'll
keep poking. Thanks for the feedback.
Matt
On Thu, Nov 7, 2013 at 3:03 PM, David L. Anselmi <anselmi@anselmi.us> wrote:
> Matt James wrote:
>
>> Hey Linuxers,
>> I've been working on performing a STIG for some systems and wondering
>> if anyone else has had to deal with this stuff. Now - Willson, calm down,
>> I don't work for the DOD/NSA/etc. - but my customers have to comply with
>> their standards and are asking for my help.
>>
>
> I haven't worked with STIGs directly but I have seen tools that do checks
> for you, possibly published by NSA or NIST. For one project I did they
> measured compliance using a scan tool they had configured - eEye Retina,
> maybe (it sucked but it wasn't as bad as checking by hand).
>
> Can your customers talk to the people who require compliance and get in
> touch with the relevant organizations? If someone were to show up to audit
> them they would likely have such a tool--maybe they'll share, or tell you
> where your customer can buy the right thing.
>
> Dave
>
> _______________________________________________
> SFS mailing list
> SFS@thegeek.nu
> http://mailman.thegeek.nu/mailman/listinfo/sfs
>
--
Go Green! Please do not print this e-mail unless it is completely
necessary.