https://github.com/mitre/apache-site-2.4x-stig-baseline
InSpec testing for baseline compliance with the Apache Server 2-4 UNIX Site STIG
inspec mitre-corporation mitre-saf security-automation
- Host: GitHub
- URL: https://github.com/mitre/apache-site-2.4x-stig-baseline
- Owner: mitre
- License: other
- Created: 2022-12-05T16:57:19.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2022-12-05T17:45:44.000Z (almost 3 years ago)
- Last Synced: 2025-02-27T01:48:36.624Z (7 months ago)
- Topics: inspec, mitre-corporation, mitre-saf, security-automation
- Language: Ruby
- Homepage:
- Size: 53.7 KB
- Stars: 1
- Watchers: 13
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
## Apache Site STIG Automated Compliance Validation Profile
InSpec profile to validate the secure configuration of an Apache Site against DISA's Apache Site Security Technical Implementation Guide (STIG) Version 2, Release 1.
## Apache Site STIG Overview
The Apache Site STIG (https://public.cyber.mil/stigs/) by the United States Defense Information Systems Agency (DISA) offers a comprehensive compliance guide for the configuration and operation of various technologies.
DISA has created and maintains a set of security guidelines for applications, computer systems or networks connected to the DoD. These guidelines are the primary security standards used by many DoD agencies. In addition to defining security guidelines, the STIG also stipulates how security training should proceed and when security checks should occur. Organizations must stay compliant with these guidelines or they risk having their access to the DoD terminated.
[STIG](https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide)s are the configuration standards for United States Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems published by the United States Defense Information Systems Agency (DISA). Since 1998, DISA has played a critical role in enhancing the security posture of DoD's security systems by providing the STIGs. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.
The requirements associated with the Apache Site STIG are derived from the [National Institute of Standards and Technology](https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology) (NIST) [Special Publication (SP) 800-53, Revision 4](https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53) and related documents.
While the Apache Site STIG automation profile check was developed to provide technical guidance to validate information with security systems such as applications, the guidance applies to all organizations that need to meet internal security as well as compliance standards.
## Getting Started
### Requirements
#### Apache Site
- Apache Site
- Account providing appropriate permissions to perform audit scan
#### Required software on Apache Site machine
- git
- [InSpec](https://www.chef.io/products/chef-inspec/)
### Setup Environment on Apache Site machine
#### Install InSpec
Go to https://www.inspec.io/downloads/ and consult the documentation for your Operating System to download and install InSpec.
#### Ensure InSpec version is at least 4.23.10
```sh
inspec --version
```
### How to execute this instance
(See: https://www.inspec.io/docs/reference/cli/)
#### Execute a single Control in the Profile
**Note**: Replace the profile's directory name - e.g. - `` with `.` if currently in the profile's root directory.
```sh
inspec exec /controls/V-72841.rb --show-progress
```
Or use the `--controls` flag to run only a subset of controls:
```sh
inspec exec --controls=V-72841.rb V-72845.rb --show-progress
```
#### Execute a Single Control and save results as JSON
```sh
inspec exec --controls=V-72841.rb --show-progress --reporter json:results.json
```
#### Execute All Controls in the Profile
```sh
inspec exec --show-progress
```
#### Execute all the Controls in the Profile and save results as JSON
```sh
inspec exec --show-progress --reporter json:results.json
```
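The `results.json` written by the JSON reporter holds one entry per control, each with a list of individual test results. The script below is an added example, not part of this profile or the project's own tooling: it rolls those results up to one status per control and lists the failures. The sample report, its control IDs, and the roll-up rule (any failed test fails the control, impact 0 means not applicable, all-skipped means not reviewed) are assumptions made for the example.

```ruby
require 'json'

# Constructed sample in the shape of InSpec's JSON reporter output, trimmed to
# the fields used here. Control IDs and messages are placeholders.
SAMPLE_RESULTS = <<~JSON
  {"profiles": [{"name": "example-profile", "controls": [
    {"id": "EXAMPLE-1", "impact": 0.5, "results": [
      {"status": "passed", "code_desc": "constructed check A"},
      {"status": "passed", "code_desc": "constructed check B"}]},
    {"id": "EXAMPLE-2", "impact": 0.7, "results": [
      {"status": "passed", "code_desc": "constructed check C"},
      {"status": "failed", "code_desc": "constructed check D", "message": "expected on, got off"}]},
    {"id": "EXAMPLE-3", "impact": 0.5, "results": [
      {"status": "skipped", "code_desc": "constructed manual check"}]},
    {"id": "EXAMPLE-4", "impact": 0.0, "results": [
      {"status": "skipped", "code_desc": "constructed n/a check"}]},
    {"id": "EXAMPLE-5", "impact": 0.5, "results": []}
  ]}]}
JSON

# Roll one control's test results up to a single status (assumed rule, see lead-in).
def control_status(control)
  statuses = (control['results'] || []).map { |r| r['status'] }
  return :not_applicable if control['impact'].to_f.zero?
  return :failed if statuses.include?('failed')
  # No results, or only skipped ones: nothing was actually verified.
  return :not_reviewed if statuses.empty? || statuses.all? { |s| s == 'skipped' }
  :passed
end

# Count controls per status across all profiles and collect the failed IDs.
def summarize(json_text)
  report = JSON.parse(json_text)
  controls = report.fetch('profiles', []).flat_map { |p| p.fetch('controls', []) }
  by_status = controls.group_by { |c| control_status(c) }
  { counts: by_status.transform_values(&:size),
    failed: by_status.fetch(:failed, []).map { |c| c['id'] } }
end

if __FILE__ == $PROGRAM_NAME
  # Pass a results.json path as the first argument; without one the sample is used.
  summary = summarize(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_RESULTS)
  summary[:counts].each { |status, n| puts format('%-15s %d', status, n) }
  puts "failed controls: #{summary[:failed].join(', ')}" unless summary[:failed].empty?
  # Non-zero exit on failures so a pipeline step can gate on a real report.
  exit 1 if ARGV[0] && !summary[:failed].empty?
end
```

A control with no results or only skipped results is reported as not reviewed rather than passed, so an audit that could not reach the Apache configuration does not read as compliant.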