GSA/security-benchmarks

Name: security-benchmarks

Owner: U.S. General Services Administration

Description: GSA Security Benchmarks and Tools

Created: 2017-05-19 00:50:32.0

Updated: 2018-05-21 21:48:57.0

Pushed: 2018-05-21 21:48:59.0

Homepage:

Size: 1637

Language: Python


README

GSA Security Benchmarks

Welcome to the General Services Administration Security Benchmarks repository. Here you can find items to help implement GSA Security Benchmarks, Infrastructure As Code, and other tools for our DevSecOps work.

What are GSA Security Benchmarks?

The GSA publishes security guides for various operating systems and applications commonly used at the agency. For more information, please refer to the published guides on insite.gsa.gov (only accessible with a GSA account).

Available Tools
Benchmarks

Only accessible with a GSA account.

For questions or comments, please email ise-guides@gsa.gov.

Infrastructure

The DevSecOps Example is a good starting point for understanding how all the various pieces fit together. The components are at varying levels of “completion” - see the README and open issues in the respective repository for more details. Feedback more than welcome!

Terraform Modules

Ansible Roles

By operating system

Work in progress.

Recommended tools to use on every server, though you are not limited to the options in this list.

Requirement | Linux | Windows
--- | --- | ---
Activity monitoring | OSSEC | OSSEC
Antivirus (preferred if OS is supported) | Cylance | Cylance
Antivirus | ClamAV | ClamAV
Hardening (to match benchmarks) | RHEL 6, RHEL 7, Ubuntu 14, Ubuntu 16 | Group Policy Settings
Log forwarding | rsyslog | Snare
Multi-factor auth (required for internet-facing servers) | Google Authenticator | Rohos Logon Key
Vulnerability scanning | Nessus | Nessus
Incident response (if OS is supported) | FireEyeHx | FireEyeHx

Base images

Work in progress.

This repository also contains code to build the base server images with all the agents etc. installed.

  1. Set up the AWS CLI.

    1. Install
    2. Configure
  2. Install additional dependencies:

  3. Specify a region (options).

    export AWS_DEFAULT_REGION=...
    
  4. Build the AMI.

    
    

This will create AMIs with names of <operating system>-base-<timestamp>.

Service Control Policy

See the SCP-specific README.

