RE: DISA Security Readiness Review Evaluation Scripts

From: Smith, Michael J. (Michael.J.Smith_at_unisys.com)
Date: 11/25/05

    Date: Fri, 25 Nov 2005 10:04:00 -0600
    To: "hannibal blog" <hannibalsec@gmail.com>, <pen-test@securityfocus.com>
    
    

    The SRR scripts are very good, but keep in mind that what they do is
    check the configurations that are specified in the STIGs.

    It goes like this:
    NSA creates Security Guides
    Which begat:
    DISA Security Technical Implementation Guides
    Which begat:
    DISA Manual Checklists
    Which begat:
    DISA SRR Scripts

    What the SRR Scripts are is an automated way to do the checks in the
    manual checklists.

    A word of caution is that if an OS is configured according to the STIGs,
    they will break. The good thing is that it's a fast tool to check for
    vulnerabilities.

    The scripts for Windows machines use WinBatch as the script language.
    They take about 15-20 minutes to run once you've figured out how to do
    it. What we do is go into an office, select a random percentage of
    computers to check, load the script, and start it. By the time we're
    done starting the script on the last computer, it's time to start
    retrieving results off the first ones.

    When DISA sends their audit team around, they run the SRR Scripts and an
    external scan with ISS or Retina.

    As for the .mil restriction, last time I looked at them, they allow
    anybody to download the STIGs but you need a .mil address to download
    the SRR Scripts. There is also the "gold disk" which has all the SRR
    Scripts on it.

    HTH
    --Mike

    Michael J Smith michael.j.smith@unisys.com
    Information Security Architect
    703.419.3109 W
    703.855.0890 C
    "Those who do not understand Unix are condemned to reinvent it, poorly."
    --Henry Spencer

    > -----Original Message-----
    > From: hannibal blog [mailto:hannibalsec@gmail.com]
    > Sent: Thursday, November 24, 2005 3:19 AM
    > To: pen-test@securityfocus.com
    > Subject: DISA Security Readiness Review Evaluation Scripts
    >
    > Hello,
    >
    > Did anyone try the publicly available DISA SRR available at
    > http://iase.disa.mil/stigs/SRR/ ?
    > What is the difference between the publicly available ones and those
    > reserved to .mil?
    > What do you think about using them to audit a customer Win 2k server?
    >
    >
    

