---
name: pentest-stig
description: DISA STIG (Security Technical Implementation Guide) audit + GPO remediation + keep-open justification advisory. Triggers on STIG, DISA, SCAP, OpenSCAP, Compliance Master, GPO, group policy hardening, keep-open justification, CKL.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents stig-analyst
---

# pentest-stig

DISA STIG audit + remediation advisory. Standard in government, finance and critical-infrastructure engagements.

## Triggers

- "STIG audit"
- "SCAP / OpenSCAP scan"
- "GPO hardening"
- "keep-open justification"
- "CKL file analysis"
- "compliance baseline"

## What a STIG Is

A **security configuration baseline** published by the US Department of Defense's Defense Information Systems Agency (DISA). There are product-specific STIGs for Linux and Windows operating systems, web servers, network devices, databases and applications.

Each rule carries:
- **Identifiers**: a STIG ID (e.g. RHEL-08-010020, stable across releases), a Vuln ID (V-number) and a Rule ID (SV-number, revised with each release). Rules cite CCIs (Control Correlation Identifiers), which map to NIST SP 800-53 controls
- **Severity**: CAT I (high), CAT II (medium), CAT III (low)
- **Vulnerability discussion**: why the rule matters
- **Check Text**: how to verify it, including what counts as a finding
- **Fix Text**: how to remediate
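
A Check Text is executable logic, and a naive `grep` gets it wrong on real sshd configs. The following is an added example (not DISA's check text and not code from this skill) that evaluates a simplified reading of RHEL-08-010550 (PermitRootLogin must be `no`) and a PasswordAuthentication-off control against an sshd_config and returns CKL statuses. The sample config, the `CC-PasswordAuthentication` label and the function names are assumptions made for the example.

```python
"""Evaluate SSH STIG-style checks against an sshd_config and return CKL statuses.

Added example, not DISA's check text: the rule logic is a simplified reading of
RHEL-08-010550 (PermitRootLogin "no") plus a PasswordAuthentication-off
compensating control; the sample config below is constructed.
"""
import re

# sshd_config semantics a correct check must honour:
#   * keywords are case-insensitive and may be written "Key value" or "Key=value";
#   * for a given keyword the FIRST occurrence wins, later duplicates are ignored;
#   * everything after a "Match" line is conditional and is not the global value.
# `sshd -T` prints the effective configuration (including Include files on newer
# OpenSSH) and is authoritative; this parser is for offline review of a copied file.
def effective_sshd_options(config_text: str) -> dict:
    opts = {}
    in_match_block = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match_block = True
            continue
        if in_match_block:
            continue
        opts.setdefault(key, value)                  # first occurrence wins
    return opts

# (label, keyword, required value, sshd default when the keyword is absent)
CHECKS = [
    ("RHEL-08-010550", "permitrootlogin", "no", "prohibit-password"),
    ("CC-PasswordAuthentication", "passwordauthentication", "no", "yes"),
]

def evaluate(config_text: str) -> dict:
    """Return {label: {"status": CKL status, "finding_details": evidence}}.
    An absent keyword is compared against the sshd default, so "missing" is a
    finding exactly as the STIG check text says."""
    opts = effective_sshd_options(config_text)
    results = {}
    for label, keyword, required, default in CHECKS:
        if keyword in opts:
            actual, source = opts[keyword], "explicit"
        else:
            actual, source = default, "absent, sshd default applies"
        status = "NotAFinding" if actual == required else "Open"
        results[label] = {
            "status": status,
            "finding_details": f"{keyword} = {actual!r} ({source}); required {required!r}",
        }
    return results

# Constructed sample: a duplicate PermitRootLogin (first wins) and a Match block
# that turns password auth off only for the management VLAN, not globally.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes            # ignored by sshd: the first value above wins
Match Address 192.168.99.0/24
    PasswordAuthentication no  # conditional, must not count as the global value
"""

if __name__ == "__main__":
    for label, r in evaluate(SAMPLE_SSHD_CONFIG).items():
        print(f"{r['status']:<12} {label}: {r['finding_details']}")
```

On the sample the root-login rule is NotAFinding (the first `PermitRootLogin no` wins) while the password-authentication control is Open, because the `no` inside the Match block only applies to the management VLAN. Put the `finding_details` string into the CKL FINDING_DETAILS field so the reviewer sees the evidence, not just the status.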

## SCAP Scan

```bash
# OpenSCAP (Linux audit). The datastream ships in the scap-security-guide package;
# list its profiles before choosing one:
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \
  --results scan-results.xml \
  --report scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
# exit status: 0 = every selected rule passed, 2 = at least one rule failed, 1 = error
# --datastream-id is only needed when one file bundles several datastreams

# Windows: SCAP Compliance Checker (SCC, distributed by DISA) with the DISA SCAP
# benchmark for the target OS; there is no supported OpenSCAP scanner for Windows.
# GUI: scap-workbench (same content; can tailor profiles and scan remote hosts over SSH)
# Containers/images: oscap-podman / oscap-docker with the same datastream
```
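
What comes out of `--results` is an XCCDF result document, and STIG Viewer maps each XCCDF result value onto a CKL status when it imports one. The block below is an added example (not OpenSCAP's or DISA's code) that parses such a file, applies that mapping, and lists the Open rules by CAT. The result document is a constructed, shortened sample in the shape oscap writes; the rule ids are SSG-style names used as sample data and the CCI values are sample data too.

```python
"""Summarise an XCCDF result file from `oscap xccdf eval --results` and map each
rule result onto the CKL status STIG Viewer would assign on import.

Added example (not OpenSCAP's or DISA's code); the sample document is constructed
and cut down to the elements the summary reads.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF <result> value -> CKL status. "error"/"unknown" are NOT passes: a check that
# could not run has to be looked at by hand, so it stays Not_Reviewed. "notselected"
# means the rule is outside the chosen profile; a checklist full of Not_Reviewed
# usually means the wrong --profile was scanned, not that nothing was checked.
RESULT_TO_CKL = {
    "pass": "NotAFinding", "fixed": "NotAFinding",
    "fail": "Open",
    "notapplicable": "Not_Applicable",
    "notchecked": "Not_Reviewed", "notselected": "Not_Reviewed",
    "informational": "Not_Reviewed", "error": "Not_Reviewed", "unknown": "Not_Reviewed",
}
SEVERITY_TO_CAT = {"high": "I", "medium": "II", "low": "III"}

def parse_rule_results(xml_text: str) -> list:
    """One dict per <rule-result> in the TestResult: rule, CKL status, CAT, CCIs."""
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        out.append({
            "rule": rr.get("idref", "").replace("xccdf_org.ssgproject.content_rule_", ""),
            "xccdf_result": result,
            "status": RESULT_TO_CKL.get(result, "Not_Reviewed"),
            "cat": SEVERITY_TO_CAT.get(rr.get("severity", "").lower(), "?"),
            "ccis": [i.text for i in rr.iterfind("x:ident", XCCDF_NS)
                     if i.get("system") == "http://cyber.mil/cci"],
        })
    return out

def summarize(rule_results: list) -> dict:
    counts = Counter(r["status"] for r in rule_results)
    open_by_cat = sorted((r for r in rule_results if r["status"] == "Open"),
                         key=lambda r: r["cat"])     # "I" < "II" < "III"
    return {"counts": dict(counts), "open": open_by_cat}

# Constructed sample in the shape oscap writes (Benchmark wrapping a TestResult).
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
    <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" severity="high">
      <result>fail</result><ident system="http://cyber.mil/cci">CCI-000366</ident>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result><ident system="http://cyber.mil/cci">CCI-000770</ident>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>error</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_unselected_rule" severity="low">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    summary = summarize(parse_rule_results(SAMPLE_RESULTS))
    print(summary["counts"])
    for r in summary["open"]:
        print(f"CAT {r['cat']:<4} Open  {r['rule']}  {r['ccis']}")
```

The STIG ID (RHEL-08-...) is not on the `rule-result` element; it lives in the Rule's `reference` in the benchmark half of the file, which is why importing into STIG Viewer (or using `--stig-viewer`, see the automation section) is the reliable way to get a checklist keyed by STIG ID.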

## CKL (Checklist) Format

The XML checklist (.ckl) opened by DISA STIG Viewer (STIG Viewer 3 also reads and writes a JSON .cklb variant). One `<VULN>` element per rule, carrying the rule's STIG_DATA (Vuln_Num, Rule_Ver = STIG ID, Severity, Rule_Title, ...), a `<STATUS>`, `<FINDING_DETAILS>` (evidence from the check) and `<COMMENTS>` (where a keep-open justification goes). Statuses:
- **NotAFinding**: compliant
- **Open**: finding present
- **Not_Applicable**: out of scope for this system
- **Not_Reviewed**: not yet checked

## Common STIG Rules (Linux RHEL 8)

Representative rules that are frequently Open in audits. STIG IDs are stable across releases, but severities and check text are revised; confirm both against the current DISA release in STIG Viewer before citing them in a report.

| ID | Title | CAT |
|----|-------|-----|
| RHEL-08-010020 | FIPS mode enabled (FIPS-validated crypto policy) | I |
| RHEL-08-010370 | Package signature verification (gpgcheck=1 for yum/dnf) | I |
| RHEL-08-010040 | DoD Notice and Consent Banner before SSH logon | II |
| RHEL-08-010380 | sudo requires a password (no NOPASSWD) | II |
| RHEL-08-010550 | SSH PermitRootLogin no | II |
| RHEL-08-020010 | Account lockout after 3 failed logon attempts (pam_faillock) | II |
| RHEL-08-020230 | Password minimum length 15 (pwquality minlen) | II |

Other rule families that routinely come up Open: USB mass storage module disabled, nodev/nosuid/noexec mount options on /tmp and removable media, idle session timeout (SSH ClientAliveInterval, tmux lock), firewalld active. Look their current IDs up in STIG Viewer rather than quoting them from memory.

## Common STIG Rules (Windows Server 2022)

Same caveat as above: verify IDs and severities in the current WN22 release before citing them.

| ID | Title | CAT |
|----|-------|-----|
| WN22-00-000010 | Inactive accounts disabled | III |
| WN22-AC-000010 | Account lockout duration | II |
| WN22-AC-000020 | Account lockout threshold | II |
| WN22-AU-000010 | Audit policy: Account Logon events | II |
| WN22-SO-000020 | Anonymous SID/Name translation disabled | I |
| WN22-SO-000080 | LAN Manager hash not stored (NoLMHash = 1) | I |
| WN22-SO-000100 | LmCompatibilityLevel = 5 (NTLMv2 only, refuse LM and NTLM) | I |

## Keep-Open Justification

Some rules cannot be applied for a business-specific reason. The CKL status stays **Open** (STIG Viewer has no "mitigated" status); the justification goes into the rule's COMMENTS field and, in DoD engagements, into the POA&M. A justification that survives review:

```markdown
## STIG ID: RHEL-08-010550 (SSH PermitRootLogin)

### Status: Open (mitigated; CKL status stays Open, justification in COMMENTS and POA&M)

### Justification
- **Risk**: Direct root SSH exposes the most privileged account to online password guessing and removes individual accountability (actions are logged as root, not as a named user)
- **Compensating Control 1**: sshd listens only on the management VLAN (ListenAddress on 192.168.99.0/24); no route from user or internet segments
- **Compensating Control 2**: PubkeyAuthentication only (PasswordAuthentication no)
- **Compensating Control 3**: All sudo and root commands forwarded to remote syslog
- **Compensating Control 4**: 2FA via FreeIPA (TOTP), enforced with AuthenticationMethods publickey,keyboard-interactive so the OTP prompt still runs with password auth off
- **Compensating Control 5**: Access only through a bastion host with session recording
- **Business Need**: Legacy application requires root for service initialisation
- **Remediation Roadmap**: Application refactored to sudo-only by Q4 2026
- **Approval**: Security Manager <name>, <date>
- **Review Frequency**: Every 6 months
```

## GPO Remediation Mapping

```powershell
# STIG WN22-SO-000080 (do not store the LAN Manager hash)
# Manual GPO path:
# Computer Configuration -> Policies -> Windows Settings -> Security Settings
# -> Local Policies -> Security Options
# -> "Network security: Do not store LAN Manager hash value on next password change" = Enabled
# Backing registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1 (REG_DWORD)

# Verify the effective value on a target host (1 = compliant):
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash

# Push it from a domain GPO (GroupPolicy module, RSAT). This writes registry.pol, so
# GPMC shows it under "Extra Registry Settings" rather than Security Options; it still
# applies. For a proper Security Options entry, import a security template
# (GptTmpl.inf) with LGPO.exe /s, or set it in the GPMC editor.
Set-GPRegistryValue -Name 'STIG-Baseline' `
  -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
  -ValueName NoLMHash -Type DWord -Value 1

# Refresh on a host and confirm which GPO won:
gpupdate /target:computer /force
gpresult /scope computer /h C:\Temp\gpresult.html
```

## STIG Audit Automation

```bash
# Fleet-wide STIG check (cron / Ansible). ARF keeps the full results plus system
# characteristics; --stig-viewer writes an XCCDF result file that STIG Viewer can
# import into a checklist (Import -> XCCDF Results File), which replaces any
# hand-rolled results-to-CKL conversion.
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \
  --results-arf /var/log/stig-arf.xml \
  --report /var/log/stig-report.html \
  --stig-viewer /var/log/stig-viewer-results.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

# Remediation playbook from the same content (scap-security-guide also ships a
# prebuilt one under /usr/share/scap-security-guide/ansible/), then dry-run it
oscap xccdf generate fix --fix-type ansible \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --output stig-rhel8-playbook.yml \
  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
ansible-playbook -i inventory stig-rhel8-playbook.yml --check --diff

# Do not run `oscap xccdf eval --remediate` against production: it applies fixes
# in place, with no dry run and no awareness of keep-open exceptions.
```

## Output Template

```markdown
## STIG Audit — <system>

### Compliance Score
- Total: 250 STIG rules
- NotAFinding: 195 (78%)
- Open: 38 (15.2%)
- Not_Applicable: 12 (4.8%)
- Not_Reviewed: 5 (2%)
- Score (NotAFinding / assessable rules, N/A excluded): 195/238 = 81.9%

### CAT I Open (Critical — 5)
1. RHEL-08-010020 FIPS mode not enabled (remediation: `fips-mode-setup --enable` + reboot; test applications first, the crypto policy changes)
2. WN22-SO-000080 LM hash storage enabled (GPO update)
3. ... (3 more)

### Keep-Open Justified (Mitigated)
1. RHEL-08-010550 SSH root login (5 compensating controls, see justification)
2. ...

### Remediation Plan
| Priority | Count | Effort | Timeline |
|----------|-------|--------|----------|
| CAT I | 5 | 8h | 1 week |
| CAT II | 28 | 32h | 1 month |
| CAT III | 5 | 8h | 3 months |
```
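
Both the CKL structure described above and this Output template come from the same parse: read every `<VULN>`, honour a SEVERITY_OVERRIDE, tally statuses, and separate Open rules that carry a justification in COMMENTS from plain findings. The block below is an added example (not STIG Viewer's or this skill's code) that does exactly that and renders the template's first three sections. The checklist is a constructed minimal .ckl with dummy Vuln_Num values and only the STIG_DATA fields the report reads; the `render`, `compliance`, `keep_open` and `cat1_open` names are assumptions.

```python
"""Turn a STIG Viewer checklist (.ckl) into the report skeleton: status counts,
compliance score, CAT I Open items, and keep-open rules with a justification.

Added example, not STIG Viewer code; the checklist is a constructed minimal .ckl
with dummy Vuln_Num values and only the fields the report reads.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_TO_CAT = {"high": "I", "medium": "II", "low": "III"}

def parse_ckl(xml_text: str) -> list:
    """One dict per <VULN>. A SEVERITY_OVERRIDE (set in STIG Viewer together with a
    justification) replaces the published severity for reporting purposes."""
    root = ET.fromstring(xml_text)
    vulns = []
    for v in root.iter("VULN"):
        data = {sd.findtext("VULN_ATTRIBUTE"): (sd.findtext("ATTRIBUTE_DATA") or "")
                for sd in v.iter("STIG_DATA")}
        severity = (v.findtext("SEVERITY_OVERRIDE") or data.get("Severity", "")).lower()
        vulns.append({
            "stig_id": data.get("Rule_Ver", ""),
            "vuln_num": data.get("Vuln_Num", ""),
            "title": data.get("Rule_Title", ""),
            "cat": SEVERITY_TO_CAT.get(severity, "?"),
            "status": (v.findtext("STATUS") or "Not_Reviewed").strip(),
            "details": (v.findtext("FINDING_DETAILS") or "").strip(),
            "comments": (v.findtext("COMMENTS") or "").strip(),
        })
    return vulns

def compliance(vulns: list) -> dict:
    """Score = NotAFinding over assessable rules (N/A excluded). Not_Reviewed stays
    in the denominator: an unchecked rule is not compliant yet."""
    counts = Counter(v["status"] for v in vulns)
    assessable = len(vulns) - counts["Not_Applicable"]
    score = round(100 * counts["NotAFinding"] / assessable, 1) if assessable else 0.0
    return {"total": len(vulns), "counts": dict(counts), "assessable": assessable, "score": score}

def keep_open(vulns: list) -> list:
    # Open with a justification in COMMENTS. An Open rule with empty COMMENTS is an
    # unremediated finding, not an accepted risk.
    return [v for v in vulns if v["status"] == "Open" and v["comments"]]

def cat1_open(vulns: list) -> list:
    return [v for v in vulns if v["status"] == "Open" and v["cat"] == "I"]

def render(system: str, vulns: list) -> str:
    c = compliance(vulns)
    lines = [f"## STIG Audit - {system}", "", "### Compliance Score",
             f"- Total: {c['total']} STIG rules"]
    for status in ("NotAFinding", "Open", "Not_Applicable", "Not_Reviewed"):
        n = c["counts"].get(status, 0)
        lines.append(f"- {status}: {n} ({100 * n / c['total']:.1f}%)")
    lines.append(f"- Score (NotAFinding / assessable, N/A excluded): {c['score']}%")
    c1, ko = cat1_open(vulns), keep_open(vulns)
    lines += ["", f"### CAT I Open ({len(c1)})"]
    lines += [f"{i}. {v['stig_id']} {v['title']} [{v['details']}]" for i, v in enumerate(c1, 1)]
    lines += ["", f"### Keep-Open Justified ({len(ko)})"]
    lines += [f"{i}. {v['stig_id']} {v['title']}: {v['comments']}" for i, v in enumerate(ko, 1)]
    return "\n".join(lines)

def _vuln(num, stig_id, sev, title, status, details="", comments="", override=""):
    # Element order as STIG Viewer writes it: STIG_DATA*, STATUS, FINDING_DETAILS,
    # COMMENTS, SEVERITY_OVERRIDE, SEVERITY_JUSTIFICATION. Constructed sample data.
    fields = [("Vuln_Num", num), ("Severity", sev), ("Rule_Ver", stig_id), ("Rule_Title", title)]
    sd = "".join(f"<STIG_DATA><VULN_ATTRIBUTE>{k}</VULN_ATTRIBUTE>"
                 f"<ATTRIBUTE_DATA>{v}</ATTRIBUTE_DATA></STIG_DATA>" for k, v in fields)
    return (f"<VULN>{sd}<STATUS>{status}</STATUS><FINDING_DETAILS>{details}</FINDING_DETAILS>"
            f"<COMMENTS>{comments}</COMMENTS><SEVERITY_OVERRIDE>{override}</SEVERITY_OVERRIDE>"
            "<SEVERITY_JUSTIFICATION></SEVERITY_JUSTIFICATION></VULN>")

SAMPLE_CKL = (
    "<CHECKLIST><ASSET><HOST_NAME>web01</HOST_NAME></ASSET><STIGS><iSTIG>"
    + _vuln("V-000001", "RHEL-08-010020", "high", "FIPS mode enabled", "Open",
            details="fips-mode-setup --check: FIPS mode is disabled.")
    + _vuln("V-000002", "RHEL-08-010550", "medium", "SSH PermitRootLogin no", "Open",
            details="PermitRootLogin yes",
            comments="Keep-open: 5 compensating controls; approved by Security Manager; review every 6 months")
    + _vuln("V-000003", "RHEL-08-020230", "medium", "Password minimum length 15", "NotAFinding")
    + _vuln("V-000004", "RHEL-08-010140", "medium", "UEFI boot loader password", "Not_Applicable",
            details="Host boots via legacy BIOS; UEFI rule does not apply")
    + _vuln("V-000005", "RHEL-08-010370", "high", "Package signature verification (gpgcheck)", "Open",
            details="gpgcheck=0 in /etc/yum.repos.d/internal.repo", override="medium")
    + "</iSTIG></STIGS></CHECKLIST>"
)

if __name__ == "__main__":
    print(render("web01", parse_ckl(SAMPLE_CKL)))
```

Note the two edge cases in the sample: the gpgcheck rule is published as CAT I but carries a SEVERITY_OVERRIDE to medium, so it drops out of the CAT I list (the override justification should be reviewed, not silently accepted), and the FIPS finding has no COMMENTS, so it is reported as an open finding rather than an accepted risk.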

## Out-of-Scope

- Applying the hardening to production (the customer's sysadmins do that)
- Writing STIGs (DISA does that)
- Non-DISA frameworks (CIS Benchmarks, NIST 800-53: separate skill)
