Framework Reference

Ryan edited this page Jan 8, 2026 · 1 revision

This guide provides comprehensive documentation of the security frameworks, standards, and compliance requirements implemented by the Linux Security Audit Project, including authoritative sources, key concepts, and practical applications.

Framework Overview

The Linux Security Audit Project implements eight distinct security frameworks, each with specific focus areas, compliance requirements, and target audiences.

Framework Categories

Industry Standards:

  • CIS Benchmarks: Consensus-based security configurations
  • ISO/IEC 27001: International information security management standard

Government Frameworks:

  • NIST: Federal government and contractor requirements
  • DISA STIGs: Department of Defense security standards
  • NSA: Advanced security hardening and classified systems
  • CISA: Critical infrastructure protection

Regional Standards:

  • ENISA: European Union cybersecurity guidelines

Baseline:

  • Core: Industry best practices and vendor-specific guidance

Core Security Best Practices

Overview

Focus: Fundamental security baseline for all Linux systems
Authority: Industry consensus, vendor security guides
Applicability: Universal - all Linux environments

Standards Sources

Linux Foundation

  • Open Source Security Foundation (OpenSSF)
  • Linux Foundation Best Practices
  • Secure Software Development Fundamentals

URL: https://www.linuxfoundation.org/projects/security

Vendor Security Guides

Debian Security Manual

  • Debian-specific security configurations
  • Security update procedures
  • Package management security
  • Security advisories (DSA)

URL: https://www.debian.org/security/

Red Hat Security Guide

  • RHEL security best practices
  • SELinux implementation
  • Security advisories (RHSA)
  • Enterprise security configurations

URL: https://access.redhat.com/security/

Ubuntu Security Notices

  • Ubuntu-specific security updates
  • USN (Ubuntu Security Notice) tracking
  • AppArmor configuration
  • Security hardening guides

URL: https://ubuntu.com/security/notices

Security Standards Organizations

SANS Institute

  • Critical Security Controls (now CIS Controls)
  • System hardening guidelines
  • Security best practices

URL: https://www.sans.org/

OWASP (Open Web Application Security Project)

  • Application security guidelines
  • Security testing methodologies
  • Common vulnerabilities

URL: https://owasp.org/

Key Concepts

Defense in Depth

Multiple layers of security controls:

  1. Perimeter (firewall, network security)
  2. Host (system hardening, access control)
  3. Application (service security, sandboxing)
  4. Data (encryption, access controls)

Principle of Least Privilege

  • Minimal permissions for users and processes
  • Need-to-know access
  • Regular privilege reviews
  • Separation of duties

Secure by Default

  • Default deny policies
  • Minimal initial attack surface
  • Secure default configurations
  • Hardened baselines

Security Patch Management

  • Regular security updates
  • Vulnerability tracking
  • Timely patch application
  • Testing before deployment

Practical Application

The Core module checks are derived from:

  • OS vendor security documentation
  • Industry best practices consensus
  • Common security misconfigurations
  • Real-world security incidents

CIS Benchmarks

Overview

Full Name: Center for Internet Security Benchmarks
Authority: Center for Internet Security (CIS)
Version: CIS Benchmarks for Linux (Distribution-specific)
Applicability: All organizations seeking security baselines

About CIS

The Center for Internet Security is a nonprofit organization that develops consensus-based security configuration guidelines. CIS Benchmarks are created through a global community of cybersecurity experts.

URL: https://www.cisecurity.org/

CIS Benchmark Structure

Benchmark Organization

CIS Benchmark
├── Section 1: Initial Setup
│   ├── 1.1 Filesystem Configuration
│   ├── 1.2 Software Updates
│   ├── 1.3 Filesystem Integrity
│   ├── 1.4 Secure Boot
│   ├── 1.5 Process Hardening
│   └── 1.6 Mandatory Access Control
├── Section 2: Services
│   ├── 2.1 Time Synchronization
│   ├── 2.2 Special Purpose Services
│   └── 2.3 Service Clients
├── Section 3: Network Configuration
│   ├── 3.1 Network Parameters (Host)
│   ├── 3.2 Network Parameters (Host/Router)
│   ├── 3.3 IPv6
│   └── 3.4 Uncommon Protocols
├── Section 4: Logging and Auditing
│   ├── 4.1 System Accounting (auditd)
│   └── 4.2 Logging Configuration
├── Section 5: Access, Authentication, Authorization
│   ├── 5.1 Cron Configuration
│   ├── 5.2 SSH Configuration
│   ├── 5.3 PAM Configuration
│   ├── 5.4 User Accounts
│   ├── 5.5 Root Login Restrictions
│   └── 5.6 su Command Restrictions
└── Section 6: System Maintenance
    ├── 6.1 System File Permissions
    └── 6.2 User and Group Settings

Profile Levels

Level 1 (L1)

  • Purpose: Basic security with minimal impact
  • Characteristics: Low risk, practical for most systems
  • Impact: Minimal service disruption
  • Recommendation: All production systems

Example Controls:

  • Disable unused filesystems
  • Configure software updates
  • Set secure file permissions
  • Enable basic auditing
  • Configure SSH securely

Level 2 (L2)

  • Purpose: Defense-in-depth with higher security
  • Characteristics: More restrictive, potential operational impact
  • Impact: May affect functionality
  • Recommendation: High-security environments

Example Controls:

  • Separate partitions for all sensitive directories
  • Comprehensive audit logging
  • Strict access controls
  • Advanced network hardening
  • Mandatory Access Control (MAC)

Benchmark Versions

CIS provides distribution-specific benchmarks:

Ubuntu Linux:

  • CIS Ubuntu Linux 20.04 LTS Benchmark
  • CIS Ubuntu Linux 22.04 LTS Benchmark
  • CIS Ubuntu Linux 24.04 LTS Benchmark

Red Hat Enterprise Linux:

  • CIS Red Hat Enterprise Linux 7 Benchmark
  • CIS Red Hat Enterprise Linux 8 Benchmark
  • CIS Red Hat Enterprise Linux 9 Benchmark

Debian Linux:

  • CIS Debian Linux 10 Benchmark
  • CIS Debian Linux 11 Benchmark
  • CIS Debian Linux 12 Benchmark

Scoring Methodology

Scored Controls

  • Can be automatically verified
  • Pass/Fail determination
  • Counted in compliance score
  • Example: "Ensure SSH root login is disabled"

Not Scored Controls

  • Require manual verification
  • Organizational policy dependent
  • Guidance provided, not enforced
  • Example: "Ensure security policies are documented"

CISA Cybersecurity Guidance

Overview

Full Name: Cybersecurity and Infrastructure Security Agency
Authority: U.S. Department of Homeland Security
Focus: Critical infrastructure protection and cybersecurity
Applicability: Federal agencies, critical infrastructure, state/local governments

About CISA

CISA leads the national effort to understand, manage, and reduce risk to cyber and physical infrastructure. It provides cybersecurity guidance, tools, and services for government and private sector organizations.

URL: https://www.cisa.gov/

CISA Directive Types

Binding Operational Directives (BODs)

Compulsory directives for federal civilian executive branch agencies.

BOD 18-01: Enhanced Email and Web Security

  • DMARC implementation
  • Email authentication (SPF, DKIM)
  • Web security headers
  • HTTPS enforcement

URL: https://cyber.dhs.gov/bod/18-01/

BOD 19-02: Vulnerability Remediation Requirements

  • Critical vulnerability remediation within 15 days
  • High vulnerability remediation within 30 days
  • Vulnerability scanning requirements

URL: https://cyber.dhs.gov/bod/19-02/

BOD 20-01: Vulnerability Disclosure Policy

  • Develop vulnerability disclosure policy
  • Create security.txt file
  • Establish reporting mechanisms

URL: https://cyber.dhs.gov/bod/20-01/

BOD 22-01: Known Exploited Vulnerabilities

  • Remediate KEV catalog vulnerabilities
  • Track actively exploited vulnerabilities
  • Automated patch management

URL: https://www.cisa.gov/known-exploited-vulnerabilities

BOD 23-01: Asset Visibility and Vulnerability Detection

  • Comprehensive asset inventory
  • Vulnerability detection capabilities
  • Network segmentation verification

URL: https://www.cisa.gov/news-events/directives/bod-23-01

Emergency Directives (EDs)

Require immediate action due to known or actively exploited vulnerabilities.

Characteristics:

  • Issued for critical threats
  • Immediate compliance required
  • Time-sensitive actions
  • Address zero-day vulnerabilities

Recent Examples:

  • ED 21-01: Mitigate Microsoft Exchange vulnerabilities
  • ED 22-02: Mitigate Apache Log4j vulnerabilities
  • ED 23-02: Mitigate Ivanti vulnerabilities

URL: https://www.cisa.gov/emergency-directives

Known Exploited Vulnerabilities (KEV) Catalog

Purpose: Prioritize vulnerabilities based on active exploitation

Inclusion Criteria:

  1. Assigned CVE ID
  2. Known exploited in the wild
  3. Remediation action available

URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CISA Security Frameworks

Cross-Sector Cybersecurity Performance Goals (CPGs)

Voluntary baseline cybersecurity practices for critical infrastructure.

Focus Areas:

  • Account security
  • Device security
  • Data security
  • Governance and training
  • Vulnerability management
  • Supply chain security

URL: https://www.cisa.gov/cpg

CISA Insights

Regular threat intelligence and mitigation guidance.

Topics:

  • Ransomware guidance
  • Phishing defense
  • Insider threat mitigation
  • Supply chain security
  • Cloud security

URL: https://www.cisa.gov/insights

Critical Infrastructure Sectors

CISA provides sector-specific guidance for:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors
  • Transportation Systems
  • Water and Wastewater

ENISA Cybersecurity Guidelines

Overview

Full Name: European Union Agency for Cybersecurity
Authority: European Union
Focus: EU-wide cybersecurity policy and standards
Applicability: EU member states, organizations operating in EU

About ENISA

ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services, and processes, and cooperates with EU member states and institutions to develop a culture of network and information security.

URL: https://www.enisa.europa.eu/

ENISA Framework Coverage

Baseline Security Recommendations

Core security measures for all organizations.

Categories:

  • Organizational security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development, and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

URL: https://www.enisa.europa.eu/topics/cybersecurity-policy

Threat Landscape

Annual report on cybersecurity threats affecting the EU.

ENISA Threat Landscape (ETL) Topics:

  • Ransomware
  • Malware
  • Social engineering
  • Data-related threats
  • DDoS attacks
  • Supply chain attacks
  • Identity theft

URL: https://www.enisa.europa.eu/topics/cyber-threats

Good Practices

Secure Software Development:

  • Secure coding practices
  • Security testing integration
  • DevSecOps guidelines
  • Supply chain security

Cloud Security:

  • Cloud security certification schemes
  • Secure cloud adoption
  • Multi-cloud security
  • Cloud incident response

IoT Security:

  • IoT security baseline
  • Secure lifecycle management
  • IoT risk assessment
  • Device certification

URL: https://www.enisa.europa.eu/topics/

EU Regulations Alignment

NIS2 Directive

Network and Information Security Directive (revised).

Requirements:

  • Risk management measures
  • Business continuity
  • Supply chain security
  • Incident handling
  • Vulnerability disclosure

URL: https://www.enisa.europa.eu/topics/nis-directive

GDPR Alignment

General Data Protection Regulation security requirements.

Security Principles:

  • Security of processing (Article 32)
  • Data protection by design and default
  • Personal data breach notification
  • Data protection impact assessment

URL: https://gdpr.eu/

Cybersecurity Act

EU-wide certification framework for ICT products and services.

Assurance Levels:

  • Basic
  • Substantial
  • High

URL: https://www.enisa.europa.eu/topics/eu-cybersecurity-certification-framework

ENISA Publications

Cybersecurity Guide for SMEs:

  • Practical security measures
  • Budget-conscious solutions
  • Risk-based approach
  • Step-by-step implementation

5G Cybersecurity Standards:

  • 5G network security
  • Edge computing security
  • Network slicing security

Incident Response Guidelines:

  • Incident classification
  • Response procedures
  • Information sharing
  • Recovery strategies

ISO/IEC 27001

Overview

Full Name: ISO/IEC 27001:2022 Information Security Management
Authority: International Organization for Standardization (ISO)
Version: ISO/IEC 27001:2022 (current), ISO/IEC 27001:2013 (previous)
Applicability: Global - all organizations implementing ISMS

About ISO 27001

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.

URL: https://www.iso.org/isoiec-27001-information-security.html

ISO 27001:2022 Structure

Core Components

Clauses 4-10: ISMS Requirements

  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

Annex A: Information Security Controls

  • 93 controls organized into 4 themes
  • Controls are derived from ISO/IEC 27002:2022

Annex A Control Categories

Organizational Controls (37 controls)

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Supplier relationships

Example Controls:

  • A.5.1: Policies for information security
  • A.5.7: Threat intelligence
  • A.5.23: Information security for cloud services
  • A.5.37: Documented operating procedures

People Controls (8 controls)

  • Pre-employment screening
  • Terms and conditions of employment
  • Information security awareness
  • Disciplinary process

Example Controls:

  • A.6.1: Screening
  • A.6.2: Terms and conditions of employment
  • A.6.3: Information security awareness, education, and training
  • A.6.8: Information security event reporting

Physical Controls (14 controls)

  • Physical security perimeters
  • Physical entry controls
  • Securing offices, rooms, and facilities
  • Protecting against threats
  • Equipment security

Example Controls:

  • A.7.1: Physical security perimeters
  • A.7.2: Physical entry
  • A.7.4: Physical security monitoring
  • A.7.7: Clear desk and clear screen

Technological Controls (34 controls)

  • User endpoint devices
  • Privileged access rights
  • Information access restriction
  • Secure authentication
  • Cryptographic controls
  • Network security
  • Secure development

Example Controls:

  • A.8.1: User endpoint devices
  • A.8.2: Privileged access rights
  • A.8.3: Information access restriction
  • A.8.5: Secure authentication
  • A.8.9: Configuration management
  • A.8.24: Use of cryptography

ISO/IEC 27002:2022

Companion Standard: Code of practice providing implementation guidance for ISO 27001 Annex A controls.

Structure:

  • Detailed implementation guidance
  • Purpose and control objective
  • Guidance sections
  • Additional information

URL: https://www.iso.org/standard/75652.html

Certification Process

Steps to ISO 27001 Certification:

  1. Gap analysis against standard
  2. ISMS implementation
  3. Internal audit
  4. Management review
  5. Stage 1 audit (documentation review)
  6. Stage 2 audit (implementation verification)
  7. Certification decision
  8. Surveillance audits (annual)
  9. Recertification (every 3 years)

Related Standards

ISO/IEC 27000 Family:

  • 27000: Vocabulary and overview
  • 27001: Requirements (certifiable)
  • 27002: Code of practice
  • 27003: ISMS implementation guidance
  • 27004: Monitoring, measurement, analysis, and evaluation
  • 27005: Information security risk management
  • 27017: Cloud services information security
  • 27018: Cloud privacy
  • 27701: Privacy information management

NIST Frameworks

Overview

Full Name: National Institute of Standards and Technology
Authority: U.S. Department of Commerce
Focus: Federal information security standards and guidelines
Applicability: Federal agencies, contractors, critical infrastructure

About NIST

NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public.

URL: https://www.nist.gov/cybersecurity

NIST SP 800-53 Rev 5

Full Title: Security and Privacy Controls for Information Systems and Organizations

Purpose: Comprehensive catalog of security and privacy controls for federal information systems and organizations.

URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Control Families (20 families)

Access Control (AC): Account management, access enforcement, least privilege
Awareness and Training (AT): Security awareness, role-based training
Audit and Accountability (AU): Audit logging, review, retention
Assessment, Authorization, and Monitoring (CA): Security assessments, continuous monitoring
Configuration Management (CM): Baseline configurations, change control
Contingency Planning (CP): Incident response, disaster recovery
Identification and Authentication (IA): User and device identification
Incident Response (IR): Incident handling, reporting
Maintenance (MA): System maintenance, tools
Media Protection (MP): Media access, storage, transport
Physical and Environmental Protection (PE): Physical access, monitoring
Planning (PL): Security planning, rules of behavior
Program Management (PM): Security program management
Personnel Security (PS): Position categorization, screening
PII Processing and Transparency (PT): Privacy controls
Risk Assessment (RA): Risk assessment, vulnerability scanning
System and Services Acquisition (SA): Acquisition process, supply chain
System and Communications Protection (SC): Application partitioning, boundary protection
System and Information Integrity (SI): Flaw remediation, malicious code protection
Supply Chain Risk Management (SR): Supply chain security

Control Baselines

Low Impact: Basic protection (53 controls)
Moderate Impact: Moderate protection (325 controls)
High Impact: High protection (421 controls)

Control Enhancement Levels

  • Base control
  • Enhancements (1), (2), (3), etc.
  • Example: AC-2(1), AC-2(2)

NIST Cybersecurity Framework (CSF) 2.0

Full Title: Framework for Improving Critical Infrastructure Cybersecurity

Purpose: Voluntary framework for managing cybersecurity risks.

URL: https://www.nist.gov/cyberframework

CSF 2.0 Functions

Govern (GV): NEW in CSF 2.0

  • Organizational context
  • Risk management strategy
  • Roles, responsibilities, and authorities
  • Policy
  • Oversight
  • Cybersecurity supply chain risk management

Identify (ID):

  • Asset Management (ID.AM)
  • Risk Assessment (ID.RA)
  • Improvement (ID.IM)

Protect (PR):

  • Identity Management, Authentication and Access Control (PR.AA)
  • Awareness and Training (PR.AT)
  • Data Security (PR.DS)
  • Platform Security (PR.PS)
  • Technology Infrastructure Resilience (PR.IR)

Detect (DE):

  • Continuous Monitoring (DE.CM)
  • Adverse Event Analysis (DE.AE)

Respond (RS):

  • Incident Management (RS.MA)
  • Incident Analysis (RS.AN)
  • Incident Response Reporting and Communication (RS.CO)
  • Incident Mitigation (RS.MI)

Recover (RC):

  • Incident Recovery Plan Execution (RC.RP)
  • Incident Recovery Communication (RC.CO)

Implementation Tiers

Tier 1: Partial

  • Risk management is ad hoc
  • Limited awareness
  • Reactive approach

Tier 2: Risk Informed

  • Risk management practices approved but not policy
  • Awareness exists but not formalized
  • Some processes in place

Tier 3: Repeatable

  • Risk management practices are formal policy
  • Organization-wide awareness
  • Consistent implementation

Tier 4: Adaptive

  • Proactive risk management
  • Continuous improvement
  • Advanced and innovative practices

NIST SP 800-171 Rev 2

Full Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Purpose: Protect Controlled Unclassified Information (CUI) in non-federal systems.

URL: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

14 Requirement Families (110 requirements)

  1. Access Control (AC): 22 requirements
  2. Awareness and Training (AT): 3 requirements
  3. Audit and Accountability (AU): 9 requirements
  4. Configuration Management (CM): 9 requirements
  5. Identification and Authentication (IA): 11 requirements
  6. Incident Response (IR): 5 requirements
  7. Maintenance (MA): 5 requirements
  8. Media Protection (MP): 7 requirements
  9. Personnel Security (PS): 2 requirements
  10. Physical Protection (PE): 6 requirements
  11. Risk Assessment (RA): 3 requirements
  12. Security Assessment (CA): 7 requirements
  13. System and Communications Protection (SC): 17 requirements
  14. System and Information Integrity (SI): 7 requirements

Applicability

Required for:

  • Federal contractors handling CUI
  • Defense Industrial Base (DIB)
  • Organizations with Federal Acquisition Regulation (FAR) contracts
  • DFARS 252.204-7012 compliance

NIST Special Publications

Key Security Publications:

  • SP 800-53: Security controls catalog
  • SP 800-171: CUI protection
  • SP 800-37: Risk Management Framework
  • SP 800-30: Risk assessment guide
  • SP 800-61: Incident handling guide
  • SP 800-115: Technical security testing
  • SP 800-190: Container security

URL: https://csrc.nist.gov/publications/sp

NSA Cybersecurity Guidance

Overview

Full Name: National Security Agency Cybersecurity Directorate
Authority: U.S. National Security Agency
Focus: Defense-grade security, classified systems, advanced threats
Applicability: DoD, Intelligence Community, NSS, defense contractors

About NSA Cybersecurity

NSA Cybersecurity prevents and eradicates threats to U.S. national security systems with an integrated approach that includes strong cyber defense, integrated cyber intelligence, and resilient solutions.

URL: https://www.nsa.gov/What-We-Do/Cybersecurity/

NSA Key Technologies

Security-Enhanced Linux (SELinux)

Development: Created by NSA
Purpose: Mandatory Access Control (MAC) for Linux
Status: Integrated into Linux kernel

Key Features:

  • Mandatory access controls
  • Role-based access control (RBAC)
  • Type enforcement (TE)
  • Multi-level security (MLS)
  • Multi-category security (MCS)

URL: https://www.nsa.gov/What-We-Do/Research/SELinux/

SELinux Modes:

  • Enforcing: Denies access based on policy
  • Permissive: Logs but doesn't deny (testing mode)
  • Disabled: SELinux not active

SELinux Policies:

  • Targeted: Default policy, selected processes confined
  • Strict: All processes confined
  • MLS: Multi-level security policy

Commercial Solutions for Classified (CSfC)

Purpose: NSA-approved commercial products to protect classified information.

Components Program: List of approved products that can be layered for classified protection.

Capability Packages: Guidance on layering commercial products.

URL: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/

NSA Cybersecurity Guidance Documents

Cybersecurity Technical Reports (CTRs)

Topics:

  • System hardening
  • Network security
  • Cryptography
  • Insider threat mitigation
  • Supply chain security

Recent CTRs:

  • Linux Hardening Guidance
  • Kubernetes Hardening Guidance
  • Network Infrastructure Security Guidance
  • Securing Wireless Devices
  • Mitigating Cloud Vulnerabilities

URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/

Cybersecurity Information Sheets (CSIs)

Quick-reference security guidance on specific topics.

Topics:

  • Secure communications
  • Authentication best practices
  • Zero trust principles
  • Encrypted DNS
  • Software supply chain

URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/

Cybersecurity Advisories

Time-sensitive information about cyber threats and vulnerabilities.

Types:

  • CVE-based advisories
  • Threat actor TTPs
  • Mitigation guidance
  • Detection signatures

URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/

NSA Security Configuration Guides

Operating System Hardening

  • Linux hardening
  • Windows hardening
  • Network device hardening
  • Mobile device security

Application Security

  • Web server security
  • Database security
  • Email security
  • DNS security

Network Security

  • Network segmentation
  • Boundary protection
  • Secure protocols
  • IPsec and VPN

Cryptographic Standards

NSA works with NIST on cryptographic standards:

  • Suite B Cryptography (legacy): RSA, ECC, SHA, AES
  • Commercial National Security Algorithm (CNSA) Suite: Post-quantum preparation
  • FIPS 140-2/140-3: Cryptographic module validation

URL: https://www.nsa.gov/Cybersecurity/Cryptographic-Capabilities/

DISA STIGs

Overview

Full Name: Defense Information Systems Agency Security Technical Implementation Guides
Authority: U.S. Department of Defense
Focus: DoD security requirements for information systems
Applicability: DoD systems, defense contractors, federal agencies

About DISA

The Defense Information Systems Agency (DISA) provides IT and communications support to the President, Vice President, Secretary of Defense, and other DoD components.

URL: https://public.cyber.mil/

STIG Overview

STIGs are configuration standards for DoD systems. They contain technical guidance to "lock down" information systems to protect against threats.

URL: https://public.cyber.mil/stigs/

STIG Structure

Finding Severity Categories

CAT I (High/Critical):

  • Severity: High
  • Description: Vulnerabilities that allow an attacker to compromise the system
  • Remediation: Immediate
  • Impact: Loss of confidentiality, integrity, or availability
  • Example: Default passwords, unpatched critical vulnerabilities

CAT II (Medium):

  • Severity: Medium
  • Description: Vulnerabilities that could result in compromise
  • Remediation: Within 30 days
  • Impact: Potential loss of confidentiality, integrity, or availability
  • Example: Weak authentication, insufficient logging

CAT III (Low):

  • Severity: Low
  • Description: Vulnerabilities that degrade security
  • Remediation: Within 90 days
  • Impact: Minor security degradation
  • Example: Missing security banners, incomplete documentation

STIG Components

Vulnerability ID (VID): Unique identifier (V-XXXXXX)
Rule ID: STIG rule identifier (SV-XXXXXX)
STIG ID: Control identifier
Severity: CAT I, CAT II, or CAT III
Check Text: How to verify compliance
Fix Text: How to remediate
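As an added example (not code from the Linux Security Audit Project or DISA), the parser below pulls these components out of an XCCDF 1.2 benchmark fragment and maps each rule's severity to the CAT I/II/III categories and remediation windows listed above. The XML is a constructed sample: V-204392 is taken from this page's mapping table, and every other identifier and text in it is a placeholder.

```python
"""Extract the STIG components listed above (V-ID, rule ID, STIG ID, severity,
check text, fix text) from an XCCDF 1.2 benchmark and map severity to CAT.

Added example, not code from the Linux Security Audit Project or DISA. The XML
is a constructed fragment: V-204392 comes from this page's mapping table; every
other identifier and text in it is a placeholder.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, timedelta

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# <Rule severity="..."> maps onto the finding categories listed above.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
# Remediation windows in days from the category list above (CAT I: immediate).
REMEDIATION_DAYS = {"CAT I": 0, "CAT II": 30, "CAT III": 90}

SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_sample_benchmark">
  <title>Constructed sample STIG</title>
  <Group id="V-000001">
    <Rule id="SV-000001r0_rule" severity="high">
      <version>SAMPLE-01-000001</version>
      <title>Vendor default passwords must be changed.</title>
      <check system="C-000001r0_chk">
        <check-content>Verify no account still uses a default password.</check-content>
      </check>
      <fixtext fixref="F-000001r0_fix">Set a unique password on each account.</fixtext>
    </Rule>
  </Group>
  <Group id="V-204392">
    <Rule id="SV-204392r0_rule" severity="medium">
      <version>SAMPLE-01-000002</version>
      <title>Passwords must be at least 15 characters long.</title>
      <check system="C-204392r0_chk">
        <check-content>Verify minlen in /etc/security/pwquality.conf is 15 or more.</check-content>
      </check>
      <fixtext fixref="F-204392r0_fix">Set "minlen = 15" in /etc/security/pwquality.conf.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000003">
    <Rule id="SV-000003r0_rule" severity="low">
      <version>SAMPLE-01-000003</version>
      <title>A logon banner must be displayed.</title>
      <check system="C-000003r0_chk">
        <check-content>Verify /etc/issue contains the approved banner text.</check-content>
      </check>
      <fixtext fixref="F-000003r0_fix">Write the approved banner text to /etc/issue.</fixtext>
    </Rule>
  </Group>
</Benchmark>
"""

@dataclass(frozen=True)
class StigFinding:
    vuln_id: str     # Vulnerability ID (V-XXXXXX): the <Group> id
    rule_id: str     # Rule ID (SV-XXXXXX..._rule): the <Rule> id
    stig_id: str     # STIG ID: the <Rule><version> text
    severity: str    # raw severity attribute from the rule
    category: str    # CAT I / CAT II / CAT III
    title: str
    check_text: str  # Check Text: how to verify compliance
    fix_text: str    # Fix Text: how to remediate

def _text(elem: ET.Element | None) -> str:
    return (elem.text or "").strip() if elem is not None else ""

def parse_stig(xml_text: str) -> list[StigFinding]:
    """Walk every <Group>/<Rule> pair and collect the STIG components."""
    ns = {"x": XCCDF_NS}
    findings = []
    for group in ET.fromstring(xml_text).iter(f"{{{XCCDF_NS}}}Group"):
        rule = group.find("x:Rule", ns)
        if rule is None:  # a Group without a Rule carries no finding
            continue
        severity = (rule.get("severity") or "").lower()
        findings.append(StigFinding(
            vuln_id=group.get("id", ""),
            rule_id=rule.get("id", ""),
            stig_id=_text(rule.find("x:version", ns)),
            severity=severity,
            category=SEVERITY_TO_CAT.get(severity, "UNCATEGORIZED"),
            title=_text(rule.find("x:title", ns)),
            check_text=_text(rule.find("x:check/x:check-content", ns)),
            fix_text=_text(rule.find("x:fixtext", ns)),
        ))
    return findings

def remediation_due(finding: StigFinding, assessed_iso: str) -> str | None:
    """ISO date the fix is due under the category windows; None if uncategorized."""
    days = REMEDIATION_DAYS.get(finding.category)
    if days is None:
        return None
    return (date.fromisoformat(assessed_iso) + timedelta(days=days)).isoformat()
```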

Linux STIG Coverage

Operating System STIGs

Red Hat Enterprise Linux (RHEL):

  • RHEL 7 STIG
  • RHEL 8 STIG
  • RHEL 9 STIG

URL: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux

Ubuntu:

  • Ubuntu 20.04 LTS STIG
  • Ubuntu 22.04 LTS STIG

General Purpose Operating System STIG:

  • Applies to various Linux distributions
  • Generic Unix/Linux guidance

STIG Requirements Categories

Access Control:

  • Account management
  • Access enforcement
  • Least privilege
  • Remote access

Audit and Accountability:

  • Audit generation
  • Audit review
  • Audit protection
  • Clock synchronization

Identification and Authentication:

  • User identification
  • Device identification
  • Authenticator management
  • Session controls

System and Information Integrity:

  • Flaw remediation
  • Malicious code protection
  • System monitoring
  • Software integrity

Configuration Management:

  • Baseline configuration
  • Change control
  • Least functionality
  • Security settings

System and Communications Protection:

  • Application separation
  • Cryptographic protection
  • Network security
  • Session management

Security Requirements Guide (SRG)

Purpose: High-level security requirements that STIGs implement.

Hierarchy:

DoD Instruction 8500.01
    ↓
Security Requirements Guide (SRG)
    ↓
Security Technical Implementation Guide (STIG)

URL: https://public.cyber.mil/stigs/srg-stig-tools/

STIG Compliance Tools

SCC (SCAP Compliance Checker)

DISA's official STIG compliance scanning tool.

Features:

  • Automated STIG compliance checking
  • SCAP 1.2/1.3 support
  • Results in CKL format

URL: https://public.cyber.mil/stigs/scap/

STIG Viewer

View and manage STIG checklists.

Features:

  • Read XCCDF and CKL files
  • Create checklist files
  • Export reports

URL: https://public.cyber.mil/stigs/srg-stig-tools/

Assessment and Authorization (A&A)

STIGs are part of the Risk Management Framework (RMF) process:

  1. Categorize: Determine system impact level
  2. Select: Choose security controls
  3. Implement: Apply STIGs
  4. Assess: Verify STIG compliance
  5. Authorize: ATO decision
  6. Monitor: Continuous monitoring

Framework Comparison

Comparative Analysis

| Framework   | Prescriptive | Risk-Based | Certification | Global | U.S. Federal | Defense/Intel |
|-------------|--------------|------------|---------------|--------|--------------|---------------|
| Core        | Low          | High       | No            | Yes    | No           | No            |
| CIS         | Medium       | Medium     | No            | Yes    | No           | No            |
| CISA        | Medium       | High       | No            | Yes    | Yes          | Partial       |
| ENISA       | Low          | High       | No            | EU     | No           | No            |
| ISO 27001   | Medium       | High       | Yes           | Yes    | No           | No            |
| NIST 800-53 | High         | Medium     | No            | No     | Yes          | Yes           |
| NIST CSF    | Low          | High       | No            | Yes    | Partial      | No            |
| NSA         | High         | Medium     | No            | No     | Yes          | Yes           |
| STIG        | Very High    | Low        | No            | No     | Yes          | Yes           |

Framework Selection Guide

For General Organizations:

Start with: Core + CIS
Add for certification: ISO 27001
Add for best practices: NIST CSF

For U.S. Federal Agencies:

Required: NIST 800-53 + CISA directives
Add: NIST CSF
Defense: Add STIG + NSA

For Defense Contractors:

Required: STIG + NIST 800-171
Recommended: NSA + CISA
Foundation: Core + CIS

For EU Organizations:

Required: ENISA (if critical infrastructure)
Add for certification: ISO 27001
Foundation: Core + CIS

For Critical Infrastructure:

U.S.: CISA + NIST CSF + CIS
EU: ENISA + ISO 27001 + CIS
Defense: Add NSA + STIG

Compliance Mapping

Control Mapping Examples

Common security controls across frameworks:

Password Policy

| Framework   | Control ID      | Requirement                       |
|-------------|-----------------|-----------------------------------|
| Core        | Password Policy | Complexity, aging, history        |
| CIS         | 5.4.1           | Password expiration ≤ 365 days    |
| ISO 27001   | A.9.4.3         | Password management system        |
| NIST 800-53 | IA-5            | Authenticator management          |
| STIG        | V-204392        | Password minimum length 15 chars  |

Audit Logging

| Framework   | Control ID    | Requirement                      |
|-------------|---------------|----------------------------------|
| Core        | Audit Logging | Comprehensive logging enabled    |
| CIS         | 4.1           | auditd installed and enabled     |
| ISO 27001   | A.12.4.1      | Event logging                    |
| NIST 800-53 | AU-2          | Audit events                     |
| NIST CSF    | DE.CM         | Continuous monitoring            |
| STIG        | V-204486      | Audit events for account access  |

Encryption

| Framework   | Control ID             | Requirement                        |
|-------------|------------------------|------------------------------------|
| Core        | Data Protection        | Encryption at rest and in transit  |
| CIS         | Multiple               | Cryptographic configuration        |
| ENISA       | Cryptographic Controls | Strong cryptography                |
| ISO 27001   | A.10.1                 | Cryptographic controls             |
| NIST 800-53 | SC-8                   | Transmission confidentiality       |
| NSA         | Crypto Standards       | CNSA Suite algorithms              |
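The following added example (not the project's own code) turns the Password Policy and Audit Logging mapping tables above into runnable checks, tags each result with the control IDs every framework maps to it, and scores the run pass/fail in the way the CIS Scoring Methodology section describes. The login.defs and pwquality.conf contents and the auditd service states are constructed samples; the service states are assumed to be the words `systemctl is-enabled` / `is-active` print.

```python
"""Audit host settings against the control mapping tables above and score them
pass/fail as in the CIS Scoring Methodology section.

Added example, not code from the Linux Security Audit Project. Thresholds and
control IDs are those of the Password Policy and Audit Logging tables; the file
contents and auditd service states below are constructed samples.
"""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    framework: str
    control_id: str

# Controls each check satisfies, copied from the mapping tables above.
MAPPED_CONTROLS = {
    "password_max_days": (Control("Core", "Password Policy"), Control("CIS", "5.4.1"),
                          Control("ISO 27001", "A.9.4.3"), Control("NIST 800-53", "IA-5")),
    "password_min_length": (Control("Core", "Password Policy"), Control("NIST 800-53", "IA-5"),
                            Control("STIG", "V-204392")),
    "auditd_enabled": (Control("Core", "Audit Logging"), Control("CIS", "4.1"),
                       Control("ISO 27001", "A.12.4.1"), Control("NIST 800-53", "AU-2"),
                       Control("NIST CSF", "DE.CM")),
}

@dataclass(frozen=True)
class Finding:
    check: str
    passed: bool                   # scored control: pass/fail
    controls: tuple[Control, ...]

def parse_config(text: str) -> dict[str, str]:
    """Parse login.defs ("KEY value") or pwquality.conf ("key = value") lines."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        else:
            parts = line.split(None, 1)      # space- or tab-separated
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings[key.strip()] = value.strip()  # a later line overrides an earlier one
    return settings

def _as_int(value: str | None) -> int | None:
    try:
        return int(value) if value is not None else None
    except ValueError:                       # e.g. "abc" or an empty value
        return None

def check_password_max_days(login_defs: dict[str, str]) -> bool:
    """CIS 5.4.1 as mapped above: PASS_MAX_DAYS set and no more than 365."""
    days = _as_int(login_defs.get("PASS_MAX_DAYS"))
    return days is not None and 0 < days <= 365  # added guard: 0 or less disables aging

def check_password_min_length(pwquality: dict[str, str]) -> bool:
    """STIG V-204392 as mapped above: minlen must be 15 or more."""
    minlen = _as_int(pwquality.get("minlen"))
    return minlen is not None and minlen >= 15

def check_auditd_enabled(installed: bool, enabled_state: str, active_state: str) -> bool:
    """CIS 4.1 as mapped above: auditd installed, enabled at boot and running.
    The two states are what `systemctl is-enabled auditd` / `is-active auditd` print."""
    return installed and enabled_state == "enabled" and active_state == "active"

def run_audit(login_defs_text: str, pwquality_text: str, auditd_installed: bool,
              auditd_enabled: str, auditd_active: str) -> list[Finding]:
    login_defs, pwquality = parse_config(login_defs_text), parse_config(pwquality_text)
    results = {
        "password_max_days": check_password_max_days(login_defs),
        "password_min_length": check_password_min_length(pwquality),
        "auditd_enabled": check_auditd_enabled(auditd_installed, auditd_enabled, auditd_active),
    }
    return [Finding(name, ok, MAPPED_CONTROLS[name]) for name, ok in results.items()]

def compliance_score(findings: list[Finding]) -> float:
    """Percentage of scored checks that passed, to one decimal place."""
    if not findings:
        return 0.0
    return round(100.0 * sum(f.passed for f in findings) / len(findings), 1)

def failed_controls(findings: list[Finding]) -> dict[str, list[str]]:
    """Control IDs per framework that a failed check leaves unsatisfied."""
    out: dict[str, list[str]] = {}
    for f in findings:
        if f.passed:
            continue
        for c in f.controls:
            if c.control_id not in out.setdefault(c.framework, []):
                out[c.framework].append(c.control_id)
    return out

# Constructed samples: a stock install (no aging, minlen commented out) and a hardened one.
STOCK_LOGIN_DEFS = "# /etc/login.defs\nPASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n"
STOCK_PWQUALITY = "# /etc/security/pwquality.conf\n# minlen = 8\ndictcheck = 1\n"
HARDENED_LOGIN_DEFS = "PASS_MAX_DAYS 365\nPASS_MIN_DAYS 1\nPASS_WARN_AGE 7\n"
HARDENED_PWQUALITY = "minlen = 15\ndictcheck = 1\n"
```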

Compliance Attestation

Organizations often need to attest compliance to multiple frameworks:

Example: Financial Services Company

  • Required: ISO 27001 (certification)
  • Required: SOX (Sarbanes-Oxley)
  • Industry: PCI-DSS
  • Foundation: CIS Benchmarks

Implementation: Use Core + CIS as baseline, implement ISO 27001 ISMS, map to PCI-DSS

Example: Defense Contractor

  • Required: NIST 800-171 (CUI protection)
  • Required: DFARS 252.204-7012
  • Required: STIGs (contract-specific)
  • Recommended: NSA guidance

Implementation: Implement STIGs fully, verify NIST 800-171 compliance, add NSA hardening
