Tool
Web Service
Governance, Risk, and Compliance (GRC)

stig-manager

by allamiro

1 star
0 forks
1 watcher
Updated over 1 year ago
About

STIG Manager is a Docker-based tool for managing Security Technical Implementation Guides (STIGs) with proxy support via NGINX for secure access.

stig manager setup with proxy

Primary Use Case

This tool is designed for security and compliance teams to automate and manage compliance auditing using STIGs in a containerized environment. It simplifies deployment through Docker and Docker Compose, enabling integration into DevSecOps workflows with secure access via an NGINX reverse proxy.

Key Features
  • Containerized deployment using Docker and Docker Compose
  • Supports reverse proxy configuration with NGINX for TLS encryption
  • Automates compliance auditing based on STIG standards
  • Facilitates integration into DevSecOps pipelines
  • Cross-platform installation instructions for Ubuntu, RHEL, Windows, and Mac
  • Environment variable configuration for flexible setup

Installation

  • Install Docker and Docker Compose on your system (Ubuntu, RHEL, Windows, or Mac)
  • For Ubuntu: update package index and install prerequisites
  • Add Docker’s official GPG key and repository
  • Install Docker CE and start the Docker service
  • For RHEL: remove old Docker versions, install yum-utils, add Docker repo, install Docker CE, start and enable Docker
  • Download and install Docker Compose binary and set executable permissions
  • Clone the stig-manager repository: git clone https://github.com/allamiro/stig-manager.git
  • Navigate to the cloned directory: cd stig-manager
  • Update environment variables in the .env file as needed
  • Start the services using Docker Compose: docker-compose up -d

Usage

>_ sudo apt update

Update package index on Ubuntu

>_ sudo apt install apt-transport-https ca-certificates curl software-properties-common

Install packages required for Docker repository over HTTPS

>_ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

Add Docker’s official GPG key

>_ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

Add Docker repository to APT sources

>_ sudo apt install docker-ce

Install Docker Community Edition

>_ sudo curl -L "https://github.com/docker/compose/releases/download/v2.5.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

Download Docker Compose binary

>_ sudo chmod +x /usr/local/bin/docker-compose

Make Docker Compose binary executable

>_ git clone https://github.com/allamiro/stig-manager.git

Clone the STIG Manager repository

>_ cd stig-manager

Navigate into the cloned repository directory

>_ docker-compose up -d

Start STIG Manager services in detached mode

>_ docker-compose ps

Verify that Docker containers are running

>_ openssl genrsa -out mydomain.key 2048

Generate a private key for SSL certificate

>_ openssl req -new -key mydomain.key -out mydomain.csr

Generate a Certificate Signing Request (CSR)

>_ openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Generate a private key and CSR in one step; -nodes leaves the key unencrypted, so there is no passphrase prompt

>_ openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt

Create a self-signed SSL certificate

Security Frameworks
Reconnaissance
Defense Evasion
Collection
Discovery
Impact
Usage Insights
  • Integrate STIG Manager into CI/CD pipelines to automate compliance checks and reduce manual auditing overhead.
  • Leverage the NGINX reverse proxy setup to enforce TLS encryption, enhancing secure access to compliance dashboards.
  • Use containerized deployment to quickly spin up isolated compliance environments for testing and validation.
  • Combine with vulnerability scanning tools to correlate STIG compliance with vulnerability data for prioritized remediation.
  • Automate reporting and alerting to notify security teams of compliance drift or configuration deviations in near real-time.


Security Profile
Red Team: 30%
Blue Team: 90%
Purple Team: 70%
Details
License: Other
Language: HTML
Open Issues: 0
Topics
accreditation
disa
emass
security-audit
srg
stig
stig-manager