Welcome to the General Services Administration Security Benchmarks repository. Here you can find items to help implement GSA Security Benchmarks, Infrastructure As Code, and other tools for our DevSecOps work.

The GSA publishes security guides for various operating systems and applications commonly used at the agency. For more information, please refer to the published guides on insite.gsa.gov (only accessible with GSA account).

Only accessible with GSA account.

• GSA Security Benchmarks
  • IT Security Technical Guides and Standards - Documents outlining the general use and standards for security baselines.
  • Security Benchmark Workbooks - Individual workbooks listing the applicable security settings.
• Tenable Nessus Audit Files - Custom audit files for use with Tenable Security Center or Nessus Vulnerability Scanner

For questions or comments, please email [email protected].

The DevSecOps Example is a good starting point for understanding how all the various pieces fit together. The components are at varying levels of "completion" - see the README and open issues in the respective repository for more details. Feedback more than welcome!

• Base Infrastructure
• EKK (logging) stack
• Jenkins
• AWS VPC flow logs

• Jenkins
• Nessus
• NGINX HTTPS proxy
• OSSEC

Work in progress.

Recommended tools to use on every server, though you are not limited to the options this list (only accessible with GSA account).

Work in progress.

This repository also contains code to build the base server images with all the agents etc. installed.

1. Set up the AWS CLI.

   1. Install
   2. Configure

2. Install additional dependencies:

   • Ansible
   • Packer

3. Specify a region (options).

   export AWS_DEFAULT_REGION=...

4. Build the AMI.

   make

This will create AMIs with names of <operating system>-base-<timestamp>.

See the SCP-specific README.