We are an open source project which collects and curates information about a variety of mechanically-verifiable IT best practices, with our initial emphasis being on security. From a security perspective, most of these rules will effectively be hardening rules. Although we expect most of our checks to be server related, we are open to security best practices for other IT devices such as switches and routers.

This effort is in support of “best practices as code” efforts, even though it’s not currently our intent to provide this code as part of this project.

Verifying that a particular practice is followed is typically as simple as checking that a particular feature is turned off or on, or that some value matches some regular expression. Explaining these best practices, however, is much more difficult and time-consuming. Our primary intent is to collect and curate these bodies of text and leave the implementation of the checks to the various tools involved (for example, Lynis and the Assimilation Project).

This allows us to share the difficult work of explaining these practices, and avoids arguing about the best method for implementing these checks in a particular environment.

Our Principles

Our guiding principles are simple:

  • Create a community and collaborate around collecting mechanically verifiable security rules
  • Share freely and with minimal restrictions (Apache 2 or MIT or similar licenses)
  • Curate security rules and provide basic general guidance on their importance.
  • We are not responsible for what you or any vendor does with the rules we collect.
  • Stick with simple solutions
  • We prefer JSON over XML.
  • We should be multi-language compatible (even if we don’t have any/many translations yet).
  • (eventually) Provide our information through a web interface with a well-known query structure on this web site.
  • We will store our results in our GitHub project.

We expect to collect as much as possible from other public sources. In particular, the NIST STIGs (discussed below), SecComFrame, and Lynis are good potential sources.

It’s worth noting that the Center for Internet Security (CIS) Benchmarks include a number of checklists, but they are not freely available (i.e., they are “Available to CIS Security Benchmarks Members”), and are therefore sadly not useful for our purposes.

The basic idea here is to collect and cross-reference all freely available sources and collect and curate our own in one freely-available (FOSS) repository.

Many NIST STIGs are freely available, but some are not publicly available (“Official Use Only”). The NIST National Vulnerability Database lists 9 Tier IV checklists and 72 Tier III checklists. Note that the NIST web site refers to their content as being publicly available, and does not list license terms under which their checklists may be used. We have sent them an email requesting clarification on their license terms.

The initial proposal for this project and an explanation of the directory structure can be found on Google Docs.

This project will be first presented publicly at the OSCON 2015 conference. More information can be found here.


A Few Sample JSON rules

At this writing, there are a few hundred security rules, and one network rule. Below you’ll find a sample of each.

  • A network rule for avoiding buffer bloat can be found here.
  • A security rule for ensuring that the sudo command requires authentication can be found here.
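As an added illustration of the check mechanics described above (a feature on or off, or a value matching a regular expression) and of the two sample rules listed here, the following is example code written for this page, not the project's own rule schema or checker. The JSON rule shape, the sample file contents and the use of `fq_codel` as the buffer bloat setting are all assumptions.

```python
import json
import re

# Constructed rules in a hypothetical JSON shape (not the project's real schema).
# Each rule names a file, a check type and a pattern: "absent" means the practice
# holds when no line matches, "present" means at least one line must match.
RULES_JSON = r"""
[
  {"id": "sudo-requires-auth", "category": "security",
   "file": "/etc/sudoers", "check": "absent",
   "pattern": "^[^#]*\\bNOPASSWD\\b",
   "explanation": "sudo must prompt for a password; NOPASSWD grants privilege without authentication."},
  {"id": "bufferbloat-fq-codel", "category": "network",
   "file": "/etc/sysctl.conf", "check": "present",
   "pattern": "^\\s*net\\.core\\.default_qdisc\\s*=\\s*fq_codel\\s*$",
   "explanation": "Use fq_codel as the default queueing discipline to limit buffer bloat."}
]
"""

# Constructed sample file contents standing in for the real files on a host.
SAMPLE_FILES = {
    "/etc/sudoers": "Defaults env_reset\n# %wheel ALL=(ALL) NOPASSWD: ALL\nalice ALL=(ALL) NOPASSWD: ALL\n",
    "/etc/sysctl.conf": "net.ipv4.ip_forward = 0\nnet.core.default_qdisc = fq_codel\n",
}


def evaluate_rule(rule, files):
    """Return (rule_id, passed, offending_lines) for one rule against a file map."""
    pattern = re.compile(rule["pattern"])
    lines = files.get(rule["file"], "").splitlines()
    matches = [ln for ln in lines if pattern.search(ln)]
    if rule["check"] == "absent":
        # Any uncommented match is a violation; report the lines so an admin can fix them.
        return rule["id"], not matches, matches
    if rule["check"] == "present":
        return rule["id"], bool(matches), []
    raise ValueError(f"unknown check type {rule['check']!r}")


def run_rules(rules_json=RULES_JSON, files=SAMPLE_FILES):
    """Evaluate every rule; returns {rule_id: (passed, offending_lines)}."""
    return {rid: (ok, bad) for rid, ok, bad in
            (evaluate_rule(r, files) for r in json.loads(rules_json))}


if __name__ == "__main__":
    for rid, (ok, bad) in run_rules().items():
        print(f"{rid}: {'PASS' if ok else 'FAIL'}", bad)
```

With the constructed input, the sudo rule fails on the uncommented `NOPASSWD` line while the commented one is ignored, and the network rule passes.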

Presentation Links

Below are a few presentations related to this project which we’ve given in the past:

Our Contributor Agreement

The IT Best Practices project has a contributor agreement which contributors are required to sign before contributing to the project. You can find the set of all such completed signature forms on GitHub.