Linux, Unix and Windows Security Readiness Review Scripts

I often get questions from organizations looking to beef up their security policies and procedures. Often enough, this is right after a system has been compromised. Linux and Unix admins will often tout the inherent security framework built into Linux and Unix, but no system that is improperly configured or maintained is safe from threat or attack. As a baseline, I often urge these businesses to take a look at the U.S. Government Information Assurance Security Readiness Review Scripts. These can be run against new or existing builds (servers and desktops) to get a better idea of what vulnerabilities exist on the system. They are pretty straightforward, and they usually have readme files that explain how to use them. You can download these scripts at the DISA Website:

There are scripts for Unix (Linux), Windows, Oracle and some other exotic and legacy operating systems. Having a baseline for security is important. Not every single server can be hardened down 100%, and it is up to your risk assessment people to determine what level of risk is acceptable in trade for functionality. There are a few more resources that I will post about in the future, but these should get you started on the right path to securing your systems. After all, the DoD requires the use of these SRRs, so you should definitely take a look at them at the very least. If you are not sure how to use them or what they do, just Google around for some more information. The better prepared you are from the start, the lower the chance that your systems will be victims of a security breach.

1 comment:

  1. Seek elsewhere. DISA pulled the scripts from the distribution in Dec. 2009 due to a discovered vulnerability. Now available only if you have a DoD PKI Cert.

    Interesting Catch-22 for those who are required to run these on Civ. Gov. systems. Reminds me of "Treated as Top Secret"