STIG for Debian ?

[mdedonno1337]

By browsing the https://public.cyber.mil/stigs/downloads/ website and the folder of profiles for Debian products (9 and 10), I've seen that there is no STIG profile for Debian 9 and Debian 10, but there is for Ubuntu (which is based upon Debian).

My question is the following:

Would it be possible, from a legal or administrative point of view, to port the Ubuntu STIG profile to Debian 9 and 10 ?
I assume that, from a technical point of view it would be possible.

Thanks!

PS:

• I dont ask you to do it, I may like to do it if it would make sense and would be acceptable from a legal point of view.
• I understand that I can port them for myself and use them as I'd like if I need to

[ggbecker]

Sure you can have a STIG profile for debian in this project that's not a problem, but it won't have any legal liability. Nor other STIG profiles have any liability as well. Profiles developed in this project are merely to support institutions to assess their systems for a STIG compliance that should follow benchmarks (usually manual) provided by DISA.

The formal process to start developing an official STIG for a product is to follow their vendor process here: https://public.cyber.mil/stigs/vendor-process/

If you come up with a STIG profile in this project, it must have a disclaimer stating that the profile is a draft and should not be considered an official profile.

I hope that helps.

[mdedonno1337]

Yes, this answer perfectly the question.
I will have a look on how to add this profile based upon the other profiles already available.

Thanks!