Last modified on 05/29/14 13:22:14

Project Overview

The Aqueduct project provides automated changes to Red Hat Enterprise Linux based systems to meet security guidelines established by various agencies. These changes are in the form of Bash scripts and Puppet manifests. Each change is specific to the agency's auditing criteria and granular enough to allow the system owner to decide on changes at the line item level.

Supported Security Configuration Guidance

  • Center for Internet Security (CIS)
  • Defense Information Systems Agency Security Technical Implementation Guide (STIG)
  • Department of Homeland Security (DHS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • National Industrial Security Program Operating Manual (NISPOM)
  • Payment Card Industry (PCI)
  • US Government Configuration Baselines (USGCB)

Development Status

  • Active development on released versions of RHEL 5 and RHEL 6 STIGs
  • RHEL 5 Bash scripts accomplish a 92% Vulnerator score
  • RHEL 6 Bash scripts cover most CAT I and CAT II findings that can be automated.
  • Seeking contributors for other configuration guidelines

Project Objectives

  • Translate compliance requirements:

      Thou shalt not allow root access to ssh

    into automated configuration modifications:

      sed -i -e 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

  • Focus on development of Bash script content and Puppet configuration manifests for RHEL 5
  • Port configuration scripts/manifests to function on RHEL 6 following finalization of RHEL 5 Aqueduct content
  • Work to identify Security Content Automation Protocol (SCAP) compliant content for future releases of security requirements from DISA
  • Work with scap-security-guide to develop step-by-step user guides for all supported configuration guidance policies
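
The sed one-liner above only rewrites the commented default line "#PermitRootLogin yes"; an active "PermitRootLogin yes", a different value, or a missing directive is left as it was. The following is an added example, not Aqueduct's own script, that applies the same requirement idempotently; the function name enforce_no_root_login and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example. enforce_no_root_login is a hypothetical helper name,
# not an Aqueduct script.
enforce_no_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        # sshd keywords are case-insensitive and may be followed by "=".
        function is_directive(line) {
            return tolower(line) ~ /^[ \t]*permitrootlogin([ \t]+|[ \t]*=)/
        }
        # Global settings end at the first Match block: emit the directive
        # before it if no active global line has been seen yet.
        tolower($0) ~ /^[ \t]*match[ \t]/ && !in_match {
            if (!done) { print "PermitRootLogin no"; done = 1 }
            in_match = 1
        }
        # sshd uses the first value it reads, so rewrite the first active
        # global line and drop later duplicates. Comment lines never match.
        !in_match && is_directive($0) {
            if (!done) { print "PermitRootLogin no"; done = 1 }
            next
        }
        # A Match block can override the global value; force it to "no" too.
        in_match && is_directive($0) { print "    PermitRootLogin no"; next }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing inode so owner, mode and SELinux label stay.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Constructed sample covering cases the one-liner does not match.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '#PermitRootLogin yes' 'Port 22' \
        'permitrootlogin without-password' 'PermitRootLogin yes' \
        'Match User backup' '    PermitRootLogin yes' > "$f"
    enforce_no_root_login "$f" && cat "$f"
    rm -f "$f"
}
demo
```

Running it a second time leaves the file unchanged; validate the result with sshd -t and reload sshd before relying on the setting.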

Site Index

Frequently Asked Questions

Getting Involved

IRC: #aqueduct on
Mailing List:
Bi-Weekly Call: Call
Web-based source browser:
Anonymous checkout: git clone git://
Commit access: git push ssh://

Become A Developer