SCAP STIG Viewer Tools - jsac-dfw.orgjsac-dfw.org/Presentations_2017/SCAP_STIG Viewer Tools.pdf ·...

  • SCAP Compliance Checker and STIG Viewer

    Joint Security Awareness Council

    Nicole D Torrez, Information Systems Security Risk Analyst

    April 12-13, 2017

  • 2

    Terminology

    SCAP – Security Content Automation Protocol

    STIG – Security Technical Implementation Guide. The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems.

    SCC – SCAP Compliance Checker, a tool used to analyze STIG Benchmark compliance

    STIG Benchmark – Portion of the STIG that is SCAP compliant, intended to be imported into SCC

    *The STIG Benchmark does not encompass the entirety of the STIG*

    STIG Viewer – Java application used to view STIGs and XCCDF results from SCC

  • 3

    Where Do I Start?

    Go to http://iase.disa.mil/. This is the authoritative source for the most up-to-date STIG and SCAP content from DISA.

    - The DSS page will redirect you to the DISA IASE website

    - NCMS has SCC content on their internal member site under Resource Library *however* this content is not always the most current version available.

    The DSS NISP Authorization Office (NAO), in collaboration with the Defense Information Systems Agency and the Space and Naval Warfare Systems Command, has made the Security Content Automation Protocol (SCAP) Compliance Checker available to industry via OBMS. Installation files for the SCAP Compliance Checker are posted in the "ODAA Bulletin Board" section of OBMS for all supported operating systems. For additional information, please view the updated SCAP Job Aid posted on the DSS Risk Management Framework website. Applying for sponsorship through MAX.gov is no longer necessary as all PKI-protected SCAP content is available within OBMS.

    - STIG Benchmarks and Manual STIG documents from IASE do not require PKI!

  • 4

    Downloading SCAP & STIG Content

    • SCAP Benchmarks and Manual STIG Content must be downloaded and viewed separately

    • The most common current content is as follows:

    • SCC 4.2 Windows *PKI 3/27/2017

    • *SCC 4.0.1 is the last version of SCC that is compatible with Windows XP*

    • Microsoft Windows 7 STIG Benchmark, Ver 1, Rel 31 1/27/2017

    • Microsoft Windows 7 STIG - Ver 1, Rel 25 1/27/2017

    • Microsoft Windows 10 STIG Benchmark - Ver 1 Rel 6 2/8/2017

    • Microsoft Windows 10 STIG - Ver 1, Rel 8 2/8/2017

    • STIG Viewer Version 2.5.1 3/7/2017

    • Check regularly for new content to ensure you are using the most current version available!

  • 5

    How to View a STIG Document

    • Download from DISA (http://iase.disa.mil/)

    • Extract content from .zip file

    • Open the .xml file with Internet Explorer or the Microsoft Edge browser

    • STIGs can be viewed as an HTML document in your browser, or you can print to PDF for a more user-friendly, exportable document

  • 6

    Viewing STIG Content

  • 7

    Reading a STIG Document

  • 8

    Interpreting with STIG Viewer

  • 9

    Importing SCC Results to STIG Viewer

    • Import the SCC Benchmark into STIG Viewer

    • Select Checklist > Create Checklist

    • In the new checklist select Import > XCCDF Results File

    – This checklist can be saved and exported for a variety of requirements

    – You can manually mark items as Open, Not a Finding or Not Applicable

    – You can enter finding details and comments to your saved checklist
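    As an added example (not part of the presentation or of SCC/STIG Viewer), the following Python script reads an XCCDF results document of the kind SCC produces and tallies each rule into the checklist states named above. The sample results document, its rule ids and the result-to-state mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample, not real SCC output: a minimal XCCDF 1.2 TestResult
# with hypothetical rule ids. SCC writes one rule-result per benchmark rule.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_sample">
  <TestResult id="xccdf_org.example_testresult_sample" start-time="2017-04-12T09:00:00">
    <target>WORKSTATION-01</target>
    <rule-result idref="xccdf_org.example_rule_SV-0001r1_rule" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_SV-0002r1_rule" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_SV-0003r1_rule" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_SV-0004r1_rule" severity="medium"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_SV-0005r1_rule" severity="high"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Assumed mapping from XCCDF result values to the checklist states the deck
# names; results SCC could not evaluate are left for manual review.
RESULT_TO_STATUS = {
    "pass": "Not a Finding",
    "fixed": "Not a Finding",
    "fail": "Open",
    "notapplicable": "Not Applicable",
}


def parse_rule_results(xccdf_text):
    """Return {rule idref: (severity, checklist status)} from an XCCDF results document."""
    root = ET.fromstring(xccdf_text)
    statuses = {}
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", XCCDF_NS):
        result = rr.findtext("xccdf:result", "unknown", XCCDF_NS).strip()
        status = RESULT_TO_STATUS.get(result, "Not Reviewed")
        statuses[rr.get("idref")] = (rr.get("severity", "unknown"), status)
    return statuses


def summarize(statuses):
    """Count checklist states; the Open count is what the assessor must work."""
    return Counter(status for _, status in statuses.values())


def open_findings(statuses, severity="high"):
    """Open rule ids at one severity, sorted so reports are stable across runs."""
    return sorted(rid for rid, (sev, st) in statuses.items() if st == "Open" and sev == severity)
```

    Rules that SCC reports as notchecked or error are deliberately left as Not Reviewed rather than guessed, so they stay visible for the manual marking the checklist supports.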

  • 10

    SCC and STIG Viewer Demonstration

  • 11

    SCC and Linux

    • Same appearance and interface

    • Red Hat STIG can be used with CentOS

    – Uncheck ignore CPE-OVL errors

    • Other flavors of Linux (Fedora, Ubuntu, SUSE)

    – Use existing STIGs as reference

  • 12

    Notes

    • There are STIGs for Operating Systems, Applications, Routers, Switches, Removable Storage Devices, etc.

    – DSS is only looking at Operating Systems at this time

    • STIGs are updated frequently

    – Coordinate with your DSS Rep on the currency of the benchmark required for your facility or program

    – The last few updates were only months apart

    – Vulnerabilities may change, be added or removed

    • STIGs are generally released with an updated Benchmark

  • 13

    Notes

    • Windows SCC can be set up to run from CD

    • You can use SCC to scan remote single and multiple remote computers

    • SCC can be installed to run as a Service

    – Built into Windows installation

    – Other OSs require scripting

    • You can create custom SCAP Content to be run on SCC

    – See the SCC Read Me’s FAQ for tips

    • Baseline Configuration Reviews are required annually

    – CM-2(1)

    • Employ Automation Support for Accuracy

    – CM-2(2)

  • 14

    Links

    • STIGs

    – http://iase.disa.mil/stigs/Pages/index.aspx

    • STIG Mailing List

    – https://public.govdelivery.com/accounts/USDISA/subscriber/new?topic_id=USDISA_181

    • SCAP Content and Tools

    – SCC* and Benchmarks

    – http://iase.disa.mil/stigs/scap/Pages/index.aspx

    • * Requires CAC

    • DSS Risk Management Framework Information and Resources

    – DSS Technical Assessment Guides for Windows 7, 10, Server 2012, and RHEL 6 located under Resources section

    – http://www.dss.mil/rmf/index.html

  • 15

    Questions?