There are several STIGs that I have come across that have no default action, and a parameter must be set with a “save”. I have created custom copies of these STIGs, and when I enter and save the desired value, the save propagates; however, the custom copy never updates to get a “Click here…” action option. I looked for perhaps the new creation of a copy of the copy and found nothing. Is there a specific process to getting a STIG with no action to have one? Here are the 2 I found thus far for reference. Thanks!
In the newer DISA STIG content with the “save” button, not all of the checks have remediation actions. In the case of the “Autoplay/autorun” check, we will need to add in support for setting a registry default value (in contrast to an explicitly named value).
The remediation action on the “Time before bad-logon counter” check is not available at this time because there are inter-dependencies with two other checks. It’s not straightforward to coordinate dependencies between fixlets at this time, which are pretty much independent of one another, and this leads to the possibility of failed remediation actions in certain cases. Ideally, all three settings would be managed in the same check, but in the DISA content they’re split out into separate checks. We’re still thinking through possible solutions to this kind of situation.
In cases where no remediation action is available in a check, it may still be possible to put together a custom action that will run the desired command. As someone working with the SCM content, would it be straightforward or difficult to write a custom action along these lines?
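As an added illustration of the registry default-value point above (example code written for this reply, not part of the SCM content or the thread), here is a check/remediate pattern in PowerShell; the key path and expected data are placeholders to be replaced with whatever the specific check calls for:

```powershell
# Added example, not from the SCM content: checking and setting a registry
# DEFAULT value, which is addressed differently from an explicitly named value.
# Placeholder key path and data; substitute the values the STIG check specifies.
$KeyPath      = 'HKLM:\SOFTWARE\Placeholder\ExampleKey'   # placeholder
$ExpectedData = 'ExpectedValue'                             # placeholder

function Get-RegistryDefaultValue {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    # The key's default value is exposed under the property name '(default)';
    # it is $null when the default value has never been set.
    return (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
}

function Test-RegistryDefaultValue {
    param([string]$Path, [string]$Expected)
    # Compliance check: compare what is on the box with the expected data.
    return (Get-RegistryDefaultValue -Path $Path) -eq $Expected
}

function Set-RegistryDefaultValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Data)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($Path, "Set default value to '$Data'")) {
        # -Name '(default)' writes the key's default value, in contrast to a
        # named value, which would use e.g. -Name 'SomeValueName'.
        Set-ItemProperty -Path $Path -Name '(default)' -Value $Data -Type String
    }
}

# Usage: check first, remediate only when non-compliant, then re-check.
if (-not (Test-RegistryDefaultValue -Path $KeyPath -Expected $ExpectedData)) {
    Set-RegistryDefaultValue -Path $KeyPath -Data $ExpectedData
}
"Compliant: $(Test-RegistryDefaultValue -Path $KeyPath -Expected $ExpectedData)"
```

Run with `-WhatIf` on the set function to preview the change on a test system before deploying it as a custom action.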
Great information - thank you! The dependency issue - I understand. I recently made the suggestion of adding some notes within the STIG details about what is dependent on what other STIGs - as guidance.
Do you by chance have a list of the STIGs (newer set) that don’t have any remediation actions? As far as creating a custom action goes, with some effort I could get something put together (might need some guidance). We are currently knee deep in the review process now - which is extremely time consuming (Wow). There are 4 of us on the team - spending about 4-6 hours a week, reviewing each STIG and building the process around them for deployment and compliance - as well as testing the categories out on test systems.
Taking a stab at writing the custom action would most likely be looked at after the review and deploy timeline is well under way or complete (later this year). If you knew off hand (or had a way to report) which STIGs didn’t have a remediation - that would help us know which ones to “table” for now. If no list exists - I can run through them and make a visual check for a “deploy” option. If a list exists - it just saves some time. Thanks for the quick reply.
Regarding the newer STIGs without remediation actions, I believe that all of them have some checks with remediation actions and other checks without remediation actions; whether a check has one depends on how straightforward or difficult it is to implement a remediation action that accepts a parameter.
With regard to custom actions, I’d be happy to help out if I can.