Availability of the new DISA STIGs released in January?

(imported topic written by mgardner28)

When will the new DISA STIGs be available in TEM?

Thanks,

Mark

(imported comment written by SystemAdmin)

We’re working on a refresh of all DISA STIGs for Windows. A specific release date isn’t available, but the update should be within the next month or so.

(imported comment written by SystemAdmin)

BTW, which STIGs are you using/planning to use?

(imported comment written by mgardner28)

We have Windows 7, Windows Server 2008 domain controllers and member servers, Windows Server 2003 member servers and RHEL 5 in our environment.

Thanks,

Mark

(imported comment written by Eric Walker)

Hi mgardner28,

Sorry for the delay in getting back to you. Following are the Windows STIGs we will be releasing soon:

  • Windows 7
  • Windows XP
  • Windows Vista
  • Windows 2003 MS
  • Windows 2003 DC
  • Windows 2008 MS
  • Windows 2008 DC
  • Windows 2008 R2 MS
  • Windows 2008 R2 DC

The check coverage for these checklists is substantial but not complete. There are some checks in the DC checklists, in particular, that will need further exploration before we are able to implement them on a domain controller with a large number of users without overloading the BigFix client.

During 2012 we hope to pick up additional UNIX STIGs as well.

All the best,

Eric

(imported comment written by PD14)

Any estimate of whether the release date for the Windows STIGs listed above will be during the month of March? Or do you believe it will not be until April?

Thanks for any help that you can provide.

(imported comment written by SystemAdmin)

Hi Eric Walker,

I noticed this morning new DISA STIG content available on the license page. I enabled this content and have received the new DISA STIG checks for Windows 2003 MS and Windows 2008 R2 MS. I have a few items that I am concerned with and hope that you will be able to answer.

  1. The old content for Windows 2003 MS (DISA STIG on Windows 2003 MS v6r1.18) had 272 checks; the new content (DISA STIG Checklist for Windows 2003 MS) has only 112 checks. It looks like the 112 checks in the new content are updated and/or new checks. What happened to the rest of the content? Are we expected to merge the two checklists provided by IBM? If so, how, and how do you account for the checks that have been removed?

  2. Many of the new checks do not include actions. Some of these checks had actions in the older content, but now have no actions associated with them. I seem to see this detail in the majority of the new checks provided: “Remediation actions are not available at this time for checks that look at a registry value without providing a registry type”. Is this something IBM will be releasing later? If so, when?

  3. I have also noticed that the DISA Vulid (STIG-ID) shows as “Not available” on the new content, whereas on the older content it showed the “V-xxxxx” ID. Any idea if this will be provided by IBM? If so, when?

Thank you,

Andrew

(imported comment written by Eric Walker)

Hi Andrew,

Thank you for sharing your concerns. Following are answers to your numbered questions:

  1. There are far fewer checks in the newer DISA checklists. This is due in part to the fact that with this release we have transitioned from content that had been translated by hand from the DISA STIGs over to their newer SCAP content. In maintaining our own in-house translation, we made a number of editorial decisions. One was to split large, complex checks into smaller ones that would be easier for customers to work with. So a DISA check that looked at 50 settings would be split into 50 checks in our hand-maintained content. The SCAP that they now provide is more explicit in how the check is to be carried out, and we make relatively fewer decisions in connection with it. So many of the checks are now composite where before they were split out. We prefer the smaller checks, but this detail in their implementation is one that now rests with DISA.

In addition, there are DISA rule IDs that appear only in one of the SCAP checklists or the older, corresponding STIG, but not in both. There is no recommended path for merging the older content with the newer content. The difference in the source content is simply too large.

For DC checklists, there were some user-related checks that we had to defer for critical client performance reasons which we plan to pick up in a forthcoming release. I have a spreadsheet that spells out the details of our check coverage if it will be helpful to you.

  2. For SCAP feeds, which now include DISA, we provide actions as a value-add. Production SCAP feeds are not currently built out to support remediation actions. There are two emerging standards, OVRL and ERI, which will deal with them in a safe manner. In the meantime we must find a way to safely derive remediation actions where possible – you cannot safely remediate a registry value, for instance, unless you know its type. In older, more simple SCAP feeds such as FDCC, it has been possible to automatically derive remediation actions without difficulty. The DISA SCAP content is more idiosyncratic, however, and where it would have been possible for a program to easily deduce a remediation action for a given FDCC check, the corresponding check in the DISA content will be far more complex and difficult to work with.

In the older hand-maintained content, the checks were very simple, and we had little difficulty providing safe remediation actions in the majority of cases. We are looking at maintaining a set of annotations to the DISA SCAP content that will overlay actions on top of the SCAP checks, but this is a nontrivial problem and one that must be done with care. There is no ETA at this point for when this will happen.

  3. We will plan to expose the DISA Vulids in a patch release in the next two or three months.

All the best,

Eric
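The point in Eric's second answer, that a registry check can only be turned into a safe remediation action when the check states the registry type, as an added example that is not from this thread or from IBM/BigFix. The script walks OVAL `registry_state` elements (names follow the OVAL 5.x Windows definitions schema) in a constructed fragment and emits a `reg add` command only when both the type and an exact expected value are given; everything else is flagged as having no safe action.

```python
"""Decide, per OVAL registry_state, whether a remediation can be derived safely."""
import xml.etree.ElementTree as ET

WIN = "http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"

# Constructed sample (not DISA content): the first state names its registry
# type, the second constrains only the value, which is the case the thread
# describes as "registry value without providing a registry type".
SAMPLE_OVAL = f"""
<states xmlns="{WIN}">
  <registry_state id="oval:example:ste:1" version="1">
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>SYSTEM\\CurrentControlSet\\Control\\Lsa</key>
    <name>LimitBlankPasswordUse</name>
    <type>reg_dword</type>
    <value datatype="int" operation="equals">1</value>
  </registry_state>
  <registry_state id="oval:example:ste:2" version="1">
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>SOFTWARE\\Policies\\Microsoft\\Windows\\Installer</key>
    <name>EnableUserControl</name>
    <value datatype="int" operation="equals">0</value>
  </registry_state>
</states>
"""

# OVAL registry types for which writing a single value is well defined.
REG_ADD_TYPE = {"reg_dword": "REG_DWORD", "reg_qword": "REG_QWORD",
                "reg_sz": "REG_SZ", "reg_expand_sz": "REG_EXPAND_SZ"}


def plan_remediation(xml_text):
    """Map each registry_state id to a reg add command, or None if unsafe."""
    plans = {}
    for st in ET.fromstring(xml_text).iter(f"{{{WIN}}}registry_state"):
        def text(tag):
            return st.findtext(f"{{{WIN}}}{tag}")
        hive, key, name, rtype, value = (text(t) for t in
                                         ("hive", "key", "name", "type", "value"))
        val_el = st.find(f"{{{WIN}}}value")
        # OVAL entities default to operation="equals"; only an exact expected
        # value plus a known type gives a single, deterministic write.
        op = val_el.get("operation", "equals") if val_el is not None else None
        if rtype in REG_ADD_TYPE and op == "equals" and value is not None:
            plans[st.get("id")] = (f'reg add "{hive}\\{key}" /v {name} '
                                   f'/t {REG_ADD_TYPE[rtype]} /d {value} /f')
        else:
            plans[st.get("id")] = None  # type or exact value unknown: no action
    return plans
```

Running `plan_remediation(SAMPLE_OVAL)` yields a command for the first state and `None` for the second, which is the situation the "Remediation actions are not available at this time" note in the new checklists describes.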