PowerShell tools to manage and manipulate STIGs, SCAP scans, XCCDFs, and CKLs. Many things have changed and the readme needs to be updated.
- STIG (Manual XCCDF) - Refers to the full scope of settings required to make a system compliant
- Benchmark - This is a subset of the full STIG but it can be detected with an automated scanning tool. Things like registry entries and GPO settings are in this.
- SCC (SCAP Compliance Checker) / SCAP Scanner - This is the automated scanner that uses the Benchmark file
- ACAS - DoD Nessus scanner that can also use the Benchmarks to conduct scans.
- XCCDF - Generally refers to the xccdf.xml generated by the SCAP scanner.
- CKL - Checklist files created by DISA STIG Viewer. STIGs are imported into the viewer, then a checklist is created and finally the XCCDF results are imported on top of the new checklist. That will give you a proper checklist for your system.
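The "XCCDF results imported on top of the checklist" step above, as an added PowerShell example (not code from this repository): every rule the scanner reported gets its CKL STATUS set from the XCCDF result, and whatever the scanner did not check stays Not_Reviewed for the manual pass. Both XML inputs are constructed fragments of the real CKL and XCCDF 1.2 layouts; the `Get-VulnAttribute`/`Import-XccdfResultIntoCkl` names and the suffix match between a SCAP rule idref and the CKL Rule_ID are this example's own assumptions.

```powershell
# Constructed, minimal CKL: four rules, none reviewed yet. Real CKLs carry many more STIG_DATA pairs.
$cklText = @'
<CHECKLIST>
  <ASSET><HOST_NAME>CONSTRUCTED-HOST</HOST_NAME></ASSET>
  <STIGS><iSTIG>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1000</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-1000r1_rule</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS></FINDING_DETAILS><COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-1001r1_rule</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS></FINDING_DETAILS><COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-1002r1_rule</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS></FINDING_DETAILS><COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-1003r1_rule</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS></FINDING_DETAILS><COMMENTS></COMMENTS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
'@

# Constructed XCCDF TestResult as a SCAP scanner would emit it. V-1003 is a manual check and has no rule-result.
$xccdfText = @'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_constructed_testresult_1">
  <rule-result idref="xccdf_mil.disa.stig_rule_SV-1000r1_rule"><result>fail</result></rule-result>
  <rule-result idref="xccdf_mil.disa.stig_rule_SV-1001r1_rule"><result>pass</result></rule-result>
  <rule-result idref="xccdf_mil.disa.stig_rule_SV-1002r1_rule"><result>error</result></rule-result>
</TestResult>
'@

function Get-VulnAttribute {
    # STIG_DATA is a list of name/value pairs; return the value for the requested attribute name.
    param([System.Xml.XmlElement]$Vuln, [string]$Name)
    ($Vuln.STIG_DATA | Where-Object { $_.VULN_ATTRIBUTE -eq $Name }).ATTRIBUTE_DATA
}

function Import-XccdfResultIntoCkl {
    # Overlay scanner results onto a CKL in memory; returns the number of VULN entries updated.
    param([xml]$Ckl, [xml]$Xccdf)
    # XCCDF result vocabulary -> STIG Viewer STATUS values. Anything else (error, unknown,
    # notchecked, informational) is left for a human, so it maps to Not_Reviewed below.
    $statusMap = @{ pass = 'NotAFinding'; fail = 'Open'; notapplicable = 'Not_Applicable' }
    # local-name() keeps this independent of the XCCDF namespace version (1.1 vs 1.2)
    $results = @{}
    foreach ($rr in $Xccdf.SelectNodes("//*[local-name()='rule-result']")) {
        $results[$rr.GetAttribute('idref')] = $rr.SelectSingleNode("*[local-name()='result']").InnerText
    }
    $updated = 0
    foreach ($vuln in $Ckl.CHECKLIST.STIGS.iSTIG.VULN) {
        $ruleId = Get-VulnAttribute $vuln 'Rule_ID'
        # Assumption: SCAP 1.2 benchmarks prefix the rule id (xccdf_mil.disa.stig_rule_SV-...),
        # so match the CKL Rule_ID either exactly or as the suffix of the idref.
        $key = $results.Keys | Where-Object { $_ -eq $ruleId -or $_.EndsWith("_$ruleId") } | Select-Object -First 1
        if (-not $key) { continue }   # no automated result: stays Not_Reviewed for the manual pass
        $status = $statusMap[$results[$key]]
        if (-not $status) { $status = 'Not_Reviewed' }
        $vuln.STATUS = $status
        $vuln.FINDING_DETAILS = "Imported from XCCDF result: $($results[$key])"
        $updated++
    }
    return $updated
}

[xml]$ckl = $cklText
[xml]$xccdf = $xccdfText
$count = Import-XccdfResultIntoCkl -Ckl $ckl -Xccdf $xccdf
"$count of $($ckl.CHECKLIST.STIGS.iSTIG.VULN.Count) rules updated from the scan"
$ckl.CHECKLIST.STIGS.iSTIG.VULN | ForEach-Object { '{0}  {1}' -f (Get-VulnAttribute $_ 'Vuln_Num'), $_.STATUS }
# Expected: V-1000 Open, V-1001 NotAFinding, V-1002 Not_Reviewed (error), V-1003 Not_Reviewed (manual)
$ckl.Save((Join-Path $PWD 'CONSTRUCTED-HOST-imported.ckl'))   # STIG Viewer can open the result directly
```

The `error` result on V-1002 is the case worth noticing: a scanner error is not a pass, so the rule is deliberately left Not_Reviewed rather than silently marked compliant, and the FINDING_DETAILS text records what the scanner actually said.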
- Download all STIGs and Benchmarks (manually)
- STIG-ZIP2STIG-XCCDF will extract all STIG XCCDF.xml files from the chosen directory
- STIG-XCCDF2CKL will launch STIG Viewer 2.8 and convert each of the STIGs to a CKL file
- STIG-Status will RECURSIVELY look for all CKL files and will:
  - Analyze all statistics (CAT I, II, III Open, Not a Finding, etc.)
  - Create the associated reports in CSV
  - If multiple versions are detected, i.e. V1R13 and V1R14, it will ask if you want to upgrade the lower CKLs to the higher version.
  - Pro-tip: scan a folder containing your results AND the newly downloaded STIGs in order to upgrade everything, but your score and stats will be affected. After the upgrade, scan ONLY your reports folder for accurate stats.
  - (In progress) Ask if you want to import XCCDF results from ACAS or SCC; they will be imported on top of the existing CKLs. If no CKL is found for a system, it will make a new one.
  - (Not implemented yet) Rename all files to Hostname - STIG - VxRy
- OneCKL2Many - For any manually STIGed system, most likely your settings will be the same on the other systems as well. So choose the CKL that you finished and then copy the results to all other CKLs of that type/OS.
- ???
- Profit!
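The two CKL operations in the workflow above, STIG-Status's CAT I/II/III statistics with a CSV report and OneCKL2Many's copy of one finished checklist onto its siblings, as one added PowerShell example. This is not the repository's own code: the `New-ConstructedCkl` builder only exists to make test checklists inline, the function names are this example's own, and the severity-to-CAT mapping (high = CAT I, medium = CAT II, low = CAT III) and the STIG Viewer STATUS strings are the conventions the example assumes.

```powershell
function New-ConstructedCkl {
    # Builds a minimal in-memory CKL for demonstration; real CKLs carry far more STIG_DATA attributes.
    param([string]$HostName, [hashtable[]]$Vulns)
    $parts = @("<CHECKLIST><ASSET><HOST_NAME>$HostName</HOST_NAME></ASSET><STIGS><iSTIG>")
    foreach ($v in $Vulns) {
        $parts += "<VULN>"
        $parts += "<STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>$($v.Id)</ATTRIBUTE_DATA></STIG_DATA>"
        $parts += "<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>$($v.Severity)</ATTRIBUTE_DATA></STIG_DATA>"
        $parts += "<STATUS>$($v.Status)</STATUS><FINDING_DETAILS>$($v.Details)</FINDING_DETAILS><COMMENTS></COMMENTS></VULN>"
    }
    $parts += "</iSTIG></STIGS></CHECKLIST>"
    [xml]($parts -join '')
}

function Get-VulnAttribute {
    # STIG_DATA is a list of name/value pairs; return the value for the requested attribute name.
    param([System.Xml.XmlElement]$Vuln, [string]$Name)
    ($Vuln.STIG_DATA | Where-Object { $_.VULN_ATTRIBUTE -eq $Name }).ATTRIBUTE_DATA
}

function Get-CklStats {
    # One report row per CKL: a count for every CAT x STATUS combination, zero-filled so CSV columns line up.
    param([xml]$Ckl)
    $cat = @{ high = 'CAT I'; medium = 'CAT II'; low = 'CAT III' }
    $counts = @{}
    foreach ($vuln in $Ckl.CHECKLIST.STIGS.iSTIG.VULN) {
        $key = '{0} {1}' -f $cat[(Get-VulnAttribute $vuln 'Severity')], $vuln.STATUS
        $counts[$key] = 1 + [int]$counts[$key]
    }
    $row = [ordered]@{ Host = $Ckl.CHECKLIST.ASSET.HOST_NAME }
    foreach ($c in 'CAT I', 'CAT II', 'CAT III') {
        foreach ($s in 'Open', 'NotAFinding', 'Not_Applicable', 'Not_Reviewed') {
            $row["$c $s"] = [int]$counts["$c $s"]
        }
    }
    [pscustomobject]$row
}

function Get-CklReport {
    # Recursive folder scan to CSV, the STIG-Status shape. Not run in the demo below (needs a real folder).
    param([string]$Root, [string]$OutCsv)
    Get-ChildItem -Path $Root -Recurse -Filter '*.ckl' |
        ForEach-Object { Get-CklStats ([xml](Get-Content -Path $_.FullName -Raw)) } |
        Export-Csv -Path $OutCsv -NoTypeInformation
}

function Copy-CklResults {
    # OneCKL2Many: copy STATUS, FINDING_DETAILS and COMMENTS from a finished CKL to others of the same STIG.
    param([xml]$Source, [xml[]]$Targets)
    $done = @{}
    foreach ($vuln in $Source.CHECKLIST.STIGS.iSTIG.VULN) {
        $done[(Get-VulnAttribute $vuln 'Vuln_Num')] = $vuln
    }
    foreach ($target in $Targets) {
        foreach ($vuln in $target.CHECKLIST.STIGS.iSTIG.VULN) {
            $src = $done[(Get-VulnAttribute $vuln 'Vuln_Num')]
            # A Vuln_Num missing from the source means version drift between CKLs; leave it for review.
            if (-not $src) { continue }
            $vuln.STATUS = $src.STATUS
            $vuln.FINDING_DETAILS = $src.FINDING_DETAILS
            $vuln.COMMENTS = $src.COMMENTS
        }
    }
}

# Constructed demo: HOST-A is the finished checklist, HOST-B and HOST-C have not been reviewed.
$finished = New-ConstructedCkl -HostName 'HOST-A' -Vulns @(
    @{ Id = 'V-1000'; Severity = 'high';   Status = 'Open';           Details = 'constructed finding text' },
    @{ Id = 'V-1001'; Severity = 'medium'; Status = 'NotAFinding' },
    @{ Id = 'V-1002'; Severity = 'low';    Status = 'Not_Applicable' }
)
$others = foreach ($h in 'HOST-B', 'HOST-C') {
    New-ConstructedCkl -HostName $h -Vulns @(
        @{ Id = 'V-1000'; Severity = 'high';   Status = 'Not_Reviewed' },
        @{ Id = 'V-1001'; Severity = 'medium'; Status = 'Not_Reviewed' },
        @{ Id = 'V-1002'; Severity = 'low';    Status = 'Not_Reviewed' }
    )
}
Copy-CklResults -Source $finished -Targets $others
@($finished) + $others | ForEach-Object { Get-CklStats $_ } |
    Format-Table Host, 'CAT I Open', 'CAT II NotAFinding', 'CAT III Not_Applicable', 'CAT II Not_Reviewed'
# Expected: all three hosts show CAT I Open = 1, CAT II NotAFinding = 1, CAT III Not_Applicable = 1, Not_Reviewed = 0
```

For the real scan, `Get-CklReport -Root 'C:\STIG\reports' -OutCsv 'C:\STIG\stig-status.csv'` is the equivalent of STIG-Status's CSV output; the zero-filled columns are what keep a folder of mixed STIGs importable into one spreadsheet. The `continue` in `Copy-CklResults` is the safeguard behind the pro-tip above: when the source and target CKLs are different releases, rules that only exist in the newer one are left Not_Reviewed instead of inheriting a status that was never evaluated.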
A very abbreviated history, hopefully I get most of this right.
First there was CVE. The US Government (via NIST and Mitre) created CVE so that vendors could have a common ID for talking about a vulnerability. Over time, vendors started using CVE instead of BugTraq and other proprietary IDs.
Then there was FISMA: a US law that required the US government to secure their computers. Everything was manual and audits took years.
Then there was OVAL. Led by NIST and Mitre and vendors, they came up with a way to describe vulnerabilities in XML so that vendors and government could have a common format to define a vulnerability, and so that vendors and open source people could automate around this standard.
At this point the gang at NIST and Mitre had a vision and momentum for defining IDs and standards around computer security.
We are now in 2007-ish. Millions of man-hours are wasted doing FISMA compliance. Directed by the OMB, NIST is tasked with finding a way to automate all of this. They create SCAP, which uses OVAL to describe configuration compliance conditions (since a vuln definition and a configuration compliance definition are really quite similar), they use CCE to ID the checks (just like CVE IDs a vuln), and they use XCCDF to create a list of checks, aka a checklist or benchmark. They use CPE as an ID for apps and OSes.
SCAP is just a name for the combination of: OVAL (for compliance checks, not vulns), CCE, XCCDF, CPE. Of course, SCAP is an actual standard written by NIST with the intention of certifying vendors who are compliant with it. And, despite being a pretty poorly run program, many vendors go through the painful process of getting certified (e.g. McAfee, Symantec, Tripwire, etc).
CIS then starts converting all of their checklists to "SCAP" (meaning OVAL and XCCDF). The DoD starts doing this too with the DISA STIG checklists. So, today, there are now a ton of OS and application security checklists that are "SCAP checklists".
Now, the funny thing about SCAP validation is that it is not just a protocol for defining how a checklist is created but also blends in the requirement that specific checklists (like the FDCC and USGCB checklists) be correctly executed to become certified. The reason for this is that SCAP was created to help US Government agencies pass FISMA compliance, so there has to be some sort of standard for measuring that compliance.