topic Re: DISA STIG Management in Tech Talk

DISA STIG Management

Kdaily — Mon, 09 Oct 2023 08:18:37 GMT

To anyone that works in the DoD space... how can you take a .ckl file and add the new STIG requirements to that ckl file to be reviewed so that you can avoid having to review ALL of the STIG requirements every quarter?

Re: DISA STIG Management

Samhain — Sun, 29 Oct 2017 17:45:46 GMT

You can't. Welcome to DOD internal written software.

You will need to generate the new checklist and copy/paste any findings/comments back over, keeping an eye open for changed items. Not too difficult if you are lucky enough to do this on a SCAP scan, but that's limited to something like 8 checklists total.

Now if someone was willing to pay me, I could build a new checklist manager that can compare an old+new checklist, create a "combined" checklist with proper formatting & a list of what's new, but it will take about 6 months. I would also need to work it on personal time, so... yeah, never gonna happen.

Re: DISA STIG Management

Kdaily — Sun, 29 Oct 2017 17:57:56 GMT

Hey Samhain, actually DISA released the new version of STIG Viewer last week and it does exactly what I was asking. Maybe my back and forth with them got them to do it... I have no idea but I think it was released on Oct. 23. I've tested it and it works perfect. Basically you make a new checklist and then import in the previous checklist. You're left with the delta as not reviewed.

Re: DISA STIG Management

Samhain — Mon, 30 Oct 2017 02:15:05 GMT

Yep. They did fix that "little" issue finally. I saw the release on Friday, but hadn't pulled it down yet. We aren't due for a full STIG review until next month, so wasn't in a rush.

Now if I can just figure out how to work with the XCCDF files directly in my own apps, I'll be set. I really want to automate the IIS 8.5 STIG for our web servers. It's a real pain hand-checking every setting.

Re: DISA STIG Management

akhilmi87 — Tue, 06 Oct 2020 08:18:06 GMT

May you please share the URL of this STIG Viwer. I really need help on this.

Re: DISA STIG Management

Kdaily — Tue, 06 Oct 2020 09:05:08 GMT

https://public.cyber.mil/stigs/srg-stig-tools/

Re: DISA STIG Management

akhilmi87 — Tue, 06 Oct 2020 09:19:33 GMT

thanks for this. I downloaded the Stig viewer. but unable to find an option to copy or import old ckl file into new ckl file. Can you please help on this ?

Re: DISA STIG Management

Kdaily — Tue, 06 Oct 2020 10:32:09 GMT

Open stig viewer and import your STIGs. Then checklist, create checklist. Once you have the checklist with the current STIGs you will go to import and choose xccdf. Then choose your d checklist and it will bring everything in.

Re: DISA STIG Management

akhilmi87 — Tue, 06 Oct 2020 12:17:08 GMT

Thanks Kdaily, it helped a lot.

Re: DISA STIG Management

Samhain — Tue, 06 Oct 2020 18:03:36 GMT

Be aware that the latest STIG viewers use the new vulnerability IDs and internal format structure, so old CKL files may not import in the new version correctly. You may need to dig up an older version of the viewer depending on how old the CKL file is.

Re: DISA STIG Management

akhilmi87 — Tue, 06 Oct 2020 18:10:34 GMT

In my case, old ckl files were generated on Jan 2019. Do u still see any concerns?

Re: DISA STIG Management

msg — Thu, 10 Dec 2020 23:49:55 GMT

This is the exact situation we find ourselves in - old CKL format not compatible with current updates as of this post. We've worked a lot of CKLs for machines beginning the task in Sept 2020. We just pulled recent STIG updates planning to complete the deltas by import of existing CKL over the current. As noted the new versions use the new Vuln IDs, etc., and we are unable to import our previous CKLs because they don't match. No content transferred.

Anyone know of a workaround/recommended process for this, or are we back to just running current SCAP scans, and copy/pasting the standouts manually reviewing the mapping sheet included within the STIG?

Re: DISA STIG Management

Samhain — Fri, 11 Dec 2020 00:16:05 GMT

You are basically stuck doing the copy/paste thing. I'm in the middle of an annual security review, and I've had to copy/paste on just about every STIG/SRG so far. Add into that the fact the our RMF system (eMass) hasn't applied the updates for new vulnerability IDs yet, and we are stuck. Luckily, the new IDs are supposed to go in over the weekend, but I will be stuck having to rehome all of our POAM references to the new IDs most likely.

Job security though, right?

Re: DISA STIG Management

msg — Fri, 11 Dec 2020 01:32:17 GMT

Okay, yeah, figured. Thanks for the confirmation.

Sheeze, I didn't think about rehoming the POAM refs. Not one of our tasks (yet), but I can see where this can ripple out.

Have you read anything on how exactly this move is to provide increased flexibility?

I wonder if it'd be worth (or still possible) working with the new CKLs in the .xml format in Notepad instead of STIG Viewer for the copy/paste ops. Are you just keeping the mapping sheet out while you roll through them? Could be done with side by side Notepad windows, the mapping sheet, and CTRL+F the way down each CKL after identifying the Vuln IDs not covered by current SCAP Benchmarks?

But yeah, hehe, job security.

Re: DISA STIG Management

msg — Fri, 11 Dec 2020 20:19:27 GMT

I just setup my first new CKL earlier to develop the workflow. I was originally planning to have to have the STIG mapping sheet out as reference, but I see now that in the new STIG header in STIG Viewer, they list the Legacy IDs for you. That'll be helpful. Just one less step.

I can see using a combination of filters and these legacy references to help with this.

I thought there'd be a way to do this with PowerShell, directly editing the .ckl file, but I'm no PS guru.

Re: DISA STIG Management

Kdaily — Fri, 11 Dec 2020 20:29:58 GMT

I reached out to DISA today to find out if there was anything other than a manual transition to the new versions and this is what I received.... Demanded to know who my government sponsor was... yet still answered the question (sort of).

Thank you for contacting DISA STIG Customer Support. We support only
government, military, or contractor support to the government.

Who is your DoD sponsor ?
Your DoD sponsor needs to be included in this email chain.

What DoD contract do you support?

--

Over 6 months ago we posted a critical update to the stig format on our Cyber X web page. That updated showed the direction we were going with the new STIG IDs

We also posted several test stigs for the community to review during this time period.

There is a mapping sheet in the stigs that were updated to the new format.

The stig viewer has never had the ability to import between new releases of content, only between versions.

There will be no update to the viewer

.

rlb0720 — Sun, 24 Jan 2021 16:06:44 GMT

Re: .

msg — Sun, 24 Jan 2021 16:56:12 GMT

@rlb0720 Did you figure out your question? I saw a lengthier post in the thread email notification, but content is missing in the post above.

You should be able to import content between CKLs created in the same Version. I believe the process would be something like:

Create the new CKL from the new STIG, and save it with its appropriate file name
Import the previous CKL (not the XCCDF file, that's for SCAP results in a later step)
Lastly, import the latest SCAP results XCCDF file to update the SCAP content in the new CKL.
- It will update the Finding Details field if there are changes, removing and replacing any existing content here.
- It will leave the Comments section alone, so you will want to review the previous and new CKL totals for changes and review for accuracy to make sure there are no Comments in place that no longer apply if a STIG that was earlier not addressed by SCAP now has been.

I've found that the use of the filters' Vulnerability parameter and typing the last three digits of a vuln ID is very handy for stripping down content.

You can also open multiple instances of STIG Viewer side by side to more easily compare two CKLs. Don't run them in full screen; there's no need. You can reduce the window width and still be able to easily view everything you need to work efficiently.

Re: .

msg — Thu, 25 Mar 2021 21:24:59 GMT

I just pulled down STIG Viewer 2.12 and it looks like it offers the capability of importing checklists created in previous versions now. Just did a couple of tests and looks like it works.

Anyone else able to confirm?

Re: DISA STIG Management

RoadDog — Tue, 07 Mar 2023 19:27:12 GMT

dawg! no one answered since 2017! I hope you found your answer. But anyways, you can do via Stigviewer.

in Stigviewer, upload current stig. Then make it a checklist (this step can be done in the stigviewer menu choices). Then import your checklist into this stigviewer checklist you just made. Note: If your checklist is too too many versions older than the current stig in your stigviewer it will not work....which is the problem I just found out that I have....which is why to relieve my frustration... I came here.