Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Kdaily
Kdaily
Viewer II
‎10-10-2017 03:51 PM
‎10-10-2017 03:51 PM

DISA STIG Management

To anyone that works in the DoD space... how can you take a .ckl file and add the new STIG requirements to that ckl file to be reviewed so that you can avoid having to review ALL of the STIG requirements every quarter?

Labels
Reply
0 Kudos
3 Replies
Samhain
Samhain
Newcomer I
‎10-29-2017 01:45 PM
‎10-29-2017 01:45 PM

Re: DISA STIG Management

You can't. Welcome to DOD internal written software.

 

You will need to generate the new checklist and copy/paste any findings/comments back over, keeping an eye open for changed items. Not too difficult if you are lucky enough to do this on a SCAP scan, but that's limited to something like 8 checklists total.

 

Now if someone was willing to pay me, I could build a new checklist manager that can compare an old+new checklist, create a "combined" checklist with proper formatting & a list of what's new, but it will take about 6 months. I would also need to work it on personal time, so... yeah, never gonna happen.

Reply
0 Kudos
Kdaily
Kdaily
Viewer II
‎10-29-2017 01:57 PM
‎10-29-2017 01:57 PM

Re: DISA STIG Management

Hey Samhain, actually DISA released the new version of STIG Viewer last week and it does exactly what I was asking. Maybe my back and forth with them got them to do it... I have no idea but I think it was released on Oct. 23. I've tested it and it works perfect. Basically you make a new checklist and then import in the previous checklist. You're left with the delta as not reviewed.
Reply
Samhain
Samhain
Newcomer I
‎10-29-2017 10:15 PM
‎10-29-2017 10:15 PM

Re: DISA STIG Management

Yep. They did fix that "little" issue finally. I saw the release on Friday, but hadn't pulled it down yet. We aren't due for a full STIG review until next month, so wasn't in a rush.

 

Now if I can just figure out how to work with the XCCDF files directly in my own apps, I'll be set. I really want to automate the IIS 8.5 STIG for our web servers. It's a real pain hand-checking every setting.

Reply
0 Kudos