17 Replies. Latest reply: May 3, 2017 10:32 AM by pmn84561

STIGs available for Windows 2016?

cjsweeney2 Novice

Are there STIGs available for Windows 2016?

  • Re: STIGs available for Windows 2016?
    cstreck Expert

    Audit is in progress. The audit files themselves should be hitting the support portal within the next couple of weeks.

    • Re: STIGs available for Windows 2016?
      pmn84561 Novice

      Support told me this morning that they were released a few days ago and are in the "All Audits" file. I checked; I am not seeing them. Has anyone else seen the audit files for Windows Server 2016 yet?

      • Re: STIGs available for Windows 2016?
        cstreck Expert

        STIGs are not in the archive yet. Only the CIS Windows 2016. I'd expect the STIG audit files to hit the archive by early next week.

        -chad

        • Re: STIGs available for Windows 2016?
          pmn84561 Novice

          Interesting, I am not seeing those audits on the support website, in either the "Tenable_CIS_Audit_Files.zip" or the "Audits.tar.gz" file. According to the website, the last update of "Tenable_CIS_Audit_Files.zip" was 1/12/15. I just downloaded both files today.

          • Re: STIGs available for Windows 2016?
            cstreck Expert

            The individual entries on the download page can lag (quite a bit) in being updated. The best method to get the most recent updates in audit files is this:

            • Log in to the support portal.
            • Select Downloads
            • Select Compliance and Audit Files
            • Select Download All Compliance and Audit files
            • Click through the License Agreement
            • Open the downloaded audits.tar.gz
            • Navigate to portal_audits/Windows

            Files in that archive are:

            • CIS_DC_SERVER_2016_Level_1_v1.0.0.audit
            • CIS_DC_SERVER_2016_Level_2_v1.0.0.audit
            • CIS_MS_SERVER_2016_Level_1_v1.0.0.audit
            • CIS_MS_SERVER_2016_Level_2_v1.0.0.audit

            -chad

            • Re: STIGs available for Windows 2016?
              pmn84561 Novice

              I downloaded the audits.tar.gz earlier and did a manual update per the user guide. Wouldn't the audits show up to choose? I was thinking they would show up automatically after updating with the .gz file.

              • Re: STIGs available for Windows 2016?
                pmn84561 Novice

                Perhaps that process only works for offline scanners, and I will need to wait another day or so to see the updates show up rather than having to add each file individually. I was under the impression that 24 hrs after release they would automatically show up if the scanner ran the update process.

                • Re: STIGs available for Windows 2016?
                  cstreck Expert

                  If you are talking Nessus, no. The only time the audits show up in the UI as selectable would be during a feature release of Nessus. Something I'd like to see is the audits being treated more like a plugin feed rather than a feature release. In addition to that, the audits from the support portal have the variable default values applied, so you would not have the variable replacement option of the UI.

                  If you are talking SC, I believe they go through a feed that has a review process, but I'm not aware of how long it takes until they get through the feed. I am not aware of the manual process to upload the audits.tar.gz into SC, but that is me not being SC-fluent.

                  Thanks,

                  -chad

  • Re: STIGs available for Windows 2016?
    zaneta22 Expert

    Are you looking for manual STIG or the benchmark?

  • Re: STIGs available for Windows 2016?
    cstreck Expert

    The STIGs we do are based on the benchmarks posted at STIGs A-Z.

    For Windows 2016... http://iasecontent.disa.mil/stigs/zip/Feb2017/U_Windows_Server_2016_V1R1_STIG.ZIP

    • Re: STIGs available for Windows 2016?
      zaneta22 Expert

      Are the STIGs you provide available for export as an xml to be imported into other applications like STIG viewer?

      • Re: STIGs available for Windows 2016?
        cstreck Expert

        The audits that we provide for the DISA STIGs do not have any other format directly attached to them, but they should have a link in the header, and each result should link to the source STIG. If you download the source STIG and unzip it, there is an XML that should be usable directly with STIG Viewer.

        So to clarify, we do not create STIGs; we create audit files that implement the DISA STIG checks in the Nessus audit language.

        Does this help?

        Thanks,

        -chad

        • Re: STIGs available for Windows 2016?
          zaneta22 Expert

          Does this XML have the actual results from the scan? I think there is some confusion as to whether or not this can be done with the audit files that have an automatic feed. If the XML that can be downloaded has the actual results, I think this is what most administrators are looking for, because the manual checks that apply to policy have to be completed.

          • Re: STIGs available for Windows 2016?
            cstreck Expert

            I agree there is confusion. My perspective is that the XML we are talking about is what the benchmarks are based on from DISA. These XMLs have no results in them. Nessus or SC can export the .nessus format, which is XML and has results, but it cannot be imported into reporting tools without some manipulation.

            -chad
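As an added example (not code from this thread, and not Tenable's), here is the sort of manipulation Chad refers to: a Python script that pulls the compliance results out of a .nessus export and flattens them to CSV keyed on the STIG-ID and Vuln-ID carried in each result's reference field. The cm: namespace and the compliance-* element names are my reading of the .nessus v2 compliance output and should be confirmed against a real export; the embedded sample export is constructed, and its host, check names and EXAMPLE-* identifiers are placeholders, not real STIG IDs or real scan results.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Namespace Nessus uses for its compliance elements. Assumption based on
# .nessus v2 exports; confirm against the xmlns:cm declaration in your file.
NS = {"cm": "http://www.nessus.org/cm"}

# Constructed sample export for this example. The host, check names, values
# and the EXAMPLE-* STIG-ID / Vuln-ID strings are placeholders, not real
# identifiers. The first ReportItem is an ordinary plugin the parser must skip.
SAMPLE_NESSUS = """<NessusClientData_v2 xmlns:cm="http://www.nessus.org/cm">
  <Report name="win2016-example">
    <ReportHost name="10.0.0.5">
      <ReportItem severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
        <plugin_output>not a compliance item</plugin_output>
      </ReportItem>
      <ReportItem severity="3" pluginID="21156" pluginName="Windows Compliance Checks" pluginFamily="Policy Compliance">
        <cm:compliance-check-name>EXAMPLE-1 Account lockout duration</cm:compliance-check-name>
        <cm:compliance-result>FAILED</cm:compliance-result>
        <cm:compliance-actual-value>5</cm:compliance-actual-value>
        <cm:compliance-policy-value>15</cm:compliance-policy-value>
        <cm:compliance-reference>CAT|II,STIG-ID|EXAMPLE-ID-1,Vuln-ID|EXAMPLE-V-1</cm:compliance-reference>
        <cm:compliance-see-also>http://iasecontent.disa.mil/stigs/zip/Feb2017/U_Windows_Server_2016_V1R1_STIG.ZIP</cm:compliance-see-also>
      </ReportItem>
      <ReportItem severity="0" pluginID="21156" pluginName="Windows Compliance Checks" pluginFamily="Policy Compliance">
        <cm:compliance-check-name>EXAMPLE-2 Guest account is disabled</cm:compliance-check-name>
        <cm:compliance-result>PASSED</cm:compliance-result>
        <cm:compliance-actual-value>Disabled</cm:compliance-actual-value>
        <cm:compliance-policy-value>Disabled</cm:compliance-policy-value>
        <cm:compliance-reference>CAT|II,STIG-ID|EXAMPLE-ID-2,Vuln-ID|EXAMPLE-V-2</cm:compliance-reference>
      </ReportItem>
      <ReportItem severity="2" pluginID="21156" pluginName="Windows Compliance Checks" pluginFamily="Policy Compliance">
        <cm:compliance-check-name>EXAMPLE-3 Backups are performed and tested (manual)</cm:compliance-check-name>
        <cm:compliance-result>WARNING</cm:compliance-result>
        <cm:compliance-actual-value>manual review required</cm:compliance-actual-value>
        <cm:compliance-policy-value>manual review required</cm:compliance-policy-value>
        <cm:compliance-reference>CAT|III,STIG-ID|EXAMPLE-ID-3,Vuln-ID|EXAMPLE-V-3</cm:compliance-reference>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_reference(ref):
    """Turn 'CAT|II,800-53|AC-2,800-53|AC-7' into {'CAT': 'II', '800-53': 'AC-2,AC-7'}."""
    out = {}
    for frag in ref.split(","):
        key, sep, value = frag.strip().partition("|")
        if sep:  # ignore fragments that are not KEY|VALUE
            out.setdefault(key, []).append(value)
    return {k: ",".join(v) for k, v in out.items()}


def parse_compliance(xml_text):
    """Return one dict per compliance check in a .nessus export; non-compliance plugins are skipped."""
    records = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            result = item.findtext("cm:compliance-result", namespaces=NS)
            if result is None:
                continue  # vulnerability/info plugin, not a compliance check

            def text(tag):
                return item.findtext("cm:" + tag, default="", namespaces=NS).strip()

            records.append({
                "host": host.get("name"),
                "check": text("compliance-check-name"),
                "result": result.strip().upper(),  # PASSED / FAILED / WARNING / ERROR
                "actual": text("compliance-actual-value"),
                "expected": text("compliance-policy-value"),
                "references": parse_reference(text("compliance-reference")),
                "see_also": text("compliance-see-also"),
            })
    return records


def summarize(records):
    """Count checks by result; WARNING rows are the manual checks a reviewer still has to close out."""
    counts = {}
    for r in records:
        counts[r["result"]] = counts.get(r["result"], 0) + 1
    return counts


def to_csv(records):
    """Flatten to CSV keyed on STIG-ID / Vuln-ID so rows can be matched to rules in the DISA XCCDF."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["host", "stig_id", "vuln_id", "cat", "result", "check", "actual", "expected"])
    for r in records:
        refs = r["references"]
        w.writerow([r["host"], refs.get("STIG-ID", ""), refs.get("Vuln-ID", ""), refs.get("CAT", ""),
                    r["result"], r["check"], r["actual"], r["expected"]])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_compliance(SAMPLE_NESSUS)
    print(summarize(recs))
    print(to_csv(recs))
```

The WARNING rows are the checks Nessus cannot decide on its own (typically the policy-level items), which is why they still have to be completed by a reviewer before the results are final; keying the output on the STIG identifiers from the reference field is the minimum needed to line the scan results up with the rules in the DISA XCCDF rather than re-typing them.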

            • Re: STIGs available for Windows 2016?
              zaneta22 Expert

              Thank you. I believe that is the issue here. We are currently still importing the results, because there are applications and sites where the XCCDF file must be imported, and we have not been able to do that with this file type. We need to be able to use them in other programs where we can set defaults, like STIG Viewer.