Automated STIG checks

Eric R. Jones
Level 4

For those who have to deal with STIGs, https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide, do any of you know if there's an automated check like SCAP for Windows machines?

I ran into some information on OVAL but that's pretty dated.

10 Replies

Marvin Rhoads
Hall of Fame

I've only ever gone through the STIG requirements manually one-by-one and validated the compliance that way.

It's also frustrating that (last I checked) the STIG requirements cover ASA but not Firepower / FTD deployments.

Mike.Cifelli
VIP Alumni

I am also with @Marvin Rhoads on this one. One-by-one fashion. From a switch perspective you would hope that for the same platforms/types there would be some sort of baseline, so when you manually run through the STIGs once on one device, you can identify the STIGs you had to implement, then just make/take a list of the hardening fixes and apply those to the remaining same platforms without the need to go through each one again against each box.

Eric R. Jones
Level 4

Yes, I am resigned to doing them manually. I was 99.9% sure there isn't an automated way to handle it without shelling out for DNA and such. I have thought about using the Prime Compliance engine, but it all boils down to the simple fact that STIGs change, and once I finally get a template for Prime or the Compliance function set up I could have completed the process.

Thanks for the input.

ej

I remembered after posting that SolarWinds Network Configuration Manager (NCM) does have STIG compliance reports built in. However they haven't been kept up to date. Checking a current NCM (Version 2020.2.6 HF1), the STIG reports appear to be based on V8R19 from 2015. The numbering all changed in 2020 and none of the new STIGs are in NCM out of the box.

A third party has made available several reports based on the 2020 STIGs on Thwack, the SolarWinds user community:

https://thwack.solarwinds.com/product-forums/network-configuration-manager-ncm/f/forum/11364/cisco-stigs

It may help some folks.

Jaimes White
Level 1

Originally used to do it manually one by one, and then use Prime to push config changes. A tool that we're using now is Squirrel Defender, mainly for our routing/switching platforms. I've seen some other organizations using SolarWinds Network Configuration Manager or writing Python scripts.
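The "baseline once, then check every same-platform box against it" approach that Mike and Jaimes describe is what a small script can automate. The following is an added example, not code from the thread or from any tool named in it: it parses Cisco IOS running-config text and reports which constructed hardening rules a device misses. The rule names and patterns are illustrations of the kind of item a STIG contains, not real STIG identifiers.

```python
"""Baseline hardening checks over Cisco IOS running-config text.
Added example (not from the thread); the rules are constructed illustrations
of STIG-style checks, not actual STIG rule IDs."""
import re

# Constructed global rules: (finding name, regex, must the line be present?)
GLOBAL_RULES = [
    ("password-encryption", r"^service password-encryption$", True),
    ("no-http-server", r"^ip http server$", False),   # finding if present
    ("no-https-server", r"^ip http secure-server$", False),
    ("login-banner", r"^banner (login|motd) ", True),
]
# Constructed per-'line vty' rules, matched against the block's indented children
LINE_RULES = [
    ("vty-exec-timeout", r"^ exec-timeout \d+ \d+$", True),
    ("vty-ssh-only", r"^ transport input ssh$", True),
]

def parse_blocks(config):
    """Split config into global lines and a dict of section header -> indented children."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                      # skip comments and blank lines
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line)
        else:
            global_lines.append(line)
            current = line
            sections.setdefault(current, [])
    return global_lines, sections

def check_config(config):
    """Return the sorted list of finding names for one device's config."""
    global_lines, sections = parse_blocks(config)
    findings = set()
    for name, pattern, want in GLOBAL_RULES:
        if any(re.match(pattern, g) for g in global_lines) != want:
            findings.add(name)
    for header, children in sections.items():
        if header.startswith("line vty"):
            for name, pattern, want in LINE_RULES:
                if any(re.match(pattern, c) for c in children) != want:
                    findings.add(f"{name}@{header}")
    return sorted(findings)

# Constructed sample config: one vty block lacks a timeout, the other allows telnet
SAMPLE_CONFIG = "service password-encryption\nhostname sw1\nip http server\n" \
    "line vty 0 4\n transport input ssh\nline vty 5 15\n exec-timeout 10 0\n"
```

Run `check_config` over each device's saved running-config; an empty list means the box matches the baseline, and any names returned are the items still to remediate on it.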

Eric R. Jones
Level 4

We just looked it up on the website and OMG! 1.17M?! Yeah, we put this out of our minds for now. Maybe other folks can purchase enough to bring the cost down.

Tools like that are typically targeted at big government organizations and their contractors who have a lot of taxpayer funding to spend securing their systems.

We have customers who have 10 devices and others who are very large.

If you're looking where I assume that number came from (https://www.squirrelcompliancysolutions.com/automated-network-compliance), I believe those are the estimated numbers for what it would cost an organization to do the checks and implementation manually. We've got a network similar in size to one of the examples on that page. If you're on the federal side, feel free to send me a message if you have any specific questions or if you'd like their federal side account rep.

I want to provide a clarification on the 1.17m. That's money saved due to using automation vs trying to STIG a device manually (manpower savings). We estimate that it takes 1-4 hrs per asset (based on customer feedback) and we can audit a device in about 3 seconds. Plus we provide remediation via automation that you can use to correct STIG findings (aka even more time saved). We're not just a reporting tool.

Disclosure: I work for Squirrel.