DISA STIGs part 1

Captions
All right, welcome to part one of DISA STIGs. Whether you like them or not, they're a necessary evil for a lot of environments.

All right, so I'm gonna do this on a Windows 10 VM just to kind of make it easy on my end. You definitely don't have to do this; you can do this natively on your Windows machine, but I think it's always best practice to do it in a VM. So, uh, bear with me while this OVF, which is prepackaged from Microsoft, uh, loads up. Uh, really nice of Microsoft that they make a lot of development builds; makes life easy here. Granted, it is going to have an expiration date, but we're just going to use this for a quick example. So, um, booting into this VM, and apologies ahead of time, I didn't think to increase resources on this VM, so we're crunching on a single core here, but we'll get through this.

And, uh, we'll jump right into Edge, the greatest browser of all time (uh, not), and jump into the STIGs up at this URL here. And we're going to look at a couple things here. I want to open up the SCAP menu here. Honorable mention to Group Policy Objects there: the DoD Cyber Exchange has some pre-configured GPOs to help get your environment, you know, very, very close to full compliance. And we're also going to look here in the STIGs Document Library, and we're just going to grab Windows 10 for this VM, and you're going to see something interesting here: you're going to see two Windows 10 STIGs, a STIG and a STIG Benchmark, and they both have the same version, uh, and rev. So we're going to go into more detail on what the difference is, but spoiler alert: basically, uh, one is SCAP, which is the benchmark, and one is the manual checks. Manual checks are more comprehensive; they're all the checks, and then SCAP content is just the automated parts of the checks. And here we went straight to the SCAP library, and you can see that you just have that one thing I was showing you. The size is similar, um, the size is the same in regards to the STIG Benchmark, and so what that means is, you know, there's, there's the SCAP protocol which is checking for a lot of the checks that are automated, but not all the checks.

And, uh, we're also going to download the STIG Viewer for Windows 64, but you'll notice that they make it for a lot of other operating systems as well. And then we're also going to dip into the, uh, SCC, which is the SCAP Compliance Checker. Now you're gonna have to have, uh, CAC access to download that, so depending on your business unit, your environment, um, your business might be granted this access to use this tool, but we're going to go and review it. Thankfully I have access, so going to go down and, and notice that there's Red Hat and a lot of distros here. Thankfully you don't have to use OpenSCAP anymore; you can use, um, this, this native SCC tool in Red Hat and others. But we're downloading for Windows, so we'll get that going and get these things installed. So you see here, uh, we have a number of things downloaded now, um, benchmarks, uh, the SCAP benchmarks rather, the STIG, and, uh, the Windows bundle for the SCC tool. And you might also see their Unlocker, so if you subscribe you won't miss out on part two, where I actually go into the Unlocker bundle, and that's a neat little tool that allows you to customize SCAP benchmarks for your specific information system or environment. So let's say a lot of the computer systems throughout your environment, uh, all have the same, um, deviations; you can make a custom, uh, SCAP benchmark so that the, the checks that fail that you have an authorized deviation for don't show up as red, and just, it helps with that percentile and not chasing down things.

So now we're installing SCC, and you see a little pop-up there. Um, kind of funny thing is, if you're already compliant, you won't even have the choice to get past that. So, uh, you might want, you know, obviously you want to do this on a machine that's not already set up, that's not fully compliant, or you're going to have to make a GPO and move this machine for a little while just to get past that to install these things, and then obviously don't forget to get rid of that GPO later. And so now it's installing; it's going to hang up here for a little bit and kind of psych you out, but, um, it'll, it'll sort itself out and, um, complete. And once we're done, um, check out the PDF here real quick. Um, RTFM, it's got all the things, and, um, even that Unlocker that will be in, um, part two. So again, shameless plug, please subscribe so you don't miss part two that goes into how to use the Unlocker to make those custom SCAP benchmarks for your environment.

And now let's check out the STIG Viewer. So STIG Viewer is not so much an install but just a file that runs, so you see the command prompt opens up, and then here we go. You might need, uh, the JDK, I believe, for this to run; um, it'll give you a warning if you don't have the right Java installed. But we're going to go in and now load these benchmarks that we also downloaded as well, benchmarks plural, because I'm going to show you how the SCAP benchmarks almost look like the full complete deal, and then we're also gonna upload these manual checks as well, the STIGs. And, and okay, so because it was unzipped, there's some other junk in there, and it lets you know that it didn't load everything, but it pulls it out. And you'll see here, um, I, I select it, and we're even going to scroll down all the way to the bottom here and look at this Vuln ID and be like, ah, see, you know, 230... 220. And now we'll go over to this, um, uh, SCAP STIG, um, Benchmark, and same Vuln ID. So you think, oh, it's the same thing, right? This is redundant; it's just maybe a different version issue. But now let's make a checklist from one, which we're gonna do regardless, because when you do your manual checks, or when you also plug in your, uh, SCAP results, you're gonna make a checklist. So let's make a checklist for this other one as well, and if you noted, that was like 211, this is 285. So this is the manual checks; here's the SCAP, SCAP, manual. And, um, so you'll see that the manual checks have all the things, um, and you'll see this manual XCCDF right here.

So the thing is, the STIG SCAP benchmark, key takeaway there, is the SCAP part, which is the Security Content Automation Protocol. This is the automated parts of the checks. So not every check is automated, and that could be for a number of reasons. Um, some checks are just going to be inherently, uh, not, not able to be automated, like "make sure that system is in a locked, uh, area with, uh, restricted door access," you know, and you're not going to be able to automate that check from within the Windows box. Um, and then some of the automated checks, there's just a little bit of lag between SCAP catching up to, uh, the STIG, and you'll, as you update over time, you'll see how it catches up. But basically, key takeaway there is the difference.

So now we're going in and looking at some of these checks, and for example, I'm checking out right here the BIOS mode, and it doesn't match up to UEFI here, so we're going to mark this as Open, and you can see how the color changed. Do you see those two above ones? While I was rambling on, I had made those Not Applicable. So we're going to make a bunch more Opens so you can see on this pie chart how it starts to populate. And typically, I guess, in some environments that definitely don't have availability of SCC, you're going to run through those manually, and I'll give a little shout-out to another YouTube video where someone is showing how they use PowerShell to automate some of those checks. So, uh, that's a cool little takeaway. And also, if you're running Tenable, that's another great way to be able to automate these checks if you're already running that security tool, and with Tenable you have a choice of using their natively built audit files (they're a bit more comprehensive), but you also have a choice to import these XCCDFs, or rather these benchmarks, and make it run those as well. So a lot of options out there.

So I'm going to mess around with trying to get rid of some of these, and I'll show you that it kind of works; we can get rid of this content that we don't care about. And oops, a little crash; we'll get back in there, but you'll see that it did get rid of those top ones. But, um, we'll stop playing that game; just a little demonstration that, you know, you can clean up your SCC and just leave there what you want. So we're going to select it as if we're just going to run a scan for Windows 10, but remember we also downloaded updated benchmarks that didn't ship out with this SCC build, so let's update, let's install the STIG's SCAP. And remember, it's SCAP, keyword here, key acronym here is SCAP, which is the automated protocol for the checks, so that's what you're loading in here, not the manual checks; it'll fail out if you try to load the manual checks. So now you notice that the version is newer here and the date's newer, so we have the latest, uh, SCAP here. And you have the drop-down, you have a lot of options here. These new ones are pretty exciting, um, down here, because now they're starting to finally integrate this to, uh, scan Linux hosts. You will need the plug-in to be installed, and in my opinion it's still in development. Um, I know there's a ticket in recently to get some fixes done; it's not perfect yet, but it's nice to see that they're starting to build support for, uh, *nix. But we're going to do a Windows local scan, because we're just going to scan this box right here. Let's kick it off.

And for some people that have always been using STIG Viewer and running through this manually, you know, sorry to rub this in your face again: try to get your organization to have access to this, uh, tool, or again, if you have Tenable, um, you can also automate these checks with Tenable, at least, like I was saying earlier, the checks that are possible to be automated. Obviously you're not going to automate things like "is this in a closed area with a, you know, a locked door," you know, so on and so forth. So it's going to wrap up; it's going to spit out the paths where you can get the results, but also it gives you HTML results, so it's pretty neat. So you have XCCDF results that we're going to ingest into STIG Viewer later, but you can also just go to View Results and it spits out these HTML results. And here's the, like, comprehensive results, where it shows your passes and your fails, and you just click on those and it'll send you down to further details, which is down there, so it's pretty neat. And then we'll just go to the non-compliance one, which just shows you all the fails, so it saves you, you know, running through all of that.

So there's this option, but I'm also going to show you how to ingest the SCC XCCDF results into STIG Viewer. So we're gonna go into STIG Viewer here, and we already have the, uh, manual, um, benchmarks loaded in here, so now we're telling it to upload XCCDF results. We're gonna go to that path that it showed earlier, and this is the default path. Again, subscribe; in the later video I'll show you how to go into the configuration settings and customize the type of logs that come out and where they come out, which is great for, like, SIEM ingestion. But here we go, we loaded up the automated results, and you see all the green here are passes, so this is all stuff that passed. And you're going to see in the pie chart to the left you have a lot of red and Not Reviewed. So Not Reviewed is, you know, maybe there's some permissions issues; should have run this as administrator. Also Not Reviewed are going to be these manual checks, like I was talking about earlier, that's not really easily automated. Some Not Reviewed are going to be because SCAP is still taking some time to catch up to it. Um, you're gonna see I clicked there on that red one; that's a CAT I, which is why it's red, and a fail. And then you have these, uh, yellowish-orange ones, which are, uh, CAT II failures.

And now I'm going to show you how you can just make that Not a Finding. Sometimes you'll go in and check settings, and for whatever reason the SCAP check failed, but the setting is correct on manual verification, so you'd select that as Not a Finding. Or, or you might have some other compensating control, and you can put that in the comments there. And another good reason to go into Unlocker later and make some custom SCAP benchmarks for your environment, if you have a consistent, uh, variation on all your systems. So, um, we're gonna punch in some other dumb comments here, and bear with me on showing how this is, uh, Not Applicable, which is really not the proper case here. Uh, these comments aren't matching what I meant to demonstrate here, which is, for Not Applicable, it might be because, uh, this is only for a domain-connected machine, and in this case this is just a, a single standalone machine, and so you might check it off as Not Applicable because, uh, it's, it's assuming that the machine is domain-connected.

So we're going to close that out after that, that demonstration of going through, um, all these views and using that status menu up there to change between Not Reviewed and whatnot. And now we're going to save it, we're going to save it, and it comes out as a .ckl file, and this way you can, you know, send it up your chain, um, however your process is for people to review and sign off on these checks. Or maybe even just to make, like, a golden standard: you can send this, uh, CKL file to your IA team and your, and your IT team, um, to show them where systems should be, like what the expectation is, what, what, um, Not Revieweds are allowed, and, and, um, what Not Applicables, and what are considered Not Findings, and so on and so forth. So kind of a way to send out to your team where your, your benchmark should be.

So thanks for the view. Please comment below on any other details you'd like to see, and I'll try my best to answer, or better yet, ensure to include it in the follow-up video. Speaking of which, subscribe to catch part two, which goes over the configuration settings for log output, additional log outputs that help with troubleshooting, and Unlocker, and maybe even dips into the PowerShell back-end to automate this.
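The video describes importing SCC's XCCDF results into STIG Viewer, where every automated rule-result lands as Not a Finding, Open, Not Applicable or Not Reviewed, colour-coded by CAT level, and mentions feeding the same output into a SIEM. The following Python script is an added example (not from the video, TokenTech, or the SCC/STIG Viewer tools) showing how that mapping can be done outside STIG Viewer, for instance before SIEM ingestion. It assumes the XCCDF 1.2 namespace and the `<TestResult>/<rule-result>/<result>` layout; the embedded XML and the `SV-EXAMPLE-*` rule ids are constructed placeholders, not real SCC output or real STIG identifiers.

```python
"""Summarise SCAP Compliance Checker (SCC) XCCDF results the way STIG Viewer
presents them: each rule-result mapped to a checklist status and CAT level.
Added example for this page; the sample XML below is constructed, not a real
SCC results file, and the SV-EXAMPLE rule ids are placeholders."""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by SCC result files.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# XCCDF <result> values -> STIG Viewer checklist statuses.
STATUS_MAP = {
    "pass": "NotAFinding",
    "fail": "Open",
    "notapplicable": "Not_Applicable",
}
# XCCDF severity -> DISA category; anything unexpected is treated as CAT III.
CAT_MAP = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample mimicking the TestResult section of an SCC results file.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_mil.disa.stig_benchmark_EXAMPLE">
  <TestResult id="xccdf_mil.disa.stig_testresult_EXAMPLE">
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-001_rule" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-002_rule" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-003_rule" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-004_rule" severity="low">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-005_rule" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-EXAMPLE-006_rule" severity="high">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_xccdf_results(xml_text):
    """Return one dict per <rule-result>: rule id, CAT level, raw XCCDF result
    and the checklist status STIG Viewer would assign on import."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result_el = rr.find("x:result", ns)
        result = (result_el.text or "").strip() if result_el is not None else ""
        result = result or "unknown"
        rows.append({
            "rule": rr.get("idref", ""),
            "cat": CAT_MAP.get(rr.get("severity", "").lower(), "CAT III"),
            "result": result,
            # notchecked / error / unknown stay Not_Reviewed: a reviewer still
            # has to look (manual checks, permission problems when SCC was not
            # run elevated, or SCAP content lagging behind the STIG).
            "status": STATUS_MAP.get(result, "Not_Reviewed"),
        })
    return rows


def summarize(rows):
    """Counts per checklist status, i.e. the numbers behind the pie chart."""
    return dict(Counter(r["status"] for r in rows))


def open_findings(rows, cat=None):
    """Open findings, optionally restricted to one CAT level, highest CAT first."""
    order = {"CAT I": 0, "CAT II": 1, "CAT III": 2}
    found = [r for r in rows
             if r["status"] == "Open" and (cat is None or r["cat"] == cat)]
    return sorted(found, key=lambda r: order[r["cat"]])


if __name__ == "__main__":
    rows = parse_xccdf_results(SAMPLE_XCCDF)
    for status, n in sorted(summarize(rows).items()):
        print(f"{status:15} {n}")
    for r in open_findings(rows):
        print(f"{r['cat']}: {r['rule']}")
```

Point `parse_xccdf_results` at the text of a real SCC `*_XCCDF-Results_*.xml` file (read it from the results path SCC prints at the end of a scan) and the Not_Reviewed bucket is exactly the set a reviewer must still clear by hand, which is the same workload the video walks through in STIG Viewer's status menu.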
Info
Channel: TokenTech
Views: 2,675
Id: hDMDdxa2j9k
Length: 15min 17sec (917 seconds)
Published: Mon Feb 01 2021