Monday, July 18, 2011

What are STIGs and where are they found?

In looking at traffic sources for the blog, I've seen that people have reached this blog by searching for "what are STIGs?" or "where are STIGs found?" So, in a small effort to answer those questions, I thought I would answer as best as I could.

STIG stands for Security Technical Implementation Guide; DISA describes STIGs as the "configuration standards for DOD IA and IA-enabled devices/systems." (from DISA) A STIG contains the guidance needed to harden or secure a specific device, piece of hardware, platform, operating system, server, cross-domain solution, or application. A joke in the industry is that if something can be plugged into the network, there is a STIG for it, and that saying is almost true. A "checklist" is usually paired with a STIG and gives the step-by-step instructions for manually verifying and configuring compliance with that STIG. For example, the Windows XP STIG gives the guidance on how a Windows XP machine is to be configured in order to meet the DoD's security posture, and the Windows XP checklist tells you specifically how to check whether a given machine is in compliance and, if it is not, how to fix it.

Gold Disk is the de facto host-based tool for checking Windows operating systems against their STIG checklists. Currently (as of this writing) it does not support Windows Server 2008 R2 or Windows 7. Running Gold Disk shows you how the operating system fares against the applicable checklist. According to the FAQ on DISA's site, Gold Disk is being phased out in favor of SCAP-compliant (Security Content Automation Protocol) tools.

There are also Security Readiness Review (SRR) scripts that help automate checking the controls for a few of the checklists. A couple of the SRR scripts I have used with some regularity are the MS SQL scripts, the Oracle SQL scripts, and the Unix scripts.
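To make concrete what an automated checklist script actually does, here is a small added example in the same spirit as the Unix SRR scripts. It is not one of DISA's scripts and not code from this post; the check names are made up for illustration and are not STIG identifiers, and the passwd-style input is constructed sample data, not taken from any real system. Each check prints PASS or FAIL and returns a nonzero status on a finding, so results can be tallied the way a reviewer would when walking a checklist.

```shell
#!/bin/sh
# Added example of an SRR-style automated check (not DISA's script).
# Two generic Unix hardening conditions that a checklist would have you
# verify by hand. Check names are illustrative, not STIG IDs.

# check_passwd_file FILE
# Reports accounts whose password field (field 2) is empty and any
# account other than "root" that has UID 0 (field 3).
# Returns 0 when there are no findings, 1 otherwise.
check_passwd_file() {
    file="$1"
    findings=0
    while IFS=: read -r name pw uid rest; do
        [ -z "$name" ] && continue
        if [ -z "$pw" ]; then
            echo "FAIL empty-password account: $name"
            findings=1
        fi
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "FAIL non-root UID 0 account: $name"
            findings=1
        fi
    done < "$file"
    [ "$findings" -eq 0 ] && echo "PASS $file: no empty-password or extra UID 0 accounts"
    return "$findings"
}

# check_mode FILE MAXMODE
# Fails when FILE's permission bits grant anything beyond MAXMODE
# (octal, e.g. 644). Uses GNU stat -c, falling back to BSD/macOS stat -f.
check_mode() {
    file="$1"; maxmode="$2"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%OLp' "$file")
    # Bits that are set in the actual mode but not allowed by MAXMODE.
    extra=$(( 0$mode & ~0$maxmode & 0777 ))
    if [ "$extra" -ne 0 ]; then
        echo "FAIL $file mode $mode exceeds $maxmode"
        return 1
    fi
    echo "PASS $file mode $mode within $maxmode"
    return 0
}

# make_samples DIR
# Writes constructed sample input (not data from a real system) into DIR:
# a passwd-style file containing two deliberate findings, plus an empty
# shadow-style file with a correct mode.
make_samples() {
    dir="$1"
    cat > "$dir/passwd.sample" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:backup:/var/backups:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
EOF
    chmod 644 "$dir/passwd.sample"
    : > "$dir/shadow.sample"
    chmod 600 "$dir/shadow.sample"
}

# Stand-alone run: build the samples in a scratch directory and report.
# Each check is allowed to fail here so the whole review still completes.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_passwd_file "$demo_dir/passwd.sample" || true
check_mode "$demo_dir/passwd.sample" 644 || true
check_mode "$demo_dir/shadow.sample" 600 || true
chmod 666 "$demo_dir/shadow.sample"      # introduce a permissions finding
check_mode "$demo_dir/shadow.sample" 600 || true
rm -rf "$demo_dir"
```

Running it prints two FAIL lines for the passwd sample (the `backup` UID 0 account and the passwordless `guest` account), a PASS for the two files at their intended modes, and a FAIL once the shadow sample is loosened to 666. A real SRR script does the same kind of thing for many more controls and writes the results in the format the reviewer expects.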

A note on Gold Disk and some SRR scripts: many of the actual scripts (and some of the STIGs that contain FOUO, For Official Use Only, content) are housed on a CAC-enabled site in order to control who can obtain them. You will need a CAC (Common Access Card) in order to retrieve those documents and scripts.

So, where are STIGs found? The STIGs are found on the STIG home page, which is part of the Information Assurance Support Environment (IASE). IASE is sponsored by the Defense Information Systems Agency (DISA).

STIGs and tools are updated on a regular basis to address new platforms, new vulnerabilities, and new patches for those platforms. Older technologies are retired, and periodically new STIGs are released to address new technologies.
