DISA Posts Revised Files to Test New STIG Group and Rule IDs

DISA has posted the following additional content for testing new Security Technical Implementation Guide (STIG) and Security Requirements Guide (SRG) Group and Rule IDs:

  • Apple OS X 10.13 TEST STIG – Ver 2, Rel 0.1
  • Apple OS X 10.14 TEST STIG – Ver 2, Rel 0.1
  • BlackBerry Enterprise Mobility Server 2.x TEST STIG – Ver 2, Rel 0.1
  • Canonical Ubuntu 16.04 TEST STIG – Ver 2, Rel 0.1
  • Canonical Ubuntu 18.04 LTS TEST STIG – Ver 2, Rel 0.1
  • SLES 12 TEST STIG – Ver 2, Rel 0.1
  • Samsung Android OS 9 with Knox 3.x TEST STIG – Ver 2, Rel 0.1
  • Voice Video Endpoint TEST SRG – Ver 2, Rel 0.1
  • Voice Video Session Management TEST SRG – Ver 2, Rel 0.1

The following new and updated SCAP 1.2 content has also been posted:

  • Canonical Ubuntu 16.04 TEST STIG Benchmark – Ver 2, Rel 0.1
  • RHEL 7 TEST STIG Benchmark – Ver 3, Rel 0.5
  • SLES 12 TEST STIG Benchmark – Ver 2, Rel 0.1

As noted previously, to provide increased flexibility for the future, DISA is updating the systems that produce STIGs and SRGs. The initial modification will be to change Group and Rule IDs (Vul and Subvul IDs). The previous Group and Rule IDs will be retained through the update as “legacy” IDs, presented as XCCDF ident elements. See the example below:

<Group id="V-204392">
  <title>SRG-OS-000257-GPOS-00098</title>
  <description>…</description>
  <Rule id="SV-204392r85825_rule" weight="10.0" severity="high">
    <version>RHEL-07-010010</version>
    <title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title>
    <description>…</description>
    <reference>…</reference>
    <ident system="http://cyber.mil/legacy">SV-86473</ident>
    <ident system="http://cyber.mil/legacy">V-71849</ident>
    <ident system="http://cyber.mil/cci">CCI-001494</ident>
    <ident system="http://cyber.mil/cci">CCI-001496</ident>
    <ident system="http://cyber.mil/cci">CCI-002165</ident>
    <ident system="http://cyber.mil/cci">CCI-002235</ident>

These updates will necessitate a new version number for every STIG as it is converted to the new format. For example, if the old version/release of a STIG is V2R6, the updated version/release will be V3R1.

DISA has posted manual STIGs on DoD Cyber Exchange in the new format for review and testing, along with several automated benchmarks. A new XSL stylesheet is included in the STIGs to handle the “legacy” identifiers.

For those who do not have a CAC with DoD Certificates, the STIGs are available at https://public.cyber.mil/stigs/downloads/.

If you have any comments after reviewing these samples, please email them to disa.stig_spt@mail.mil and note in the subject line STIG Testing Comments.