Qualys Blog

www.qualys.com
Tim White

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with commonly adhered to security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library monthly.

This release includes new policies and updates covering:

  • Initial coverage for DISA STIG on Windows
  • SCM for Windows Server 2016
  • New CIS versions for CentOS, Windows Server 2008 R2/2012 R2
  • Several updates to minor versions for Vendor Recommended and CIS policies.

New CIS Benchmarks

CIS Benchmarks are developed through consensus, providing an industry recognized collection of best practice controls. Qualys is committed to broad coverage of the CIS Benchmarks and regularly releases certified policies as well as contributing to the development of new benchmarks through the CIS Community.

Qualys’ Certification Page at CIS has been updated.

Recent additions to the policy library include the following certified CIS Benchmarks:

  • CIS Benchmark for CentOS Linux 6, v2.0.2
  • CIS Benchmark for CentOS Linux 7, v2.1.1
  • CIS Benchmark for Microsoft Windows Server 2008 R2, v3.0.1
  • CIS Benchmark for Microsoft Windows Server 2012 R2, v2.2.1

New Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DoD IA and IA-enabled devices and systems. Since 1998, DISA has played a critical role in enhancing the security posture of DoD systems by providing the STIGs. The STIGs contain technical guidance to “lock down” information systems and software that might otherwise be vulnerable to a malicious computer attack.

The DoD requires that all Information Assurance assets be hardened and assessed for secure configuration against the DISA STIGs. Many contracting organizations doing work with the DoD are also mandated to meet these configuration guidelines.

The breadth and depth of STIG content provides comprehensive guidance for preventing security breaches through vulnerability mitigation, and as a result many organizations are adopting the DISA STIGs as internal corporate IT control standards.

Policy Compliance Supports DISA STIG Guidelines:

With this release of the Policy Compliance Library updates, we have added support for the automated assessment of DISA STIG standards. We are supporting STIG guidelines for commonly used operating systems, and have added support in this release for the following guidelines:

  • DISA Security Technical Implementation Guide (STIG) for Windows 2008 (non-R2) MS, V6R35
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2008 R2 DC, V1R21
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2008 R2 MS, V1R21
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 (non-R2) MS, V2R7
  • DISA Security Technical Implementation Guide (STIG) for Windows 7, V1R25
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 R2 MS, V2R7

We will continue releasing new guides and updates for DISA STIGs moving forward as part of our monthly Library Update process.

The advantages of using out-of-the-box STIG guidelines through Qualys Policy Compliance:

Qualys provides its own native signatures rather than leveraging the SCAP content published by DISA. These controls are tested against the related technologies and assets in Qualys labs, which provides better accuracy and performance.

Qualys controls, such as those in the DISA STIGs, are mapped to General Control Objectives based on NIST SP 800-53 and cross-referenced to regulations and frameworks such as NIST, PCI DSS, HIPAA and ISO. This enables customers to view compliance against these controls and other standards from the point of view of one or more regulations or audit frameworks.

New Microsoft SCM Policies

  • Microsoft Security Compliance Manager (SCM) Baseline for Windows Server 2016

Updated Library Policies

  • CIS Benchmark for IBM AIX 7.1, v1.1.0
  • CIS Benchmark for Cisco IOS 15, V4.0.0
  • Security Configuration and Compliance Policy for Cisco IOS XE
  • CIS Benchmark for Oracle Enterprise Linux 6, v1.0.0
  • CIS Benchmark for Oracle Linux 7, v2.0.0
  • CIS Benchmark for Red Hat Enterprise Linux 7, v2.1.1
  • CIS Benchmark for Ubuntu 14.04 LTS Server, v1.0.0

Recently Released Technologies

  • Windows 2016
  • SQL Server 2016
  • PostgreSQL (coming with Qualys 8.10.0 release)
  • IIS 10
  • MacOS X 10.12

Coming Next Month

The following policies and updates are currently planned for release to the policy library next month:

New Policies:

  • CIS Benchmark for Microsoft IIS 10 v1.0.0
  • CIS benchmark for Internet Explorer 10, v1.1.0
  • CIS benchmark for Internet Explorer 11, v1.0.0
  • DISA STIG for Windows 10 V1R8
  • Qualys – Security Configuration and Compliance Policy for SQL Server 2016

Updates:

  • CIS Benchmark for Apache HTTP Server 2.2, v3.4.0
  • CIS Benchmark for Apache HTTP Server 2.4, v1.3.0
  • CIS Benchmark for Oracle Solaris 10, v5.2.0
  • CIS Benchmark for IIS 7.x v1.8.0
  • CIS Benchmark for IIS 8.x v1.5.0
  • DISA STIG for Windows 7 V1R25
  • DISA STIG for Windows Server 2012 (non-R2) Member Server V2R7
  • DISA STIG for Windows Server 2012 R2 Member Server V2R7
  • DISA STIG for Windows Server 2008 R2 Member Server V1R21

If you have any questions, please contact your TAM or Technical Support. See all library updates.