No, But Why? - Automating STIG Configuration Compliance

Configuration files are not always easy to check for security compliance, so why not add another offline capability to do just that.

April 10, 2022

Results from a Validated Configuration File

Configuration Checking Headaches

Configuration checking can be annoying. A technician might need to purchase a specialized technology suite, use a proprietary automation scripting format, or install a specific software library. All of these requirements can be problematic because of funding, security restrictions, or closed networks.

That led to the idea for an entirely offline, low-resource, STIG-based configuration checker. With a few embedded JS libraries, the linked project provides a method for low-effort STIG checking against text-based configuration files. If something fails a pre-configured check, a technician only has to review the outliers.

The Results

The code should work with any fairly modern JavaScript-enabled web browser. Load a JSON version of a STIG checklist, or convert a STIG CKL file to JSON. Load a configuration file that should be checked against the STIG checklist. Save the results as a valid CKL file for further adjustments in a STIG viewer program. If needed, edit the automated checks for each STIG rule and save a new JSON file with those changes. STIG compliance can even be done in bulk: zip a folder of configuration files and the tool will output another zipped file with a summary report. The project includes a sample configuration and a sample STIG JSON checklist.

Automated Checks Notation

The SCAP Match String uses basic text matching with REGEX capabilities.

Plain text without '#' symbols is matched verbatim or as a REGEX and is useful for single-line configuration items. A '!' symbol inverts the check: it results in a finding if the item is found in the configuration.

A '#' symbol is used to find repeated configuration items or groups of configuration. The first '#' indicates the line to search for, and the '##' indicates the configuration item that must exist within each group, or a numeric limit value.

When using a '#' symbol, the letter f or c that follows it controls the matching type: a match on content or on count. A '#f' shows a success if each found group has a matching configuration item, such as 3 of 3 items.

A '#c' shows a success only if the number of matches equals the allowed number defined by the SCAP check text.

Example 1: To search for 'service timestamps log datetime localtime', the SCAP text would be 'service timestamps log datetime localtime' (without single quotes).

Example 2: To check if every applicable interface has 'switchport access vlan 1000', the SCAP text would be '#finterface Gig.*/0/##switchport access vlan 1000'.

Example 3: To ensure that only one local user exists, the SCAP text would be '#cusername.*##1' (for two users, the ##1 would be changed to ##2).

Example 4: For a non-applicable STIG Rule, the SCAP text would simply be '#n'.
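As an added example (not code from the jsConfigSTIGCheck project), here is a compact JavaScript evaluator for the match-string notation above, run against a constructed sample configuration. It assumes Cisco IOS style block boundaries (an unindented header line followed by its indented lines), a leading '!' for the inverted check, and uses the CKL status labels Open, NotAFinding and Not_Applicable for its results.

```javascript
// Constructed sample config (not from the project) with two Gig interfaces,
// one of which lacks the required access VLAN, and a single local user.
const SAMPLE_CONFIG = `
service timestamps log datetime localtime
username admin privilege 15 secret 5 <hash-placeholder>
interface GigabitEthernet1/0/1
 switchport access vlan 1000
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport access vlan 20
interface Vlan1
 no ip address
`.trim().split("\n");

// Assumption: a group is a header line matching headerRe plus the indented
// lines that follow it, as in Cisco IOS running-config output.
function splitGroups(lines, headerRe) {
  const groups = [];
  for (let i = 0; i < lines.length; i++) {
    if (!headerRe.test(lines[i])) continue;
    const body = [];
    for (let j = i + 1; j < lines.length && /^\s/.test(lines[j]); j++) body.push(lines[j]);
    groups.push({ header: lines[i], body });
  }
  return groups;
}

// Evaluate one SCAP Match String against config lines and return a CKL-style status.
function evaluate(matchString, lines) {
  if (matchString === "#n") return "Not_Applicable";
  if (matchString.startsWith("#f") || matchString.startsWith("#c")) {
    const mode = matchString[1];
    const [groupPart, itemPart] = matchString.slice(2).split("##");
    if (itemPart === undefined) throw new Error("'#f'/'#c' strings need a '##' separator");
    const groupRe = new RegExp(groupPart);
    if (mode === "c") {
      // Count mode: success only when the number of matching lines equals the limit.
      const count = lines.filter((l) => groupRe.test(l)).length;
      return count === Number(itemPart) ? "NotAFinding" : "Open";
    }
    // Find mode: every matched group must contain the required item
    // (zero matching groups means nothing to check, so no finding).
    const itemRe = new RegExp(itemPart);
    const ok = splitGroups(lines, groupRe).every((g) => g.body.some((l) => itemRe.test(l)));
    return ok ? "NotAFinding" : "Open";
  }
  // Single-line mode: plain text or regex; a leading '!' makes a hit the finding.
  const negate = matchString.startsWith("!");
  const re = new RegExp(negate ? matchString.slice(1) : matchString);
  const found = lines.some((l) => re.test(l));
  return found !== negate ? "NotAFinding" : "Open";
}
```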

Project Source:

https://github.com/jawcode/jsConfigSTIGCheck