Some say they can secure the unsecureable,
manage the unmanageable,
and that even Chuck Norris is forced to be compliant.

 

All we know is, they are called… the STIGs.

 

Updated June 29, 2015

 

The Department of Defense’s Defense Information Systems Agency (DISA) publishes the STIGs (Security Technical Implementation Guides): configuration standards that set a security baseline for DoD networks, systems, and applications. If you’re responsible for a DoD network, the STIGs will guide your management, configuration, and monitoring strategy across access control, operating systems, applications, network devices, and even physical security.

 

SolarWinds Log & Event Manager can help with DISA STIG compliance via our real-time monitoring of related events across systems, network devices, applications, and security tools. Use LEM to address DISA STIG requirements for both log analysis and broader network security.


For configuration auditing, see also the separate post on NCM’s DISA STIG resources.

 

At a high level, you can use SolarWinds Log & Event Manager to monitor and audit the following STIG-related activity:

  • Logs relevant to STIG best practices auditing (across OS, applications, and devices)
  • Changes to device, system, and user account configuration settings
  • Installation of unapproved software
  • Access and changes to sensitive/classified files
  • Creation/deletion/modification of user accounts
  • Modifications to databases and possible attack indicators
  • Access and usage of USB storage (including file/process information) and USB network devices
  • Successful and failed authentication attempts
  • Authentication from unapproved guest/anonymous accounts
  • Authentication to/from unexpected accounts/locations/machines (or using unexpected authentication methods)
  • Network access via VPN and other remote access methods
  • Data from firewalls, routers, and intrusion detection systems that can indicate non-compliant protocols and ports are in use
  • Alerts from firewalls, anti-virus, intrusion detection systems, and other security monitoring tools that can indicate attacks, vulnerabilities, scans, and other network security issues
  • Vulnerability assessment tool reports

 

LEM includes out of the box reports and rules that directly address DISA STIGs. You can also customize your LEM Console to monitor different types of data in real-time, and use the Console to search for historical events.


Rules

 

Many of LEM’s out of the box rules can be used to address STIGs, especially those related to monitoring change activity and security events. You’ll need to create and customize copies specific to your environment; check out the video in the resource center about creating and using out of the box rules for more detail on how. Remember that LEM’s correlation engine is flexible: if you don’t see a rule for something you care about, it can usually still be built, as long as what you’re looking for actually appears in the log data. The converse also holds: if an event isn’t audited at its source (for example, Windows object access auditing turned off on a file server), no rule can detect it, so verify the audit policy on the monitored systems first.

LEM-rule-templates.png


Specific rules and groups of rules of interest:

  • Compliance > DISA STIG: this category groups the STIG-relevant rules into one place.
  • Activity Types > Active Responses: these rules provide examples of automated detection and response.
  • Endpoint Monitoring: these rules detect issues at the workstation/server level using the LEM Agent. The most useful here are the security process and USB device access rules.
  • Security > Vulnerability: these rules integrate with your vulnerability assessment reporting to alert on newly found vulnerabilities/issues.
  • Authentication: these rules monitor authentication-related activity, including duplicate logons, logon failures to critical accounts, and unauthorized logons.
  • Change Management: these rules monitor all kinds of change management activity (accounts, users, groups, policies) and include many rules specific to Active Directory. Reports cover these same categories, so focus your real-time rules on what is most useful to see immediately (generally, anything operationally valuable like account lockouts, or high priority like device configuration changes).
  • Activity Types > Database Auditing: these rules monitor certain types of database activity, including changes and errors. If you’re using a separate database activity monitoring tool, use these as examples of things to look for.
  • Activity Types > Network: these rules monitor everyday network activity for anomalies, such as port scans, SQL injection, and suspicious network traffic.
  • Security > Malware: these rules monitor for traditional AV issues like viruses that were detected but not cleaned and AV update failures, along with worm detection based on other network activity.
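To make concrete the kind of correlation the Authentication and Change Management rule categories perform (and several items from the monitoring list earlier in this post), here is an added example written for this post, not LEM’s rule engine or any SolarWinds code. It runs four STIG-flavoured checks over constructed Windows Security events: a burst of logon failures against one account, a logon by an unapproved guest account, the same account logging on from two machines within a few minutes, and the creation of an account followed by its addition to a privileged group. The event IDs are the standard Windows Security log IDs (4624, 4625, 4720, 4732); the field names, thresholds, windows, and the sample records are this example’s own assumptions, not LEM’s normalized schema.

```python
"""Toy STIG-style correlation rules over Windows Security event records.

Illustrative example only: not LEM's rule engine and not SolarWinds code.
The events below are constructed sample data. Field names ("user", "src",
"host", "actor", "group") are this example's own, not LEM's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, roughly what a Windows agent would forward.
SAMPLE_EVENTS = [
    {"time": "2015-06-29T08:00:01", "event_id": 4625, "user": "svc_backup", "src": "WS-14", "host": "DC01"},
    {"time": "2015-06-29T08:00:03", "event_id": 4625, "user": "svc_backup", "src": "WS-14", "host": "DC01"},
    {"time": "2015-06-29T08:00:05", "event_id": 4625, "user": "svc_backup", "src": "WS-14", "host": "DC01"},
    {"time": "2015-06-29T08:00:07", "event_id": 4625, "user": "svc_backup", "src": "WS-14", "host": "DC01"},
    {"time": "2015-06-29T08:00:09", "event_id": 4625, "user": "svc_backup", "src": "WS-14", "host": "DC01"},
    {"time": "2015-06-29T08:01:00", "event_id": 4624, "user": "Guest", "src": "WS-22", "host": "FS01"},
    {"time": "2015-06-29T08:02:00", "event_id": 4624, "user": "jdoe", "src": "WS-03", "host": "FS01"},
    {"time": "2015-06-29T08:02:30", "event_id": 4624, "user": "jdoe", "src": "WS-41", "host": "FS02"},
    {"time": "2015-06-29T08:03:00", "event_id": 4720, "user": "admin2", "src": "DC01", "host": "DC01", "actor": "jdoe"},
    {"time": "2015-06-29T08:03:05", "event_id": 4732, "user": "admin2", "src": "DC01", "host": "DC01",
     "group": "Administrators", "actor": "jdoe"},
    {"time": "2015-06-29T09:00:00", "event_id": 4624, "user": "jdoe", "src": "WS-03", "host": "FS01"},
]

# Assumed thresholds; a real deployment tunes these per environment.
FAILURE_THRESHOLD = 5                      # failures within FAILURE_WINDOW
FAILURE_WINDOW = timedelta(minutes=1)
DUPLICATE_LOGON_WINDOW = timedelta(minutes=5)
UNAPPROVED_ACCOUNTS = {"guest", "anonymous logon"}
PRIVILEGED_GROUPS = {"administrators", "domain admins"}


def correlate(events):
    """Return a list of (rule_name, account, detail) alerts in time order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent 4625 events
    logons = defaultdict(deque)     # user -> (timestamp, src) of recent 4624 events

    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        eid = ev["event_id"]

        if eid == 4625:  # logon failure: count per account inside a sliding window
            q = failures[user]
            q.append(t)
            while q and t - q[0] > FAILURE_WINDOW:
                q.popleft()
            if len(q) == FAILURE_THRESHOLD:  # fire exactly once when the threshold is hit
                alerts.append(("logon_failure_burst", user, ev["src"]))

        elif eid == 4624:  # successful logon
            if user.lower() in UNAPPROVED_ACCOUNTS:
                alerts.append(("unapproved_account_logon", user, ev["src"]))
            q = logons[user]
            while q and t - q[0][0] > DUPLICATE_LOGON_WINDOW:
                q.popleft()
            # Same account active from a different source machine within the window.
            if any(src != ev["src"] for _, src in q):
                alerts.append(("duplicate_logon", user, ev["src"]))
            q.append((t, ev["src"]))

        elif eid == 4720:  # user account created
            alerts.append(("account_created", user, ev.get("actor")))

        elif eid == 4732 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
            # member added to a security-enabled local group that we consider privileged
            alerts.append(("privileged_group_change", user, ev["group"]))

    return alerts


if __name__ == "__main__":
    for rule, account, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule:26} account={account:12} detail={detail}")
```

Each check fires only on events that were actually forwarded, which is the same constraint LEM works under: the failed-logon and group-change alerts above exist only because the sample data includes the 4625 and 4732 records, and a host with those audit subcategories disabled would produce nothing to correlate.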


Reports

 

With LEM Reports, you can run reports interactively, schedule reports to run unattended, and open, filter, and save filtered reports (including saving a filtered report as a new custom report). For auditing, you’ll generally want to schedule reports, and use Rules and the Console to do most of your day to day time-sensitive monitoring.


We've created a Category of reports that will show only the STIG reports. To see reports most related to STIGs:

  1. Go to Manage > Categories
  2. Check off DISA STIG on the left (you'll see a preview of the included reports on the right)
  3. Click OK
  4. In the Category dropdown on the top right, select "Industry Reports" to filter your view only to the selected Categories (i.e. STIG).

 

LEM-industry-reports.png

 

Within the STIG industry category, you'll see these general categories and types of reports:

 

  • Event Summary reports. These statistical reports help you spot anomalies more quickly, whether in the quantity or the type of alerts.
  • Incident, Inferred Alerts, and SolarWinds Actions. The Incident/Inferred reports are used to document events that you’ve chosen to escalate within the LEM correlation engine, and commonly used for reporting issues that need to be identified and tracked. The Actions report will document any responses you’ve taken, automatically or interactively.
  • Authentication master and/or associated detailed reports. These reports show all authentication-related events, including logon, logoff, logon failure, guest account access, and access to LEM itself. The Master report includes everything; if you choose to run the detailed reports instead, be sure to include User Log On AND Log On Failure along with Guest Login. You may also want to create customized versions of these reports that show only administrative accounts, so you can audit and monitor them separately.
  • Change Management reports. These reports break down change management events, with a lot of attention paid to specific Active Directory account/domain modifications. Almost everything here is relevant to the STIGs, including creation, deletion, enable, disable of accounts and groups. The Resource Configuration reports may be an all-encompassing alternative if you don’t want to see everything broken out individually.
  • File Audit Events master and/or detail reports. These reports will show file and object access, generally provided by Windows file auditing or host-based intrusion detection tools. If you choose not to run the master report (which is inclusive of all file access reported), you will definitely want to pay close attention to the File Audit, Delete, Move, Read, and Write reports. Since these reports can be quite large and file auditing quite noisy, you may also want to customize these reports to only monitor for access to specific sensitive or system files, accounts, or devices.
  • Machine Audit master and/or detail reports. These reports will show process and service tracking, along with software installation/updates, and system status information. If you choose not to run the master report, you’ll definitely want to run the software install/update, system status, USB-Defender, and File System Audit reports, and possibly the Service Audit reports.
  • Malicious Code master and/or detail reports. These reports show activity primarily from anti-virus and anti-malware software. Since this volume should be low, the master report is the simplest way to go.
  • Network Events master and/or detail reports. These reports will show security attack and scan-related activity. There are a lot of detailed reports, but you’ll especially want to run the Attack Behavior – Access, Attack Behavior – Denial/Relay, and Suspicious Behavior reports.
  • Network Traffic Audit master and/or detail reports. These reports will probably be your noisiest (next to Authentication), showing all firewall/router ACL traffic, proxy/web server traffic, and potentially other traffic depending on your sources. The Network Traffic Audit master report is going to be busy, so if you choose to run detail reports, consider also creating versions that audit for specific issues, such as unexpected ports or specific IP addresses.
  • Resource Configuration master and/or detail reports. These reports will overlap with the Change Management Reports in many cases, so if you schedule those, these may be redundant for your needs. Here, you’ll find policy and change management oriented data.

 

If anything changes regarding DISA STIGs, this post will be updated.