How to Use STIGviewer and Increase Security

Published:28 December 2022 - 7 min. read

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

Security Technical Implementation Guides (STIGs) provide a widely accepted set of steps to improve the security of assets in your organization. But on their own, STIGs can be pretty intractable to read and manage as a Security-Operations (SecOps) engineer. Worry not, though. STIG Viewer has got your back.

STIG Viewer is a human-friendly tool to create and manage checklists, mitigate open vulnerabilities and track security reviews of your technology assets.

Read on and learn how to make the most of STIGs with STIG Viewer!

Prerequisites

This tutorial will be a hands-on demonstration. To follow along, you will need the following:

Downloading the STIG Viewer

Understanding what is inside an XCCDF formatted STIG can be a pain as it is not the same as opening a simple .doc or .pdf file and reading it. But you can rest easy so long as you have the STIG Viewer.

To download the STIG Viewer:

1. Open your favorite web browser, and visit the DISA website.

2. Look for and click the appropriate version of STIG Viewer to download for your computer, depending on your operating system.

But for this tutorial, choose STIG Viewer 2.17-Win64, as 2.17 is the latest version at this time of writing. \

Downloading the STIG Viewer
Downloading the STIG Viewer

3. Once downloaded, extract the content of the .zip file.

Extracting the .zip file
Extracting the .zip file

4. Now, look for and double-click the STIG Viewer.exe file to launch the STIG Viewer tool. Launching the STIG Viewer tool Launching the STIG Viewer tool

Launching the STIG Viewer tool
Launching the STIG Viewer tool

If the executable file works, the STIG Viewer tool opens, as shown below.

Viewing STIG Viewer main window
Viewing STIG Viewer main window

Viewing STIG Contents in the STIG Viewer

With your STIG Viewer running, you are ready to start working with STIGs, like analyzing vulnerabilities. But first, you must import a STIG in your STIG Viewer.

To view the content of a STIG:

1. On your STIG Viewer, click the File menu and select Import STIG to initiate importing a STIG.

Initiating importing a STIG on STIG Viewer
Initiating importing a STIG on STIG Viewer

2. Next, look for and select the STIG you like to import. But for this tutorial, hold the CTRL key as you select the Windows 10 and RHEL STIGs to import both, and click Open.

You can import a STIG as a single XML file or zip bundle. The bundle contains other useful files for the implementation of a STIG.

Selecting STIGs to import
Selecting STIGs to import

3. Once imported, select a STIG from the STIG Explorer, as shown below. Doing so enables the adjacent checkbox and brings up a list of vulnerabilities in the vulnerability table (middle panel).

Vulnerabilities are also called Rules in the context of STIG Viewer.

Viewing the contents of a STIG
Viewing the contents of a STIG

The vulnerability table allows you to see the vulnerability a particular rule is meant to patch, the name of the rule, and its numerical identifier, as in the screenshot below.

Viewing the vulnerability table
Viewing the vulnerability table

4. Select an item in the vulnerability table (middle panel) to dig deeper into the rules that make up a STIG, which displays in the right panel.

Viewing vulnerability details
Viewing vulnerability details

5. Now, look closer into the details of the vulnerability, and you will find the following:

  • The severity and classification of a vulnerability.Various relevant identifiers.The rational and expected implementation of some of the guidelines.

Viewing the Contents of a STIG: Viewing the details of a vulnerability
Viewing the Contents of a STIG: Viewing the details of a vulnerability

Creating a Checklist from a STIG

Aside from the ability to view the rules in a STIG, the STIG Viewer also lets you curate a custom checklist. You can use this checklist to review the security posture of a machine or set of machines.

To create a checklist from a STIG, follow these steps:

1. Click the Checklist menu, and choose Create Checklist – Check Marked STIG(s) to create a checklist from the selected STIG in the STIG Explorer tab. This action selects all the rules in the STIG.

Creating a checklist from the select STIG
Creating a checklist from the select STIG

Once created, you will see a new tab called New Checklist, as shown below, with all the same vulnerabilities listed in the vulnerability table. But this time, a Status column is added.

Viewing the New Checklist tab
Viewing the New Checklist tab

2. Next, select a vulnerability from the vulnerability table, and select a different status (i.e., Not Applicable), as shown below.

Below, you can see the vulnerability turns grayed out after changing the status. This action marks a rule as Not Applicable to your environment.

Changing vulnerability status
Changing vulnerability status

3. After the status change, select a desired category from the Severity Override drop-down menu to change the severity of a rule. But for this tutorial, choose the CAT III severity category.

Adjusting vulnerability severity
Adjusting vulnerability severity

4. Now, input a rationale in the pop-up window, and click OK to apply the change. This note justifies the severity change of a rule.

Justifying a severity change
Justifying a severity change

At this point, you can see below there is one rule with Not Applicable status and 256 with Not Review status.

Viewing overall total changes in the checklist
Viewing overall total changes in the checklist

Cherry-picking a Checklist with the Filter Panel

Building and working with a checklist via a series of filters is often faster than individually reviewing not-applicable rules. Perhaps you prefer to create a checklist housing only Category I rules. If so, applying filters will do the trick.

To create a filtered checklist, follow these steps:

1. Click on the Filter Panel toggle list at the bottom of the New Checklist tab to expand the panel and expose more filtering options.

Expanding the Filter Panel
Expanding the Filter Panel

2. Next, configure the filter as follows:

  • Click the drop-down field, and choose CAT I as the filter to only select rules with severity equal to CAT I.

  • Ensure the filter type is set to Inclusive(+) Filter to add matching rules to the resulting checklist

  • Click Add to add the selected filter to the filters already applied when you created the checklist.

Creating a CAT I filter
Creating a CAT I filter

Once the filter is created, you will notice the number of rules in the checklist automatically reduce, as shown below.

Viewing the filter effect
Viewing the filter effect

3. Lastly, click the File menu, and select Save Checklist to save the work you have done so far as a checklist file on disk, as shown below.

With this checklist file, you do not have to recreate the checklist when you need it in the future.

Saving a checklist
Saving a checklist

Saved checklist files have the .ckl extension, as shown below.

Verifying the saved checklist file
Verifying the saved checklist file

Performing an Asset Review from a Loaded Checklist

Checklists allow you to review and document the state of an asset against a set of rules. In this example, you will confirm the state of a finding on an asset and update the checklist accordingly.

1. Close and re-open the STIG Viewer first to ensure you do not have any active checklist.

2. Next, click the Checklist menu, and select Open Checklist from File to look for a checklist you like to use.

Opening a checklist file
Opening a checklist file

3. Locate and select the checklist you just created, and click Open.

Selecting a checklist file to open
Selecting a checklist file to open

Once opened, the checklist file loads in a new tab in STIG Viewer, as shown below.

Viewing the loaded checklist file
Viewing the loaded checklist file

4. Now, expand the Target Data panel, and populate the relevant fields, or click Get Host Data to automatically populate the fields if the machine under review is the local machine.

Once populated, you are now ready to progressively review the individual findings in the Vulnerability table.

Reviewing an Asset: Adding asset data
Reviewing an Asset: Adding asset data

5. Select a rule from the Vulnerability table, as shown below, and carry out the Check Text section steps to verify the rule’s status on the machine.

These steps let you check if an antivirus solution (Windows Defender) is running on the machine as a service.

Selecting a rule to check
Selecting a rule to check

The results should either be a list as in the screenshot below, confirming the finding is mitigated on your machine or empty, in which case you may be non-compliant.

Checking the status of a rule
Checking the status of a rule

6. Finally, right-click on the rule to set the status to match the assessment result. For this tutorial, set the status to Not a Finding since an antivirus solution is installed.

Congratulations! You have successfully reviewed and changed the state of an asset from the STIG Viewer checklist.

Clearing Local Data Cache for a Clean Slate

STIG Viewer maintains a local cache for the currently loaded STIGs to help you return to the same STIGs when you re-open the program. But you may want to clear the cache so you can start work on a separate set of STIGs or keep the list of loaded STIGs short and manageable.

1. Select STIG Explorer to leave the checklist editing workspace.

Exiting the checklist tab
Exiting the checklist tab

2. Next, click the Options menu, and select Delete Local Data Cache to delete the local data cache. Deleting the local data cache Deleting the local data cache

Deleting the local data cache
Deleting the local data cache

3. When prompted, click OK to confirm the deletion.

Confirming cache deletion
Confirming cache deletion

Personalizing STIG Viewer via the Preferences Tab

Besides the functionalities, STIG Viewer lets you change the interface’s look to add a personal feel as you work on STIGS.

1. Click the Options menu and select Preferences to access STIG Viewer’s preferences.

Accessing STIG Viewer’s preferences
Accessing STIG Viewer’s preferences

2. In the Preferences window, click the Font drop-down menu and select one that suits your taste under the General tab. You can also change other visual elements, such as the Font Size and the overall Visual Style.

Changing the general UI settings
Changing the general UI settings

3. Navigate to the Checklist tab, and modify preferences related to the presentation of checklists on your screen. Select the corresponding drop-down field, like for the Not A Finding status and change the color, and close the Preferences window.

By all means, go nuts, and make the STIG Viewer UI your own.

Changing the color for a status
Changing the color for a status

4. Finally, navigate your checklist tab, and select the CAT I filter tab.

Notice the rule’s text with the Not a Finding (NF) status in the table shares the same color as the one in the pie graph, as shown below.

Viewing the effects of a color change
Viewing the effects of a color change

Conclusion

Increasing security when an opportunity comes is always a good thing. And in this tutorial, you have learned to maximize the value of STIG Viewer to improve the security posture of your assets.

As cool as STIG Viewer may be, manual work can sometimes be tedious. Why not get familiar with a handy Security Content Automation Protocol(SCAP)? Start automating tasks with OpenSCAP!

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!