Configuration Baselines and Assessment Tools

​TOOL

​DESCRIPTION

NSA​

​STIG

​USGCB

​CIS

​IAVM

​Windows 7

​Windows Server 2008/2008R2

​RHEL

​CentOS

​Fedora Linux

​OpenSuSE

​Debian

​Ubuntu

​Apple OS X

​ACAS (Nessus)

​

​

​x

​

​

​x

​x

x​ ​

​x

​

​

​

​

​

​

OpenSCAP

​​​

​

​

​

​

​

​

​

​x

​x

​

​

​

​

​

​SCAP Compliance Checker (SCC)

​The Security Content Automation Protocol (SCAP) Compliance Checker (SCC) is a SCAP 1.0 Validated Scanner, with support for SCAP versions 1.1 and 1.2, and an Open Vulnerability Assessment Language (OVAL) adopter, capable of performing compliance verification using SCAP content, and authenticated vulnerability scanning using OVAL content.

​

​x

​

​

​

​x

​x

​x

​

​

​

​

​

​

STONIX​

https://github.com/CSD-Public/stonix

​x

​x

​x

​x

​

​

​x

​v6, v7

​v7

​v20, v21

​12.2

​(stable)

​14.04

​v10.9, v10.10

​OpenVAS

​Open source vulnerability scanner and manager that was forked from Nessus in 2005. Able to detect more than 35,000 vulnerabilities.

​

​

​

​

​

​

​

​

​

​

​

​

​

​

Configuration Baselines:

• Army Golden Master (AGM). See AGM Site on AKO.
• NSA
• DISA IASE Security Technical Implementation Guides (STIG), Security Requirements Guides (SRG)
• DoD Secure Host Baseline Repository. ​​​
• USGCB
• Center for Internet Security (CIS) Benchmarks
• CIS Hardened Images​
• PCI DSS
• NERC CIP​
• HIPAA

Checklists and Assessment Tools

GSA and OMB required NIST validation of configuration and vulnerability scanners. The list of NIST validated configuration and vulnerability scanners is here:  ​​https://nvd.nist.gov/SCAP-Validated-Tools.

• Army Information Assurance (IA) Self-Assessment Tool​
• SANS
• Center for Intenet Security (CIS) Controls V7. Many experts have suggested that successfully implementing even the first five or six Controls will mitigate 85% or more of cybersecurity incidents​. Adopting all 20 controls will prevent upwards of 97 percent of attacks.​
• CIS-CAT Lite
• CIS Controls Self-Assessment Tool (CIS CSAT).

Source Code Inspection:

• GitLab Static Application Security Testing (SAST)
• ​HP Fortify
• Coverity Scan
• Checkmarx
• Rogue Wave

Web Application:

• http://www.arachni-scanner.com/
• Zed Attack Proxy (ZED)
• HP WebInspect (now Micro Focus)

Forensics:

• Backtrack
• ​Dshell​. An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures. ​

Reports:

• ​Verizon Data Breach Investigations Report​
  ​