Policy Compliance Library Updates, September 2020

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

The September release includes support for 7 new technologies, 1 CIS Benchmark policy, 2 new vendor policies, 2 new Industry and Best Practice policies, and provides updates to several existing policies in the Qualys Content Library.

Qualys’ Certification Page at CIS has been updated.

New Technologies

• Apache Cassandra 3.x
• ArubaOS 8.x
• Arista 4.x
• Cisco SD-WAN
• Windows 2012 Server Certification Authority
• Windows 2016 Server Certification Authority
• Windows 2008 Server Certification Authority

New CIS Benchmark Policy

CIS Benchmarks are developed through consensus, providing an industry recognized collection of best practice controls. Qualys is committed to providing broad coverage of the CIS Benchmarks with regular releases of CIS certified policies in Policy Compliance and by contributing to the development of new benchmarks through the CIS Community.

This release contains the following new CIS Benchmark policy:

• CIS Benchmark for Windows 10 Release 2004, v1.9.0

New Vendor Policies

• Microsoft Security Baseline for Windows 10 Release 2004
• Microsoft Security Baseline for Windows 10 Release 1909

New Mandate Policy

• National Cyber Security Center (NCSC) Secure configuration for Windows 10 (Release 1809)

New Industry and Best Practice Policies

• Qualys Security Configuration and Compliance policy for Viptela vEdge 18.4.0.1
• Qualys Security Configuration and Compliance policy for Amazon Linux 2018

Deprecated Policies

The following policies are deprecated in the September 2020 package:

• DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 6, V1R24
• DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V2R6
• DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 6, V1R17
• DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 7, V1R1
• DISA Security Technical Implementation Guide (STIG) for Ubuntu 16, V1R3
• DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 12.x, V1R5
• DISA Security Technical Implementation Guide (STIG) for Windows 7, V1R29
• DISA Security Technical Implementation Guide (STIG) for Windows 8.1, V1R20
• DISA Security Technical Implementation Guide (STIG) for Windows 10, V1R21
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2008 non-R2 DC, V6R45
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2008 non-R2 MS, V6R44
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2008 R2 DC, V1R32
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2008 R2 MS, V1R31
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 (non-R2) DC, V2R19
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 (non-R2) MS, V2R17
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 R2 DC, V2R19
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 R2 MS, V2R17
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2016 DC, V1R10
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2016 MS, V1R10
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2019 DC, V1R3
• DISA Security Technical Implementation Guide (STIG) for Windows Server 2019 MS, V1R3
• DISA Security Technical Implementation Guide (STIG) for Internet Explorer 11, V1R18
• DISA Security Technical Implementation Guide (STIG) for Google Chrome, V1R18
• DISA Security Technical Implementation Guide (STIG) for Mozilla FireFox, V4R28
• DISA Security Technical Implementation Guide (STIG) for Oracle Database 11.2g, V1R17
• DISA Security Technical Implementation Guide (STIG) for Oracle Database 12c, V1R16
• DISA Security Technical Implementation Guide (STIG) for Microsoft SQL Server 2014 Instance, V1R9
• DISA Security Technical Implementation Guide (STIG) for Microsoft SQL Server 2016 Database, V1R5
• DISA Security Technical Implementation Guide (STIG) for Microsoft SQL Server 2016 Instance, V1R8
• CIS Benchmark for Docker Benchmark, v1.2.0 [Scored, Level 1 – Docker – Linux, Level 2 – Docker – Linux, Level 1 – Linux Host OS and Level 2 – Linux Host OS]

Updated Library Policies

• Policy update to add Not Scored checks in the CIS Docker policy:
  • CIS Benchmark for Docker Benchmark, v1.2.0
• Policy re-release to add support for Palo Alto Networks PAN-OS 9.x:
  • DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks ALG, V1R5
  • DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks NDM, V1R4
  • DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks IDPS, V1R4
• Policy refresh to add support for new DISA STIG standard release:
  • DISA Security Technical Implementation Guide (STIG) for RHEL 7 Version 2 Release 8
  • DISA Security Technical Implementation Guide (STIG) for RHEL 6 Version 1 Release 26
  • DISA Security Technical Implementation Guide (STIG) for Windows 7 Version 1 Release 32
  • DISA Security Technical Implementation Guide (STIG) for Windows 8.1 Version 1 Release 23
  • DISA Security Technical Implementation Guide (STIG) for Windows 10 Version 1 Release 23
  • DISA Security Technical Implementation Guide (STIG) for Windows 2008 R2 DC Version 1 Release 34
  • DISA Security Technical Implementation Guide (STIG) for Windows 2008 R2 MS Version 1 Release 33
  • DISA Security Technical Implementation Guide (STIG) for Windows 2008 non-R2 DC Version 6 Release 47
  • DISA Security Technical Implementation Guide (STIG) for Windows 2008 non-R2 MS Version 6 Release 46
  • DISA Security Technical Implementation Guide (STIG) for Windows 2012 R2 and non-R2 DC Version 2 Release 21
  • DISA Security Technical Implementation Guide (STIG) for Windows 2012 R2 and non-R2 MS Version 2 Release 19
  • DISA Security Technical Implementation Guide (STIG) for Windows 2016 Version 1 Release 12
  • DISA Security Technical Implementation Guide (STIG) for Windows 2019 Version 1 Release 5
  • DISA Security Technical Implementation Guide (STIG) for MSSQL 2014 Instance Version 1 Release 10
  • DISA Security Technical Implementation Guide (STIG) for MSSQL 2016 Database Version 1 Release 6 and Instance Version 1 Release 10
  • DISA Security Technical Implementation Guide (STIG) for Oracle 11.2g Version 1 Release 19
  • DISA Security Technical Implementation Guide (STIG) for Oracle 12c Version 1 Release 18
  • DISA Security Technical Implementation Guide (STIG) for Internet Explorer 11 Version 1 Release 19
  • DISA Security Technical Implementation Guide (STIG) for Google Chrome Version 1 Release 19
  • DISA Security Technical Implementation Guide (STIG) for Mozilla Firefox Version 4 Release 29
  • DISA Security Technical Implementation Guide (STIG) for Ubuntu 16.x Version 1 Release 5
  • DISA Security Technical Implementation Guide (STIG) for OEL 6 Version 1 Release 19
  • DISA Security Technical Implementation Guide (STIG) for OEL 7 Version 1 Release 2
  • DISA Security Technical Implementation Guide (STIG) for SuSE 12 Version 1 Release 6
• Policy re-release for regex changes (CID 8748):
  • CIS Benchmark for Sybase ASE 15.0, v1.1.0
• Policy update for multiple control configuration changes:
  (Removed controls: 10503, 3170, 13172, 13198
  Newly added controls: 1091, 15037, 16809, 18218, 18292, 9976, 9977)
  • Qualys Security Configuration and Compliance Policy for FireEye CMS 7.x (OCA)
  • Qualys Security Configuration and Compliance Policy for FireEye CMS 8.x (OCA)
• Policy update for control configuration changes (CID 5058 and 5157):
  • CIS Benchmark for IBM AIX 7.1, v1.1.0
• Policy update for control configuration changes (CID 8777 and 8779):
  • CIS Benchmark for Oracle Solaris 11.4, v1.0.0
• Policy update for control configuration changes (CID 11916)
  • CIS Benchmark for Palo Alto Firewall 7, v1.0.0
  • CIS Benchmark for Palo Alto Firewall 8, v1.0.0
  • CIS Benchmark for Palo Alto Firewall 9, v1.0.0
• Policy update for control configuration changes (CID 14737)
  • CIS Benchmark for Oracle Database 12c on Linux, V3.0.0
  • CIS Benchmark for Oracle Database 12c on Windows, V3.0.0

Coming Next Month

The following policies and updates are currently planned for release to the policy library next month:

New Coverage:

• CIS Benchmark for Kubernetes v1.5.1
• CIS Benchmark for Ubuntu 20 v1.0.0
• DISA Security Technical Implementation Guide (STIG) for F5 BIG IP 11
• Qualys Security Configuration and Compliance Policy for F5 BIG-IP 12.x, 13.x and 14.x
• Qualys Security Configuration and Compliance Policy for Arista Network Devices
• Qualys Security Configuration and Compliance Policy for ArubaOS 8.x
• Qualys Security Configuration and Compliance Policy for IBM z/OS Security Server RACF 2.x
• Qualys Security Configuration and Compliance Policy for Riverbed SteelHead Interceptor 7.x
• Qualys Security Configuration and Compliance Policy for Microsoft Exchange 2019

Policy Updates:

• CIS Benchmark for Amazon Linux v2.1.0
• DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE RTR Version 1 Release 4
• Qualys Security Configuration and Compliance Policy for ArubaOS 6.x
• Qualys Security Configuration and Compliance Policy for Riverbed SteelHead RiOS 9.x

If you have any questions, please contact your TAM or Technical Support. See all library updates.