Policy Compliance Library Updates, August 2021

Pronamika Abraham

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from OS and application vendors and other industry best practices.

The August release includes 5 CIS Benchmark policies, 1 new mandate-based policy, 1 new vendor policy, 14 DISA STIG policies, and provides updates to several existing policies in the Qualys Content Library.

Qualys’ Certification Page at CIS has been updated.

New CIS Benchmark Policies

CIS Benchmarks are developed through consensus, providing an industry recognized collection of best practice controls. Qualys is committed to providing broad coverage of the CIS Benchmarks with regular releases of CIS certified policies in Policy Compliance and by contributing to the development of new benchmarks through the CIS Community.

This release contains the following new CIS Benchmark policies:

  • CIS Benchmark for Kubernetes V1.20
  • CIS Benchmark for MySQL Enterprise Edition 8.0 v1.1.0
  • CIS Benchmark for Oracle Linux 7 v3.1.1
  • CIS Benchmark for Ubuntu Linux 16.04 LTS v2.0.0
  • CIS Benchmark for VMware ESXi 7.0 v1.1.0

New Mandate-based Policy

  • Cybersecurity Maturity Model Certification (CMMC) v1.0 for Containers

New Vendor Policy

  • Microsoft Security baseline for Windows 10, version 21H1

New DISA STIG Policies

  • DISA Security Technical Implementation Guide (STIG) for Active Directory Domain – Ver 2, Rel 13
  • DISA Security Technical Implementation Guide (STIG) for Active Directory Forest – Ver 2, Rel 8
  • DISA Security Technical Implementation Guide (STIG) for Cisco NX-OS Switch L2S – Ver 1, Rel 1
  • DISA Security Technical Implementation Guide (STIG) for Cisco NX-OS Switch NDM – Ver 2, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Cisco NX-OS Switch RTR – Ver 2, Rel 1
  • DISA Security Technical Implementation Guide (STIG) for Kubernetes – Ver 1, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows 10 – Ver 2, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows 2012 and 2012 R2 DC – Ver 3, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows 2012 and 2012 R2 MS – Ver 3, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Exchange 2016 Edge Transport Server – Ver 2, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Exchange 2016 Mailbox Server – Ver 2, Rel 4
  • DISA Security Technical Implementation Guide (STIG) for Oracle WebLogic Server 12c – Ver 2, Rel 1
  • DISA Security Technical Implementation Guide (STIG) for Solaris 11 SPARC – Ver 2, Rel 4
  • DISA Security Technical Implementation Guide (STIG) for Solaris 11 X86 – Ver 2, Rel 4

Deprecated Policies

The following policies are deprecated in the August 2021 package:

Databases:

  • Security Configuration and Compliance Policy for MySQL 8

Linux:

  • CIS Benchmark for Ubuntu Linux 16.04 LTS, v1.1.0 [Scored, Level 1]
  • CIS Benchmark for Ubuntu Linux 16.04 LTS, v1.1.0 [Scored, Level 2]
  • CIS Benchmark for Ubuntu Linux 16.04 LTS, v1.1.0 [Scored, Level 1 and Level 2]
  • CIS Benchmark for Oracle Linux 7, v3.0.0 [Automated and Manual, Level 1]
  • CIS Benchmark for Oracle Linux 7, v3.0.0 [Automated and Manual, Level 2]
  • CIS Benchmark for Oracle Linux 7, v3.0.0 [Automated and Manual, Level 1 and Level 2]

Windows:

  • DISA Security Technical Implementation Guide (STIG) for Windows 10, V2R1
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 (non-R2) DC, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 (non-R2) MS, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 R2 DC, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2012 R2 MS, V3R1

Applications:

  • DISA Security Technical Implementation Guide (STIG) for Oracle WebLogic Server 12c, V1R6
  • CIS Benchmark for VMware ESXi 7.0, V1.0.0 [Automated and Manual, Level 1]
  • CIS Benchmark for VMware ESXi 7.0, V1.0.0 [Automated and Manual, Level 1 and Level 2]

Updated Library Policies

The following policies have been updated in this month’s package:

  • Policy update to correct the key value option from ‘Does not contain’ to ‘Contains’ for CID 9380:
    • CIS Benchmark for SUSE Linux Enterprise 15 v1.0.0
  • Policy update for change in the regex for CID 17284:
    • CIS Benchmark for Ubuntu Linux 18.04 LXD Container, v1.0.0
    • CIS Benchmark for Ubuntu Linux 18.04 LXD Host, v1.0.0
    • CIS Benchmark for Ubuntu Linux 18.04 LTS, v2.1.0
    • CIS Benchmark for Ubuntu Linux 20.04 LTS, v1.1.0
    • CIS Benchmark for Debian Family Linux, v1.0.0
    • CIS Benchmark for Debian Linux 10, v1.0.0
  • Policy update for change in the regex for CID 15037:
    • Security Configuration and Compliance Policy for Comware 5 (OCA)
    • Security Configuration and Compliance Policy for Comware 7 (OCA)
  • Policy re-release for changes in cover page and description:
    • Qualys Security Configuration and Compliance Policy for IBM z/OS Security Server RACF 2.x
  • Policies updated to change the ‘Setting not found’ values as per the default values for /etc/ssh/sshd_config parameters:
    • CIS Benchmark for CentOS Linux 6, v3.0.0
    • CIS Benchmark for CentOS Linux 7, v3.1.1
    • CIS Benchmark for CentOS Linux 8, v1.0.0
    • CIS Benchmark for Oracle Linux 6, v2.0.0
    • CIS Benchmark for Oracle Linux 8, v1.0.0
    • CIS Benchmark for Red Hat Enterprise Linux 6, v3.0.0
    • CIS Benchmark for Red Hat Enterprise Linux 7, v3.1.1
    • CIS Benchmark for Red Hat Enterprise Linux 8, v1.0.1
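The last item above, treating a parameter that is absent from /etc/ssh/sshd_config as having its OpenSSH default rather than reporting ‘Setting not found’, is a general point about configuration compliance checks: sshd only applies what is written, so a missing directive is in force at its documented default, and a check that stops at "not found" misjudges the host. The script below is an added example, not Qualys’ policy engine or its CID logic. It parses a constructed sshd_config sample, applies a small table of OpenSSH defaults taken from sshd_config(5) for OpenSSH 7.x and later (an assumption; older releases differ), and compares a default-aware evaluation with a naive one that only looks at explicit settings.

```python
"""Default-aware evaluation of sshd_config directives.

Added example (not Qualys code): a compliance check should fall back to the
OpenSSH default when a directive is absent from /etc/ssh/sshd_config instead
of reporting "Setting not found".
"""
import re

# Assumed OpenSSH server defaults per sshd_config(5), OpenSSH 7.x and later.
# The table is deliberately partial: a directive not listed here still falls
# through to "setting not found", which is the behaviour a real check must avoid
# by extending the table.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "x11forwarding": "no",
    "loglevel": "INFO",
    "permitemptypasswords": "no",
}

# Constructed sample file, not a real host's configuration.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
MaxAuthTries 4
#PermitRootLogin yes
X11Forwarding yes
Match User backup
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return the effective global directives as {lowercased keyword: value}.

    Mirrors sshd(8) semantics that matter for compliance: keywords are
    case-insensitive, the first occurrence of a keyword wins, lines starting
    with '#' are comments, and everything after the first 'Match' block is
    conditional rather than global, so it is not collected here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def effective_value(settings, directive, use_defaults=True):
    """Value in force for a directive and where it came from."""
    key = directive.lower()
    if key in settings:
        return settings[key], "explicit"
    if use_defaults and key in SSHD_DEFAULTS:
        return SSHD_DEFAULTS[key], "default"
    return None, "setting not found"


def evaluate(settings, expected, use_defaults=True):
    """Evaluate each expected directive; returns {directive: (status, value, source)}."""
    results = {}
    for directive, check in expected.items():
        value, source = effective_value(settings, directive, use_defaults)
        if value is None:
            status = "UNKNOWN"
        else:
            status = "PASS" if check(value) else "FAIL"
        results[directive] = (status, value, source)
    return results


# Constructed expectations in the spirit of a hardening benchmark (not CIS text).
EXPECTED = {
    "PermitRootLogin": lambda v: v.lower() in ("no", "prohibit-password", "without-password"),
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 4,
    "X11Forwarding": lambda v: v.lower() == "no",
    "PermitEmptyPasswords": lambda v: v.lower() == "no",
    # Ciphers has a version-dependent default list, so it is not in the table
    # above and shows the "setting not found" fall-through.
    "Ciphers": lambda v: "cbc" not in v.lower(),
}


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for mode in (True, False):
        print("default-aware" if mode else "naive (explicit settings only)")
        for directive, (status, value, source) in evaluate(cfg, EXPECTED, mode).items():
            print(f"  {directive:22} {status:8} {value!s:20} ({source})")
```

In the sample, PermitRootLogin is only present as a commented-out line, so the naive pass reports it as unknown while the default-aware pass correctly scores it as passing at prohibit-password; X11Forwarding fails on the explicit global value regardless of the Match block, which only applies to one user.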

Coming Next Month

The following policies and updates are currently planned for release to the policy library next month:

New Coverage:

  • CIS Benchmark for Cisco IOS 12 v4.0.0
  • CIS Benchmark for Docker v1.3.1
  • CIS Benchmark for CentOS Linux 8, v1.0.1
  • CIS Benchmark for Oracle Linux 8, v1.0.1
  • CIS Benchmark for Microsoft Windows 10 Enterprise Release 21H1 v1.11.0
  • Cyber Essentials Mandate Policy for Network devices
  • CMMC policy for Network Devices
  • CMMC policy for databases
  • CRI Cyber Profile for Databases
  • Cyber Essentials Mandate Policy for Databases
  • DISA Security Technical Implementation Guide (STIG) for A10 NDM – Ver 1, Rel 1
  • DISA Security Technical Implementation Guide (STIG) for A10 ALG – Ver 2, Rel 1
  • DISA Security Technical Implementation Guide (STIG) for Apple OS X 10.14 – Ver 2, Rel 4
  • DISA Security Technical Implementation Guide (STIG) for Apple OS X 10.15 – Ver 1, Rel 5
  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 11 (Big Sur) – Ver 1, Rel 3
  • DISA Security Technical Implementation Guide (STIG) for Canonical Ubuntu 18.04 LTS – Ver 2, Rel 4
  • DISA Security Technical Implementation Guide (STIG) for IBM AIX 7.x STIG – Ver 2, Rel 3
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2016 – Ver 2, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019 – Ver 2, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Oracle Linux 6 – Ver 2, Rel 4
  • DISA Security Technical Implementation Guide (STIG) for Oracle Linux 7 – Ver 2, Rel 4
  • DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 – Ver 3, Rel 4
  • DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8 – Ver 1, Rel 3
  • DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise Server (SLES) 12 – Ver 2, Rel 4
  • Qualys Security Configuration and Compliance Policy for NetApp ONTAP 9.x

If you have any questions, please contact your TAM or Technical Support. See all library updates.
