Policy Compliance Library Updates, April 2024
Qualys’ library of built-in policies makes it easy to comply with the most widely used security standards and regulations. Qualys provides a wide range of policies, including many that are CIS-certified, security guidelines from OS and application vendors, and other industry best practices.
Qualys’ Certification Page at CIS has been updated.
CIS Benchmark Policies
Center for Internet Security (CIS) Benchmark policies are technical guidelines for organizations to improve their cybersecurity posture by aligning with recommended secure configurations. This reduces the risk of cyberattacks like data breaches by leveraging industry best practices.
DISA STIG Policies
STIG stands for Security Technical Implementation Guide, a set of cybersecurity configuration guidelines published by the Defense Information Systems Agency (DISA). STIGs equip organizations with the tools needed to adhere to rules, regulations, best practices, and federal laws, facilitating compliance and bolstering cybersecurity measures.
Qualys Policies
Qualys oversees the discovery and resolution of technical issues while implementing robust policy frameworks. Researchers within Qualys actively identify cybersecurity misconfigurations and enact technical policies to fortify systems and safeguard against potential threats.
Safeguard Computer Security Evaluation Matrix (SCSEM)
An SCSEM typically comprises a structured set of criteria, guidelines, and metrics designed to measure various aspects of security, such as confidentiality, integrity, availability, and compliance.
Compliance Standards
Compliance standards are regulatory frameworks safeguarding sensitive data and ensuring privacy and security. They offer guidelines and best practices for organizations to achieve compliance and mitigate risks in handling sensitive information.
New Policies/Mandates
Listed below are the number of policies and mandates deployed in April 2024:
| Policy Type | Count |
| --- | --- |
| CIS Benchmark Policies | 15 |
| DISA STIG Policy | 8 |
| Industry Best Practices Policy | 1 |
Listed below are the newly published policies and mandates:
CIS Benchmark Policies:
- CIS Benchmark for Google Container-Optimized OS, v1.1.0
- CIS Debian Linux 11 STIG Benchmark v1.0.0
- CIS Benchmark for IBM i V7R4M0, v1.0.0
- CIS Benchmark for IBM DB2 11.x, v1.1.0
- CIS Benchmark for Microsoft Windows Server 2012 non-R2, v3.0.0
- CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
- CIS Benchmark for ISC BIND DNS Server 9.9, v3.0.1
- CIS Benchmark for Oracle Linux 7, v4.0.0
- CIS Benchmark for CentOS Linux 7, v4.0.0
- CIS Benchmark for Amazon Linux 2, v3.0.0
- CIS Benchmark for Microsoft Windows 11 Enterprise, v3.0.0
- CIS Microsoft Intune for Windows 11 Benchmark, v3.0.1
- CIS Microsoft Intune for Windows 10 Benchmark, v3.0.1
- CIS Benchmark for Google Chrome, v3.0.0
- CIS IBM AIX 7.2 Benchmark, v1.0.0

DISA STIG Policies:
- DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 8.0, V1R1
- DISA Security Technical Implementation Guide (STIG) for VMware vSphere 8.0 Virtual Machine, V1R1
- DISA Security Technical Implementation Guide (STIG) for Oracle MySQL 8.0, V1R5
- DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks ALG, V2R4
- DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Server for UNIX, V2R6
- CIS Benchmark for Microsoft Windows Server 2012 R2, v3.0.0
- DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Defender Firewall with Advanced Security, V2R2
- DISA Security Technical Implementation Guide (STIG) for Active Directory Domain, V3R3

Industry and Best Practices Policies:
- CISA Top Ten Cybersecurity Misconfigurations for Windows
Deprecated Policies
Listed below are deprecated policies from your Policy Library:
Network Devices:
- DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks ALG, V2R3

Database:
- CIS Benchmark for IBM DB2 11.x, v1.0.0
- DISA Security Technical Implementation Guide (STIG) for Oracle MySQL 8.0, V1R3

Operating System:
- CIS Apple macOS 12.0 Monterey Benchmark v2.0.0
- CIS Benchmark for Amazon Linux 2, v2.0.0
- CIS Benchmark for CentOS Linux 7, v3.1.2
- CIS Benchmark for Microsoft Windows 11 Enterprise, v2.0.0
- CIS Benchmark for Microsoft Windows Server 2012 non-R2, v2.4.0
- CIS Benchmark for Oracle Linux 7, v3.1.1
- CIS Microsoft Intune for Windows 10 Benchmark, v2.0.0
- CIS Microsoft Intune for Windows 11 Benchmark, v2.0.0

Application:
- CIS Benchmark for Google Chrome, v2.1.0
- DISA Security Technical Implementation Guide (STIG) for Active Directory Domain, V3R2
- DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Server for UNIX, V2R5
- DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Firewall with Advanced Security, V2R1
Policy Updates
We have updated your Policy Library. The following policies and mandates have been re-released as part of our customer CRM.
| Policy | Update |
| --- | --- |
| DISA SUSE Linux Enterprise Server 12 STIG – Ver 2, Rel 13 | Policy re-release to add controls 26677 and 1234. |
| CIS Benchmark for Oracle Linux 9, v1.0.0 | Policy re-release to add CID 1091 and remove CID 10733. |
| CIS Benchmark for Amazon Linux 2023, v1.0.0 | Policy re-release for CIS Benchmark for Amazon Linux 2023, v1.0.0. |
| CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 | Policy re-release for multiple CID changes; the affected controls are listed below. |
| CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0 [Automated and Manual, Level 1 and Level 2] | Policy re-release for CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0. |
| DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router NDM, V2R7 | Policy re-release for DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router NDM, V2R7. |
| DISA Security Technical Implementation Guide (STIG) for IIS 10 Server, V2R8 | Policy re-release for DISA Security Technical Implementation Guide (STIG) for IIS 10 Server, V2R8. |
| DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V3R14 | Policy re-release for DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V3R14. |
| CIS Benchmark for Apache HTTP Server 2.4, v2.1.0 | Policy re-release for CIS Benchmark for Apache HTTP Server 2.4, v2.1.0. |

Affected controls in the CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 re-release:
- 1616: Status of the ‘Grace period set to lock accounts after password expiration’ setting
- 7412: Status of the ‘periodically scheduled (crontab)’ aide check
- 9699: Status of the Datagram Congestion Control Protocol (DCCP)
- 9700: Status of FileVault disabled users
- 9701: Status of the Transparent Inter-Process Communication (TIPC) protocol
- 10673: Status of the ‘permission’ set for all logfiles in the ‘/var/log’ directory
- 9705: Status of the cramfs Filesystems (modprobe)
- 18164: Status of the “NOPASSWD!authenticate” kernel module setting from all files inside the sudoers.d dir
- 9710: Status of the squashfs Filesystems (modprobe)
- 11415: Status of the NOPASSWD and !authenticate options in the file ‘/etc/sudoers’
- 12878: List of runtime audit rules for the ‘/var/run/faillock/’ directory, using auditctl
- 13244: Status of the ‘/var’ partition using the mount command
- 19619: Ensure the audispd-plugins package is installed
- 16065: Status of Ownership and Permission of the audit log file
- 21409: Status of the setting XDCMP is not enabled in the /etc/gdm3/custom.conf file
- 24928: Status of the Existence of the ‘dbs_oracle.sql’ file
- 19659: regex chaining to active
Proposed Upcoming Policies
We plan to release the following policies and updates next month:
- Qualys S&C Policy for Azure Database for PostgreSQL
- CIS Openshift Container Platform v1.5.0
- CIS Apache Tomcat 10 Benchmark v1.1.0
- CIS Apple macOS 11.0 Big Sur v4.0.0
- CIS Azure Kubernetes Service (AKS) Benchmark v1.4.0
- DISA Apple macOS 13 (Ventura) STIG – Ver 1, Rel 3
- PCI-DSS (Payment Card Industry Data Security Standard) Ver 4.0 Policy for Linux
- CIS MongoDB 7 Benchmark v1.0.0
- Add Safari 17 support to CIS Safari benchmark
- CIS Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) benchmark v1.4.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.5.0
- CIS Azure Kubernetes Service (AKS) v1.4.0
- CIS Oracle Solaris 11.4 Benchmark v1.1.0
- PCI-DSS (Payment Card Industry Data Security Standard) Ver 4.0 Policy for Database
- PCI-DSS (Payment Card Industry Data Security Standard) Ver 4.0 Policy for Network
- DISA Canonical Ubuntu 20.04 LTS STIG – Ver 1, Rel 11
- DISA VMware vSphere 8.0 STIG vcenter_V1R1
- CIS Microsoft Windows 10 Enterprise Benchmark v3.0.0
- CIS Microsoft Windows Server 2022 Benchmark v3.0.0
- CIS PostgreSQL 14 Benchmark v1.2.0
- Qualys S&C Policy for Aruba EdgeConnect OS 9.x
- CIS Kubernetes Benchmark v1.9.0
- CIS VMware ESXi 7.0 Benchmark v1.4.0
- CIS VMware ESXi 8.0 Benchmark v1.1.0
- Active Directory Misconfiguration Risk Assessment
- DISA Security Technical Implementation Guide (STIG) for Microsoft Windows 11, V1R5
- DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2016 MS, V2R7
- DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2016 DC, V2R7
- CIS Microsoft SQL Server 2022 Benchmark v1.1.0
- CIS Cisco IOS XE 17.x Benchmark v2.1.0
- CIS Cisco IOS XE 16.x Benchmark v2.1.0
- NERC-CIP for Linux
- Qualys S&C Policy for Kali GNU/Linux 2023.x & 2024.x
Learn More
Discover how the Qualys Enterprise TruRisk Platform can help you reduce cyber risk and improve business outcomes through precise remediation activities. Learn more here.
Additional Information
Feel free to contact your TAM or Qualys Technical Support if you have questions.
Find all policy library updates here.
Check out Qualys’ updated Certification Page at CIS here.