Policy Compliance Library Updates, April 2024

Kanchan Yewale

Qualys’ library of built-in policies makes it easy to comply with the most widely used security standards and regulations. Qualys provides a wide range of policies, including many that are certified by CIS, policies based on security guidelines from OS and application vendors, and policies drawn from other industry best practices.

Qualys’ Certification Page at CIS has been updated.  

CIS Benchmark Policies

Center for Internet Security (CIS) Benchmark policies are technical guidelines for organizations to improve their cybersecurity posture by aligning with recommended secure configurations. This reduces the risk of cyberattacks like data breaches by leveraging industry best practices.

DISA STIG Policies

STIG stands for Security Technical Implementation Guide, a set of configuration standards published by the Defense Information Systems Agency (DISA). STIGs give organizations concrete, checkable configuration requirements for adhering to federal rules, regulations and best practices, which eases compliance and strengthens their security posture.

Qualys Policies

Qualys policies are authored by Qualys researchers, who identify common security misconfigurations and encode technical controls that harden systems against them.

Safeguard Computer Security Evaluation Matrix (SCSEM)

The SCSEM is published by the IRS Office of Safeguards and is used to assess systems that handle Federal Tax Information under IRS Publication 1075. It comprises a structured set of criteria, guidelines and metrics for measuring aspects of security such as confidentiality, integrity, availability and compliance.

Compliance Standards

Compliance standards are regulatory frameworks that safeguard sensitive data and mandate its privacy and security. They provide guidelines and best practices that organizations follow to achieve compliance and reduce risk when handling sensitive information.

New Policies/Mandates 

Listed below are the number of policies and mandates deployed in April 2024:

CIS Benchmark Policies: 16
DISA STIG Policies: 7
Industry Best Practices Policies: 1

Listed below are the newly published policies and mandates:

CIS Benchmark Policies
• CIS Benchmark for Google Container-Optimized OS, v1.1.0
• CIS Debian Linux 11 STIG Benchmark v1.0.0
• CIS Benchmark for IBM i V7R4M0, v1.0.0
• CIS Benchmark for IBM DB2 11.x, v1.1.0
• CIS Benchmark for Microsoft Windows Server 2012 non-R2, v3.0.0
• CIS Benchmark for Microsoft Windows Server 2012 R2, v3.0.0
• CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
• CIS Benchmark for ISC BIND DNS Server 9.9, v3.0.1
• CIS Benchmark for Oracle Linux 7, v4.0.0
• CIS Benchmark for CentOS Linux 7, v4.0.0
• CIS Benchmark for Amazon Linux 2, v3.0.0
• CIS Benchmark for Microsoft Windows 11 Enterprise, v3.0.0
• CIS Microsoft Intune for Windows 11 Benchmark, v3.0.1
• CIS Microsoft Intune for Windows 10 Benchmark, v3.0.1
• CIS Benchmark for Google Chrome, v3.0.0
• CIS IBM AIX 7.2 Benchmark, v1.0.0

DISA STIG Policies
• DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 8.0, V1R1
• DISA Security Technical Implementation Guide (STIG) for VMware vSphere 8.0 Virtual Machine, V1R1
• DISA Security Technical Implementation Guide (STIG) for Oracle MySQL 8.0, V1R5
• DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks ALG, V2R4
• DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Server for UNIX, V2R6
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Defender Firewall with Advanced Security, V2R2
• DISA Security Technical Implementation Guide (STIG) for Active Directory Domain, V3R3

Industry and Best Practices Policies
• CISA Top Ten Cybersecurity Misconfigurations for Windows

Deprecated Policies 

Listed below are deprecated policies from your Policy Library:

Network Devices
• DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks ALG, V2R3

Database
• CIS Benchmark for IBM DB2 11.x, v1.0.0
• DISA Security Technical Implementation Guide (STIG) for Oracle MySQL 8.0, V1R3

Operating System
• CIS Apple macOS 12.0 Monterey Benchmark v2.0.0
• CIS Benchmark for Amazon Linux 2, v2.0.0
• CIS Benchmark for CentOS Linux 7, v3.1.2
• CIS Benchmark for Microsoft Windows 11 Enterprise, v2.0.0
• CIS Benchmark for Microsoft Windows Server 2012 non-R2, v2.4.0
• CIS Benchmark for Oracle Linux 7, v3.1.1
• CIS Microsoft Intune for Windows 10 Benchmark, v2.0.0
• CIS Microsoft Intune for Windows 11 Benchmark, v2.0.0

Application
• CIS Benchmark for Google Chrome, v2.1.0
• DISA Security Technical Implementation Guide (STIG) for Active Directory Domain, V3R2
• DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Server for UNIX, V2R5
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Firewall with Advanced Security, V2R1

Policy Updates 

We have updated your Policy Library. The following policies and mandates have been re-released as part of our customer CRM process.

Policy: DISA SUSE Linux Enterprise Server 12 STIG – Ver 2, Rel 13
Update: Policy re-release to add CID 26677 and CID 1234.

Policy: CIS Benchmark for Oracle Linux 9, v1.0.0
Update: Policy re-release to add CID 1091 and remove CID 10733.

Policy: CIS Benchmark for Amazon Linux 2023, v1.0.0
Update: Policy re-release for CIS Benchmark for Amazon Linux 2023, v1.0.0.

Policy: CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0
Update: Policy re-release for multiple CID changes. The affected controls are:
• 1616: Status of the ‘Grace period set to lock accounts after password expiration’ setting
• 7412: Status of the ‘periodically scheduled (crontab)’ aide check
• 9699: Status of the Datagram Congestion Control Protocol (DCCP)
• 9700: Status of FileVault disabled users
• 9701: Status of the Transparent Inter-Process Communication (TIPC) protocol
• 10673: Status of the ‘permission’ set for all logfiles in the ‘/var/log’ directory
• 9705: Status of the cramfs Filesystems (modprobe)
• 18164: Status of the ‘NOPASSWD’ and ‘!authenticate’ options in all files inside the sudoers.d directory
• 9710: Status of the squashfs Filesystems (modprobe)
• 11415: Status of the NOPASSWD and !authenticate options in the file ‘/etc/sudoers’
• 12878: List of runtime audit rules for the ‘/var/run/faillock/’ directory, using auditctl
• 13244: Status of the ‘/var’ partition using the mount command
• 19619: Ensure the audispd-plugins package is installed
• 16065: Status of Ownership and Permission of the audit log file
• 21409: Status of the XDCMP setting (must not be enabled) in the /etc/gdm3/custom.conf file
• 24928: Status of the Existence of the ‘dbs_oracle.sql’ file
• 19659: Regex chaining set to active

Policy: CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0 [Automated and Manual, Level 1 and Level 2]
Update: Policy re-release for CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0.

Policy: DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router NDM, V2R7
Update: Policy re-release for DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router NDM, V2R7.

Policy: DISA Security Technical Implementation Guide (STIG) for IIS 10 Server, V2R8
Update: Policy re-release for DISA Security Technical Implementation Guide (STIG) for IIS 10 Server, V2R8.

Policy: DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V3R14
Update: Policy re-release for DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V3R14.

Policy: CIS Benchmark for Apache HTTP Server 2.4, v2.1.0
Update: Policy re-release for CIS Benchmark for Apache HTTP Server 2.4, v2.1.0.
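Several of the Ubuntu 22.04 controls re-released above are plain configuration checks that are easy to reproduce by hand when you need to confirm a finding outside the scanner. The script below is an added example, not Qualys code and not the policy's own check logic: it re-implements the intent of three of those controls (CID 11415, NOPASSWD/!authenticate in a sudoers file; CID 9705, cramfs disabled via modprobe, generalised to any module name; CID 10673, permissions of files under /var/log) as POSIX shell functions and runs them against a constructed sample tree so it executes offline. The function names, the sample files and the 0640 threshold are assumptions for illustration; the real benchmark has exceptions (for example wtmp, btmp and lastlog) that the log-permission check does not carve out.

```shell
#!/bin/sh
# Added example (not Qualys code): stand-alone re-implementations of the intent of
# three Ubuntu 22.04 controls, run against a constructed sample tree.
#   CID 11415  NOPASSWD / !authenticate in a sudoers file
#   CID 9705   cramfs disabled via modprobe (generalised to any module name)
#   CID 10673  permissions of files under /var/log
# Each check returns 0 (compliant) or 1 (finding). Paths are parameters so the same
# functions can be pointed at /etc/sudoers, /etc/modprobe.d and /var/log on a host.

# CID 11415-style: any uncommented line containing NOPASSWD or !authenticate is a finding.
check_sudoers_nopasswd() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq 'NOPASSWD|!authenticate' && return 1
    return 0
}

# CID 9705-style: the module needs BOTH an "install <mod> /bin/true|false" line and a
# "blacklist <mod>" line in some *.conf under the modprobe.d directory. A blacklist alone
# only stops alias-based autoloading; an explicit modprobe would still load the module.
check_module_disabled() {
    mod="$1"; dir="$2"
    grep -Eqs "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(true|false)" "$dir"/*.conf || return 1
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|\$)" "$dir"/*.conf || return 1
    return 0
}

# CID 10673-style: every regular file under the log directory must be 0640 or stricter
# (no group write, no "other" bits). A missing directory is treated as a finding rather
# than silently passing. Simplified: the benchmark's per-file exceptions are not applied.
check_log_perms() {
    [ -d "$1" ] || return 1
    bad=$(find "$1" -type f \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \) | wc -l)
    [ "$bad" -eq 0 ]
}

# Constructed sample tree (assumption, not taken from a real host): one passing and one
# failing input for each check.
build_sample() {
    mkdir -p "$1/modprobe.d" "$1/log"
    printf 'root ALL=(ALL:ALL) ALL\n# ops ALL=(ALL) NOPASSWD: ALL\n' > "$1/sudoers.pass"   # commented out: ok
    printf 'root ALL=(ALL:ALL) ALL\ndeploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n' > "$1/sudoers.fail"
    printf 'install cramfs /bin/false\nblacklist cramfs\n' > "$1/modprobe.d/cramfs.conf"
    printf 'blacklist squashfs\n' > "$1/modprobe.d/squashfs.conf"   # blacklist only: still loadable
    : > "$1/log/syslog";   chmod 0640 "$1/log/syslog"
    : > "$1/log/auth.log"; chmod 0644 "$1/log/auth.log"              # world-readable: finding
}

report() { if "$@"; then echo "PASS $*"; else echo "FAIL $*"; fi; }

sample=$(mktemp -d)
build_sample "$sample"
report check_sudoers_nopasswd "$sample/sudoers.pass"
report check_sudoers_nopasswd "$sample/sudoers.fail"
report check_module_disabled cramfs   "$sample/modprobe.d"
report check_module_disabled squashfs "$sample/modprobe.d"
report check_log_perms "$sample/log"
chmod 0640 "$sample/log/auth.log"     # remediate, then re-check
report check_log_perms "$sample/log"
rm -rf "$sample"
```

To use the functions against a live Ubuntu host, call them with the real paths (`check_sudoers_nopasswd /etc/sudoers`, `check_module_disabled cramfs /etc/modprobe.d`, `check_log_perms /var/log`); the exit status is what a wrapper or cron job should act on, the PASS/FAIL lines are only for a human reading the output.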

Proposed Upcoming Policies

We plan to release the following policies and updates next month:

• Qualys S&C Policy for Azure Database for PostgreSQL
• CIS Openshift Container Platform v1.5.0
• CIS Apache Tomcat 10 Benchmark v1.1.0
• CIS Apple macOS 11.0 Big Sur v4.0.0
• CIS Azure Kubernetes Service (AKS) Benchmark v1.4.0
• DISA Apple macOS 13 (Ventura) STIG – Ver 1, Rel 3
• PCI-DSS (Payment Card Industry Data Security Standard) Ver 4.0 Policy for Linux
• CIS MongoDB 7 Benchmark v1.0.0
• Add Safari 17 support to the CIS Safari benchmark
• CIS Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) Benchmark v1.4.0
• CIS Google Kubernetes Engine (GKE) Benchmark v1.5.0
• CIS Oracle Solaris 11.4 Benchmark v1.1.0
• PCI-DSS (Payment Card Industry Data Security Standard) Ver 4.0 Policy for Database
• PCI-DSS (Payment Card Industry Data Security Standard) Ver 4.0 Policy for Network
• DISA Canonical Ubuntu 20.04 LTS STIG – Ver 1, Rel 11
• DISA VMware vSphere 8.0 vCenter STIG, V1R1
• CIS Microsoft Windows 10 Enterprise Benchmark v3.0.0
• CIS Microsoft Windows Server 2022 Benchmark v3.0.0
• CIS PostgreSQL 14 Benchmark v1.2.0
• Qualys S&C Policy for Aruba EdgeConnect OS 9.x
• CIS Kubernetes Benchmark v1.9.0
• CIS VMware ESXi 7.0 Benchmark v1.4.0
• CIS VMware ESXi 8.0 Benchmark v1.1.0
• Active Directory Misconfiguration Risk Assessment
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows 11, V1R5
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2016 MS, V2R7
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2016 DC, V2R7
• CIS Microsoft SQL Server 2022 Benchmark v1.1.0
• CIS Cisco IOS XE 17.x Benchmark v2.1.0
• CIS Cisco IOS XE 16.x Benchmark v2.1.0
• NERC-CIP for Linux
• Qualys S&C Policy for Kali GNU/Linux 2023.x & 2024.x

Learn More 

Discover how the Qualys Enterprise TruRisk Platform can help you reduce cyber risk and improve business outcomes through precise remediation activities. Learn more here.  

Additional Information 

Feel free to contact your TAM or Qualys Technical Support if you have questions. 

Find all policy library updates here.

Check out Qualys’ updated Certification Page at CIS here.
