How to quickly scan your machine (for free) to make a DISA Checklist CKL using the SCAP Compliance Checker (SCC)

If you have ever been told “I need a DISA checklist on your servers/devices for accrediting the network”, this is for you! This is a quick step-by-step on how to scan your server, virtual machine, or workstation with the free SCAP Compliance Checker (SCC). You can download the application for free. Load up the benchmarks to use against your devices. And quickly get results in minutes. Then turn that into a checklist quite easily. See the steps below.

The free DISA SCAP Compliance Checker (SCC) v5.7

Step 1: Download SCC on your machine

Go to https://public.cyber.mil/stigs/scap/ and look for the SCAP TOOLS listing. “SCC” is listed in a bunch of spots for different operating systems. We downloaded the Windows one for this article. Get the application and install it using defaults.

If you are needing to scan Linux hosts, make sure you download the Unix SSH Remote SCAP plugin and install that also. That is also on https://public.cyber.mil/stigs/scap/ under the SCAP TOOLS listing. You may have to show more than 10 entries in the SCAP TOOLS table or type into the Search box for “plugin”.

Step 2: Get the Proper DISA Benchmark

On that same URL as above, you can list benchmarks to use for checking security settings on your machine. You scan using the benchmark(s), check the security options and settings of your machine against the benchmark(s), then the results are in an XML format to use.

We downloaded all of the benchmarks just to have them, and then we loaded them using the Install button at the top right of the SCC application.

Benchmarks you can use for the SCC application at https://public.cyber.mil/stigs/scap/

Step 3: Find the Proper Profile in the Benchmark

Now with the benchmarks loaded, we need to find the one we require for our scans. The benchmarks are based on operating system and application you wish to scan, so make sure to use the ones you need that match your operating system and/or applications as well.

There are a lot of extra Windows benchmarks as that is a common OS for servers, desktops, and laptops. It includes scans for MS Edge, Firewall, and other applications on the Windows machines.

You can have multiple benchmarks to use for a scan if you need them. Definitely choose all the Windows ones if you are scanning a Windows desktop or laptop machine. Then see the results and match to what you have on your machines for the next scans.

Selecting the Oracle Linux 8 benchmark to use for a scan

Step 4: Choose your Scan, Host, Benchmark, Options

You can scan your local machine easily if you have the proper benchmark loaded. Just select the benchmark(s), run the Local Scan and let it finish.

For this example, I am choosing the scan type UNIX SSH Remote Scan just to show how that works. And I added a new UNIX Host using the button on the far left. I entered the IP, SSH port 22, and Authentication Type of “SSH as non-root, then Sudo: With Password” as that is how I am connecting.

You can test out your connection to make sure it works if you choose this type of scan and are running from the GUI. Then save for a Unix / Linux host. Check the host entry/entries you wish to use for this scan as well before leaving this screen.

Create a Unix hosts listing, have a master password for it to keep it safe, and use for scanning Linux machines

I selected my benchmark for Oracle Linux 8. Make sure all other SCAP listings not being used are UNCHECKED or it will try to scan your machine with those benchmarks. Make sure you only have the benchmark(s) selected what you want to use.

Now in the top right corner, I chose the Profile “MAC-3 Sensitive” as well as that matched my type of machine and accreditation boundary. Check with your cyber professionals to see what MAC level you should scan for if possible. The default is MAC-1 Classified which requires great security.

Choosing a scan profile for your SCC scan of your machine

Also under the Options menu in SCC, you can set a few things like output folders, types, results to use, etc. You will want to get a scan working, and then play with options to see what you want to set AFTER you know the scan works for you correctly. We have these set for Output Options to push results into a particular folder by subdirectories.

Output options for scans from DISA SCC tool

STEP 5: Scan and Export XCCDF XML Results

With the correct Host checked and the correct benchmark(s) checked (I chose Oracle_Linux_8_STIG checked by DISA, not the DISA+NIWC Enhanced), I clicked the Start Scan button and let it runs its course. It may take a bit for this to run, so give it time and watch the screen for updates. You will see the status window appear and it will let you know what it is doing as it does it.

When done, it will put results into the proper folders you have set in the options mentioned above. And show you a results screen like below.

SCC scan results showing the file locations to use

I chose the DISA not DISA+NIWC as it keeps the version and release of the XML and resulting CKL file matching DISA checklists in sync. The NIWC one makes a CKL / SCAP content with its own title, version, and release information with a “derived from” message. Then references the DISA checklist it is based on. They do appear to be the same entries from our initial study.

Using the DISA one also lets OpenRMF OSS and OpenRMF Professional keep the checklist up-to-date in a single click with our Upgrade process when a new DISA checklist version/release comes out.

Step 6: Load Results into OpenRMF

Now go to OpenRMF OSS or OpenRMF Professional and upload that .xml file into your system package / accreditation. Then see the results! You also can load the .xml into the DISA STIGViewer if you need to and make a .ckl file just the same. And can load that CKL checklist file into OpenRMF products as well for tracking and to have one central location to use for all checklist content for your entire team.

The raw SCC SCAP results XML file loaded into OpenRMF OSS for a checklist

Note that some of the .XML files from newer scans and benchmarks have “ SCAP Benchmark” on the title of the results in the actual XML around line 6. Until there is a fix in for OpenRMF OSS, you have to adjust the title to take out that new title entry they added recently. See below for a good example of an adjusted title. These should work fine in OpenRMF Professional.

<cdf:title>Oracle Linux 8 STIG</cdf:title>

Optional: The CSCC command line SCC tool

If you really want to be creative, you can use the cscc tool to do command line scans. It is easier to do in a Windows environment IMO. However, it is doable with other Linux OSes as well. You just need to supply a password for ssh access as explained above.

There are some really good videos by the NIWC folks to get you started as well.

Other Scanners to use

Besides the OpenSCAP scanner we talked about earlier, the US Government has a tool called EvaluateSTIG that is pretty popular for our OpenRMF Professional customers as well. It lets you scan, creates checklist files, and has a way to automatically answer manual checklist entries as well.

The new SCC tool v5.7 also has a way for you to allow answer files. That would be a next step for you to check out.

Special Thanks to…

The Folks at NIWC for making this great free application. You can see videos on this tool at https://www.niwcatlantic.navy.mil/scap/videos/ as well.

And once again, my partner in crime Dave Gould for helping me understand this application. How the benchmarks relate to the checklists. How the benchmarks may not be the same version number as the DISA checklists but fill out the information. And how to get the results in XML or CKL and use them.