The STIG Viewer does not open or make use of any network connections. The input to the STIG Viewer is an XCCDF XML file; other file types are rejected. STIG Viewer is optimized for XCCDF-formatted STIGs produced by DISA for DoD (meaning: don't try to use another file format).

The purpose of the STIG Viewer is to provide an intuitive graphical user interface that allows ease of access to the STIG content, along with search and sort functionality that is unavailable with the current method of viewing the STIGs using a style sheet in a web browser.

Findings (MAC III - Administrative Sensitive)
Finding ID | Severity | Title | Description |
---|---|---|---|
V-44745 | High | The running of outdated plugins must be disabled. | Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that are updated to the most current version ensures the smallest attack surface possible. If ... |
V-44749 | High | Plugins requiring authorization must ask for user permission. | Policy allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated will always run. If this setting is disabled or not set, users will ... |
V-44777 | Medium | Incognito mode must be disabled. | Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser ... |
V-44737 | Medium | Default search provider must be enabled. | Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the ... |
V-44757 | Medium | 3D Graphics APIs must be disabled. | Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins ... |
V-44733 | Medium | The default search provider's name must be set. | Specifies the name of the default search provider that is to be used; if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the ... |
V-44735 | Medium | The default search provider URL must be set to perform encrypted searches. | Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching ... |
V-44773 | Medium | Search suggestions must be disabled. | Search suggestions should be disabled as they could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from ... |
V-44759 | Medium | Google Data Synchronization must be disabled. | Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or ... |
V-44793 | Medium | Browser history must be saved. | This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled ... |
V-44791 | Medium | Safe Browsing must be enabled. | Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing ... |
V-44795 | Medium | Default behavior must block webpages from automatically running plugins. | This policy allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this ... |
V-44711 | Medium | Firewall traversal from remote host must be disabled. | Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to ... |
V-44775 | Medium | Importing of saved passwords must be disabled. | Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to ... |
V-44799 | Medium | Session only based cookies must be disabled. | Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites ... |
V-44771 | Medium | Metrics reporting to Google must be disabled. | Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage ... |
V-44805 | Medium | Browser must support auto-updates. | One of the most effective defenses against exploitation of browser vulnerabilities is to ensure the version of the browser is current. Frequent updates provide corrections to discovered ... |
V-52795 | Medium | URLs must be whitelisted for plugin use. | This policy allows you to set a list of URL patterns that specify sites which are allowed to run plugins. If this policy is not set, plugins could be run from any website, including potentially ... |
V-44763 | Medium | AutoFill must be disabled. | This AutoComplete feature suggests possible matches when users are filling in forms. It is possible that this feature will cache sensitive data and store it in the user's profile, where it might ... |
V-44723 | Medium | Site tracking of users' location must be disabled. | Website tracking is the practice of gathering information as to which websites were accessed by a browser. The common method of doing this is to have a website create a tracking cookie on the ... |
V-44727 | Medium | Extensions installation must be blacklisted by default. | Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this ... |
V-44729 | Medium | Extensions that are approved for use must be whitelisted. | The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidentally whitelisting a malicious extension. This policy allows you to specify which ... |
V-44787 | Medium | Automated installation of missing plugins must be disabled. | The automatic search and installation of missing or not installed plugins should be disabled as this can cause significant risk if an unapproved or vulnerable plugin were to be installed without ... |
V-44769 | Medium | Network prediction must be disabled. | Disables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If ... |
V-44741 | Medium | The Password Manager must be disabled. | Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields to gain access to the stored information. If you enable ... |
V-44765 | Medium | Cloud print sharing must be disabled. | Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud ... |
V-44789 | Medium | Online revocation checks must be done. | By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online ... |
V-44761 | Medium | The URL protocol schema javascript must be disabled. | Each access to a URL is handled by the browser according to the URL's 'scheme'. The 'scheme' of a URL is the section before the ':'. The term 'protocol' is often mistakenly used for a 'scheme'. ... |
V-75165 | Medium | Access to history URL must be disabled. | Regardless of controls in place to safeguard the Chrome browser history users may still delete individual items via the Chrome://History URL. In order to protect against this occurrence access to ... |
V-44719 | Medium | Sites' ability to show pop-ups must be disabled. | Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted ... |
V-44753 | Medium | Background processing must be disabled. | Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process ... |
V-44751 | Low | Third party cookies must be blocked. | Third party cookies are cookies which can be set by web page elements that are not from the domain that is in the browser's address bar. Enabling this setting prevents cookies from being set by ... |
V-44713 | Low | Sites' ability to show desktop notifications must be disabled. | Chrome by default allows websites to display notifications on the desktop. This check allows you to set whether or not this is permitted. Displaying desktop notifications can be allowed by ... |
STIG Viewing Tools
XCCDF-formatted SRGs and STIGs are intended to be ingested into an SCAP-validated tool for use in validating compliance of a Target of Evaluation (TOE). As such, getting to the content of an XCCDF-formatted STIG to read and understand it is not as easy as opening a .doc or .pdf file and reading it. The process can be a little confusing and trying. Below are tools which can be used to view the STIGs, and a whitepaper describing the STIG viewing process.
DISA has produced standalone versions of STIG Viewer for the Windows, Linux, and macOS platforms on 64-bit x86 processors. With the end of free support for Java 8 in early 2019, Oracle Corporation changed the licensing and distribution model for Java software. Users without supported Java 8 SE environments should use the standalone versions of STIG Viewer. Users with supported Java 8 SE environments may still use the current JAR file. DISA will base future STIG Viewer development on open-source software developed by the OpenJDK and OpenJFX projects.
STIG Viewer Downloads
Title | Size | Updated |
---|---|---|
STIG Viewer User Guide (May 2021) | 1.86 MB | 22 Apr 2021 |
STIG Viewer 2.14 Hashes | 1.36 KB | 22 Apr 2021 |
STIG Viewer 2.14-Mac | 62.15 MB | 22 Apr 2021 |
STIG Viewer 2.14-Linux | 71.57 MB | 22 Apr 2021 |
STIG Viewer 2.14-Win64 | 61.03 MB | 22 Apr 2021 |
STIG Viewer 2.14 | 712.99 KB | 22 Apr 2021 |
How to Create an SRG-STIG ID Mapping Spreadsheet | 298.21 KB | 03 Feb 2021 |
STIG Viewer Version 2.11 Change Log | 67.5 KB | 10 Aug 2020 |
Vendor STIG Acronym List | 178.74 KB | 16 Jan 2020 |
HOW_TO_VIEW_SRGs_and_STIGs | 79.49 KB | 30 Nov 2018 |
STIG Viewer Video | — | 14 Jun 2018 |
STIG Sorted by STIG ID | 103.46 KB | 30 Mar 2015 |
STIG Sorted by Vulnerability ID | 101.59 KB | 30 Mar 2015 |
SRG/STIG Applicability Guide and Collection Tool
The purpose of the SRG/STIG Applicability Guide and Collection Tool is to assist the SRG/STIG user community in determining what SRGs and/or STIGs apply to a particular situation or Information System (IS) and to create a fully formatted document containing a “Collection” of SRGs and STIGs applicable to the situation being addressed.
The ISs or situations covered include a Base/Camp/Post/Station (B/C/P/S), facility, Program/Service/major application, enclave, network, system, device, or vendor's product.
The Collection document can serve as an artifact in the System Authorization and Risk Management processes.
The SRG/STIG Applicability Guide and Collection Tool will be updated periodically to include the most recent new SRG/STIG releases and sunset products.
For assistance, please contact disa.stig_spt@mail.mil
Title | Size | Updated |
---|---|---|
SRG-STIG Applicability Guide - User Guide v1.5 | 2.64 MB | 12 May 2021 |
STIG Applicability Guide-Linux | 38.61 MB | 12 May 2021 |
STIG Applicability Guide-Mac | 33.81 MB | 12 May 2021 |
STIG Applicability Guide-Windows | 36.89 MB | 12 May 2021 |