Nessus (aka ACAS in the DoD) audit files are included in this repository. Compliance checks are available for:
There are two ways you can check compliance with the provided audit files:
- Use Nessus
- Use a the provided Compliance PowerShell script (Nessus not required)
- Download the above .audit files
- For each audit file make a new Policy Compliance Auditing scan
- Configure the correct set of machines to scan and provide the correct credentials for the scan
- On the Compliance tab, select Windows and then select Upload a custom Windows audit file
- Run the scan and review the results
A paid version of Nessus Professional or Nessus Manager must be used in order to use .audit files with Nessus. The .audit files have been tested and work on Nessus Professional version 6.7. They may work on older versions as well but they have not been tested. Alternatively, you can use the provided PowerShell script to locally scan a single system.
The Test-Compliance command in the Compliance PowerShell module can be used to verify compliance against using any of the above listed .audit files. This PowerShell script makes it simple to scan a single standalone system and verify a configuration has been applied to a system in a non-domain context. Note that Nessus is not required to be installed on the system that is being checked with the script. The following instructions can be used to execute a compliance check locally.
- Open a PowerShell prompt as an administrator
- Change directory to the Compliance\Scripts directory (e.g. cd Secure-Host-Baseline\Compliance\Scripts)
- Import the Compliance PowerShell module to load the code into the PowerShell session:
Import-Module -Name .\Secure-Host-Baseline\Compliance\Scripts\Compliance.psm1 - Copy and paste the desired line(s) below into the PowerShell prompt and press Enter twice
Test-Compliance -Path '..\..\Adobe Reader\Compliance\AdobeReaderDC.audit'Test-Compliance -Path '..\..\Chrome\Compliance\GoogleChrome.audit'Test-Compliance -Path '..\..\EMET\Compliance\EMET_5.5.audit'Test-Compliance -Path '..\..\Internet Explorer\Compliance\InternetExplorer11.audit'Test-Compliance -Path '..\..\Windows\Compliance\Windows10.audit'-
Test-Compliance -Path '....\Windows Firewall\Compliance\WindowsFirewall.audit'```
The Compliance script supports a -Verbose option that show details for checks that fail. Without the verbose option a simple pass/fail is displayed for each compliance check as shown in the image below.
Verbose example:
Test-Compliance -Path '..\..\Adobe Reader\Compliance\AdobeReaderDC.audit' -Verbose
Verbose example with capturing the output into a file:
Test-Compliance -Path '..\..\Adobe Reader\Compliance\AdobeReaderDC.audit' -Verbose .\*>ComplianceReport.txt
After capturing the output into a file, the failed STIG checks can be filtered using this PowerShell command:
Select-String -Path .\ComplianceReport.txt -Pattern 'FAILED'