Import SCAP (XML) and Update It

Update the Project-wide Settings

  1. Open the ~/Slang/Windows10STIG folder in VS Code (File, Open Folder).
  2. You should see a lot of folders in the Explorer. Scroll to the bottom and open the project.slang file.
  3. Since you are going to update this guidance and make it your own, we recommend:
    • Change the title and description to indicate this is your version of the STIG.
    • Change the id_namespace. This should be a valid reverse-DNS style string (letters, numbers, periods, hyphens only) associated with you or your organization. For example, if you worked for acme.com, you could use com.acme or com.acme.compliance.
  4. Save!

Customize a Rule

Open V-220748\SV-220748r569187_rule.slang in VS Code and:

  1. Change the title to The system must be configured to audit Account Logon - Credential Validation successes and failures.
  2. Delete tags that aren’t meaningful to you and improve the description.
  3. Scroll all the way down to the common.oval check. The definition_summary indicates that Success or Success and Failure would be acceptable. We’re going to change that!
  4. Delete the imported OVAL check (from common.oval to the end) and start typing windows. to see a list of suggested checks.
    • Choose windows.audit_policy.subcategory
    • Press [CTRL]+[space] to see suggestions and select credential_validation, then press [CTRL]+[space] again and select success and failure. The checks section should look like this:
      checks:
      - windows.audit_policy.subcategory:
          credential_validation: success and failure
      
  5. Save!

Add a New Rule

  1. Create a new folder Auditing containing a new file dpapi_auditing.slang with the following content:
     Rule:
       title: The system must be configured to audit DPAPI Activity failures.
       checks:
         - windows.audit_policy.subcategory:
             dpapi_activity: failure only
    
  2. Don’t forget to save!

Remove a Rule

We’re going to remove V-220924\SV-220924r569187_rule.slang, a Smart Card rule.

The simplest way to remove the rule is to delete the file. Feel free to do that and skip the rest of this section, or leave the file in place and continue this section to remove it via a Slang Profile.

If you aren’t familiar with Slang profiles, take a look at the Slang Profiles Quickstart.

  1. Create a new file in the main project folder (next to project.slang) called profile.my_company.slang with the following content:
    Profile:
      title: My Company Profile
      select_all_rules_except:
        - SV-220924r569187_rule.slang
    
  2. Edit the title and Save!

Export Slang

  1. From the Terminal (CTRL+`), run slang export Windows10STIG windows.10.stig.xml to export your Slang project to SCAP (XML).
  2. You should now see a new folder in your project, exported_scap, containing windows.10.stig.xml.
  3. If you have access to a Windows 10 device to scan against and have completed the Testing QuickStart, run slang export Windows10STIG windows.10.stig.xml --scan_config TestStig --profile profile.my_company.slang to export and test your project using the profile you created.
    When you review the results, look for your DPAPI rule! Filter to “NOT SELECTED” and you should see the “Smart Card” rule we removed.
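
If you want to confirm which rules the profile leaves out before scanning, you can resolve the profile against the exported file yourself. The script below is an added example, not part of Slang or of this quickstart. It assumes the export contains an XCCDF 1.2 Benchmark whose Profile keeps the title from profile.my_company.slang; the ids in SAMPLE and the legacy group are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace
TRUE = ("true", "1")                            # xs:boolean lexical forms

# Constructed sample: ids are placeholders, not copied from a real export.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.acme_benchmark_w10">
  <Profile id="xccdf_com.acme_profile_my_company">
    <title>My Company Profile</title>
    <select idref="xccdf_com.acme_rule_SV-220924r569187_rule" selected="false"/>
  </Profile>
  <Group id="xccdf_com.acme_group_V-220748"><Rule id="xccdf_com.acme_rule_SV-220748r569187_rule"/></Group>
  <Group id="xccdf_com.acme_group_V-220924"><Rule id="xccdf_com.acme_rule_SV-220924r569187_rule"/></Group>
  <Rule id="xccdf_com.acme_rule_dpapi_auditing" selected="true"/>
  <Group id="xccdf_com.acme_group_legacy" selected="false"><Rule id="xccdf_com.acme_rule_legacy_check"/></Group>
</Benchmark>"""

def rule_selection(xml_text, profile_title):
    """Map rule id -> selected? after applying the titled profile's <select> overrides."""
    root = ET.fromstring(xml_text)
    # The Benchmark may be the root or nested inside a data stream collection.
    bench = root if root.tag == NS + "Benchmark" else root.find(f".//{NS}Benchmark")
    profile = next((p for p in bench.iter(NS + "Profile")
                    if p.findtext(NS + "title") == profile_title), None)
    if profile is None:
        raise ValueError(f"profile not found: {profile_title!r}")
    overrides = {s.get("idref"): s.get("selected") in TRUE
                 for s in profile.findall(NS + "select")}
    result = {}

    def walk(node, parent_selected):
        for child in node:
            if child.tag not in (NS + "Group", NS + "Rule"):
                continue
            # A profile override wins over the item's own default (true if absent).
            own = overrides.get(child.get("id"), child.get("selected", "true") in TRUE)
            selected = parent_selected and own
            if child.tag == NS + "Rule":
                result[child.get("id")] = selected
            else:
                walk(child, selected)  # rules under a deselected group stay off

    walk(bench, True)
    return result

def not_selected(xml_text, profile_title):
    """Sorted ids of rules a scan with this profile will skip."""
    return sorted(r for r, on in rule_selection(xml_text, profile_title).items() if not on)

if __name__ == "__main__":
    print("\n".join(not_selected(SAMPLE, "My Company Profile")))
```

Any rule in this list that you did not mean to exclude is a control the scan will silently skip, so review the list alongside the “NOT SELECTED” results.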

Congratulations! You have customized a STIG and have an SCAP (XML) file you can run using any standards-compliant assessment engine.
