SCAP Compliance Checker

Well! Back from the holidays… and time to get your act together! Today's post is one I'm sure many of us will find useful: the idea is to use an open-source tool that lets us analyse the configuration and security of remote computers.

Although there are some similar tools, I bring you the one I have been using for some time to run analyses on machines. SCAP Compliance Checker, which is open source, lets us verify whether a local or remote system complies with established security regulations and policies. It scans the operating system (and some applications/services) looking for misconfigurations or missing security controls. Of course, after analysing the machine it produces a nice report, with scores and an indication of the items that pass or fail the assessment, as well as instructions for correcting them. The idea is the same as always: improve our protection against potential vulnerabilities and threats. Lastly, it is developed by NIST (National Institute of Standards and Technology) of the USA.

The idea of this post is to see how this type of tool helps us improve our security in a simple way. We'll see how to download it, install it, run a scan and look at the report it generates, per machine and per service, where not only is the machine scored, but the items we passed and failed are listed, with details of how to make the appropriate correction.

We can download it from https://public.cyber.mil/stigs/scap/ > “SCAP TOOLS”; it can be installed on Mac OS X, Raspbian, RHEL, Oracle Linux, SLES, Solaris, Ubuntu, UNIX and Windows. We install it the usual way, depending on our OS: with 'rpm -i', a double-click on the “.exe”…

From Windows we can scan remote Linux or Windows machines; from Linux we can scan remote Linux computers.

We will also install the DISA STIG SCAP Content, which is the STIG guides in an adapted (SCAP) format; thanks to this we can analyse compliance and configurations on local or remote systems. STIGs are Security Technical Implementation Guides, published by DISA (Defense Information Systems Agency) of the U.S. Department of Defense. They provide detailed guidelines and recommendations for securing the configuration of different systems.

After opening it, on Windows we get a GUI; on Linux it is used from the command line (/opt/scc/cscc --config). First we configure it: we can scan the local machine, or select a remote Windows computer, a Linux one… or several, taken from an OU, a text file… Second, we select the SCAP content we want to use for the scan; at a minimum we select the OS of the remote computer (we can install more SCAP content from its website) and optionally answer the questions it asks. To connect to Windows, WMI is normally used with credentials that have the required permissions; for Linux targets, the remote computers need the UNIX Remote Scanning Plugin.

And third, we can now press the button to start the scan!

After a few minutes it tells us it has finished, and we can see the results of the session, where we briefly see the machine analysed, with its profile, its score, and the items passed and failed. We can view the summary from the web page,

This summary, in a somewhat more elegant way, lets us browse the results in different formats. Then we can roll up our sleeves… since in this case we can see what we have misconfigured on Windows 11 and Windows Server 2022, as well as look at Internet Explorer, Firefox, Acrobat Reader or IIS.

We can see the score of this example machine and a very detailed inventory; if we keep scrolling down, the surprises come…

It is sorted by the different severities we want to comply with, listing the items we do not comply with (and those we do),

If we click on any of them, we'll see how it tells us to correct the problem. In this case I do not meet the minimum password length requirement of 14 characters on the computer, and with a GPO I would have solved it.
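Once the scan has finished, the same information shown in the web summary (score, failed items ordered by severity, and the fix text for each) can be pulled out of the scanner's XCCDF results file automatically, which is handy when you scan many machines. The script below is an added example, not SCC's own code nor part of the original post: it assumes the scanner leaves an XCCDF 1.2 results XML next to its HTML report (check your SCC output folder), and it runs here on a constructed miniature result whose rule ids, titles and fix texts are made up for illustration.

```python
"""Parse an XCCDF 1.2 results file, compute a simple pass/fail score and
list the failed rules by severity together with their fix text.

Added example, not SCC's own code. The XML below is a constructed
miniature result, not real scanner output; rule ids, titles and fix
texts are made up."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
# Order in which a report lists findings: most severe first.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample (not scanner output): three rules, one of them the
# 14-character minimum password length check mentioned in the post.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example_benchmark_demo">
  <Rule id="xccdf_com.example_rule_min_pw_len" severity="medium">
    <title>Minimum password length must be 14 characters</title>
    <fixtext>Configure the policy value for Computer Configuration, Windows Settings,
      Security Settings, Account Policies, Password Policy,
      "Minimum password length" to 14 or more characters.</fixtext>
  </Rule>
  <Rule id="xccdf_com.example_rule_lockout" severity="medium">
    <title>Account lockout threshold must be configured</title>
    <fixtext>Set "Account lockout threshold" to 3 or fewer invalid logon attempts.</fixtext>
  </Rule>
  <Rule id="xccdf_com.example_rule_smbv1" severity="high">
    <title>The SMBv1 protocol must be disabled</title>
    <fixtext>Remove the SMB1Protocol Windows optional feature.</fixtext>
  </Rule>
  <TestResult id="xccdf_com.example_testresult_demo">
    <rule-result idref="xccdf_com.example_rule_min_pw_len"><result>fail</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_lockout"><result>pass</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_smbv1"><result>fail</result></rule-result>
    <rule-result idref="xccdf_com.example_rule_missing"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return (rules, results): rule metadata keyed by rule id, and a list of
    (rule id, result string) pairs in the order the scanner reported them."""
    root = ET.fromstring(xml_text)
    rules = {}
    # Rules may be nested inside <Group> elements; iter() walks the whole tree.
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
            # collapse the whitespace of multi-line fix text into one line
            "fixtext": " ".join(rule.findtext("x:fixtext", default="", namespaces=NS).split()),
        }
    results = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        results.append((rr.get("idref"), rr.findtext("x:result", default="unknown", namespaces=NS)))
    return rules, results


def score(results):
    """Percentage of applicable rules that passed. Simplified on purpose: only
    'pass' and 'fail' count, notapplicable/notchecked/informational are
    ignored, and rule weights are not applied as XCCDF default scoring would."""
    counted = [r for _, r in results if r in ("pass", "fail")]
    if not counted:
        return 0.0
    return 100.0 * counted.count("pass") / len(counted)


def failed_by_severity(rules, results):
    """Ids of failed rules sorted high -> medium -> low, then by id."""
    failed = [rid for rid, r in results if r == "fail"]
    return sorted(
        failed,
        key=lambda rid: (SEVERITY_ORDER.get(rules.get(rid, {}).get("severity", "unknown"), 4), rid),
    )


def report(xml_text):
    """Build the text report: a score line, then one block per failed rule."""
    rules, results = parse_results(xml_text)
    lines = [f"Score: {score(results):.1f}%"]
    for rid in failed_by_severity(rules, results):
        meta = rules.get(rid, {"title": rid, "severity": "unknown", "fixtext": "(no fix text)"})
        lines.append(f"[{meta['severity'].upper()}] {meta['title']}")
        lines.append(f"    fix: {meta['fixtext']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_XCCDF))
```

To use it on a real scan, read the XCCDF results file from the SCC output folder and pass its contents to report(). The score here is a plain pass/fail percentage, so it will not match SCC's own figure exactly when rules carry different weights; it is enough to spot which machines need attention and what to fix first.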

In short, free tools that let us look for bad configurations on machines and missing good practices, and raise the hardening of the machines to see whether we meet minimum security baselines… all to avoid scares… 😉 Remember that there are guides such as those from CCN-CERT that can help us a lot in business to avoid ransomware, data theft or loss… And that's all from me, a hug and don't forget to supervitaminize and mineralize!

Take care of yourselves,

Author

nheobug@bujarra.com