Baselines in SCAP/Nessus audit format

%3CLINGO-SUB%20id%3D%22lingo-sub-2359663%22%20slang%3D%22en-US%22%3EBaselines%20in%20SCAP%2FNessus%20audit%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2359663%22%20slang%3D%22en-US%22%3EAre%20the%20latest%20Windows%2010%20baselines%20available%20in%20a%20format%20that%20can%20be%20ingested%20by%20Nessus%20for%20compliance%20checking%3F%20SCAP%3F%20I%20know%20these%20used%20to%20be%20available%20from%20Nessus%20directly%20but%20have%20since%20been%20removed.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2380575%22%20slang%3D%22en-US%22%3ERe%3A%20Baselines%20in%20SCAP%2FNessus%20audit%20format%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2380575%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F243489%22%20target%3D%22_blank%22%3E%40Ryan%20Means%3C%2FA%3E%26nbsp%3Bnot%20at%20this%20time.%26nbsp%3B%20We%20are%20evaluating%20the%20possibility%20of%20something%20in%20the%20future%20but%20still%20in%20the%20information%20gathering%20stage.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor
Are the latest Windows 10 baselines available in a format that can be ingested by Nessus for compliance checking? SCAP? I know these used to be available from Nessus directly but have since been removed.
7 Replies

@Ryan Means not at this time.  We are evaluating the possibility of something in the future but still in the information gathering stage.

What about publishing the baselines in DSC format, would speed up proof reading and versioning ?

@FLeven it's not a request we get often at all.  Typically customers will use the method posted here (Quickstart - Convert Group Policy into DSC - PowerShell | Microsoft Docs) to fill this need

Yes, as the still open issues show, it is not without flaws and why should the customer take the responsibility for converting security baselines, that should be job of the software vendor ? Shouldn't be everything from the baseline already be in the OS itself, secure by default ... As I proposed on the mentioned Repo: convert it, test it , commit it. Please offer long due alternatives to Grouppolicy's and give customers a reason to switch to a modern configuration management.

@FLeven we will discuss internally but cannot commit to anything at this point

@FLeven - IIRC the last time I looked into it (a couple of years ago), DSC could not reliably handle Advanced Auditing settings nor most Security Options (esp. the items persisted in inaccessible areas of the registry and/or in undocumented formats).

Implementations I've seen in the past had bugs and/or took dependencies on US-English. 

That said, that might have been addressed in the interim.

I know, take a look at the policy analyzer, regarding US-dependent.

What would be the official way to do automated reporting on "security" compliance based on GPO's to ensure an environment stays perfectly as it was designed, to not loose any kind of certification I went through ?
I went for a time with pester tests (16K items plus incl. baselines + custom), DSC at least would combine configuration/reporting and offer a SQL-Database to work with.

www.000webhost.com