DISA recently released their SCAP Compliance Checker (SCC) tool for free to the public! This used to only be available to DoD, gov, or contractor use. Now, it’s available for anyone to use to evaluate the hardening of their machines!
**What is it?**
SCAP (Security Content Automation Protocol) is an automated program used to scan a machine (locally or remotely) to determine security posture based on STIGs. STIGs (Security Technical Implementation Guidelines) are really just checklists of what to check, what constitutes an open or closed vulnerability, and how to remediate it.
Before, if someone without a government or military sponsor wanted to evaluate their systems, they would have open the STIG and manually go through each check one by one to determine if it was open (some STIGs consist of hundreds of items). There are some open-source tools like [OpenSCAP](https://www.open-scap.org/) for Linux systems that work OK, but nothing really for Windows (or that could scan both Linux and Windows from the same console).
**Should I use this?**
If you are curious about your security posture, I suggest you at least give it a try! While hardening a system to 100% SCAP or STIG compliance in a homelab or home server environment is a little silly, you can take a look at what’s open and make a determination if it’s worth remediating. As I stated before, you’re able to scan Windows and Linux systems from the same console (when using the Windows client) so this can be a great on-stop security report for your environment.
The DISA SCAP tool (and associated benchmarks) are located here: [https://public.cyber.mil/stigs/scap/](https://public.cyber.mil/stigs/scap/)