inspec2xccdf: Check Text, Fix Text, and MISC→Mitigations (#226)
* .gitignore *.swp (vim) and .raketasks~

* inspec2xccdf: Add support for the Check Text, Fix Text, and MISC→Mitigations fields in the DISA STIGViewer.

* Move utilities into inspec. Update the conversion from inspec to xccdf for newer inspec runs.

* Update tests to work without Utils

* Add test for v4.28 inspec result output json

Co-authored-by: Kyle Fagan <kfagan@mitre.org>
janeuner and Kyle Fagan authored Aug 11, 2021
1 parent 3cd5ad4 commit dc0e419
Showing 10 changed files with 1,224 additions and 900 deletions.
21 changes: 14 additions & 7 deletions .github/workflows/build.yml
@@ -12,7 +12,7 @@ jobs:
strategy:
fail-fast: false
matrix:
platform: [ ubuntu-16.04, ubuntu-latest, macos-latest, windows-latest ]
platform: [ ubuntu-latest, macos-latest, windows-latest ]
ruby: [ 2.7 ]
runs-on: ${{ matrix.platform }}

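Review bot: dropping ubuntu-16.04 from the platform matrix is consistent with the `matrix.platform == 'ubuntu-16.04'` conditions removed further down in this file, but the matrix still runs Ruby 2.7 only, so the reworked inspec-to-xccdf conversion is exercised on a single Ruby version; consider listing every Ruby version the gem claims to support in `ruby: [ 2.7 ]`.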
@@ -57,7 +57,8 @@ jobs:
inspec_tools inspec2ckl -j examples/sample_json/rhel-simp.json -o inspec2ckl_test_1.ckl
inspec_tools inspec2ckl -j test/data/inspec_1.json -o test/data/inspec2ckl_test_2.ckl
inspec_tools inspec2xccdf -j examples/sample_json/rhel-simp.json -a lib/data/attributes.yml -o inspec2xccdf_test.xml
inspec_tools inspec2xccdf -j examples/sample_json/rhel-simp.json -a examples/inspec2xccdf/xccdf_compliant_attribute.json -m examples/inspec2xccdf/metadata.json -o inspec2xccdf_11.xml
inspec_tools inspec2xccdf -j examples/sample_json/rhel-simp.json -a examples/inspec2xccdf/xccdf_compliant_attribute.json -m examples/inspec2xccdf/metadata.json -o inspec2xccdf_11_1.xml
inspec_tools inspec2xccdf -j examples/sample_json/inspec-v4.28.0.json -a examples/inspec2xccdf/xccdf_compliant_attribute.json -o inspec2xccdf_11_2.xml
inspec_tools compliance -j examples/sample_json/single_control_results.json -f examples/sample_yaml/threshold.yaml
env:
CHEF_LICENSE: "accept"
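Review bot: the new inspec2xccdf invocation for examples/sample_json/inspec-v4.28.0.json omits the `-m examples/inspec2xccdf/metadata.json` argument that the preceding inspec2xccdf_11_1.xml run passes, so the metadata code path is never exercised against the newer result format; add `-m` here or add a second run that passes it. The rename of inspec2xccdf_11.xml to inspec2xccdf_11_1.xml is mirrored in the xmllint step further down; confirm nothing else in the workflow still references the old file name.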
@@ -72,20 +73,26 @@ jobs:
env:
CHEF_LICENSE: "accept"
- name: Validate Output CKL with xmllint
if: matrix.platform == 'ubuntu-latest' || matrix.platform == 'ubuntu-16.04'
if: matrix.platform == 'ubuntu-latest'
uses: ChristophWurst/xmllint-action@v1
with:
xml-file: inspec2ckl_test_1.ckl
xml-schema-file: test/schemas/U_Checklist_Schema_V2-3.xsd
- name: Validate Output CKL with xmllint
if: matrix.platform == 'ubuntu-latest' || matrix.platform == 'ubuntu-16.04'
if: matrix.platform == 'ubuntu-latest'
uses: ChristophWurst/xmllint-action@v1
with:
xml-file: test/data/inspec2ckl_test_2.ckl
xml-schema-file: test/schemas/U_Checklist_Schema_V2-3.xsd
- name: Validate XCCDF 1.1 with xmllint
if: matrix.platform == 'ubuntu-latest' || matrix.platform == 'ubuntu-16.04'
- name: Validate XCCDF 1.1 with xmllint (Inspec Version < 4.28)
if: matrix.platform == 'ubuntu-latest'
uses: ChristophWurst/xmllint-action@v1
with:
xml-file: inspec2xccdf_11.xml
xml-file: inspec2xccdf_11_1.xml
xml-schema-file: test/schemas/xccdf_114/xccdf-1.1.4.xsd
- name: Validate XCCDF 1.1 with xmllint (Inspec Version > 4.28)
if: matrix.platform == 'ubuntu-latest'
uses: ChristophWurst/xmllint-action@v1
with:
xml-file: inspec2xccdf_11_2.xml
xml-schema-file: test/schemas/xccdf_114/xccdf-1.1.4.xsd
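Review bot: the step name `Validate XCCDF 1.1 with xmllint (Inspec Version > 4.28)` excludes 4.28 itself, yet the file it validates, inspec2xccdf_11_2.xml, is produced from examples/sample_json/inspec-v4.28.0.json; rename the pair to `< 4.28` and `>= 4.28` so the labels match the fixture. The two steps differ only in `xml-file`, so a small matrix over the XCCDF output files would remove the duplicated block.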
2 changes: 2 additions & 0 deletions .gitignore
@@ -1,9 +1,11 @@
*.gem
*.rbc
*.swp
.bundle
.config
.idea
.yardoc
.rake_tasks~
_yardoc
Gemfile.lock
coverage
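Review bot: the pattern added here is `.rake_tasks~`, while the commit message says `.raketasks~`; confirm which file name the tooling actually writes so the ignore rule matches it. Editor swap files such as `*.swp` are usually better kept in a per-user global gitignore than in the repository's, since they are not project artifacts.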
16 changes: 8 additions & 8 deletions .rubocop_todo.yml
@@ -1,6 +1,6 @@
# This configuration was generated by
# `rubocop --auto-gen-config`
# on 2021-05-27 14:19:48 UTC using RuboCop version 1.14.0.
# on 2021-05-11 19:56:27 UTC using RuboCop version 1.14.0.
# The point is for the user to remove these configuration records
# one by one as the offenses are removed from the code base.
# Note that changes in the inspected code, or installation of new
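Review bot: the generation timestamp moves backwards, from 2021-05-27 to 2021-05-11, so this .rubocop_todo.yml was produced on a branch older than the one it replaces; re-run `rubocop --auto-gen-config` on the merged tree so the recorded offense counts and thresholds reflect the code actually being committed.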
@@ -13,30 +13,30 @@ Lint/FloatComparison:
- 'lib/utilities/inspec_util.rb'
- 'lib/utilities/xccdf/xccdf_score.rb'

# Offense count: 41
# Offense count: 42
# Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
Metrics/AbcSize:
Max: 182

# Offense count: 9
# Configuration parameters: CountComments, CountAsOne.
Metrics/ClassLength:
Max: 296
Max: 550

# Offense count: 18
# Offense count: 17
# Configuration parameters: IgnoredMethods.
Metrics/CyclomaticComplexity:
Max: 30

# Offense count: 49
# Offense count: 66
# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
Metrics/MethodLength:
Max: 46
Max: 44

# Offense count: 15
# Offense count: 14
# Configuration parameters: IgnoredMethods.
Metrics/PerceivedComplexity:
Max: 31
Max: 30

# Offense count: 2
# Configuration parameters: AllowedNames.
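Review bot: raising Metrics/ClassLength Max from 296 to 550 nearly doubles the permitted class size, and the Metrics/MethodLength offense count grows from 49 to 66, both of which point at the utilities moved into inspec in this commit; splitting the enlarged class (for example keeping the Check Text, Fix Text and Mitigations handling separate from the rest of the converter) would be preferable to lifting the ceiling. The remaining threshold changes (MethodLength Max 46 to 44, PerceivedComplexity Max 31 to 30, CyclomaticComplexity unchanged at 30) are fine.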
158 changes: 158 additions & 0 deletions examples/sample_json/inspec-v4.28.0.json
@@ -0,0 +1,158 @@
{
"name": "example_id",
"title": "bTitle",
"maintainer": "The Authors",
"copyright": "The Authors",
"copyright_email": "you@example.com",
"license": "Apache-2.0",
"summary": "bDescription",
"version": "0.1.0",
"supports": [],
"controls": [
{
"title": "Ensure configuration is set in situations",
"desc": "Identify the threat actor and threat vector.\n \n Describe the mitigation.\n \n Note the external dependencies of the configuration.",
"descriptions": {
"default": "Identify the threat actor and threat vector.\n \n Describe the mitigation.\n \n Note the external dependencies of the configuration.",
"rationale": "",
"check": "Describe preconditions for conducting the check.\n \nList each step of the check.\n\nIdentify mitigating factors.\n\nDefine success or failure conditions.",
"fix": "Describe preconditions for changing the configuration.\n\nList each step of applying the configuration.\n\nIdentify risks to confidentialty, integrity, or availability associated with applying the configuration."
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "low",
"gtitle": "SRG-APP-000220-ZZZ-567890",
"gid": "gid_unused",
"rid": "r1_rule",
"stig_id": "stig_id_unused",
"fix_id": "fix_id_unused",
"cci": [
"CCI-001499",
"CCI-000197"
],
"legacy": [
"V-72845",
"SV-87497"
],
"nist": [
"CM-5 (6)",
"IA-5 (1) (c)"
]
},
"code": "control 'X-123456' do\n title 'Ensure configuration is set in situations'\n desc \"Identify the threat actor and threat vector.\n \n Describe the mitigation.\n \n Note the external dependencies of the configuration.\n \"\n desc 'rationale', ''\n desc 'check', \"Describe preconditions for conducting the check.\n \nList each step of the check.\n\nIdentify mitigating factors.\n\nDefine success or failure conditions.\n\"\n desc 'fix', \"\n Describe preconditions for changing the configuration.\n\n List each step of applying the configuration.\n\n Identify risks to confidentialty, integrity, or availability associated with applying the configuration.\n \"\n impact 0.5\n tag severity: 'low'\n tag gtitle: 'SRG-APP-000220-ZZZ-567890'\n tag gid: 'gid_unused'\n tag rid: 'r1_rule'\n tag stig_id: 'stig_id_unused'\n tag fix_id: 'fix_id_unused'\n tag cci: ['CCI-001499', 'CCI-000197']\n tag legacy: ['V-72845', 'SV-87497']\n tag nist: ['CM-5 (6)', 'IA-5 (1) (c)']\nend\n",
"source_location": {
"ref": "./controls/g1Identifier.rb",
"line": 3
},
"id": "X-123456"
},
{
"title": "Ensure a log metric filter and alarm exist for AWS Config\nconfiguration changes",
"desc": "Real-time monitoring of API calls can be achieved by directing\nCloudTrail Logs to CloudWatch Logs and establishing corresponding metric\nfilters and alarms. It is recommended that a metric filter and alarm be\nestablished for detecting changes to CloudTrail's configurations.",
"descriptions": {
"default": "Real-time monitoring of API calls can be achieved by directing\nCloudTrail Logs to CloudWatch Logs and establishing corresponding metric\nfilters and alarms. It is recommended that a metric filter and alarm be\nestablished for detecting changes to CloudTrail's configurations.",
"rationale": "",
"check": "N/A",
"fix": "ft2FixText"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium",
"gtitle": "g2Title",
"gid": "g2Identifier",
"rid": "r2_rule",
"stig_id": "r2Version",
"fix_id": "f2Identifier",
"cci": [
"CCI-001495",
"CCI-000196"
],
"legacy": [
"identVLegacy3",
"identVLegacy4"
],
"nist": [
"AU-9",
"IA-5 (1) (c)"
]
},
"code": "control 'g2Identifier' do\n title \"Ensure a log metric filter and alarm exist for AWS Config\nconfiguration changes\"\n desc \"Real-time monitoring of API calls can be achieved by directing\nCloudTrail Logs to CloudWatch Logs and establishing corresponding metric\nfilters and alarms. It is recommended that a metric filter and alarm be\nestablished for detecting changes to CloudTrail's configurations.\"\n desc 'rationale', ''\n desc 'check', 'N/A'\n desc 'fix', 'ft2FixText'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'g2Title'\n tag gid: 'g2Identifier'\n tag rid: 'r2_rule'\n tag stig_id: 'r2Version'\n tag fix_id: 'f2Identifier'\n tag cci: ['CCI-001495', 'CCI-000196']\n tag legacy: ['identVLegacy3', 'identVLegacy4']\n tag nist: ['AU-9', 'IA-5 (1) (c)']\nend\n",
"source_location": {
"ref": "./controls/g2Identifier.rb",
"line": 3
},
"id": "g2Identifier"
},
{
"title": "Ensure a log metric filter and alarm exist for AWS Config\nconfiguration changes",
"desc": "Real-time monitoring of API calls can be achieved by directing\nCloudTrail Logs to CloudWatch Logs and establishing corresponding metric\nfilters and alarms. It is recommended that a metric filter and alarm be\nestablished for detecting changes to CloudTrail's configurations.",
"descriptions": {
"default": "Real-time monitoring of API calls can be achieved by directing\nCloudTrail Logs to CloudWatch Logs and establishing corresponding metric\nfilters and alarms. It is recommended that a metric filter and alarm be\nestablished for detecting changes to CloudTrail's configurations.",
"rationale": "",
"check": "N/A",
"fix": "ft3FixText"
},
"impact": 0.5,
"refs": [],
"tags": {
"severity": "medium",
"gtitle": "g3Title",
"gid": "g3Identifier",
"rid": "r3_rule",
"stig_id": "r3Version",
"fix_id": "f3Identifier",
"cci": [
"CCI-001495",
"CCI-000196"
],
"legacy": [
"identVLegacy5",
"identVLegacy6"
],
"nist": [
"AU-9",
"IA-5 (1) (c)"
]
},
"code": "control 'g3Identifier' do\n title \"Ensure a log metric filter and alarm exist for AWS Config\nconfiguration changes\"\n desc \"Real-time monitoring of API calls can be achieved by directing\nCloudTrail Logs to CloudWatch Logs and establishing corresponding metric\nfilters and alarms. It is recommended that a metric filter and alarm be\nestablished for detecting changes to CloudTrail's configurations.\"\n desc 'rationale', ''\n desc 'check', 'N/A'\n desc 'fix', 'ft3FixText'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'g3Title'\n tag gid: 'g3Identifier'\n tag rid: 'r3_rule'\n tag stig_id: 'r3Version'\n tag fix_id: 'f3Identifier'\n tag cci: ['CCI-001495', 'CCI-000196']\n tag legacy: ['identVLegacy5', 'identVLegacy6']\n tag nist: ['AU-9', 'IA-5 (1) (c)']\nend\n",
"source_location": {
"ref": "./controls/g3Identifier.rb",
"line": 3
},
"id": "g3Identifier"
}
],
"groups": [
{
"title": null,
"controls": [
"X-123456"
],
"id": "controls/g1Identifier.rb"
},
{
"title": null,
"controls": [
"g2Identifier"
],
"id": "controls/g2Identifier.rb"
},
{
"title": null,
"controls": [
"g3Identifier"
],
"id": "controls/g3Identifier.rb"
}
],
"inputs": [],
"sha256": "4e73883fc2f0d7c85e953346717c149539978c2780bc52c99276e3d6d6fe0567",
"status_message": "",
"status": "loaded",
"generator": {
"name": "inspec",
"version": "4.28.0"
}
}
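Review bot: only the first control in this fixture carries real `descriptions.check` and `descriptions.fix` text; the other two use `"check": "N/A"` and placeholder fix strings (`ft2FixText`, `ft3FixText`), so the CI validation exercises the new Check Text and Fix Text mapping on a single control, and no control carries any mitigation text for the MISC/Mitigations field named in the commit title. Also, `confidentialty` in the first control's fix text is a typo that will be copied into every XCCDF generated from this sample, and that control's `id` `X-123456` does not match its `source_location.ref` `./controls/g1Identifier.rb`, unlike the other two controls, which is worth aligning in a fixture meant to look like real output.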