Cingulara / openrmf-api-template

The Template API for the OpenRMF tool lets you upload a CKL file to save as a template with metadata.
GNU General Public License v3.0

[FEATURE] STIG Update - DISA Announces Changes to STIG Vulnerability Identifiers #30

Closed Cingulara closed 4 years ago

Cingulara commented 4 years ago

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
Make the below work for older and new STIG manual XCCDF files.

Additional context
In order to provide increased flexibility for the future, DISA is updating the systems that produce Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs). The initial modification is changing Group and Rule IDs (Vul and Subvul IDs). The previous Group and Rule IDs will be retained through the update as "legacy" IDs, presented as XCCDF ident elements. See the below example:

    <Group id="V-204392">
      <title>SRG-OS-000257-GPOS-00098</title>
      <description>…</description>
      <Rule id="SV-204392r85825_rule" weight="10.0" severity="high">
        <version>RHEL-07-010010</version>
        <title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title>
        <description>…</description>
        <reference>…</reference>
        <ident system="http://cyber.mil/legacy">SV-86473</ident>
        <ident system="http://cyber.mil/legacy">V-71849</ident>
        <ident system="http://cyber.mil/cci">CCI-001494</ident>
        <ident system="http://cyber.mil/cci">CCI-001496</ident>
        <ident system="http://cyber.mil/cci">CCI-002165</ident>
        <ident system="http://cyber.mil/cci">CCI-002235</ident>

These updates will necessitate a new version number for every STIG as it is converted to the new format. For example, if the old version/release of a STIG is V2R6, the updated version/release will be V3R1.

DISA will make two manual STIGs (Microsoft Windows Server 2019 and Red Hat Enterprise Linux 7) available in the new format, along with associated automated benchmarks. A new XSL stylesheet is included to handle the "legacy" identifiers. The next release of STIG Viewer will also be able to handle the "legacy" identifiers.

Cingulara commented 4 years ago

Example from https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems is the Win 2016 STIG at V1 R10, but our templates have V1 R9.

Cingulara commented 4 years ago

This area in the Manual STIG is what we need to look at, assuming the Manual STIG is what we use for the Checklist/SCAP scan. Check the version. And then check the first thing after "Release:" and make sure it is an Integer with int.TryParse().

    <plain-text id="release-info">Release: 19 Benchmark Date: 25 Oct 2019</plain-text>
    <version>1</version>
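
Added example, not OpenRMF's own code: one way to read the version and release from a manual XCCDF file with int.TryParse(), and to index the "legacy" ident values so that older and newer IDs resolve to the same Group and Rule. The class and method names are hypothetical, the sample XML is constructed from the fragments quoted in this issue, and the code assumes that release-info and the benchmark version sit directly under the root element and that each Rule sits directly inside its Group.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public static class XccdfInfo   // hypothetical helper, not part of OpenRMF
{
    // Match on local names so the lookup works with or without an XCCDF namespace.
    static IEnumerable<XElement> Named(XContainer c, string name) =>
        c.Descendants().Where(e => e.Name.LocalName == name);

    // Only the root-level <version> is the benchmark version; every Rule has its own <version>.
    public static bool TryGetVersionRelease(XDocument doc, out int version, out int release)
    {
        version = release = 0;
        string v = doc.Root?.Elements().FirstOrDefault(e => e.Name.LocalName == "version")?.Value;
        string info = Named(doc, "plain-text")
            .FirstOrDefault(e => (string)e.Attribute("id") == "release-info")?.Value;
        Match m = Regex.Match(info ?? "", @"Release:\s*(\S+)");
        return v != null && m.Success && int.TryParse(v.Trim(), out version)
            && int.TryParse(m.Groups[1].Value, out release);
    }

    // Legacy "SV-" idents map to the new Rule id, legacy "V-" idents to the new Group id.
    public static Dictionary<string, string> LegacyToCurrentIds(XDocument doc)
    {
        var map = new Dictionary<string, string>();
        foreach (XElement rule in Named(doc, "Rule"))
            foreach (XElement ident in Named(rule, "ident"))
            {
                if ((string)ident.Attribute("system") != "http://cyber.mil/legacy") continue;
                string legacy = ident.Value.Trim();
                map[legacy] = legacy.StartsWith("SV-", StringComparison.Ordinal)
                    ? (string)rule.Attribute("id") : (string)rule.Parent?.Attribute("id");
            }
        return map;
    }

    public static void Main()
    {
        // Constructed sample built from the fragments quoted in this issue.
        var doc = XDocument.Parse(@"<Benchmark>
<plain-text id='release-info'>Release: 19 Benchmark Date: 25 Oct 2019</plain-text><version>1</version>
<Group id='V-204392'><Rule id='SV-204392r85825_rule'><version>RHEL-07-010010</version>
<ident system='http://cyber.mil/legacy'>SV-86473</ident><ident system='http://cyber.mil/legacy'>V-71849</ident>
<ident system='http://cyber.mil/cci'>CCI-001494</ident></Rule></Group></Benchmark>");
        bool ok = TryGetVersionRelease(doc, out int ver, out int rel);
        Console.WriteLine(ok ? $"V{ver}R{rel}" : "unrecognized release-info");
        foreach (var kv in LegacyToCurrentIds(doc)) Console.WriteLine($"{kv.Key} -> {kv.Value}");
    }
}
```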

Cingulara commented 4 years ago

I pull the newest CKL template now in version 0.12 beta for the templates when uploading a SCAP Scan. I have 2 Windows 10 templates for the manual XCCDF files DISA puts out. And it grabs version 1 release 20 now instead of release 19.