Cingulara / openrmf-web

The web UI for the OpenRMF tool, which uses multiple containers for parts of the distributed openRMF tool for managing DoD STIG checklists and RMF compliance.
https://www.openrmf.io/
GNU General Public License v3.0

Importing ckl from Powerstig #229

Closed mareban closed 1 year ago

mareban commented 3 years ago

Hello,

We've installed openrmf 1.5.4 and imported ckl files from Powerstig of some windows 2019 servers (standard and core) !

All is fine except for the compliance report that is empty for all system !!

Is PowerSTIG supported, are we missing something in our configuration, do we need to upload some files to have beautiful compliance reports, or is it a bug, please?

Thanks for your help and this GREAT project.

mareban commented 3 years ago

Hi again,

FYI, this is the message we got:

openrmf-checklist-nats-message-client | 2021-07-27 16:02:56.3677||INFO|openrmf_msg_checklist|Sending back compressed Checklist Data |
openrmf-compliance-api | Connection Disconnected:
openrmf-compliance-api | Connection Closed:
openrmf-compliance-api | control not found: AC-16
openrmf-compliance-api | control not found: SC-11
openrmf-compliance-api | control not found: SI-13
openrmf-compliance-api | control not found: AC-9
openrmf-compliance-api | control not found: AU-13
openrmf-compliance-api | control not found: PL-7
openrmf-compliance-api | control not found: SA-13
openrmf-compliance-api | control not found: SA-14
openrmf-compliance-api | control not found: PE-19
openrmf-compliance-api | control not found: SC-6
openrmf-compliance-api | control not found: SC-16
openrmf-compliance-api | control not found: SC-25
openrmf-compliance-api | control not found: SC-26
openrmf-compliance-api | control not found: SC-35
openrmf-compliance-api | control not found: SC-27
openrmf-compliance-api | control not found: SC-29
openrmf-compliance-api | control not found: SC-30
openrmf-compliance-api | control not found: SC-31
openrmf-compliance-api | control not found: SC-32
openrmf-compliance-api | control not found: SC-34
openrmf-compliance-api | control not found: AU-14
openrmf-compliance-api | control not found: AC-23
openrmf-compliance-api | control not found: AC-24
openrmf-compliance-api | control not found: AC-25
openrmf-compliance-api | control not found: AU-15
openrmf-compliance-api | control not found: AU-16
openrmf-compliance-api | control not found: CP-11
openrmf-compliance-api | control not found: CP-12
openrmf-compliance-api | control not found: CP-13
openrmf-compliance-api | control not found: IA-9
openrmf-compliance-api | control not found: IA-10
openrmf-compliance-api | control not found: IA-11
openrmf-compliance-api | control not found: IR-9
openrmf-compliance-api | control not found: IR-10
openrmf-compliance-api | control not found: MP-8
openrmf-compliance-api | control not found: RA-6
openrmf-compliance-api | control not found: SA-18
openrmf-compliance-api | control not found: SA-19
openrmf-compliance-api | control not found: SA-20
openrmf-compliance-api | control not found: SA-21
openrmf-compliance-api | control not found: SC-36
openrmf-compliance-api | control not found: SC-37
openrmf-compliance-api | control not found: SC-38
openrmf-compliance-api | control not found: SC-40
openrmf-compliance-api | control not found: SC-41
openrmf-compliance-api | control not found: SC-42
openrmf-compliance-api | control not found: SC-43
openrmf-compliance-api | control not found: SC-44
openrmf-compliance-api | control not found: SI-14
openrmf-compliance-api | control not found: SI-15
openrmf-compliance-api | control not found: PE-20
openrmf-compliance-api | control not found: SA-22
openrmf-compliance-api | control not found: SI-17
openrmf-compliance-api | control not found: PL-9
openrmf-compliance-api | 2021-07-27 16:02:56.5629||INFO|openrmf_api_compliance.Controllers.ComplianceController|Called GetCompliancBySystem(60fd5e5c322e8600012eb3d4, high, True) successfully |

Thanks for your support.

Cingulara commented 3 years ago

I don't know what "Powerstig" is honestly. I am thinking you are referring to https://github.com/microsoft/PowerStig. @degthat8412 have you ever used this on Windows boxes?

I would need to see what it gives you and compare the CKL to the CKL structure from DISA like the files at https://github.com/Cingulara/openrmf-web/tree/master/examples we have for examples. The CKL structure, the VULN structure, the CCIs linking and then the controls that match to the CCIs for NIST 800-53 rev4 that DISA puts out in their listing. That is what this works on. And see it work start to finish in order to help you with this question. I have not used it and would only be guessing at this point.

If you edit the CKL files via the OpenRMF web tool, do you see the full checklists and the open items? And the VULN info as well as CCIs listed with NIST controls for the VULNs listed per checklist?

mareban commented 3 years ago

Hi,

Thanks for your reply! We are using PowerSTIG from Microsoft and generate the .ckl with the New-StigCheckList command with the U_MS_Windows_Server_2019_STIG_V2R2_Manual-xccdf.xml manual benchmark! The .ckl is well imported in openrmf (I can see status, choose cat, ...), but the compliance remains empty :-( and I cannot see CCI and controls that match (control not found in the logs ??)

As I understand, PowerSTIG (used in Azure) is not tested and maybe not supported?

Thanks for your help.

myserver.Windows19-2.2.ckl.txt

I added .txt to be able to upload

Cingulara commented 3 years ago

In a regular checklist like the ones I pointed to (https://raw.githubusercontent.com/Cingulara/openrmf-web/master/examples/win12domaincontroller.ckl) you can see a CCI_REF attribute and then the actual CCI number. That number is what links controls to the NIST 800-53 via the DISA CCI referencing NIST controls to CCIs. In the ckl file you sent me I see 0 CCI items listed. Maybe that is an option to use or generate them? But w/o them you will never have the compliance work at all. There are no CCIs to glue VULN to NIST controls.

You need to see how to get CCIs to show up in CKL file listings for vulnerabilities.

<STIG_DATA>
  <VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE>
  <ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA>
</STIG_DATA>

mareban commented 3 years ago

Thanks for your reply :-)

https://www.powershellgallery.com/packages/PowerSTIG/4.1.1/Content/Module%5CSTIG%5CFunctions.Checklist.ps1, starting at line number 313 in the Get-VulnerabilityList function:

# Some Stigs have multiple Control Correlation Identifiers (CCI)
$(
    # Extract only the cci entries
    $CCIREFList = $vulnerability.Rule.ident |
        Where-Object {$PSItem.system -eq 'http://iase.disa.mil/cci'} |
        Select-Object 'InnerText' -ExpandProperty 'InnerText'

    foreach ($CCIREF in $CCIREFList)
    {
        [PSCustomObject]@{Name = 'CCI_REF'; Value = $CCIREF}
    }
)

So to have CCIs reported in OpenRMF, they should be in the .ckl file generated by New-StigCheckList, and the CCIs are in the STIG U_MS_Windows_Server_2019_STIG_V2R2_Manual-xccdf.xml from DISA :-) !

I'll try to dig further and check on Powerstig side.

Thank you for your help.
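The two pieces of this thread, the CCI_REF STIG_DATA pair that OpenRMF needs in each VULN and the PowerSTIG filter that pulls CCIs out of XCCDF ident elements, as an added example that is not code from the OpenRMF or PowerSTIG projects. It mirrors the ident filter in Python and then audits a checklist for VULNs that carry no CCI_REF, which is the pre-import check that would have caught the empty compliance report. The XCCDF rule and CKL fragment are constructed samples, and the V-EXAMPLE-* vulnerability IDs are placeholders.

```python
import xml.etree.ElementTree as ET

CCI_SYSTEM = "http://iase.disa.mil/cci"          # ident system PowerSTIG filters on
XCCDF = "{http://checklists.nist.gov/xccdf/1.1}"  # XCCDF 1.1 namespace, Clark notation

# Constructed samples, not taken from any DISA or PowerSTIG file.
SAMPLE_RULE = """<Rule xmlns="http://checklists.nist.gov/xccdf/1.1" id="SV-EXAMPLE_rule">
  <ident system="http://iase.disa.mil/cci">CCI-000366</ident>
  <ident system="http://example.test/other">NOT-A-CCI</ident>
</Rule>"""
SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-EXAMPLE-1</ATTRIBUTE_DATA></STIG_DATA>
    <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
  </VULN>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-EXAMPLE-2</ATTRIBUTE_DATA></STIG_DATA>
  </VULN>
</iSTIG></STIGS></CHECKLIST>"""


def ccis_from_rule(rule_xml):
    """Same filter as PowerSTIG's Get-VulnerabilityList: keep only <ident>
    entries whose system attribute is the DISA CCI URI."""
    rule = ET.fromstring(rule_xml)
    return [i.text.strip() for i in rule.findall(f"{XCCDF}ident")
            if i.get("system") == CCI_SYSTEM and i.text]


def vuln_attributes(vuln):
    """Collect one VULN's STIG_DATA pairs as {VULN_ATTRIBUTE: [ATTRIBUTE_DATA, ...]}."""
    attrs = {}
    for sd in vuln.findall("STIG_DATA"):
        name = (sd.findtext("VULN_ATTRIBUTE") or "").strip()
        attrs.setdefault(name, []).append((sd.findtext("ATTRIBUTE_DATA") or "").strip())
    return attrs


def audit_ckl_ccis(ckl_xml):
    """Return (vulns_with_cci, vulns_without_cci) as lists of Vuln_Num values;
    the second list is what OpenRMF cannot link to NIST 800-53 controls."""
    with_cci, without_cci = [], []
    for vuln in ET.fromstring(ckl_xml).iter("VULN"):
        attrs = vuln_attributes(vuln)
        vuln_id = attrs.get("Vuln_Num", ["<no Vuln_Num>"])[0]
        ccis = [c for c in attrs.get("CCI_REF", []) if c.startswith("CCI-")]
        (with_cci if ccis else without_cci).append(vuln_id)
    return with_cci, without_cci
```

Run audit_ckl_ccis over a real CKL's text before uploading it; an all-empty first list is the same condition that produced the "control not found" log and the blank compliance page above.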

Cingulara commented 3 years ago

We rely on CCIs so those have to be in the CKL to make the Compliance run work. Or it will show nothing as you saw. So yes whatever generates the CKL has to do it.

DISA open sourced their SCAP scanner also to use. We read those XCCDF results in also. Public.cyber.mil website has that info.


-- Dale Bingham CTO and Chief Technology Evangelist Cingulara https://www.cingulara.com 410-984-0001

mareban commented 3 years ago

Thx :-), we've started by using SCC (Security Compliance Checker), but PowerSTIG has remediation using DSC (Desired State Config) to apply the changes and covers a bit more, like IIS/SQL servers for example!

Many thanks for your help.

Cingulara commented 3 years ago

Yeah I have not used that PowerSTIG thing as of yet but will need to try. If it can link up the CCIs then it would be great. If you can match the benchmark STIG IDs to the checklist IDs of vulnerabilities that would be the trick.

DaleBinghamSoteriaSoft commented 1 year ago

@mareban going back to an older issue here...

did you ever get PowerSTIG to create a checklist file with proper CCI references? @degthat8412 and I may have to look into how that is not working this coming month. That would be yet another way here to use it.

And we can add an 11th type of format to OpenRMF Professional as well.

DaleBinghamSoteriaSoft commented 1 year ago

The STIGs and checklists need CCIs to relate to controls here. The CKL format needs to be correct.