Import of SCAP (DISA STIG) scans to create and update Checklists

[degthat8412]

Need to be able to update checklists with updated scap scan information.

[Cingulara]

I need to know the process, a group of examples, and how the data would relate and be matched up with whatever host and whatever checklist.

On Fri, Apr 5, 2019 at 9:39 PM degthat8412 notifications@github.com wrote:

Need to be able to update checklists with updated scap scan information.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/Cingulara/openstig-web/issues/45, or mute the thread https://github.com/notifications/unsubscribe-auth/Ar__OZayAJpwvbBUo9_NfbjyRQNvlj-Vks5vd_rvgaJpZM4cf8s6 .

-- Dale Bingham CTO and Chief Technology Evangelist Cingulara https://www.cingulara.com 410-984-0001

[degthat8412]

Working that to add as well. Just putting in the ticket to add the info to. But this is already started with the IA controls page with the identified checklists. We talked about this on the phone.

On Fri, Apr 5, 2019 at 9:42 PM Cingulara CTO notifications@github.com wrote:

I need to know the process, a group of examples, and how the data would relate and be matched up with whatever host and whatever checklist.

On Fri, Apr 5, 2019 at 9:39 PM degthat8412 notifications@github.com wrote:

Need to be able to update checklists with updated scap scan information.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/Cingulara/openstig-web/issues/45, or mute the thread < https://github.com/notifications/unsubscribe-auth/Ar__OZayAJpwvbBUo9_NfbjyRQNvlj-Vks5vd_rvgaJpZM4cf8s6

.

-- Dale Bingham CTO and Chief Technology Evangelist Cingulara https://www.cingulara.com 410-984-0001

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/Cingulara/openstig-web/issues/45#issuecomment-480464059, or mute the thread https://github.com/notifications/unsubscribe-auth/An9657nq0fsI3kmIt_gaGmsEuioI2P0hks5vd_uSgaJpZM4cf8s6 .

-- David Gould CEO / Cyber Security Professional DGOULD at Tutelasec.com CISSP/CEH/MCSE/VCP

[Cingulara]

Yep. Sanitized examples to use here eventually also.

On Fri, Apr 5, 2019 at 10:05 PM degthat8412 notifications@github.com wrote:

Working that to add as well. Just putting in the ticket to add the info to. But this is already started with the IA controls page with the identified checklists. We talked about this on the phone.

On Fri, Apr 5, 2019 at 9:42 PM Cingulara CTO notifications@github.com wrote:

I need to know the process, a group of examples, and how the data would relate and be matched up with whatever host and whatever checklist.

On Fri, Apr 5, 2019 at 9:39 PM degthat8412 notifications@github.com wrote:

Need to be able to update checklists with updated scap scan information.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/Cingulara/openstig-web/issues/45, or mute the thread <

https://github.com/notifications/unsubscribe-auth/Ar__OZayAJpwvbBUo9_NfbjyRQNvlj-Vks5vd_rvgaJpZM4cf8s6

.

-- Dale Bingham CTO and Chief Technology Evangelist Cingulara https://www.cingulara.com 410-984-0001

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub < https://github.com/Cingulara/openstig-web/issues/45#issuecomment-480464059 , or mute the thread < https://github.com/notifications/unsubscribe-auth/An9657nq0fsI3kmIt_gaGmsEuioI2P0hks5vd_uSgaJpZM4cf8s6

.

-- David Gould CEO / Cyber Security Professional DGOULD at Tutelasec.com CISSP/CEH/MCSE/VCP

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/Cingulara/openstig-web/issues/45#issuecomment-480465485, or mute the thread https://github.com/notifications/unsubscribe-auth/Ar__OSTw22KB9-lqL36ZPY1HpRCWwUhEks5veAD0gaJpZM4cf8s6 .

-- Dale Bingham CTO and Chief Technology Evangelist Cingulara https://www.cingulara.com 410-984-0001

[Cingulara]

Initial whiteboard write up as well:

[Cingulara]

Something like what Gloo Enterprise shows:

[Cingulara]

Also need to show a report / list of what changed from the import as a result.

[Cingulara]

The steps to work are grouped below with a snapshot of the XML to read through and act on. This is for a NEW checklist made from a SCAP scan in a system.

Step 1:

• Read in the XML file from the SCAP in the XCCDF format only

Step 2:

• there is a cdf:TestResult area under the cdf:Benchmark tag
• read in each cdf:rule_result under the TestResult area
• there is the idref field that matches to the rule Id field from the VULN in each checklist (i.e. SV-78007r1_rule)
• the cdf:result will have pass or fail for that rule
• save all that rule result data into a list to use for that VULN based on the rule idref field
• use a RegEx like SV-/d+r/d+ or something similar to just get the SV-xxx rule information (worst case, .Replace() with "" empty string)

Step 3:

• match the cdf:title in the SCAP scan xml file to the iSTIG STIG_INFO SID_DATA title value to make sure the checklist you create is the right one
• read the Checklist file into memory in an XML structure (already in the app)
• do a search on the checklist Rule_ID in the VULN STIG_DATA fields based on the SV-xxxxxx rule you got from the rule_result listing (should only match 1 at most)
• if the cdf:result for that rule is a fail mark the field of that VULN as Open
• if the cdf:result for that rule is a pass mark the field of that VULN as NotAFinding

Step 4:

• when done all Group entries, save this Artifact record w/ checklist data as you would a regular CKL file upload against the system
• save the latest SCAP XML with the record

Rule-Result area:

Checklist File Area:

[Cingulara]

The above works for a new checklist. To update an existing checklist with an imported SCAP you would do the same matching of cdf:Group and cdf:rule_result type of data, but you would do it against the known good XML structure of the existing checklist.

• Read in the SCAP
• get all your cdf:rule_result entries for SV-xxxxxrn_rule and the pass/fail
• get your current checklist XML
• see what changes would happen and send that back to the browser
• default only the ones that say pass to be checked off as applying per @degthat8412 comment below
• get an OK on the ones to change and save just that data back (some may be where they should be and the SCAP needs to be overwritten or discarded for that entry)
• reload the checklist page with the latest data
• save the latest SCAP XML with the record

[amkuchta]

I would caution against matching on cdf:Group, and would instead suggest using cdf:Rule. The reasons for this are two-fold:

1. cdf:Group is not necessarily unique across STIGs; Win2019 and Win10 may share V-#### IDs, for example. cdf:Rule is unique to each STIG
2. cdf:Rule includes the revision of the STIG, so you can check that you are doing a true apples-to-apples comparison when importing SCAP data, not overlaying old data on to a new STIG (or new data on to an old STIG)

[degthat8412]

If you are importing a SCAP scan into a checklist to "update", may only want to change or update what is passed. If a user has already made manual changes to mitigate an open finding and lower the risk CAT level, you do not want to overwrite it. On a newly created checklist that is blank then everything result wise should be imported.

David Gould

[Cingulara]

Updated the long description above from @amkuchta and @degthat8412 info and made it much simpler. Working that now. Need to design the 'go get a blank template from the approved list of checklists' piece. The upload piece will go into the ...drum roll...upload API.

[Cingulara]

This is working well.

I need to test uploading a XCCDF w/o a valid Template and what that will fail to do.

[Cingulara]

Initial Create is working. Going to add the "update a checklist for all passing" to v 0.10