microsoft / PowerStig

STIG Automation
https://www.powershellgallery.com/packages/PowerSTIG
Other
548 stars 115 forks source link

Errors compiling MOF from STIG 2016 V1R10 #565

Open chrissten opened 4 years ago

chrissten commented 4 years ago

I'm trying to compile a MOF against the latest Server 2016 V1 R10 STIG.

To Reproduce

  1. Download U_MS_Windows_Server_2016_STIG_V1R10_Manual-xccdf.xml
  2. Run ConvertTo-PowerStigXml -Path "U_MS_Windows_Server_2016_STIG_V1R10_Manual-xccdf.xml" -Verbose -CreateOrgSettingsFile
  3. See error-->

AccessControlDSC\NTFSAccessControlEntry : At least one of the values ', , ' is not supported or valid for property 'FileSystemRights' on class 'NTFSAccessControlEntry'. Please specify only supported values: AppendData, ChangePermissions, CreateDirectories, CreateFiles, Delete, DeleteSubdirectoriesAndFiles, ExecuteFile, FullControl, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes. At C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.2.0\DSCResources\Resources\windows.AccessControl.ps1:80 char:33 + NTFSAccessControlEntry + ~~~~~~ + CategoryInfo : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException + FullyQualifiedErrorId : UnsupportedValueForProperty,AccessControlDSC\NTFSAccessControlEntry

athaynes commented 4 years ago

@chrissten The convert module is is a best effort to extract the data from the xccdf. The output usually needs a little bit of polish due to the random changes that show up in each version of the xccdf. That is why we don't publish it to the gallery as part of the module release. Additionally with the Windows Server 2016 STIG, DISA merged the MS and DC STIG back into a single xccdf, so you need to split it into the MS and DC file with Split-StigXccdf. Split-StigXccdf is also a best effort module so the output needs to be reviewed as well before passing it to ConvertTo-PowerStigXml.

What I normally do is run a convert like you did (after splitting the file into MS/DC) and then just copy the results over the previous version of the processed STIG file. That will let git show me what is different in the new file and helps quickly identify any issues in the conversion process that need to be addressed. Make sure to discard the change to the old file in git

The error you are getting is caused by the conversion process not extracting the ACE from the xccdf. in 1.9 of the STIG that was V-73249, so have a look there to see what is happening.

We haven't documented the convert process, because we have been looking at different ways to sustainably address the randomness of the xccdf raw data strings. If you look in StigData\Archive\Windows.Server.2016, you will see log files that align to each stig. These log files are how we track the variation in each STIG and the convert module reads this file in and when a STIG ID matches, it replaces the randomly changed text (text between :: and :: ) in the xccdf with the properly formatted (Based on previous version of the STIG) text (text after the second ::) so that the convert functions regex receives the data in the expected format.

It sounds more complicated than it is, but we don't have any control over the format we receive and don't want to permanently modify the data that DISA provides because they are the STIG authority. I am not sure if that helps or not, but I wanted to give you a better explanation as to why we don't publish the convert process in the release and why we haven't really documented to process.

All that being said, thank you for jumping in and and trying to tackle this STIG. If you want to keep pressing forward on that, it would be a huge help if you create the initial wiki page you referenced in #566 so that we can get an outsiders perspective on the convert process to see if we can open that up to the rest of the community.