mitre / heimdall2

Heimdall Enterprise Server 2 lets you view, store, and compare automated security control scan results.

XCCDF Mapper with RHEL 7 SCAP Scan Input #2399

Open jkufro opened 3 years ago

jkufro commented 3 years ago

@jrwhite17

XCCDF Issue - supporting files.zip

I realize that Heimdall Tools is being re-written in TS, but I figured it was worth documenting this issue because we have a use case that is currently blocked by the Ruby implementation and could possibly be present in the TS version as well.

The basic use case is:

  1. use the SCAP Compliance Checker tool to scan resources
  2. export those scans to XCCDF
  3. translate the scans to HDF
  4. upload those scans to Heimdall

We are currently blocked at step 2 of that workflow. I have run the SCAP Compliance Checker against an example RHEL7 VM with the U_RHEL_7_V3R4_STIG_SCAP_1-2_Benchmark.xml (attached in ZIP) and exported that from the SCAP tool in XCCDF format. When I run that XML file (example-rhel7-SCAP-scan.xml - attached in ZIP) through the XCCDF mapper on the master branch, I get the following error:

(Screenshot attached: Screen Shot 2021-10-21 at 12 12 11 PM, showing the mapper's error output)

In my local testing I ended up revising the to_hdf method to the below code snippet and was able to produce the example-rhel7-SCAP-scan.json file (included in ZIP). It seems like the to_hdf method just needs to be more flexible around fields that might not exist in the XCCDF file.

def to_hdf
  controls = []
  @groups.each_with_index do |group, i|
    @item = {}
    # Rule ids look like "..._rule_SV-<n>r<rev>_rule"; the control id is the "V-<n>" part
    @item['id'] = group['Rule']['id'].split('.').last.split('_').drop(2).first.split('r').first.split('S')[1]
    @item['title']               = group['Rule']['title'].to_s
    @item['desc']                = group['Rule']['description'].to_s.split('Satisfies').first
    @item['descriptions']        = []
    @item['descriptions']        << desc_tags(group['Rule']['description'], 'default')
    @item['descriptions']        << desc_tags('NA', 'rationale')
    @item['descriptions']        << desc_tags(group['Rule']['check']['check-content-ref']['name'], 'check')
    @item['descriptions']        << desc_tags(group['Rule']['fixtext']['text'], 'fix')
    @item['impact']              = get_impact(group['Rule']['severity'])
    @item['refs']                = NA_ARRAY
    @item['tags']                = {}
    @item['tags']['severity']    = nil
    @item['tags']['gtitle']      = group['title']
    @item['tags']['satisfies']   = satisfies_parse(group['Rule']['description'])
    # group id is the "SV-<n>" part of the same rule id
    @item['tags']['gid']         = group['Rule']['id'].split('.').last.split('_').drop(2).first.split('r').first
    # <ident> may be absent, a single hash, or an array of hashes; normalise to an array
    ident = group['Rule']['ident']
    ident = [ident] if ident.is_a? Hash
    ident = [] if ident.nil?
    @item['tags']['legacy_id']   = ident[2]['text'] if ident[2]
    @item['tags']['rid']         = ident[1]['text'] if ident[1]
    @item['tags']['stig_id']     = @benchmarks['id']
    @item['tags']['fix_id']      = group['Rule']['fix']['id']
    cci = parse_refs(ident)
    @item['tags']['cci']         = cci if cci
    @item['tags']['nist']        = cci_nist_tag(@item['tags']['cci']) if @item['tags']['cci']
    @item['code']                = NA_STRING
    @item['source_location']     = NA_HASH
    # results were in another location and using the top block "Benchmark" as a starting point caused odd issues. This works for now for the results.
    @item['results'] = finding(@results, i)
    controls << @item
  end

  controls = collapse_duplicates(controls)
  results = HeimdallDataFormat.new(profile_name: @benchmarks['id'],
                                    version: @benchmarks['style'],
                                    duration: NA_FLOAT,
                                    title: @benchmarks['title'],
                                    maintainer: @benchmarks['reference']['publisher'],
                                    summary: @benchmarks['description'],
                                    license: @benchmarks['notice']['id'],
                                    copyright: @benchmarks['metadata']['creator'],
                                    copyright_email: 'disa.stig_spt@mail.mil',
                                    controls: controls)
  results.to_hdf
end

Fixed by https://github.com/mitre/heimdall2/pull/2551
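The flexibility asked for above (a mapper that does not raise when an XCCDF Rule lacks optional elements), as an added example that is not the project's own mapper code: a small Ruby walk over an XCCDF Benchmark with REXML that treats ident, fix, fixtext and check as optional, records which tags came out empty, and extracts the V-/SV- ids with a regex instead of a chain of split calls. The XCCDF fragment, its ids and CCI value, and the severity-to-impact mapping (high 0.7, medium 0.5, low 0.3, defaulting to 0.5 when severity is absent) are all constructed for this example.

```ruby
require 'rexml/document'

# Constructed XCCDF fragment (not the file attached to the issue). The second
# Rule deliberately omits ident, fixtext, fix and check, the shape that made
# the original to_hdf raise on a nil lookup.
SAMPLE_XCCDF = <<~XML
  <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_RHEL_7" style="SCAP_1.2">
    <title>Constructed benchmark</title>
    <Group id="xccdf_example_group_V-100001">
      <title>SRG-EXAMPLE-000001</title>
      <Rule id="xccdf_example_rule_SV-100001r1_rule" severity="high">
        <title>Rule with every field present</title>
        <description>Full description.</description>
        <ident system="http://cyber.mil/cci">CCI-000001</ident>
        <fixtext fixref="F-100001_fix">Apply the fix.</fixtext>
        <fix id="F-100001_fix"/>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
        </check>
      </Rule>
    </Group>
    <Group id="xccdf_example_group_V-100002">
      <title>SRG-EXAMPLE-000002</title>
      <Rule id="xccdf_example_rule_SV-100002r1_rule" severity="medium">
        <title>Rule with optional fields missing</title>
        <description>Sparse description.</description>
      </Rule>
    </Group>
  </Benchmark>
XML

# Assumed severity-to-impact mapping for this example; 0.5 when severity is absent.
IMPACT = { 'high' => 0.7, 'medium' => 0.5, 'low' => 0.3 }.freeze

# Child elements matched by local name, so the XCCDF default namespace does not matter.
# A nil parent yields an empty list instead of raising.
def children(el, name)
  found = []
  el&.each_element { |c| found << c if c.name == name }
  found
end

def child(el, name)
  children(el, name).first
end

# Stripped text of a child element, or nil when the child is absent.
def child_text(el, name)
  c = child(el, name)
  c && c.text.to_s.strip
end

# Attribute value, or nil when the element itself is absent.
def attr_of(el, name)
  el && el.attributes[name]
end

# "..._rule_SV-100001r1_rule" -> gid "SV-100001", control id "V-100001";
# both nil when the id does not follow that pattern.
def rule_ids(rule_id)
  m = rule_id.to_s.match(/(SV-(\d+))r\d+/)
  m ? { 'gid' => m[1], 'id' => "V-#{m[2]}" } : { 'gid' => nil, 'id' => nil }
end

# Build one control hash from a Group; every optional lookup degrades to nil or [].
def rule_to_control(group)
  rule = child(group, 'Rule')
  return nil unless rule
  ids = rule_ids(attr_of(rule, 'id'))
  ccis = children(rule, 'ident').map { |i| i.text.to_s.strip }.select { |t| t.start_with?('CCI-') }
  check_ref = child(child(rule, 'check'), 'check-content-ref')
  {
    'id'     => ids['id'],
    'title'  => child_text(rule, 'title').to_s,
    'desc'   => child_text(rule, 'description').to_s,
    'impact' => IMPACT.fetch(attr_of(rule, 'severity').to_s.downcase, 0.5),
    'tags'   => {
      'gtitle'    => child_text(group, 'title'),
      'gid'       => ids['gid'],
      'fix_id'    => attr_of(child(rule, 'fix'), 'id'),
      'fix'       => child_text(rule, 'fixtext'),
      'check_ref' => attr_of(check_ref, 'name'),
      'cci'       => ccis
    }
  }
end

def controls_from_xccdf(xml)
  doc = REXML::Document.new(xml)
  children(doc.root, 'Group').map { |g| rule_to_control(g) }.compact
end

# Tags that ended up nil or empty, so a caller can log what the scan did not carry.
def missing_fields(control)
  control['tags'].select { |_k, v| v.nil? || v == [] }.keys
end

if __FILE__ == $PROGRAM_NAME
  controls_from_xccdf(SAMPLE_XCCDF).each do |c|
    puts "#{c['id']}: missing #{missing_fields(c).inspect}"
  end
end
```

Running the file prints one line per control; the second control reports `cci`, `check_ref`, `fix` and `fix_id` as missing rather than aborting the whole conversion, which is the behaviour a mapper needs when scanner output omits elements the benchmark schema marks optional.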

jkufro commented 3 years ago

Update: I was able to test the TS version of the xccdf_results_mapper and hit an error with the same test XCCDF file.

(Screenshot attached: Screen Shot 2021-10-21 at 12 55 02 PM, showing the TS mapper's error output)

Amndeep7 commented 2 years ago

Need to validate that this works now

Amndeep7 commented 2 years ago

Probably a blocker for https://github.com/mitre/heimdall2/issues/343

If this fails, then it should be added as another sample to test against

aaronlippold commented 2 years ago

Fixed by #2551

aaronlippold commented 2 years ago

@Amndeep7 is this resolved by #2551 ?

Amndeep7 commented 2 years ago

@aaronlippold it might have been fixed when I did that PR for xccdf2hdf, but I have not tested yet so can't promise.