Closed aaronlippold closed 2 years ago
```ruby
# encoding: UTF-8
control "C-1.1.1.1" do
  title "Ensure mounting of cramfs filesystems is disabled"
  desc "The `cramfs` filesystem type is a compressed read-only Linux
  filesystem embedded in small footprint systems. A `cramfs` image can be
  used without having to first decompress the image."
  desc "rationale", "Removing support for unneeded filesystem types reduces
  the local attack surface of the server. If this filesystem type is not needed,
  disable it."
  impact 0.7
  tag severity: 'high'
  tag nist: ["CM-6"]
  tag cis_scored: true
  tag cis_version: '1.2.0'
  tag cis_level: 3
  tag cis_controls: ["5.1"]
  tag cis_cdc_version: 7
  tag cis_rid: "1.1.1.1"
  desc "check", "Run the following commands and verify the output is as
  indicated:
  # modprobe -n -v cramfs | grep -v mtd
  install /bin/true
  # lsmod | grep cramfs"
  desc "fix", "Edit or create a file in the `/etc/modprobe.d/` directory ending in
  .conf
  Example: `vi /etc/modprobe.d/cramfs.conf`
  and add the following line:
  install cramfs /bin/true
  Run the following command to unload the `cramfs` module:
  # rmmod cramfs"
  # Template placeholder test; a generated control replaces it with the real check.
  describe system do
    it { should rock }
  end
end
```
```ruby
# encoding: UTF-8
control 'V-63319' do
  title "Domain-joined systems must use Windows 10 Enterprise Edition 64-bit
  version."
  desc "Features such as Credential Guard use virtualization based security to
  protect information that could be used in credential theft attacks if
  compromised. There are a number of system requirements that must be met in
  order for Credential Guard to be configured and enabled properly.
  Virtualization based security and Credential Guard are only available with
  Windows 10 Enterprise 64-bit version."
  impact 0.5
  tag severity: 'medium'
  tag gtitle: 'WN10-00-000005'
  tag gid: 'V-63319'
  tag rid: 'SV-77809r3_rule'
  tag stig_id: 'WN10-00-000005'
  tag fix_id: 'F-69237r2_fix'
  tag cci: ['CCI-000366']
  tag nist: ['CM-6 b']
  tag false_negatives: nil
  tag false_positives: nil
  tag documentable: false
  tag mitigations: nil
  tag severity_override_guidance: false
  tag potential_impacts: nil
  tag third_party_tools: nil
  tag mitigation_controls: nil
  tag responsibility: nil
  tag ia_controls: nil
  desc "check", "Verify domain-joined systems are using Windows 10 Enterprise
  Edition 64-bit version.
  For standalone systems, this is NA.
  Open \"Settings\".
  Select \"System\", then \"About\".
  If \"Edition\" is not \"Windows 10 Enterprise\", this is a finding.
  If \"System type\" is not \"64-bit operating system…\", this is a finding."
  desc "fix", 'Use Windows 10 Enterprise 64-bit version for domain-joined systems.'
  describe os.arch do
    it { should eq 'x86_64' }
  end
  describe os.name do
    it { should eq 'windows_10_enterprise' }
  end
end
```
I'm not 100% sure I follow what is being asked here. Looking at the code right now, it seems we just look for all the fields in both documents all the time. Are there output examples for how the outputs need to differ? I'd prefer to avoid repeating the input parsing code if at all possible, I don't think it is necessary to repeat if we do it right.
After analyzing the xccdf files we have in the data/ directory, there doesn't seem to be an obvious way to detect if a file is a CIS vs STIG benchmark. It would probably be more reliable to just take a flag allowing the user to specify which format they want to convert, and then have required fields which we validate exist on export.
I think that having the user say what they want is a good way to handle it.
It would be best to implement #188 before doing this so that we don't end up with a total mess of our exporters.
This is implemented in the convert:spreadsheet2inspec with DISA/CIS mappings or within your own template file.
At the moment our *2inspec tools tend to create control templates that do not really align with the standard data of the input source. Basically we should have templates for STIG / SRG based profiles vs CIS profiles.
The tags and sub-descriptions change depending on the source.
I will add a template example for each on this issue.
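One way to combine the two suggestions above (an explicit format flag instead of sniffing the XCCDF, plus required fields validated at export, and a separate template per source). This is an added example, not inspec_tools code; the hash keys, method names and the trimmed templates are assumptions, with field names taken from the two template controls above.

```ruby
# Added example (not inspec_tools code): select the control template from an
# explicit benchmark-type flag and reject a row that lacks that template's fields.
# Field names mirror the two templates above; hash keys and method names are assumed.
require 'erb'
REQUIRED_FIELDS = {
  cis:  %w[id title desc rationale check fix cis_rid cis_level],
  stig: %w[id title desc check fix gid stig_id cci]
}.freeze
# String values go through #inspect so embedded quotes still produce valid Ruby.
TEMPLATES = {
  cis: <<~'ERB',
    control <%= c['id'].inspect %> do
      title <%= c['title'].inspect %>
      desc <%= c['desc'].inspect %>
      desc "rationale", <%= c['rationale'].inspect %>
      tag cis_rid: <%= c['cis_rid'].inspect %>
      tag cis_level: <%= c['cis_level'].to_i %>
      desc "check", <%= c['check'].inspect %>
      desc "fix", <%= c['fix'].inspect %>
    end
  ERB
  stig: <<~'ERB'
    control <%= c['id'].inspect %> do
      title <%= c['title'].inspect %>
      desc <%= c['desc'].inspect %>
      tag gid: <%= c['gid'].inspect %>
      tag stig_id: <%= c['stig_id'].inspect %>
      tag cci: <%= Array(c['cci']).inspect %>
      desc "check", <%= c['check'].inspect %>
      desc "fix", <%= c['fix'].inspect %>
    end
  ERB
}.freeze
# Required fields that are absent or blank in +control+ for +format+.
def missing_fields(control, format)
  fields = REQUIRED_FIELDS.fetch(format) { raise ArgumentError, "unknown format: #{format}" }
  fields.reject { |f| control.key?(f) && !control[f].to_s.strip.empty? }
end
# Render the control, or raise naming every missing field so the user fixes the
# source row instead of getting a half-filled control file.
def render_control(control, format)
  missing = missing_fields(control, format)
  raise ArgumentError, "#{format} control #{control['id']} is missing: #{missing.join(', ')}" unless missing.empty?
  ERB.new(TEMPLATES.fetch(format)).result_with_hash(c: control)
end
# Constructed sample row (values are placeholders, not from a real benchmark).
SAMPLE = { 'id' => 'C-1.1.1.1', 'title' => 'Ensure mounting of cramfs filesystems is disabled',
           'desc' => 'sample', 'rationale' => 'sample', 'check' => 'sample', 'fix' => 'sample',
           'cis_rid' => '1.1.1.1', 'cis_level' => 3 }.freeze
puts render_control(SAMPLE, :cis) if $PROGRAM_NAME == __FILE__
```

Passing the same row with `:stig` fails with a list of the STIG-only fields it lacks, which is the export-time validation the flag approach relies on.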