mitre / inspec_tools

A command-line and ruby API of utilities, converters and tools for creating, converting and processing security baseline formats, results and data
https://inspec-tools.mitre.org/

inspec2xccdf doesn't support desc 'check' or 'fix' syntax #238

Closed rlakey closed 3 years ago

rlakey commented 3 years ago

inspec2xccdf looks to only support the older tag check/fix syntax and not the newer desc 'check' or 'fix' syntax. This results in check/fix text being N/A in the resulting xccdf for these newer profiles.

csv2inspec and xccdf2inspec create profiles in this newer format.

New syntax example:

desc  'check', "
    At the command prompt, execute the following command:

    # xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml |
sed 's/xmlns=\".*\"//g' | xmllint --xpath
'/web-app/session-config/cookie-config/http-only' -

    Expected result:

    <http-only>true</http-only>

    If the output does not match the expected result, this is a finding.
  "

Old syntax example:

tag check: "At the command prompt, execute the following command:
# xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed
's/xmlns=\".*\"//g' | xmllint --xpath
'/web-app/session-config/cookie-config/http-only' -
Expected result:
<http-only>true</http-only>
If the output does not match the expected result, this is a finding."

Result in STIG viewer: (screenshot omitted)

rlakey commented 3 years ago

FYI I updated my from_inspec.rb with the new code in the pull request I linked and got it to work.

https://github.com/mitre/inspec_tools/pull/226/commits/897c315ad086ec429c2945d2dbe94897f8188ae2

        if control.key?('descriptions') # new (post-2020) inspec output places check, fix, and rationale fields in a descriptions block
          c_data[c_id]['check']          = control['descriptions']['check'] || DATA_NOT_FOUND_MESSAGE
          c_data[c_id]['fix']            = control['descriptions']['fix'] || DATA_NOT_FOUND_MESSAGE
          c_data[c_id]['rationale']      = control['descriptions']['rationale'] || DATA_NOT_FOUND_MESSAGE
        else # old inspec output places check, fix, and rationale in the tags block
          c_data[c_id]['check']          = control['tags']['check'] || DATA_NOT_FOUND_MESSAGE
          c_data[c_id]['fix']            = control['tags']['fix'] || DATA_NOT_FOUND_MESSAGE
          c_data[c_id]['rationale']      = control['tags']['rationale'] || DATA_NOT_FOUND_MESSAGE
        end
rlakey commented 3 years ago

This code also worked for me. This was run on Windows too.

        # new (post-2020) inspec output places check, fix, and rationale fields in a descriptions block
        if control['descriptions'].is_a?(Hash) && control['descriptions'].key?('check') && control['descriptions'].key?('fix') && control['descriptions'].key?('rationale')
          c_data[c_id]['check']          = control['descriptions']['check'] || DATA_NOT_FOUND_MESSAGE
          c_data[c_id]['fix']            = control['descriptions']['fix'] || DATA_NOT_FOUND_MESSAGE
          c_data[c_id]['rationale']      = control['descriptions']['rationale'] || DATA_NOT_FOUND_MESSAGE
        else
          c_data[c_id]['check']          = control['tags']['check'] || DATA_NOT_FOUND_MESSAGE
          c_data[c_id]['fix']            = control['tags']['fix'] || DATA_NOT_FOUND_MESSAGE
          c_data[c_id]['rationale']      = control['tags']['rationale'] || DATA_NOT_FOUND_MESSAGE
        end
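The two layouts described in this thread (check/fix/rationale under a `descriptions` block for profiles written with `desc 'check', ...`, under `tags` for profiles written with `tag check: ...`) can be resolved with a single per-field lookup. The block below is an added example, not inspec_tools' own code nor the patch linked above; it assumes `DATA_NOT_FOUND_MESSAGE` is the "N/A" placeholder the issue reports seeing in the XCCDF, and it assumes (beyond what the issue shows) that `descriptions` may also arrive as an array of label/data pairs, which is how the InSpec exec JSON reporter emits it. Unlike the snippets posted above, it falls back per field rather than all-or-nothing, so a control that mixes `desc 'check'` with `tag fix:` still converts, and it tolerates a control with no `tags` key at all.

```ruby
# Added example (not from the inspec_tools project): resolve check/fix/rationale
# text for each control in `inspec json` output, whichever layout the profile uses.
require 'json'

DATA_NOT_FOUND_MESSAGE = 'N/A'.freeze          # assumed value of the converter's placeholder
TEXT_FIELDS = %w[check fix rationale].freeze

def blank?(value)
  value.nil? || value.to_s.strip.empty?
end

# Normalise the control's `descriptions` element to a flat Hash.
# `inspec json` emits a Hash ({"check" => "..."}); the exec JSON reporter emits an
# Array of {"label" => ..., "data" => ...} pairs (assumption: handled for completeness,
# the issue itself only shows the Hash form).
def descriptions_hash(control)
  descs = control['descriptions']
  case descs
  when Hash
    descs
  when Array
    descs.each_with_object({}) { |d, h| h[d['label']] = d['data'] if d.is_a?(Hash) }
  else
    {}
  end
end

# One field: new-style descriptions block first, then the old tags block, then the
# placeholder. Per-field fallback means a half-migrated profile still converts cleanly.
def control_text(control, field)
  value = descriptions_hash(control)[field]
  value = (control['tags'] || {})[field] if blank?(value)
  blank?(value) ? DATA_NOT_FOUND_MESSAGE : value
end

def extract_text_fields(control)
  TEXT_FIELDS.each_with_object({}) { |f, h| h[f] = control_text(control, f) }
end

def extract_all(profile)
  profile['controls'].each_with_object({}) { |c, h| h[c['id']] = extract_text_fields(c) }
end

# Constructed sample input shaped like `inspec json` output: one control per layout,
# one mixed, one with neither (the case that produced "N/A" in the issue).
SAMPLE_PROFILE = JSON.parse(<<~INPUT)
  { "controls": [
    { "id": "V-NEW",  "descriptions": { "default": "desc", "check": "Run xmllint and compare output", "fix": "Set http-only to true" }, "tags": { "severity": "medium" } },
    { "id": "V-OLD",  "tags": { "check": "old check", "fix": "old fix", "rationale": "old why" } },
    { "id": "V-MIX",  "descriptions": { "check": "new check" }, "tags": { "fix": "old fix" } },
    { "id": "V-NONE", "tags": {} }
  ] }
INPUT

if $PROGRAM_NAME == __FILE__
  extract_all(SAMPLE_PROFILE).each { |id, fields| puts "#{id}: #{fields.inspect}" }
end
```

Run it directly to print the resolved fields for the four constructed controls; `V-MIX` is the case neither snippet above handles, since the second one requires all three keys to be present in `descriptions` before it will look there at all.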