mitre / saf

The MITRE Security Automation Framework (SAF) Command Line Interface (CLI) brings together applications, techniques, libraries, and tools developed by MITRE and the security community to streamline security automation for systems and DevOps pipelines
https://saf-cli.mitre.org

saf convert hdf2ckl enhance metadata option to allow resulting CKL data to match manually created CKL with STIG Viewer #1473

Open rlakey opened 1 year ago

rlakey commented 1 year ago

When creating a CKL file in STIG Viewer manually, the metadata seen is different from the resulting CKL from SAF CLI, even when providing metadata.

For a basic CKL based on a single STIG the "title" text at the top of each control that references the "STIGRef" VULN_ATTRIBUTE for each control is not updated when applying metadata.

Also the "Class" VULN_ATTRIBUTE is not part of the metadata but is part of a manually created CKL.

For example, from a SAF CLI generated CKL:

<STIG_DATA>
    <VULN_ATTRIBUTE>Class</VULN_ATTRIBUTE>
    <ATTRIBUTE_DATA></ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
    <VULN_ATTRIBUTE>STIGRef</VULN_ATTRIBUTE>
    <ATTRIBUTE_DATA>VMware vSphere 8.0 ESXi STIG Readiness Guide </ATTRIBUTE_DATA>
</STIG_DATA>

From a STIG Viewer generated CKL:

<STIG_DATA>
    <VULN_ATTRIBUTE>Class</VULN_ATTRIBUTE>
    <ATTRIBUTE_DATA>Unclass</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
    <VULN_ATTRIBUTE>STIGRef</VULN_ATTRIBUTE>
    <ATTRIBUTE_DATA>VMware vSphere 8 ESXi STIG Readiness Guide :: Version 1, Release: 1 Benchmark Date: 11 Apr 2023</ATTRIBUTE_DATA>
</STIG_DATA>

This enhancement should also support results from InSpec profiles with dependent profiles that will contain results from multiple STIGs.

It would also be helpful to add more documentation around generating the metadata and what all of the fields are for, because some are not clear from the description, like "STIGID".
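A check for the two differences described in this issue, as an added example that is not part of the original issue or of SAF CLI: it flags any VULN whose Class is empty or whose STIGRef lacks the version, release and benchmark date seen in the STIG Viewer sample. The `<VULN>` wrapper around the two fragments and the STIGRef pattern are assumptions built from the samples above.

```python
import re
import xml.etree.ElementTree as ET

# Assumed STIGRef shape, taken from the STIG Viewer sample in this issue:
# "<title> :: Version 1, Release: 1 Benchmark Date: 11 Apr 2023"
STIGREF_RE = re.compile(
    r".+ :: Version \S+, Release: \S+ Benchmark Date: \d{1,2} \w{3} \d{4}$")

def stig_data(vuln):
    """Map each VULN_ATTRIBUTE to its ATTRIBUTE_DATA for one VULN element."""
    out = {}
    for sd in vuln.iter("STIG_DATA"):
        name = (sd.findtext("VULN_ATTRIBUTE") or "").strip()
        out[name] = (sd.findtext("ATTRIBUTE_DATA") or "").strip()
    return out

def check_vuln(vuln):
    """Return the metadata problems found in one VULN element."""
    data = stig_data(vuln)
    problems = []
    if not data.get("Class"):
        problems.append("Class is empty or missing")
    if not STIGREF_RE.match(data.get("STIGRef", "")):
        problems.append("STIGRef lacks version/release/benchmark date")
    return problems

def check_ckl(xml_text):
    """Return (vuln_index, problems) for every VULN with a metadata problem."""
    root = ET.fromstring(xml_text)
    findings = []
    for i, vuln in enumerate(root.iter("VULN")):  # includes root if it is a VULN
        problems = check_vuln(vuln)
        if problems:
            findings.append((i, problems))
    return findings

# Constructed inputs: the two fragments from this issue, wrapped in <VULN>.
SAF_SAMPLE = """<VULN>
<STIG_DATA><VULN_ATTRIBUTE>Class</VULN_ATTRIBUTE><ATTRIBUTE_DATA></ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>STIGRef</VULN_ATTRIBUTE><ATTRIBUTE_DATA>VMware vSphere 8.0 ESXi STIG Readiness Guide </ATTRIBUTE_DATA></STIG_DATA>
</VULN>"""
VIEWER_SAMPLE = """<VULN>
<STIG_DATA><VULN_ATTRIBUTE>Class</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Unclass</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>STIGRef</VULN_ATTRIBUTE><ATTRIBUTE_DATA>VMware vSphere 8 ESXi STIG Readiness Guide :: Version 1, Release: 1 Benchmark Date: 11 Apr 2023</ATTRIBUTE_DATA></STIG_DATA>
</VULN>"""

if __name__ == "__main__":
    for label, sample in (("SAF CLI", SAF_SAMPLE), ("STIG Viewer", VIEWER_SAMPLE)):
        print(label, check_ckl(sample) or "OK")
```

Because `check_ckl` iterates over every `VULN` element, the same function can be pointed at a full CKL file's contents to list each control with incomplete metadata before the checklist is handed to an auditor.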

buckmaster60 commented 1 year ago

Ryan Lakey opened this on our behalf. Any movement? So close to being an awesome project, but with bad header info in the CKLs it really is not usable. No govy auditor would accept these CKLs.

Please advise.

buckmaster60 commented 1 year ago

How do we raise awareness of this issue? CKLs using SAF convert are not useful, as auditors will never accept a CKL without proper header information. Big Red Flag.

georgedias commented 7 months ago

Update the SAF CLI convert hdf2ckl to match updates implemented in the Heimdall Export as Checklist process