Closed TheCleverEpithet closed 1 year ago
The logic is being set up as follows:

- If a previous test result was imported, the test result is set to the previous one and the routine continues.
- If non-compliant checks are found, the CCI is set to Non-Compliant and the routine ends.
- If compliant checks are found, the CCI is set to Compliant and the routine ends.
- If not-applicable checks are found, the CCI is set to Not Applicable and the routine ends.

All other conditions are ignored for the Test Results import.
Working on testing it out now and will commit in a bit. I'd like for you to test it out for a bit too before the next release.
My biggest question: should the previous test results take precedence over a not applicable determination, or should not applicable results take precedence over the previous results?
Based on the specific need I am working toward for our organization, I think the mapped NA STIG checks should take priority over previous test results in the TRE/eMASS Sheet that is imported. But I'm sure there are probably use cases where the opposite could be true in other organizations.
Request that the "eMASS Test Results" report have an option (checkbox/toggle somewhere maybe to accommodate those who may not want this?) to include eMASS test results for "NA STIG Checks" where there are not otherwise Passed or Failed STIG Checks for a given CCI.
If there are any Passed/Compliant or Failed/Non-Compliant STIG checks mapped to a CCI then the mapping would continue as it works now - Failed Checks take priority and the test result entry is based on the NC/Failed checks. If there are no Failed checks, but there are Passed checks then it is Compliant and the test result entry is based on the passed check(s).
This would be an additional condition to check for STIG checks that were marked Not Applicable in the STIG checklist. For that mapped CCI, if there are no other mapped Failed STIG checks and there are no other mapped Passed STIG checks, but there is a mapped NA STIG check, then a Not Applicable test result would be created for that CCI that only has NA mapped STIG checks. (Again, Passed or Failed STIG checks still take priority just like it works now).
The test result could say something along the lines of "All associated technical STIG/SRG settings were determined to be Not Applicable. See [SV-999999], [SV-999999], etc."
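The precedence discussed in this thread, sketched as an added example (not the project's own code). The status strings, the function name `resolve_cci`, and the two toggles `include_na` and `na_over_previous` are assumptions made for illustration; the second toggle models the open question of whether NA checks or a previous test result should win.

```python
from typing import Iterable, Optional, Tuple

# Status strings are assumptions for this sketch, not the tool's own values.
FAILED, PASSED, NA = "Open", "NotAFinding", "Not_Applicable"
NA_TEXT = ("All associated technical STIG/SRG settings were determined "
           "to be Not Applicable. See ")

Result = Tuple[str, str]  # (test result, description)


def _refs(vuln_ids):
    return ", ".join(f"[{v}]" for v in vuln_ids)


def resolve_cci(checks: Iterable[Tuple[str, str]],
                previous: Optional[Result] = None,
                include_na: bool = True,
                na_over_previous: bool = True) -> Optional[Result]:
    """Resolve one CCI from its mapped (vuln_id, status) STIG checks.

    Failed checks win, then Passed checks. Only when neither exists do the
    NA checks and the previously imported result compete, in the order
    selected by na_over_previous. Returns None when nothing applies.
    """
    checks = list(checks)
    failed = [v for v, s in checks if s == FAILED]
    passed = [v for v, s in checks if s == PASSED]
    na = [v for v, s in checks if s == NA]

    if failed:
        return ("Non-Compliant", "See " + _refs(failed))
    if passed:
        return ("Compliant", "See " + _refs(passed))

    # NA result exists only if the option is enabled and NA checks are mapped.
    na_result = ("Not Applicable", NA_TEXT + _refs(na)) if include_na and na else None
    order = [na_result, previous] if na_over_previous else [previous, na_result]
    return next((r for r in order if r is not None), None)


if __name__ == "__main__":
    # Constructed sample data: vulnerability IDs and results are made up.
    prior = ("Compliant", "Imported from previous test result sheet")
    only_na = [("SV-000003", NA), ("SV-000004", NA)]
    print(resolve_cci(only_na, previous=prior))
    print(resolve_cci(only_na, previous=prior, na_over_previous=False))
    print(resolve_cci(only_na + [("SV-000001", FAILED)], previous=prior))
```
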