squinky86 / STIGQter

Open Source STIG Viewer Reimplementation
https://www.stigqter.com/
GNU General Public License v3.0

STIG Rule/Group ID Format Update (eMASS TRE Report) #66

Closed TheCleverEpithet closed 4 years ago

TheCleverEpithet commented 4 years ago

DISA is releasing "TEST" STIGs with new Group and Rule ID formats that will affect STIGQter

Ran a test case and found a problem:

TEST CASE:

* Downloaded latest Windows Server 2019 and RHEL 7 STIGs
* Imported into STIG Viewer
* Created 2 separate checklists
* Marked everything Open and saved
* Opened STIGQter and started a new DB/CCIs
* Imported the above STIGs into STIGQter
* Imported the above STIG Ckls into STIGQter
* Generated the eMASS TRE Report from reports menu

Repeated all of the above steps exactly with the new “TEST” STIGs published by DISA.

RESULTS (1)

In the TRE Report from STIGQter using the new “TEST” STIGs, it appears that this still runs (no crashes), however there is a problem with the output that is generated for each CCI:

Original/Correct: CCI-000016 “The following checks are open: WINDOWS-HOST-ORIGINAL-STIG: SV-103063r1_rule - CAT II - ORIGINAL-STIG”

TEST STIG/Incorrect: CCI-000016 “The following checks are open: WINDOWS-HOST-TEST-STIG: SV-205624r241927_rule - CAT II – TEST”

The issue appears to be more than just the SV number string as well; no part of the numbers matches the original mapping, and they appear to just increment (the last three digits before the 'r' - 204398r, 204399r, etc.) in the report, as shown in another example:

CCI-000057 “The following checks are open:
LINUX-HOST: SV-204398r241939_rule - CAT II - TEST
LINUX-HOST: SV-204399r241939_rule - CAT II - TEST
LINUX-HOST: SV-204400r241939_rule - CAT II - TEST
LINUX-HOST: SV-204401r241939_rule - CAT II - TEST
LINUX-HOST: SV-204402r241939_rule - CAT II - TEST
LINUX-HOST: SV-204403r241939_rule - CAT II - TEST
LINUX-HOST: SV-204404r241939_rule - CAT II - TEST”

RESULTS (2)

The same CCIs got included in both reports above using the original and TEST STIGs, except one: CCI-002080 and SV-103657r1_rule - CAT II. In the original/correct STIG test case, this CCI had a test result for this STIG check, but in the new “TEST” STIG test case, this CCI did not have any test result generated at all.

Let me know if you would like me to send you any of the files I used for these scenarios or if I can do anything else to assist.

TheCleverEpithet commented 4 years ago

In reference to:

STIG Update - DISA Posts Files to Test New STIG Group and Rule IDs


As noted in a recent news announcement, to provide increased flexibility for the future, DISA is updating the systems that produce Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs). The initial modification will be to change Group and Rule IDs (Vul and Subvul IDs). The previous Group and Rule IDs will be retained through the update as “legacy” IDs, presented as XCCDF ident elements. See the example below:

SRG-OS-000257-GPOS-00098
RHEL-07-010010
The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.
SV-86473
V-71849
CCI-001494
CCI-001496
CCI-002165
CCI-002235

These updates will necessitate a new version number for every STIG as it is converted to the new format. For example, if the old version/release of a STIG is V2R6, the updated version/release will be V3R1.

DISA has posted two manual STIGs (Windows Server 2019 and Red Hat Enterprise Linux 7) on DoD Cyber Exchange in the new format for review and testing, along with associated automated benchmarks. A new XSL stylesheet is included in the STIGs to handle the "legacy" identifiers. The next release of STIG Viewer will also be able to handle the "legacy" identifiers.

The STIG files each include a spreadsheet that maps the legacy Group ID, legacy Rule ID, and STIG ID to the new Rule ID.

* Microsoft Windows Server 2019 TEST STIG - Ver 2, Rel 0.3
* Red Hat Enterprise Linux 7 TEST STIG - Ver 3, Rel 0.3

https://public.cyber.mil/stigs/downloads/

If you have any comments after reviewing these samples, please email them to disa.stig_spt@mail.mil and note in the subject line "STIG Testing Comments."

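
The legacy-ident layout described in the announcement above, as an added example (not code from STIGQter or DISA): it reads the `ident` elements of each XCCDF Rule and builds a lookup from legacy Group/Rule IDs to the new Rule ID. The XML fragment is constructed; its new Group/Rule IDs are placeholders, the `system` URIs are assumptions, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XCCDF fragment. Legacy values are those quoted in the announcement;
# the new Group/Rule IDs are placeholders and the system URIs are assumed.
SAMPLE = """<Benchmark xmlns="http://checklist.nist.gov/xccdf/1.1">
  <Group id="V-999999">
    <title>SRG-OS-000257-GPOS-00098</title>
    <Rule id="SV-999999r111111_rule" severity="medium">
      <version>RHEL-07-010010</version>
      <ident system="http://cyber.mil/legacy">SV-86473</ident>
      <ident system="http://cyber.mil/legacy">V-71849</ident>
      <ident system="http://cyber.mil/cci">CCI-001494</ident>
      <ident system="http://cyber.mil/cci">CCI-001496</ident>
    </Rule>
  </Group>
</Benchmark>"""

# Matches both the old form (SV-103063r1_rule) and the new (SV-205624r241927_rule).
RULE_ID = re.compile(r"^(SV-\d+)r(\d+)_rule$")

def local(tag):
    """Drop the XML namespace so the match does not depend on the XCCDF version."""
    return tag.rsplit("}", 1)[-1]

def parse_rules(xml_text):
    """Return one record per Rule: new IDs, STIG ID, legacy IDs and CCIs."""
    rules = []
    for group in ET.fromstring(xml_text).iter():
        if local(group.tag) != "Group":
            continue
        for rule in (e for e in group if local(e.tag) == "Rule"):
            m = RULE_ID.match(rule.get("id", ""))
            idents = [e.text.strip() for e in rule if local(e.tag) == "ident" and e.text]
            rules.append({
                "group_id": group.get("id"),
                "rule_id": rule.get("id"),
                "rule_base": m.group(1) if m else None,  # ID without revision suffix
                "stig_id": next((e.text for e in rule if local(e.tag) == "version"), None),
                # Classify by value prefix so nothing depends on the system URI.
                "legacy": [i for i in idents if re.match(r"^S?V-\d+", i)],
                "ccis": [i for i in idents if i.startswith("CCI-")],
            })
    return rules

def legacy_index(rules):
    """Map each legacy Group/Rule ID to the new Rule ID, for re-keying old findings."""
    return {old: r["rule_id"] for r in rules for old in r["legacy"]}
```
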
squinky86 commented 4 years ago

Closing as duplicate of #69.