Closed potatoqualitee closed 2 years ago
@potatoqualitee
The InSpec profiles that are a part of this repo are not "generated"; they are developed using the resources managed by Chef, excluding of course the InSpec PowerCLI open source resource (think of them as Ansible modules or a library) that allows for the compliance as code checks you see in this project. The way the VMware folks have laid out each control (i.e. each .rb file) is simply a C&P of the DISA STIG data (or in this case what will be released in the next DISA version of VMware STIGs).
I don't mean to speak for the VMware folks, but InSpec is an open source tool and the resources, including the open source ones such as the one used by this project, are not behind any sort of paywall, so nothing is stopping you from branching off this project and making changes or simply new checks.
Check out https://docs.chef.io/inspec/resources to learn more. (I am not a Ruby developer and can without issue leverage these resources to complete all sorts of compliance as code checks for other DoD/DISA STIGs.)
Again, I don't mean to speak for the VMware folks but figured I'd answer to help you get rolling faster.
Thank you, @HerbBoy. I was indeed intending to submit PRs with new checks and am surprised that this is such a manual process. inspec_tools does some pretty cool things, so I figured that perhaps it was used in some way against newer versions of the SRG.
My initial contribution will hopefully be a linter, but perhaps after that, I can create something in PowerShell to autogen using at least parts of https://github.com/potatoqualitee/stigtools. I realize that's a pretty lofty goal, we'll see!
The metadata for the control files was generated using a tool to read in data from a csv or xccdf file. I definitely wasn't going to copy and paste and format all of that data by hand!
We were using: https://github.com/mitre/inspec_tools but it has been deprecated in favor of: https://github.com/mitre/saf
The tests themselves were written of course after the profile was generated with the tools above and added to the control files.
Great to know, thank you @rlakey.
I tried it with saf but ran into an issue. I extracted the VMware_vSphere_7.0_STIG_Readiness_Guide-V1R2.zip file included in this repo and attempted to run it but ran into a
```
[1s] C:/github❯ saf generate:xccdf2inspec_stub --input="C:\Archive\Downloads\vmware-cloud-foundation-42-stig-readiness-guide-20210930\VMware_vSphere_7.0_STIG_Readiness_Guide-V1R2\VMware_vSphere_7.0_ESXI_STIG_Readiness_Guide-xccdf.xml" --output=C:\temp\stub
TypeError: Cannot read properties of undefined (reading '@_id')
## Didn't work so I thought perhaps it was a path issue
[689ms] C:/github❯ cd C:\Archive\Downloads\vmware-cloud-foundation-42-stig-readiness-guide-20210930\VMware_vSphere_7.0_STIG_Readiness_Guide-V1R2
[638ms] C:/Archive/Downloads/vmware-cloud-foundation-42-stig-readiness-guide-20210930/VMware_vSphere_7.0_STIG_Readiness_Guide-V1R2❯ saf generate:xccdf2inspec_stub --input="VMware_vSphere_7.0_ESXI_STIG_Readiness_Guide-xccdf.xml" --output=C:\temp\newstub
TypeError: Cannot read properties of undefined (reading '@_id')
```
(Whoops, that was another XCCDF, but I did use the one in the repo too after noticing my error and it still gave the same problem.)
Any idea on what's going on? Either way, going to try inspec_tools as I know they work in my environment with ease.
I would guess it's because I didn't have vul ids or rule ids defined in some of the earlier XCCDF documents we created and that's what the tool is looking for to key off of instead of STIG ID.
I'm encountering a similar issue with inspec_tools -- would you be able to share any metadata files you have or how you were able to get it to work? Here's the command I tried, along with its results:
```
inspec_tools xccdf2inspec -x "C:\Archive\Downloads\vmware-cloud-foundation-42-stig-readiness-guide-20210930\VMware_vSphere_7.0_STIG_Readiness_Guide-V1R2\VMware_vSphere_7.0_ESXI_STIG_Readiness_Guide-xccdf.xml" -o yes --replace-tags 'ESX FQDN'
Traceback (most recent call last):
12: from C:/opscode/inspec/embedded/bin/inspec_tools:32:in `<main>'
11: from C:/opscode/inspec/embedded/bin/inspec_tools:32:in `load'
10: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec_tools-3.1.0/exe/inspec_tools:14:in `<top (required)>'
9: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-4.52.9/lib/inspec/base_cli.rb:35:in `start'
8: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/thor-1.1.0/lib/thor/base.rb:485:in `start'
7: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/thor-1.1.0/lib/thor.rb:392:in `dispatch'
6: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/thor-1.1.0/lib/thor/invocation.rb:127:in `invoke_command'
5: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/thor-1.1.0/lib/thor/command.rb:27:in `run'
4: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec_tools-3.1.0/lib/inspec_tools/plugin_cli.rb:41:in `xccdf2inspec'
3: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec_tools-3.1.0/lib/inspec_tools/xccdf.rb:32:in `to_inspec'
2: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec_tools-3.1.0/lib/inspec_tools/xccdf.rb:126:in `insert_controls'
1: from C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec_tools-3.1.0/lib/inspec_tools/xccdf.rb:126:in `each'
C:/opscode/inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec_tools-3.1.0/lib/inspec_tools/xccdf.rb:139:in `block in insert_controls': undefined method `id' for nil:NilClass (NoMethodError)
```
@rlakey are you looking for any help here? I still haven't been able to move forward.
This isn't a conversion I normally make because I have the source spreadsheets so that's what I generate the InSpec profiles off of and not xccdf.
I looked at the new replacement for inspec_tools, which is saf cli, and it looks like this error is probably because we have no fix id for our rules.
https://github.com/mitre/saf/blob/main/src/commands/generate/xccdf2inspec_stub.ts#L135
Ahh! Makes sense. What is the reason you decided against using the xccdf? I haven't yet got it to work so haven't seen the pros/cons. I imagine it comes with a lot of extra info.
I'll file an issue with saf and ask them to handle XCCDFs without fixids.
The xccdf artifact is created later in the process after InSpec for myself. I also wasn't originally creating an xccdf file.
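A pre-flight check for the failure discussed in this thread, added here as an example and not part of the original comments or of saf/inspec_tools: it lists the XCCDF rules that lack the identifiers named above (Group/vuln id, Rule id, fix id) before a converter is run. The sample XCCDF and the helper names `walk` and `missing_identifiers` are constructed, and the set of identifiers checked is an assumption based on the guesses in the comments, not on the converters' source.

```ruby
require 'rexml/document'

# Constructed sample, not taken from the VMware readiness guide: the first
# rule carries every identifier, the second has no Group id and no <fix id>.
SAMPLE_XCCDF = <<~XML
  <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
    <Group id="V-000001">
      <Rule id="SV-000001r1_rule" severity="medium">
        <version>SAMP-00-000001</version>
        <title>Complete rule</title>
        <fixtext fixref="F-000001r1_fix">Set the value.</fixtext>
        <fix id="F-000001r1_fix"/>
      </Rule>
    </Group>
    <Group>
      <Rule id="SAMP-00-000002" severity="medium">
        <version>SAMP-00-000002</version>
        <title>Rule keyed only by STIG ID</title>
        <fixtext>Set the other value.</fixtext>
      </Rule>
    </Group>
  </Benchmark>
XML

# Depth-first walk over every element below +node+ (namespace-agnostic).
def walk(node, &blk)
  node.elements.each { |e| blk.call(e); walk(e, &blk) }
end

# Returns { rule label => [missing identifiers] } for each incomplete Rule.
def missing_identifiers(xml)
  blank = ->(v) { v.to_s.strip.empty? }
  report = {}
  walk(REXML::Document.new(xml).root) do |rule|
    next unless rule.name == 'Rule'
    group   = rule.parent.name == 'Group' ? rule.parent : nil
    fix     = rule.elements.find { |c| c.name == 'fix' }
    version = rule.elements.find { |c| c.name == 'version' }&.text
    missing = []
    missing << 'Group id (vuln id)' if group.nil? || blank.(group.attributes['id'])
    missing << 'Rule id' if blank.(rule.attributes['id'])
    missing << 'fix id' if fix.nil? || blank.(fix.attributes['id'])
    label = [rule.attributes['id'], version].find { |v| !blank.(v) } || '(unnamed rule)'
    report[label] = missing unless missing.empty?
  end
  report
end

missing_identifiers(SAMPLE_XCCDF).each { |r, m| puts "#{r}: missing #{m.join(', ')}" } if __FILE__ == $PROGRAM_NAME
```
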
Is your feature request related to a problem? Please describe.
I'm interested in creating new inspec checks, but hooh, that's a lot of escaped text! Were the inspec checks created by using a tool? If so, how can I reproduce the process?
Thank you all so very much for this, btw. After some initial hurdles with using it on Windows, the inspec checks saved me weeks of work.
Describe the solution you'd like
Instructions on how to add new checks
Describe alternatives you've considered
N/A, I don't know much about Ruby at all.
Additional context
No response