# 10. From STIG to Profile
# 10.1 Download STIG Requirements Here
Download the latest STIG Viewer located here STIG Viewer (opens new window)
Download the Red Hat Enterprise Linux 8 STIG - Ver 1, Rel 5 located here RHEL8 STIG Download (opens new window)
# 10.2 Convert the STIG XCCDF Benchmark to an InSpec Starter Profile
Timesaver Ahead!
We already converted the XCCDF STIG Benchmark into a starter profile using the saf generate xccdf2inspec_stub command using the correct flags, mapping file and other options.
The SAF CLI has the generate xccdf2inspec_stub sub-command which can help you quickly convert an XCCDF Benchmark document into the start of an InSpec Profile.
XCCDF to InSpec Stub
generate xccdf2inspec_stub Generate an InSpec profile stub from a DISA STIG XCCDF XML file
USAGE
$ saf generate xccdf2inspec_stub -i, --input=XML -o, --output=FOLDER
OPTIONS
-S, --useStigID Use STIG IDs (<Group/Rule/Version>) instead of Group IDs (ex. 'V-XXXXX') for InSpec Control IDs
-i, --input=input (required) Path to the DISA STIG XCCDF file
-l, --lineLength=lineLength [default: 80] Characters between lines within InSpec controls
-e, --encodingHeader Add the "# encoding: UTF-8" comment at the top of each control
-m, --metadata=metadata Path to a JSON file with additional metadata for the inspec.yml file
-o, --output=output (required) [default: profile]
-r, --useVulnerabilityId Use Vulnerability IDs (ex. 'SV-XXXXX') instead of Group IDs (ex. 'V-XXXXX') for InSpec control IDs
-s, --singleFile Output the resulting controls as a single file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
To learn how you can use the saf generate xccdf2stub, go to the saf-cli homepage which has all the options and capabilities as well as all the other utilities provided by the saf-cli, at https://saf-cli.mitre.org/#generate (opens new window).
# 10.3 Example 'Stub' Control SV-230502
Let's take a look at what one of the stubs created by the saf-cli generate xccdf2stub command:
control 'SV-230502' do
title 'The RHEL 8 file system automounter must be disabled unless required.'
desc "Automatically mounting file systems permits easy introduction of
unknown devices, thereby facilitating malicious activity."
desc 'rationale', ''
desc 'check', "
Verify the operating system disables the ability to automount devices.
Check to see if automounter service is active with the following command:
Note: If the autofs service is not installed, this requirement is not
applicable.
$ sudo systemctl status autofs
autofs.service - Automounts filesystems on demand
Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
Active: inactive (dead)
If the \"autofs\" status is set to \"active\" and is not documented with
the Information System Security Officer (ISSO) as an operational requirement,
this is a finding.
"
desc 'fix', "
Configure the operating system to disable the ability to automount devices.
Turn off the automount service with the following commands:
$ sudo systemctl stop autofs
$ sudo systemctl disable autofs
If \"autofs\" is required for Network File System (NFS), it must be
documented with the ISSO.
"
impact 0.5
tag severity: 'medium'
tag gtitle: 'SRG-OS-000114-GPOS-00059'
tag gid: 'V-230502'
tag rid: 'SV-230502r627750_rule'
tag stig_id: 'RHEL-08-040070'
tag fix_id: 'F-33146r568253_fix'
tag cci: ['CCI-000778']
tag nist: ['IA-3']
# ...add your describe blocks here ... #
end
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# 10.4 The completed SV-230502 Control
Let's take a look at how we would write the InSpec control for SV-230502:
control 'SV-230502' do
title 'The RHEL 8 file system automounter must be disabled unless required.'
desc "Automatically mounting file systems permits easy introduction of
unknown devices, thereby facilitating malicious activity."
desc 'rationale', ''
desc 'check', "
Verify the operating system disables the ability to automount devices.
Check to see if automounter service is active with the following command:
Note: If the autofs service is not installed, this requirement is not
applicable.
$ sudo systemctl status autofs
autofs.service - Automounts filesystems on demand
Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
Active: inactive (dead)
If the \"autofs\" status is set to \"active\" and is not documented with
the Information System Security Officer (ISSO) as an operational requirement,
this is a finding.
"
desc 'fix', "
Configure the operating system to disable the ability to automount devices.
Turn off the automount service with the following commands:
$ sudo systemctl stop autofs
$ sudo systemctl disable autofs
If \"autofs\" is required for Network File System (NFS), it must be
documented with the ISSO.
"
impact 0.5
tag severity: 'medium'
tag gtitle: 'SRG-OS-000114-GPOS-00059'
tag gid: 'V-230502'
tag rid: 'SV-230502r627750_rule'
tag stig_id: 'RHEL-08-040070'
tag fix_id: 'F-33146r568253_fix'
tag cci: ['CCI-000778']
tag nist: ['IA-3']
if virtualization.system.eql?('docker')
impact 0.0
describe "Control not applicable within a container" do
skip "Control not applicable within a container"
end
else
if package('autofs').installed?
describe systemd_service('autofs.service') do
it { should_not be_running }
it { should_not be_enabled }
it { should_not be_installed }
end
else
impact 0.0
describe 'The autofs service is not installed' do
skip 'The autofs service is not installed, this control is Not Applicable.'
end
end
end
end
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# 10.5 Getting Started on the RHEL8 baseline
# Controls we will demonstrate
- SV-230324 <---login_defs resource
- SV-230250 <---directory resource
- SV-230243 <---directory looping & file resource
- SV-230505 <---non applicable use case & package resource
# Suggested Controls to start on (Level 1)
- SV-230383 <---login_defs resource
- SV-230249 <---directory resource
- SV-230242 <---directory looping & file resource
- SV-230241 <---non applicable use case & package resource
# Suggested Controls to start on (Level 2)
- SV-230281 <---parse config file
- SV-230365 <---login_defs resource
- SV-230264 <---file content
# Suggested InSpec Resources to use
- command (opens new window)
- file (opens new window)
- directory (opens new window)
- parse_config_file (opens new window)
- package (opens new window)
- login_defs (opens new window)
# 10.6 Completed RHEL8 Profile for Reference
Below is the url to the completed RHEL8 Inspec Profile for reference, and a few things to take note of.
Key Elements in this Profile
- The use of
impact 0for NA & Container Aware Controls - How we make the controls
container aware, and - The
fail fastapproach to testing execution.