11. From STIG to Profile

Aaron Lippold, about 11 min

You have seen in some of our examples in this class that a robust profile's controls will include a large number of metadata tags:

InSpec control with many STIG-related tags

Taken from the SAF RHEL7 profile:

control 'SV-204392' do
  title 'The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership,
    and group membership of system files and commands match the vendor values.'
  desc 'Discretionary access control is weakened if a user or group has access permissions to system files and
    directories greater than the default.'
  desc 'check', ...
  desc 'fix', ...
  impact 0.7
  tag legacy: ['V-71849', 'SV-86473']
  tag severity: 'high'
  tag gtitle: 'SRG-OS-000257-GPOS-00098'
  tag satisfies: ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000278-GPOS-00108']
  tag gid: 'V-204392'
  tag rid: 'SV-204392r880752_rule'
  tag stig_id: 'RHEL-07-010010'
  tag fix_id: 'F-36302r880751_fix'
  tag cci: ['CCI-001494', 'CCI-001496', 'CCI-002165', 'CCI-002235']
  tag nist: ['AU-9', 'AU-9 (3)', 'AC-3 (4)', 'AC-6 (10)']
  tag subsystems: ['permissions', 'package', 'rpm']
  tag 'host'
  tag 'container'

  describe the_actual_test do # the actual describe block appears on line 54 of this control!
    ...
  end
end

We really do not want to be stuck labeling all of these controls by hand. Let's cheat and use the SAF CLI benchmark generator.

Download STIG Requirements

First, let's discuss where all of that metadata comes from in the first place -- the baseline security guidance that we are automating using InSpec. We'll crack open a STIG XCCDF XML file to show you where the control metadata is sourced from.

Download the latest STIG Viewer from the DISA STIG Viewer page.

[Figure: Downloading STIG Viewer]

Download the Red Hat Enterprise Linux 8 STIG from the RHEL8 STIG download page.

(The RHEL8 STIG is at version 1, release 5 at time of writing, but may have been updated by the time you downloaded. This will not affect how we use the STIG in this class.)

[Figure: Downloading STIGs]

Convert the STIG XCCDF Benchmark To an InSpec Stubs Profile

Timesaver Ahead!

We already converted the XCCDF STIG Benchmark into a starter profile using the saf generate xccdf_benchmark2inspec_stub command using the correct flags, mapping file and other options. In a moment we will show you how to grab our pre-made profile that we generated with the SAF CLI.

The SAF CLI has the generate xccdf_benchmark2inspec_stub sub-command which can help you quickly convert an XCCDF Benchmark document into the start of an InSpec Profile.

To learn how you can use saf generate xccdf_benchmark2inspec_stub or any other SAF CLI command, go to the saf-cli homepage or use the built-in help. The help command for the sub-command that generates InSpec profile stubs is below.

Command
saf generate xccdf_benchmark2inspec_stub --help

How to Get the Pre-made Profile

We have a pre-made profile generated with the saf generate xccdf_benchmark2inspec_stub command sitting on the Resources page for these classes. For the purposes of this class, you'll need to download it into your Codespaces library. You can do this with the wget shell command.

Fetching the pre-made profile with wget
wget https://github.com/mitre/inspec-profile-developer-course-lab-environment/raw/main/resources/rhel8-baseline-stubs.tar.gz

Once you've used wget to grab the compressed profile, we need to uncompress it so that we can work with the control files inside.

Uncompressing the profile
tar zxvfp ./rhel8-baseline-stubs.tar.gz

Example 'Stub' Control SV-230502

Let's take a look at one of the stub InSpec controls created by the saf generate xccdf_benchmark2inspec_stub command and the completed InSpec control.

Stub Generated InSpec Control
control 'SV-230502' do
  title 'The RHEL 8 file system automounter must be disabled unless required.'
  desc  "Automatically mounting file systems permits easy introduction of
unknown devices, thereby facilitating malicious activity."
  desc  'rationale', ''
  desc  'check', "
    Verify the operating system disables the ability to automount devices.

    Check to see if automounter service is active with the following command:

    Note: If the autofs service is not installed, this requirement is not
applicable.

    $ sudo systemctl status autofs

    autofs.service - Automounts filesystems on demand
    Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
    Active: inactive (dead)

    If the \"autofs\" status is set to \"active\" and is not documented with
the Information System Security Officer (ISSO) as an operational requirement,
this is a finding.
  "
  desc 'fix', "
    Configure the operating system to disable the ability to automount devices.

    Turn off the automount service with the following commands:

    $ sudo systemctl stop autofs
    $ sudo systemctl disable autofs

    If \"autofs\" is required for Network File System (NFS), it must be
documented with the ISSO.
  "
  impact 0.5
  tag severity: 'medium'
  tag gtitle: 'SRG-OS-000114-GPOS-00059'
  tag gid: 'V-230502'
  tag rid: 'SV-230502r627750_rule'
  tag stig_id: 'RHEL-08-040070'
  tag fix_id: 'F-33146r568253_fix'
  tag cci: ['CCI-000778']
  tag nist: ['IA-3']

  # ...add your describe blocks here ... #

end

Where did the metadata tags come from?

From the structured data inside the published STIG document's XCCDF XML file. The saf generate tool simply reformats it into an InSpec control.

Where did the describe block come from?

From the real MITRE SAF RHEL8 InSpec profile. Note that the control accounts for a few more edge cases than what we've done in this class, but it's still recognizably just a bunch of entities and expectations wrapped in describe blocks.

You may note that these InSpec controls feature a set of metadata tags -- impact, severity, and alignment back to requirements such as a NIST control family. All of that metadata was taken from the original XCCDF document that we used to create this profile; the SAF CLI automatically added it to the profile controls. These tags are the reason that tools like Heimdall can sort and display data in high fidelity. This is the benefit of using the SAF CLI to generate profiles straight off of the original benchmark documentation where possible -- tagging the controls with the requirement that they are testing means that reading a control will tell you not only what you are testing, but why!
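To make the "reformats it into an InSpec control" step concrete, here is a small Ruby script that does the same extraction the SAF CLI's generator performs: it walks the XCCDF Group/Rule elements and emits a stub control carrying the same tags. This is an added example, not code from this course or from the SAF CLI (which is written in TypeScript). It assumes a constructed XCCDF fragment built from the SV-230502 values shown above (not the real DISA file), a hypothetical CCI_TO_NIST hash standing in for the mapping file the generator reads, and the severity-to-impact convention visible in the page's controls (high 0.7, medium 0.5; low 0.3 is assumed).

```ruby
require 'rexml/document'

# Constructed XCCDF fragment modelled on the RHEL 8 STIG entry for SV-230502.
# Values are the ones shown in the stub control above; this is not the real DISA file.
SAMPLE_XCCDF = <<~XML
  <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL_8_STIG">
    <Group id="V-230502">
      <title>SRG-OS-000114-GPOS-00059</title>
      <Rule id="SV-230502r627750_rule" weight="10.0" severity="medium">
        <version>RHEL-08-040070</version>
        <title>The RHEL 8 file system automounter must be disabled unless required.</title>
        <description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;</description>
        <ident system="http://cyber.mil/cci">CCI-000778</ident>
        <fixtext fixref="F-33146r568253_fix">Configure the operating system to disable the ability to automount devices.</fixtext>
        <check>
          <check-content>Verify the operating system disables the ability to automount devices.</check-content>
        </check>
      </Rule>
    </Group>
  </Benchmark>
XML

# Severity -> impact convention used by SAF profiles (low => 0.3 is an assumption here).
SEVERITY_TO_IMPACT = { 'high' => 0.7, 'medium' => 0.5, 'low' => 0.3 }.freeze

# Hypothetical stand-in for the CCI-to-NIST 800-53 mapping file the real generator loads.
CCI_TO_NIST = { 'CCI-000778' => ['IA-3'] }.freeze

# Direct child element lookup by local name (sidesteps default-namespace XPath quirks).
def child(el, name)
  el.elements.to_a.find { |e| e.name == name }
end

def text_of(el)
  el ? el.text.to_s.strip : ''
end

# DISA embeds escaped XML (<VulnDiscussion>...</VulnDiscussion>) inside <description>;
# only the discussion body becomes the control's desc.
def vuln_discussion(description)
  m = description.match(%r{<VulnDiscussion>(.*?)</VulnDiscussion>}m)
  (m ? m[1] : description).strip
end

# Pull every tag value the stub control needs out of one <Group>/<Rule> pair.
def rule_metadata(group)
  rule = child(group, 'Rule')
  severity = rule.attributes['severity']
  ccis = rule.elements.to_a.select { |e| e.name == 'ident' }.map { |e| e.text.strip }
  {
    gid: group.attributes['id'],                      # tag gid
    gtitle: text_of(child(group, 'title')),           # tag gtitle (SRG id)
    rid: rule.attributes['id'],                       # tag rid
    stig_id: text_of(child(rule, 'version')),         # tag stig_id
    title: text_of(child(rule, 'title')),
    desc: vuln_discussion(text_of(child(rule, 'description'))),
    check: text_of(child(child(rule, 'check'), 'check-content')),
    fix: text_of(child(rule, 'fixtext')),
    fix_id: child(rule, 'fixtext').attributes['fixref'],
    severity: severity,
    impact: SEVERITY_TO_IMPACT.fetch(severity),
    cci: ccis,
    nist: ccis.flat_map { |c| CCI_TO_NIST.fetch(c, []) }.uniq
  }
end

# SV-230502r627750_rule -> SV-230502 (the revision suffix is dropped for the control id).
def control_id(rid)
  rid.sub(/r\d+_rule\z/, '')
end

def render_control(m)
  <<~RUBY
    control '#{control_id(m[:rid])}' do
      title #{m[:title].inspect}
      desc #{m[:desc].inspect}
      desc 'check', #{m[:check].inspect}
      desc 'fix', #{m[:fix].inspect}
      impact #{m[:impact]}
      tag severity: #{m[:severity].inspect}
      tag gtitle: #{m[:gtitle].inspect}
      tag gid: #{m[:gid].inspect}
      tag rid: #{m[:rid].inspect}
      tag stig_id: #{m[:stig_id].inspect}
      tag fix_id: #{m[:fix_id].inspect}
      tag cci: #{m[:cci].inspect}
      tag nist: #{m[:nist].inspect}

      # ...add your describe blocks here ... #
    end
  RUBY
end

# One stub control per <Group> in the benchmark.
def generate_stubs(xml)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.select { |e| e.name == 'Group' }
     .map { |g| render_control(rule_metadata(g)) }
end

puts generate_stubs(SAMPLE_XCCDF) if $PROGRAM_NAME == __FILE__
```

Every tag in the emitted stub traces back to a specific XCCDF element or attribute, which is the point of the course's "where did the metadata tags come from?" question: the generator adds nothing of its own except the severity-to-impact conversion and the CCI-to-NIST lookup from the mapping file.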

STIGs

For more background on STIGs, see the SAF Guidance content.