11. From STIG to Profile
From STIG to Profile
You have seen in some of our examples in this class that a robust profile's controls will include a large number of metadata tags:
InSpec control with many STIG-related tags
Taken from the SAF RHEL7 profile:
control 'SV-204392' do
title 'The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership,
and group membership of system files and commands match the vendor values.'
desc 'Discretionary access control is weakened if a user or group has access permissions to system files and
directories greater than the default.'
desc 'check', ...
desc 'fix', ...
impact 0.7
tag legacy: ['V-71849', 'SV-86473']
tag severity: 'high'
tag gtitle: 'SRG-OS-000257-GPOS-00098'
tag satisfies: ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000278-GPOS-00108']
tag gid: 'V-204392'
tag rid: 'SV-204392r880752_rule'
tag stig_id: 'RHEL-07-010010'
tag fix_id: 'F-36302r880751_fix'
tag cci: ['CCI-001494', 'CCI-001496', 'CCI-002165', 'CCI-002235']
tag nist: ['AU-9', 'AU-9 (3)', 'AC-3 (4)', 'AC-6 (10)']
tag subsystems: ['permissions', 'package', 'rpm']
tag 'host'
tag 'container'
describe the_actual_test do # the actual describe block appears on line 54 of this control!
...
end
end
We really do not want to stuck with labeling all of these controls by hand. Let's cheat and use the SAF CLI benchmark generator.
Download STIG Requirements
First, let's discuss where all of that metadata comes from in the first place -- the baseline security guidance that we are automating using InSpec. We'll crack open a STIG XCCDF XML file to show you where the control metadata is sourced from.
Download the latest STIG Viewer located here STIG Viewer.
Download the Red Hat Enterprise Linux 8 STIG
located here RHEL8 STIG Download
(The RHEL8 STIG is at version 1, release 5 at time of writing, but may have been updated by the time you downloaded. This will not affect how we use the STIG in this class.)
Convert the STIG XCCDF Benchmark To an InSpec Stubs Profile
Timesaver Ahead!
We already converted the XCCDF STIG Benchmark into a starter profile using the saf generate xccdf_benchmark2inspec_stub
command using the correct flags, mapping file and other options. In a moment we will show you how to grab our pre-made profile that we generated with the SAF CLI.
The SAF CLI has the generate xccdf_benchmark2inspec_stub
sub-command which can help you quickly convert an XCCDF Benchmark document into the start of an InSpec Profile.
To learn how you can use the saf generate xccdf_benchmark2inspec_stub
or any other saf
cli command, go to the saf-cli homepage or use the help commands. An example help command to generate the stubs of the InSpec profile is below.
saf generate xccdf_benchmark2inspec_stub --help
Translate an XCCDF benchmark file to a skeleton for an InSpec profile
USAGE
$ saf saf generate xccdf_benchmark2inspec_stub -i <stig-xccdf-xml> [-o <output-folder>] [-h] [-m <metadata-json>] [-T
(rule|group|cis|version)] [-s] [-L (info|warn|debug|verbose)]
FLAGS
-L, --logLevel=<option> [default: info]
<options: info|warn|debug|verbose>
-O, --ovalDefinitions=<value> Path to an OVAL definitions file to populate profile elements that reference OVAL definitions
-T, --idType=<option> [default: rule] Control ID Types: 'rule' - Vulnerability IDs (ex. 'SV-XXXXX'), 'group' - Group IDs (ex.
'V-XXXXX'), 'cis' - CIS Rule IDs (ex. C-1.1.1.1), 'version' - Version IDs (ex. RHEL-07-010020 - also
known as STIG IDs)
<options: rule|group|cis|version>
-h, --help Show CLI help.
-i, --input=<value> (required) Path to the XCCDF benchmark file
-m, --metadata=<value> Path to a JSON file with additional metadata for the inspec.yml file
-o, --output=<value> [default: profile] The output folder to write the generated InSpec content
-s, --singleFile Output the resulting controls as a single file
DESCRIPTION
Translate an XCCDF benchmark file to a skeleton for an InSpec profile
EXAMPLES
$ saf generate xccdf_benchmark2inspec_stub -i ./U_RHEL_6_STIG_V2R2_Manual-xccdf.xml -T group --logLevel debug -r rhel-6-update-report.md
$ saf generate xccdf_benchmark2inspec_stub -i ./CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v1.1.0-xccdf.xml -O ./CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v1.1.0-oval.xml --logLevel debug
How to Get the Pre-made Profile
We have a pre-made profile generated with the saf generate xccdf_benchmark2inspec_stub
command sitting on the Resources page for these classes. For the purposes of this class, you'll need to download it into your Codespaces library. You can do this with the wget
shell command.
wget
wget https://github.com/mitre/inspec-profile-developer-course-lab-environment/raw/main/resources/rhel8-baseline-stubs.tar.gz
/workspaces/saf-training-lab-environment/rhel8-baseline-stubs (main) $ wget https://github.com/mitre/inspec-profile-developer-course-lab-environment/raw/main/resources/rhel8-baseline-stubs.tar.gz
--2023-02-09 14:51:56-- https://github.com/mitre/inspec-profile-developer-course-lab-environment/raw/main/resources/rhel8-baseline-stubs.tar.gz
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/mitre/inspec-profile-developer-course-lab-environment/main/resources/rhel8-baseline-stubs.tar.gz [following]
--2023-02-09 14:51:57-- https://raw.githubusercontent.com/mitre/inspec-profile-developer-course-lab-environment/main/resources/rhel8-baseline-stubs.tar.gz
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 197531 (193K) [application/octet-stream]
Saving to: ‘rhel8-baseline-stubs.tar.gz’
rhel8-baseline-stubs.tar.gz 100%[=================================================================================================>] 192.90K --.-KB/s in 0.004s
2023-02-09 14:51:57 (47.0 MB/s) - ‘rhel8-baseline-stubs.tar.gz’ saved [197531/197531]
Once you've used wget
to grab the compressed profile, we need to uncompress it so that we can work with the control files inside.
tar zxvfp ./rhel8-baseline-stubs.tar.gz
rhel8-baseline-stubs/
rhel8-baseline-stubs/libraries/
rhel8-baseline-stubs/README.md
rhel8-baseline-stubs/controls/
rhel8-baseline-stubs/inspec.yml
rhel8-baseline-stubs/controls/SV-230281.rb
rhel8-baseline-stubs/controls/SV-230390.rb
rhel8-baseline-stubs/controls/SV-230363.rb
rhel8-baseline-stubs/controls/SV-230223.rb
rhel8-baseline-stubs/controls/SV-230332.rb
rhel8-baseline-stubs/controls/SV-230272.rb
rhel8-baseline-stubs/controls/SV-245540.rb
rhel8-baseline-stubs/controls/SV-230246.rb
rhel8-baseline-stubs/controls/SV-230306.rb
rhel8-baseline-stubs/controls/SV-230357.rb
rhel8-baseline-stubs/controls/SV-230559.rb
rhel8-baseline-stubs/controls/SV-230419.rb
rhel8-baseline-stubs/controls/SV-230508.rb
rhel8-baseline-stubs/controls/SV-230448.rb
rhel8-baseline-stubs/controls/SV-230518.rb
rhel8-baseline-stubs/controls/SV-230409.rb
rhel8-baseline-stubs/controls/SV-230549.rb
rhel8-baseline-stubs/controls/SV-230347.rb
rhel8-baseline-stubs/controls/SV-230316.rb
rhel8-baseline-stubs/controls/SV-230256.rb
rhel8-baseline-stubs/controls/SV-230262.rb
rhel8-baseline-stubs/controls/SV-230322.rb
rhel8-baseline-stubs/controls/SV-230233.rb
rhel8-baseline-stubs/controls/SV-230373.rb
rhel8-baseline-stubs/controls/SV-230380.rb
rhel8-baseline-stubs/controls/SV-230291.rb
rhel8-baseline-stubs/controls/SV-230353.rb
rhel8-baseline-stubs/controls/SV-230302.rb
rhel8-baseline-stubs/controls/SV-230394.rb
rhel8-baseline-stubs/controls/SV-230285.rb
rhel8-baseline-stubs/controls/SV-230336.rb
rhel8-baseline-stubs/controls/SV-230276.rb
rhel8-baseline-stubs/controls/SV-230367.rb
rhel8-baseline-stubs/controls/SV-230227.rb
rhel8-baseline-stubs/controls/SV-230429.rb
rhel8-baseline-stubs/controls/SV-230478.rb
rhel8-baseline-stubs/controls/SV-230538.rb
rhel8-baseline-stubs/controls/SV-230468.rb
rhel8-baseline-stubs/controls/SV-230439.rb
rhel8-baseline-stubs/controls/SV-230237.rb
rhel8-baseline-stubs/controls/SV-230377.rb
rhel8-baseline-stubs/controls/SV-230266.rb
rhel8-baseline-stubs/controls/SV-230326.rb
rhel8-baseline-stubs/controls/SV-230295.rb
rhel8-baseline-stubs/controls/SV-230384.rb
rhel8-baseline-stubs/controls/SV-230312.rb
rhel8-baseline-stubs/controls/SV-230252.rb
rhel8-baseline-stubs/controls/SV-230343.rb
rhel8-baseline-stubs/controls/SV-237641.rb
rhel8-baseline-stubs/controls/SV-230352.rb
rhel8-baseline-stubs/controls/SV-230243.rb
rhel8-baseline-stubs/controls/SV-230303.rb
rhel8-baseline-stubs/controls/SV-230395.rb
rhel8-baseline-stubs/controls/SV-230284.rb
rhel8-baseline-stubs/controls/SV-230337.rb
rhel8-baseline-stubs/controls/SV-230277.rb
rhel8-baseline-stubs/controls/SV-230366.rb
rhel8-baseline-stubs/controls/SV-230226.rb
rhel8-baseline-stubs/controls/SV-230428.rb
rhel8-baseline-stubs/controls/SV-230479.rb
rhel8-baseline-stubs/controls/SV-230539.rb
rhel8-baseline-stubs/controls/SV-230529.rb
rhel8-baseline-stubs/controls/SV-230469.rb
rhel8-baseline-stubs/controls/SV-230438.rb
rhel8-baseline-stubs/controls/SV-230236.rb
rhel8-baseline-stubs/controls/SV-230376.rb
rhel8-baseline-stubs/controls/SV-230267.rb
rhel8-baseline-stubs/controls/SV-230327.rb
rhel8-baseline-stubs/controls/SV-230294.rb
rhel8-baseline-stubs/controls/SV-230385.rb
rhel8-baseline-stubs/controls/SV-230313.rb
rhel8-baseline-stubs/controls/SV-230253.rb
rhel8-baseline-stubs/controls/SV-230342.rb
rhel8-baseline-stubs/controls/SV-237640.rb
rhel8-baseline-stubs/controls/SV-230280.rb
rhel8-baseline-stubs/controls/SV-230362.rb
rhel8-baseline-stubs/controls/SV-230222.rb
rhel8-baseline-stubs/controls/SV-230333.rb
rhel8-baseline-stubs/controls/SV-230273.rb
rhel8-baseline-stubs/controls/SV-230247.rb
rhel8-baseline-stubs/controls/SV-230307.rb
rhel8-baseline-stubs/controls/SV-230356.rb
rhel8-baseline-stubs/controls/SV-230558.rb
rhel8-baseline-stubs/controls/SV-230418.rb
rhel8-baseline-stubs/controls/SV-230509.rb
rhel8-baseline-stubs/controls/SV-230449.rb
rhel8-baseline-stubs/controls/SV-230519.rb
rhel8-baseline-stubs/controls/SV-230408.rb
rhel8-baseline-stubs/controls/SV-230548.rb
rhel8-baseline-stubs/controls/SV-230346.rb
rhel8-baseline-stubs/controls/SV-230317.rb
rhel8-baseline-stubs/controls/SV-230257.rb
rhel8-baseline-stubs/controls/SV-230263.rb
rhel8-baseline-stubs/controls/SV-230323.rb
rhel8-baseline-stubs/controls/SV-230232.rb
rhel8-baseline-stubs/controls/SV-230372.rb
rhel8-baseline-stubs/controls/SV-230381.rb
rhel8-baseline-stubs/controls/SV-230290.rb
rhel8-baseline-stubs/controls/SV-230553.rb
rhel8-baseline-stubs/controls/SV-230413.rb
rhel8-baseline-stubs/controls/SV-230502.rb
rhel8-baseline-stubs/controls/SV-230485.rb
rhel8-baseline-stubs/controls/SV-230476.rb
rhel8-baseline-stubs/controls/SV-230536.rb
rhel8-baseline-stubs/controls/SV-230427.rb
rhel8-baseline-stubs/controls/SV-230369.rb
rhel8-baseline-stubs/controls/SV-244521.rb
rhel8-baseline-stubs/controls/SV-230229.rb
rhel8-baseline-stubs/controls/SV-230338.rb
rhel8-baseline-stubs/controls/SV-230278.rb
rhel8-baseline-stubs/controls/SV-244544.rb
rhel8-baseline-stubs/controls/SV-244554.rb
rhel8-baseline-stubs/controls/SV-230268.rb
rhel8-baseline-stubs/controls/SV-230328.rb
rhel8-baseline-stubs/controls/SV-244531.rb
rhel8-baseline-stubs/controls/SV-230239.rb
rhel8-baseline-stubs/controls/SV-230379.rb
rhel8-baseline-stubs/controls/SV-230437.rb
rhel8-baseline-stubs/controls/SV-230526.rb
rhel8-baseline-stubs/controls/SV-230466.rb
rhel8-baseline-stubs/controls/SV-230495.rb
rhel8-baseline-stubs/controls/SV-230512.rb
rhel8-baseline-stubs/controls/SV-230403.rb
rhel8-baseline-stubs/controls/SV-230543.rb
rhel8-baseline-stubs/controls/SV-251714.rb
rhel8-baseline-stubs/controls/SV-230481.rb
rhel8-baseline-stubs/controls/SV-230423.rb
rhel8-baseline-stubs/controls/SV-230472.rb
rhel8-baseline-stubs/controls/SV-230532.rb
rhel8-baseline-stubs/controls/SV-230506.rb
rhel8-baseline-stubs/controls/SV-230446.rb
rhel8-baseline-stubs/controls/SV-230557.rb
rhel8-baseline-stubs/controls/SV-230359.rb
rhel8-baseline-stubs/controls/SV-230248.rb
rhel8-baseline-stubs/controls/SV-244540.rb
rhel8-baseline-stubs/controls/SV-230308.rb
rhel8-baseline-stubs/controls/SV-244525.rb
rhel8-baseline-stubs/controls/SV-250316.rb
rhel8-baseline-stubs/controls/SV-244535.rb
rhel8-baseline-stubs/controls/SV-230318.rb
rhel8-baseline-stubs/controls/SV-230258.rb
rhel8-baseline-stubs/controls/SV-244550.rb
rhel8-baseline-stubs/controls/SV-230349.rb
rhel8-baseline-stubs/controls/SV-230407.rb
rhel8-baseline-stubs/controls/SV-230547.rb
rhel8-baseline-stubs/controls/SV-230456.rb
rhel8-baseline-stubs/controls/SV-230516.rb
rhel8-baseline-stubs/controls/SV-251710.rb
rhel8-baseline-stubs/controls/SV-230522.rb
rhel8-baseline-stubs/controls/SV-230462.rb
rhel8-baseline-stubs/controls/SV-230433.rb
rhel8-baseline-stubs/controls/SV-230491.rb
rhel8-baseline-stubs/controls/SV-230480.rb
rhel8-baseline-stubs/controls/SV-230422.rb
rhel8-baseline-stubs/controls/SV-230473.rb
rhel8-baseline-stubs/controls/SV-230533.rb
rhel8-baseline-stubs/controls/SV-230507.rb
rhel8-baseline-stubs/controls/SV-230447.rb
rhel8-baseline-stubs/controls/SV-230556.rb
rhel8-baseline-stubs/controls/SV-230358.rb
rhel8-baseline-stubs/controls/SV-244541.rb
rhel8-baseline-stubs/controls/SV-230249.rb
rhel8-baseline-stubs/controls/SV-230309.rb
rhel8-baseline-stubs/controls/SV-244524.rb
rhel8-baseline-stubs/controls/SV-250317.rb
rhel8-baseline-stubs/controls/SV-244534.rb
rhel8-baseline-stubs/controls/SV-230319.rb
rhel8-baseline-stubs/controls/SV-244551.rb
rhel8-baseline-stubs/controls/SV-230259.rb
rhel8-baseline-stubs/controls/SV-230348.rb
rhel8-baseline-stubs/controls/SV-230406.rb
rhel8-baseline-stubs/controls/SV-230546.rb
rhel8-baseline-stubs/controls/SV-230517.rb
rhel8-baseline-stubs/controls/SV-251711.rb
rhel8-baseline-stubs/controls/SV-230523.rb
rhel8-baseline-stubs/controls/SV-230463.rb
rhel8-baseline-stubs/controls/SV-230432.rb
rhel8-baseline-stubs/controls/SV-230552.rb
rhel8-baseline-stubs/controls/SV-230412.rb
rhel8-baseline-stubs/controls/SV-230503.rb
rhel8-baseline-stubs/controls/SV-230484.rb
rhel8-baseline-stubs/controls/SV-230477.rb
rhel8-baseline-stubs/controls/SV-230537.rb
rhel8-baseline-stubs/controls/SV-230426.rb
rhel8-baseline-stubs/controls/SV-230368.rb
rhel8-baseline-stubs/controls/SV-230228.rb
rhel8-baseline-stubs/controls/SV-230339.rb
rhel8-baseline-stubs/controls/SV-230279.rb
rhel8-baseline-stubs/controls/SV-244545.rb
rhel8-baseline-stubs/controls/SV-230269.rb
rhel8-baseline-stubs/controls/SV-230329.rb
rhel8-baseline-stubs/controls/SV-230238.rb
rhel8-baseline-stubs/controls/SV-244530.rb
rhel8-baseline-stubs/controls/SV-230378.rb
rhel8-baseline-stubs/controls/SV-230436.rb
rhel8-baseline-stubs/controls/SV-230527.rb
rhel8-baseline-stubs/controls/SV-230467.rb
rhel8-baseline-stubs/controls/SV-230494.rb
rhel8-baseline-stubs/controls/SV-230513.rb
rhel8-baseline-stubs/controls/SV-230402.rb
rhel8-baseline-stubs/controls/SV-230542.rb
rhel8-baseline-stubs/controls/SV-251715.rb
rhel8-baseline-stubs/controls/SV-230470.rb
rhel8-baseline-stubs/controls/SV-230530.rb
rhel8-baseline-stubs/controls/SV-230421.rb
rhel8-baseline-stubs/controls/SV-230561.rb
rhel8-baseline-stubs/controls/SV-230483.rb
rhel8-baseline-stubs/controls/SV-230555.rb
rhel8-baseline-stubs/controls/SV-230504.rb
rhel8-baseline-stubs/controls/SV-230444.rb
rhel8-baseline-stubs/controls/SV-244542.rb
rhel8-baseline-stubs/controls/SV-244527.rb
rhel8-baseline-stubs/controls/SV-244537.rb
rhel8-baseline-stubs/controls/SV-244552.rb
rhel8-baseline-stubs/controls/SV-251712.rb
rhel8-baseline-stubs/controls/SV-230514.rb
rhel8-baseline-stubs/controls/SV-230405.rb
rhel8-baseline-stubs/controls/SV-230545.rb
rhel8-baseline-stubs/controls/SV-230493.rb
rhel8-baseline-stubs/controls/SV-230431.rb
rhel8-baseline-stubs/controls/SV-230520.rb
rhel8-baseline-stubs/controls/SV-230500.rb
rhel8-baseline-stubs/controls/SV-230551.rb
rhel8-baseline-stubs/controls/SV-230411.rb
rhel8-baseline-stubs/controls/SV-251706.rb
rhel8-baseline-stubs/controls/SV-230425.rb
rhel8-baseline-stubs/controls/SV-230474.rb
rhel8-baseline-stubs/controls/SV-230534.rb
rhel8-baseline-stubs/controls/SV-230487.rb
rhel8-baseline-stubs/controls/SV-230398.rb
rhel8-baseline-stubs/controls/SV-230289.rb
rhel8-baseline-stubs/controls/SV-244523.rb
rhel8-baseline-stubs/controls/SV-244546.rb
rhel8-baseline-stubs/controls/SV-244533.rb
rhel8-baseline-stubs/controls/SV-230299.rb
rhel8-baseline-stubs/controls/SV-230388.rb
rhel8-baseline-stubs/controls/SV-230497.rb
rhel8-baseline-stubs/controls/SV-230524.rb
rhel8-baseline-stubs/controls/SV-230464.rb
rhel8-baseline-stubs/controls/SV-230435.rb
rhel8-baseline-stubs/controls/SV-251716.rb
rhel8-baseline-stubs/controls/SV-230401.rb
rhel8-baseline-stubs/controls/SV-230541.rb
rhel8-baseline-stubs/controls/SV-230510.rb
rhel8-baseline-stubs/controls/SV-230550.rb
rhel8-baseline-stubs/controls/SV-230410.rb
rhel8-baseline-stubs/controls/SV-251707.rb
rhel8-baseline-stubs/controls/SV-230424.rb
rhel8-baseline-stubs/controls/SV-230475.rb
rhel8-baseline-stubs/controls/SV-230535.rb
rhel8-baseline-stubs/controls/SV-230486.rb
rhel8-baseline-stubs/controls/SV-230399.rb
rhel8-baseline-stubs/controls/SV-230288.rb
rhel8-baseline-stubs/controls/SV-244522.rb
rhel8-baseline-stubs/controls/SV-244547.rb
rhel8-baseline-stubs/controls/SV-244532.rb
rhel8-baseline-stubs/controls/SV-230298.rb
rhel8-baseline-stubs/controls/SV-230389.rb
rhel8-baseline-stubs/controls/SV-230496.rb
rhel8-baseline-stubs/controls/SV-230525.rb
rhel8-baseline-stubs/controls/SV-230465.rb
rhel8-baseline-stubs/controls/SV-230434.rb
rhel8-baseline-stubs/controls/SV-251717.rb
rhel8-baseline-stubs/controls/SV-230400.rb
rhel8-baseline-stubs/controls/SV-230540.rb
rhel8-baseline-stubs/controls/SV-230511.rb
rhel8-baseline-stubs/controls/SV-230471.rb
rhel8-baseline-stubs/controls/SV-230531.rb
rhel8-baseline-stubs/controls/SV-230560.rb
rhel8-baseline-stubs/controls/SV-230482.rb
rhel8-baseline-stubs/controls/SV-230554.rb
rhel8-baseline-stubs/controls/SV-230505.rb
rhel8-baseline-stubs/controls/SV-244543.rb
rhel8-baseline-stubs/controls/SV-250315.rb
rhel8-baseline-stubs/controls/SV-244526.rb
rhel8-baseline-stubs/controls/SV-244536.rb
rhel8-baseline-stubs/controls/SV-244553.rb
rhel8-baseline-stubs/controls/SV-251713.rb
rhel8-baseline-stubs/controls/SV-230455.rb
rhel8-baseline-stubs/controls/SV-230515.rb
rhel8-baseline-stubs/controls/SV-230404.rb
rhel8-baseline-stubs/controls/SV-230544.rb
rhel8-baseline-stubs/controls/SV-230492.rb
rhel8-baseline-stubs/controls/SV-230430.rb
rhel8-baseline-stubs/controls/SV-230521.rb
rhel8-baseline-stubs/controls/SV-244548.rb
rhel8-baseline-stubs/controls/SV-230240.rb
rhel8-baseline-stubs/controls/SV-230300.rb
rhel8-baseline-stubs/controls/SV-244519.rb
rhel8-baseline-stubs/controls/SV-230351.rb
rhel8-baseline-stubs/controls/SV-230365.rb
rhel8-baseline-stubs/controls/SV-230225.rb
rhel8-baseline-stubs/controls/SV-230334.rb
rhel8-baseline-stubs/controls/SV-230274.rb
rhel8-baseline-stubs/controls/SV-230287.rb
rhel8-baseline-stubs/controls/SV-230396.rb
rhel8-baseline-stubs/controls/SV-230489.rb
rhel8-baseline-stubs/controls/SV-251708.rb
rhel8-baseline-stubs/controls/SV-251718.rb
rhel8-baseline-stubs/controls/SV-230499.rb
rhel8-baseline-stubs/controls/SV-230386.rb
rhel8-baseline-stubs/controls/SV-230264.rb
rhel8-baseline-stubs/controls/SV-230324.rb
rhel8-baseline-stubs/controls/SV-230235.rb
rhel8-baseline-stubs/controls/SV-230375.rb
rhel8-baseline-stubs/controls/SV-237643.rb
rhel8-baseline-stubs/controls/SV-230341.rb
rhel8-baseline-stubs/controls/SV-230310.rb
rhel8-baseline-stubs/controls/SV-230250.rb
rhel8-baseline-stubs/controls/SV-230330.rb
rhel8-baseline-stubs/controls/SV-230270.rb
rhel8-baseline-stubs/controls/SV-230361.rb
rhel8-baseline-stubs/controls/SV-230221.rb
rhel8-baseline-stubs/controls/SV-244529.rb
rhel8-baseline-stubs/controls/SV-230392.rb
rhel8-baseline-stubs/controls/SV-230283.rb
rhel8-baseline-stubs/controls/SV-230355.rb
rhel8-baseline-stubs/controls/SV-230244.rb
rhel8-baseline-stubs/controls/SV-230304.rb
rhel8-baseline-stubs/controls/SV-230314.rb
rhel8-baseline-stubs/controls/SV-230254.rb
rhel8-baseline-stubs/controls/SV-230345.rb
rhel8-baseline-stubs/controls/SV-230293.rb
rhel8-baseline-stubs/controls/SV-230382.rb
rhel8-baseline-stubs/controls/SV-230231.rb
rhel8-baseline-stubs/controls/SV-244539.rb
rhel8-baseline-stubs/controls/SV-230371.rb
rhel8-baseline-stubs/controls/SV-230260.rb
rhel8-baseline-stubs/controls/SV-230320.rb
rhel8-baseline-stubs/controls/SV-230331.rb
rhel8-baseline-stubs/controls/SV-230271.rb
rhel8-baseline-stubs/controls/SV-230360.rb
rhel8-baseline-stubs/controls/SV-244528.rb
rhel8-baseline-stubs/controls/SV-230393.rb
rhel8-baseline-stubs/controls/SV-230282.rb
rhel8-baseline-stubs/controls/SV-230354.rb
rhel8-baseline-stubs/controls/SV-230245.rb
rhel8-baseline-stubs/controls/SV-230305.rb
rhel8-baseline-stubs/controls/SV-230315.rb
rhel8-baseline-stubs/controls/SV-230255.rb
rhel8-baseline-stubs/controls/SV-230344.rb
rhel8-baseline-stubs/controls/SV-230292.rb
rhel8-baseline-stubs/controls/SV-230383.rb
rhel8-baseline-stubs/controls/SV-244538.rb
rhel8-baseline-stubs/controls/SV-230230.rb
rhel8-baseline-stubs/controls/SV-230370.rb
rhel8-baseline-stubs/controls/SV-230261.rb
rhel8-baseline-stubs/controls/SV-230321.rb
rhel8-baseline-stubs/controls/SV-230241.rb
rhel8-baseline-stubs/controls/SV-244549.rb
rhel8-baseline-stubs/controls/SV-230301.rb
rhel8-baseline-stubs/controls/SV-230350.rb
rhel8-baseline-stubs/controls/SV-230364.rb
rhel8-baseline-stubs/controls/SV-230224.rb
rhel8-baseline-stubs/controls/SV-230335.rb
rhel8-baseline-stubs/controls/SV-230275.rb
rhel8-baseline-stubs/controls/SV-230286.rb
rhel8-baseline-stubs/controls/SV-230397.rb
rhel8-baseline-stubs/controls/SV-230488.rb
rhel8-baseline-stubs/controls/SV-251709.rb
rhel8-baseline-stubs/controls/SV-230498.rb
rhel8-baseline-stubs/controls/SV-230387.rb
rhel8-baseline-stubs/controls/SV-230296.rb
rhel8-baseline-stubs/controls/SV-230265.rb
rhel8-baseline-stubs/controls/SV-230325.rb
rhel8-baseline-stubs/controls/SV-230234.rb
rhel8-baseline-stubs/controls/SV-230374.rb
rhel8-baseline-stubs/controls/SV-237642.rb
rhel8-baseline-stubs/controls/SV-230340.rb
rhel8-baseline-stubs/controls/SV-230311.rb
rhel8-baseline-stubs/controls/SV-230251.rb
Example 'Stub' Control SV-230502
Let's take a look at one of the stub InSpec controls created by the saf generate xccdf_benchmark2inspec_stub
command and the completed InSpec control.
control 'SV-230502' do
title 'The RHEL 8 file system automounter must be disabled unless required.'
desc "Automatically mounting file systems permits easy introduction of
unknown devices, thereby facilitating malicious activity."
desc 'rationale', ''
desc 'check', "
Verify the operating system disables the ability to automount devices.
Check to see if automounter service is active with the following command:
Note: If the autofs service is not installed, this requirement is not
applicable.
$ sudo systemctl status autofs
autofs.service - Automounts filesystems on demand
Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
Active: inactive (dead)
If the \"autofs\" status is set to \"active\" and is not documented with
the Information System Security Officer (ISSO) as an operational requirement,
this is a finding.
"
desc 'fix', "
Configure the operating system to disable the ability to automount devices.
Turn off the automount service with the following commands:
$ sudo systemctl stop autofs
$ sudo systemctl disable autofs
If \"autofs\" is required for Network File System (NFS), it must be
documented with the ISSO.
"
impact 0.5
tag severity: 'medium'
tag gtitle: 'SRG-OS-000114-GPOS-00059'
tag gid: 'V-230502'
tag rid: 'SV-230502r627750_rule'
tag stig_id: 'RHEL-08-040070'
tag fix_id: 'F-33146r568253_fix'
tag cci: ['CCI-000778']
tag nist: ['IA-3']
# ...add your describe blocks here ... #
end
control 'SV-230502' do
title 'The RHEL 8 file system automounter must be disabled unless required.'
desc "Automatically mounting file systems permits easy introduction of
unknown devices, thereby facilitating malicious activity."
desc 'rationale', ''
desc 'check', "
Verify the operating system disables the ability to automount devices.
Check to see if automounter service is active with the following command:
Note: If the autofs service is not installed, this requirement is not
applicable.
$ sudo systemctl status autofs
autofs.service - Automounts filesystems on demand
Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
Active: inactive (dead)
If the \"autofs\" status is set to \"active\" and is not documented with
the Information System Security Officer (ISSO) as an operational requirement,
this is a finding.
"
desc 'fix', "
Configure the operating system to disable the ability to automount devices.
Turn off the automount service with the following commands:
$ sudo systemctl stop autofs
$ sudo systemctl disable autofs
If \"autofs\" is required for Network File System (NFS), it must be
documented with the ISSO.
"
impact 0.5
tag severity: 'medium'
tag gtitle: 'SRG-OS-000114-GPOS-00059'
tag gid: 'V-230502'
tag rid: 'SV-230502r627750_rule'
tag stig_id: 'RHEL-08-040070'
tag fix_id: 'F-33146r568253_fix'
tag cci: ['CCI-000778']
tag nist: ['IA-3']
if virtualization.system.eql?('docker')
impact 0.0
describe "Control not applicable within a container" do
skip "Control not applicable within a container"
end
else
if package('autofs').installed?
describe systemd_service('autofs.service') do
it { should_not be_running }
it { should_not be_enabled }
it { should_not be_installed }
end
else
impact 0.0
describe 'The autofs service is not installed' do
skip 'The autofs service is not installed, this control is Not Applicable.'
end
end
end
end
Where did the metadata tags come from?
From the structured data inside the published STIG document's XCCDF XML file. The saf generate
tool simply reformats it into an InSpec control.
Where did the describe block come from?
From the real MITRE SAF RHEL8 InSpec profile. Note that the control accounts for a few more edge cases than what we've done in this class, but it's still recognizably just a bunch of entities and expectations wrapped in describe
blocks.
You may note that these InSpec controls feature a set of metadata tags -- impact, severity, and alignment back to requirements such as a NIST control family. All of that metadata was taken from the original XCCDF document that we used to create this profile; the SAF CLI automatically added it to the profile controls. These tags are the reason that tools like Heimdall can sort and display data in high fidelity. This is the benefit of using the SAF CLI to generate profiles straight off of the original benchmark documentation where possible -- tagging the controls with the requirement that they are testing means that reading a control will tell you not only what you are testing, but why!
STIGs
For more background on STIGs, see the SAF Guidance content.