12. Manual Attestations

Emily Rodriguez · About 4 min

What about controls that cannot be automated and require manual review? You may have noticed that Heimdall displays each control in one of four statuses: Passed, Failed, Not Applicable, and Not Reviewed.

A control can be Not Reviewed for several reasons. A common one is that the InSpec control skipped its test because the check cannot be automated and requires manual review. You can explore the details of the Not Reviewed controls to find out which reason applies.

12.1 Explore the Not Reviewed Controls

Look at the hardened results again in Heimdall. Go back to the menu in the top left, toggle off "Comparison View", and select the hardened results. Then filter by the Not Reviewed status.

Filtering by Not Reviewed

Scroll down to see the details and learn why the controls were not reviewed.

"Not Reviewed" Controls

You can see that, for various reasons, many of these controls require manual review. If someone does that manual review, how can we record the outcome in the data?

12.2 Manual Attestations Using SAF CLI

You have already seen the InSpec profiles and the Heimdall application that the SAF provides. Another feature of the SAF is the SAF CLI. This is a command line utility that helps with various steps in the security automation process. You can see all of the SAF CLI's capabilities here, but we will look specifically at how to use it to add manual attestation data to our overall results.

12.3 Get Familiar with SAF CLI

SAF CLI has been installed in your Codespaces lab environment, so it is available for you to use on the command line. Try out a few commands to see what you can do!

Command
saf --version

The help command will give you the information on how to use the SAF CLI:

Command
saf help

You can use the -h flag to get more information on the different topics and commands.

Command
saf attest -h

12.4 Create Manual Attestation Data

After someone on your team completes the manual check that is required for your security control, record that information with the help of the SAF CLI.

First, look at the flags for the saf attest create command.

Command
saf attest create -h

Here is an example of an attestation that we can create based on:

  1. The results we saw in Heimdall
  2. Our (hypothetical) completed manual check (let's pretend that we did check this!)

saf attest create -o ./results/manual_attestation_results.json
Enter a control ID or enter 'q' to exit: V-40792
Attestation explanation: Verified that the server-side session management is configured correctly.
Frequency (1d/3d/1wk/2wk/1m/3m/6m/1y/1.5y/custom): 3m
Enter status ((p)assed/(f)ailed): p
Updated By: Emily Rodriguez
Enter a control ID or enter 'q' to exit: 

Now, go through and add more attestations for the Not Reviewed controls. Decide whether each should pass or fail as if you had actually checked the control manually. The frequency records how often the manual check must be repeated, so choose one your team will actually honour. Type q when you are done.

12.5 Apply the Manual Attestation Data

Use the -h flag to learn about applying attestations.

Command
saf attest apply -h

Apply the attestation like this, passing the hardened results file followed by the attestation file to -i and writing the combined results to -o:

saf attest apply -i ./results/nginx_hardened_results.json ./results/manual_attestation_results.json -o ./results/nginx_hardened_with_manual_attestations.json
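To make the two steps above concrete (why a control shows up as Not Reviewed in 12.1, and what applying an attestation changes in 12.5), here is an added Python example. It is not the SAF CLI's own code and not part of the original lesson: it derives Heimdall's display status from raw InSpec results, lists the Not Reviewed controls with their skip messages, and then folds a constructed attestation file into the results the way `saf attest apply` does conceptually. The HDF fragment and the attestations are constructed inline; the attestation field names (`control_id`, `explanation`, `frequency`, `status`, `updated`, `updated_by`) are my assumption of what `saf attest create` writes, so check them against a real file before depending on them. The expiry check based on `frequency` is the caveat a reviewer would want, not a claim about how any particular SAF CLI version handles stale attestations.

```python
"""Derive Heimdall-style statuses from HDF (InSpec JSON) results and apply a
manual-attestation file to the Not Reviewed controls.

Added example, NOT the SAF CLI's code. Attestation field names are assumed to
match those written by `saf attest create`; verify against a real file.
"""
import copy
import json
from datetime import datetime, timedelta, timezone

# Constructed HDF fragment: profiles -> controls -> results, as InSpec emits it.
HDF_SAMPLE = json.loads("""
{"profiles": [{"name": "nginx-baseline", "controls": [
  {"id": "V-40792", "impact": 0.5,
   "results": [{"status": "skipped", "skip_message": "This control must be reviewed manually."}]},
  {"id": "V-40793", "impact": 0.5,
   "results": [{"status": "passed", "code_desc": "File /etc/nginx/nginx.conf is expected to exist"}]},
  {"id": "V-40794", "impact": 0.0,
   "results": [{"status": "skipped", "skip_message": "Not applicable on this platform."}]},
  {"id": "V-40795", "impact": 0.7, "results": []}
]}]}
""")

# Constructed attestation file (assumed shape of `saf attest create -o ...` output).
ATTESTATIONS = json.loads("""
[{"control_id": "V-40792",
  "explanation": "Verified that the server-side session management is configured correctly.",
  "frequency": "3m", "status": "passed",
  "updated": "2024-01-15T10:00:00.000Z", "updated_by": "Emily Rodriguez"},
 {"control_id": "V-40795",
  "explanation": "Reviewed logging with the ops team; log rotation is not enabled.",
  "frequency": "1m", "status": "failed",
  "updated": "2023-01-15T10:00:00.000Z", "updated_by": "Emily Rodriguez"}]
""")

def control_status(control):
    """Heimdall's display status (the four from the lesson plus Profile Error)."""
    if control.get("impact", 0) == 0:
        return "Not Applicable"
    statuses = [r["status"] for r in control.get("results", [])]
    if "error" in statuses:
        return "Profile Error"
    if "failed" in statuses:
        return "Failed"
    if "passed" in statuses:
        return "Passed"
    return "Not Reviewed"  # every result skipped, or no results at all

def not_reviewed(hdf):
    """Map each Not Reviewed control ID to the reason InSpec recorded."""
    out = {}
    for profile in hdf["profiles"]:
        for c in profile["controls"]:
            if control_status(c) == "Not Reviewed":
                msgs = [r.get("skip_message", "") for r in c.get("results", [])]
                out[c["id"]] = "; ".join(m for m in msgs if m) or "no results recorded"
    return out

# Re-check intervals offered by `saf attest create`, as days (1m treated as 30 days).
FREQUENCY_DAYS = {"1d": 1, "3d": 3, "1wk": 7, "2wk": 14, "1m": 30, "3m": 90,
                  "6m": 180, "1y": 365, "1.5y": 548}

def is_expired(att, now):
    """An attestation is stale once its frequency has elapsed since `updated`."""
    updated = datetime.fromisoformat(att["updated"].replace("Z", "+00:00"))
    return now > updated + timedelta(days=FREQUENCY_DAYS[att["frequency"]])

def apply_attestations(hdf, attestations, now):
    """Append a manual result to each attested control that is still Not Reviewed.
    Returns (new_hdf, applied_ids, skipped_reasons); the input is not mutated."""
    hdf = copy.deepcopy(hdf)
    by_id = {a["control_id"]: a for a in attestations}
    applied, skipped = [], {}
    for profile in hdf["profiles"]:
        for c in profile["controls"]:
            att = by_id.get(c["id"])
            if att is None:
                continue
            if control_status(c) != "Not Reviewed":
                skipped[c["id"]] = "already has automated results"
                continue
            if is_expired(att, now):
                skipped[c["id"]] = f"attestation expired (frequency {att['frequency']})"
                continue
            c.setdefault("results", []).append({
                "status": att["status"],
                "code_desc": f"Manual attestation by {att['updated_by']} on {att['updated']}",
                "message": att["explanation"],
            })
            applied.append(c["id"])
    return hdf, applied, skipped

NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

if __name__ == "__main__":
    print("Not Reviewed before:", not_reviewed(HDF_SAMPLE))
    attested, applied, skipped = apply_attestations(HDF_SAMPLE, ATTESTATIONS, NOW)
    print("Applied:", applied, "Skipped:", skipped)
    print("Not Reviewed after:", not_reviewed(attested))
```

With the fixed clock, V-40792 is attested as passing and moves out of Not Reviewed, while V-40795 stays Not Reviewed because its one-month attestation is more than a year old. That is the point to carry back to the SAF CLI workflow: an attestation is only as good as the date and frequency recorded with it, so re-run your manual checks on that schedule rather than treating the attestation file as permanent.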

12.6 Visualize the Results - Heimdall

As we have done before,

  1. Download the nginx_hardened_with_manual_attestations.json file.
  2. Upload this file to Heimdall.
  3. Click on the top left menu and toggle on the Comparison View
  4. Compare the results.

In the example, a few manual attestations were completed, some of which were recorded as passing and some as failing. You may have chosen to do your manual attestations differently and have different metrics.

Visualizing Attestations

You can look at the details to find the attestation information captured. Expand the details for each control to view this data.

Details on Attestations