Skip to main content

3. Delta Process CLI Tools

Daniel Medina, George DiasDecember 2, 2024About 2 min

The SAF CLI is a collection of libraries, tools developed by MITRE and the security community
to streamline security automation for systems and DevOps pipelines. The delta process is one
of the libraries provided by the SAF CLI.

3.1 CLI Tools

The delta process consists of either or both of the following commands:

  1. Updates Controls for Delta
  2. Delta

About InSpec Profiles

When referring to InSpec Profiles, there are distinctions:
InSpec profile repository: contains the controls, code, etc.
InSpec profile file: JSON formatted file containing profile summary, used as input for the delta process.

3.2 Update Controls for Delta

The update_controls4delta process is used to prepare profile controls from one SRG or STIG/CIS benchmark baseline to another. The controls are updated based on guidance provided by the appropriate Extendible Configuration Checklist Description Format (XCCDF).

The update_controls4delta process may be the only command needed as it specifically updates existing controls from one baseline to another, refer to use cases for running delta.

The process of preparing controls from one baseline to another (baseline X to Y) consists of:

  1. The directory where baseline X controls are located is provided.
  2. An InSpec json formatted file containing all baseline X controls is provided or generated.
    a - The json file is generated using the [inspec or cinc-auditor] json CLI command
  3. A XCCDF file containing the new baseline Y guidance is provided. The file is obtained from the appropriate site.
    a - The baseline Y XCCDF lists all controls appropriate for the provided baseline. It also includes (most often) a field (legacy) where it indicates the control's previous name(s). The process uses this field to map old control names to the new controls.
    b - If there is no mapping found, then the delta process must be invoked to convert the baselines (see use cases)

You can invoke the command as such:

saf generate update_controls4delta \
-X ./baseline_Y_xccdf_guidance_file.xml \
-J baseline_X_summary.json \
-c baseline_X_controls_directory

Additional capabilities can be obtained using the -h or --help flag on the update_controls4delta command as such:

saf generate update_controls4delta --help

Renaming of controls can be done either by guidance rules (rule ID, default) or using the group ID. When using rule ID legacy fields contained within the XCCDF are used for identifying the proper mapping for the controls.

If there is no way to trace controls in baseline X to its corresponding controls in baseline Y, then update_controls4delta will not update any controls (no mapping).

3.3 Delta

The delta process extends the capabilities of the update_controls4delta process by providing the following functionalities:

  1. Creates new controls found in updated guidances
  2. Fuzzy matching capability (optional)
    a - Maps controls based on similarity and not control IDs
    b - For controls which a match is found, the describe block (code) within the old control is mapped over to the new control
  3. Detailed logging
    a - report file (.md), mapping statistics (CliProcessOutput.log)

You can invoke the command as such:

saf generate delta \
-X ./baseline_Y_xccdf_guidance_file.xml \
-J baseline_X_summary.json \
-o new_baseline_Y_controls_directory \
-M -c baseline_X_controls_directory

Optional Fuzzy Matching Flags

The -M and -c flags can be removed if not using fuzzy matching feature.

Additional capabilities can be obtained using the -h or --help flag on the delta command as such:

saf generate delta --help

For more information on these commands, refer to the following documentation:

Delta Process Limitations

The Delta process has been tested using DISA XCCDF STIG Benchmark Guidances only.

Apache-2.0 | Copyright © 2022 - The MITRE Corporation
Copyright © 2024 Daniel Medina, George Dias