Background & Definitions
Background
Evolution of STIGs and Security Benchmarks
The Department of Defense (DoD) has continually updated the databases that track security rules and the Security Technical Implementation Guides (STIGs) that house those rules.
Initially, that system was known as the Vulnerability Management System (VMS).
In the STIGs, you might come across data elements that are remnants of these iterations. These include the Group ID and Group Title (gid, gtitle), the Vulnerability ID (VulnID), the Rule ID (rule_id), the STIG ID (stig_id), and others.
A significant change was the shift from using the STIG ID to using the Rule ID as the primary key in many security scanning tools. In VMS, the STIG ID was the primary index for the requirements in each Benchmark.
When DISA updated the Vendor STIG Process and retired VMS, the primary ID was migrated to the Rule ID. A Rule ID carries a revision component (the rNNNNNN portion of an identifier of the form SV-NNNNNNrNNNNNN_rule) that changes whenever the rule's content is revised, so a result keyed on the Rule ID is tied to the exact revision of the requirement it was checked against, whereas the STIG ID stays the same across revisions.
Examples of tools that still use the STIG ID, fully or in part, rather than the Rule ID as a primary index are the DISA STIG Viewer, Nessus Audit scans, and the OpenSCAP client.
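To make these identifiers concrete, here is an added Python example (not code from the original page or from the SAF project) that pulls the legacy VMS-era fields out of a constructed XCCDF 1.1 Benchmark and shows the practical consequence of the index change: two releases of the same hypothetical "EXMP" STIG in which one requirement was revised, so that indexing by STIG ID collapses the two revisions into one entry while indexing by Rule ID keeps them apart. The STIG name, the V-/SV- numbers and the rule text are all made up for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# XCCDF 1.1 namespace used by DISA STIG Benchmarks.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# DISA Rule IDs look like SV-<number>r<revision>_rule; the r<revision>
# part is what changes when the rule content is revised.
RULE_ID_RE = re.compile(r"^(?P<sv>SV-\d+)r(?P<rev>\d+)_rule$")

# Constructed sample (not a real STIG): release 1 of a hypothetical
# "EXMP" STIG with two requirements.
RELEASE_1 = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXMP_STIG">
  <Group id="V-200001">
    <title>SRG-OS-000001-GPOS-00001</title>
    <Rule id="SV-200001r100_rule" severity="medium">
      <version>EXMP-01-000001</version>
      <title>The system must limit concurrent sessions.</title>
    </Rule>
  </Group>
  <Group id="V-200002">
    <title>SRG-OS-000002-GPOS-00002</title>
    <Rule id="SV-200002r100_rule" severity="high">
      <version>EXMP-01-000002</version>
      <title>The system must enforce password complexity.</title>
    </Rule>
  </Group>
</Benchmark>"""

# Release 2: EXMP-01-000001 was revised (new Rule ID revision, same STIG ID
# and same V- number); EXMP-01-000002 is untouched.
RELEASE_2 = RELEASE_1.replace(
    'id="SV-200001r100_rule"', 'id="SV-200001r200_rule"'
).replace("limit concurrent sessions.", "limit concurrent sessions to ten.")


def parse_benchmark(xml_text):
    """Return one dict per Rule carrying the legacy identifiers discussed above."""
    root = ET.fromstring(xml_text)
    rows = []
    for group in root.findall("x:Group", NS):
        rule = group.find("x:Rule", NS)
        if rule is None:
            continue
        rows.append({
            "gid": group.get("id"),                               # V-xxxxxx (Vulnerability ID)
            "gtitle": group.findtext("x:title", namespaces=NS),   # usually the SRG ID
            "rule_id": rule.get("id"),                            # SV-xxxxxxrNNN_rule
            "stig_id": rule.findtext("x:version", namespaces=NS), # e.g. EXMP-01-000001
            "severity": rule.get("severity"),
            "title": rule.findtext("x:title", namespaces=NS),
        })
    return rows


def split_rule_id(rule_id):
    """Split 'SV-200001r200_rule' into ('SV-200001', 200)."""
    m = RULE_ID_RE.match(rule_id)
    if m is None:
        raise ValueError(f"not a DISA Rule ID: {rule_id!r}")
    return m.group("sv"), int(m.group("rev"))


def index_by(rows, key):
    """Group rows by one identifier; a key mapping to more than one row is not unique."""
    idx = defaultdict(list)
    for row in rows:
        idx[row[key]].append(row)
    return dict(idx)


def revised_rules(old_rows, new_rows):
    """Map STIG ID -> (old Rule ID, new Rule ID) for rules whose revision changed.

    A comparison keyed on STIG ID alone would report these rules as unchanged;
    the revision in the Rule ID is what exposes the edit.
    """
    old = {r["stig_id"]: r["rule_id"] for r in old_rows}
    changes = {}
    for r in new_rows:
        prev = old.get(r["stig_id"])
        if prev is not None and split_rule_id(prev) != split_rule_id(r["rule_id"]):
            changes[r["stig_id"]] = (prev, r["rule_id"])
    return changes


if __name__ == "__main__":
    r1, r2 = parse_benchmark(RELEASE_1), parse_benchmark(RELEASE_2)
    print("distinct STIG IDs:", len(index_by(r1 + r2, "stig_id")),
          "distinct Rule IDs:", len(index_by(r1 + r2, "rule_id")))
    for stig_id, (old_id, new_id) in revised_rules(r1, r2).items():
        print(f"{stig_id}: {old_id} -> {new_id}")
```

Across both releases the parser sees two distinct STIG IDs but three distinct Rule IDs, and `revised_rules` reports the one requirement whose revision moved. One caveat for real use: `xml.etree` does not defend against entity-expansion or external-entity tricks, so a Benchmark obtained from anywhere other than a trusted source should be parsed with `defusedxml` instead.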
While these elements might seem confusing, understanding their historical context is essential.
In our modern profiles, some of this data from the XCCDF Benchmark still exists in the source document but is neither used nor rendered in the InSpec profile. In some older profiles, however, you may see many of these data elements carried as tags on each control.
The intention was to allow easy and lossless conversion between the XCCDF Benchmark and the HDF profile.
It was later realized that, since these data elements are 'static', they can be reintroduced when converting back to an XCCDF Benchmark, so rendering them in the profile was deemed unnecessary.