MITRE InSpec Profile Developer Course

                                May 22, 2022 · About 3 min

                                # From STIG to Profile

                                # Download STIG Requirements

                                Download the latest STIG Viewer, located here: STIG Viewer


                                Download the Red Hat Enterprise Linux 8 STIG - Ver 1, Rel 5, located here: RHEL8 STIG Download


                                # Convert the STIG XCCDF Benchmark To an InSpec Stubs Profile

                                Timesaver Ahead!

                                We already converted the XCCDF STIG Benchmark into a starter profile by running the saf generate xccdf2inspec_stub command with the correct flags, mapping file and other options.

                                The SAF CLI has the generate xccdf2inspec_stub sub-command, which can help you quickly convert an XCCDF Benchmark document into the start of an InSpec profile.

                                XCCDF to InSpec Stub
                                generate xccdf2inspec_stub              Generate an InSpec profile stub from a DISA STIG XCCDF XML file
                                
                                  USAGE
                                    $ saf generate xccdf2inspec_stub -i, --input=XML -o, --output=FOLDER
                                
                                  OPTIONS
                                    -S, --useStigID              Use STIG IDs (<Group/Rule/Version>) instead of Group IDs (ex. 'V-XXXXX') for InSpec Control IDs
                                    -i, --input=input            (required) Path to the DISA STIG XCCDF file
                                    -l, --lineLength=lineLength  [default: 80] Characters between lines within InSpec controls
                                    -e, --encodingHeader         Add the "# encoding: UTF-8" comment at the top of each control
                                    -m, --metadata=metadata      Path to a JSON file with additional metadata for the inspec.yml file
                                    -o, --output=output          (required) [default: profile]
                                    -r, --useVulnerabilityId     Use Vulnerability IDs (ex. 'SV-XXXXX') instead of Group IDs (ex. 'V-XXXXX') for InSpec control IDs
                                    -s, --singleFile             Output the resulting controls as a single file
                                

                                To learn how to use saf generate xccdf2inspec_stub, go to the saf-cli homepage at https://saf-cli.mitre.org/#generate, which lists all of its options and capabilities as well as the other utilities provided by the saf-cli.

                                # Example 'Stub' Control SV-230502

                                Let's take a look at one of the stubs created by the saf generate xccdf2inspec_stub command:

                                control 'SV-230502' do
                                  title 'The RHEL 8 file system automounter must be disabled unless required.'
                                  desc  "Automatically mounting file systems permits easy introduction of
                                unknown devices, thereby facilitating malicious activity."
                                  desc  'rationale', ''
                                  desc  'check', "
                                    Verify the operating system disables the ability to automount devices.
                                
                                    Check to see if automounter service is active with the following command:
                                
                                    Note: If the autofs service is not installed, this requirement is not
                                applicable.
                                
                                    $ sudo systemctl status autofs
                                
                                    autofs.service - Automounts filesystems on demand
                                    Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
                                    Active: inactive (dead)
                                
                                    If the \"autofs\" status is set to \"active\" and is not documented with
                                the Information System Security Officer (ISSO) as an operational requirement,
                                this is a finding.
                                  "
                                  desc 'fix', "
                                    Configure the operating system to disable the ability to automount devices.
                                
                                    Turn off the automount service with the following commands:
                                
                                    $ sudo systemctl stop autofs
                                    $ sudo systemctl disable autofs
                                
                                    If \"autofs\" is required for Network File System (NFS), it must be
                                documented with the ISSO.
                                  "
                                  impact 0.5
                                  tag severity: 'medium'
                                  tag gtitle: 'SRG-OS-000114-GPOS-00059'
                                  tag gid: 'V-230502'
                                  tag rid: 'SV-230502r627750_rule'
                                  tag stig_id: 'RHEL-08-040070'
                                  tag fix_id: 'F-33146r568253_fix'
                                  tag cci: ['CCI-000778']
                                  tag nist: ['IA-3']
                                
                                  # ...add your describe blocks here ... #
                                
                                end
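
As an added illustration (not the SAF CLI's implementation and not code from this course), the Ruby sketch below shows the kind of mapping that turns an XCCDF Group/Rule into a stub like SV-230502 above, including the control ID choices behind the default, -r and -S options. The XML fragment is constructed, and the helper names (kids, stub_controls), the low/high impact values and the use of String#inspect for quoting are assumptions.

```ruby
require 'rexml/document'
# Constructed XCCDF fragment; IDs, titles and severity come from the stub above.
SAMPLE_XCCDF = <<~XML
  <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed_sample">
    <Group id="V-230502">
      <title>SRG-OS-000114-GPOS-00059</title>
      <Rule id="SV-230502r627750_rule" severity="medium">
        <version>RHEL-08-040070</version>
        <title>The RHEL 8 file system automounter must be disabled unless required.</title>
        <ident system="http://cyber.mil/cci">CCI-000778</ident>
      </Rule>
    </Group>
  </Benchmark>
XML

# 'medium' => 0.5 matches the stub above; the low/high values are assumed.
IMPACT = { 'low' => 0.3, 'medium' => 0.5, 'high' => 0.7 }.freeze

# Child elements by local name, so the XCCDF default namespace is irrelevant.
def kids(element, name)
  element.children.grep(REXML::Element).select { |c| c.name == name }
end

# id_style mirrors the CLI options: :group (default), :vuln (-r), :stig (-S).
def stub_controls(xml, id_style: :group)
  kids(REXML::Document.new(xml).root, 'Group').filter_map do |group|
    rule = kids(group, 'Rule').first
    next unless rule # a Group without a Rule produces no control
    gid, rid = group.attributes['id'], rule.attributes['id']
    stig_id = kids(rule, 'version').first&.text.to_s
    severity = rule.attributes['severity']
    id = { group: gid, vuln: rid[/\ASV-\d+/], stig: stig_id }.fetch(id_style)
    # String#inspect emits a Ruby literal with quotes and '#{' escaped, so
    # benchmark text cannot inject code into the generated control file.
    <<~STUB
      control #{id.inspect} do
        title #{kids(rule, 'title').first&.text.to_s.inspect}
        impact #{IMPACT.fetch(severity)}
        tag severity: #{severity.inspect}
        tag gtitle: #{kids(group, 'title').first&.text.to_s.inspect}
        tag gid: #{gid.inspect}
        tag rid: #{rid.inspect}
        tag stig_id: #{stig_id.inspect}
        tag cci: #{kids(rule, 'ident').map(&:text).inspect}
        # ...add your describe blocks here ... #
      end
    STUB
  end
end
```

The nist tag in the real stub comes from a CCI-to-NIST mapping file, which this sketch leaves out; an unknown severity raises KeyError instead of silently emitting a control with no impact.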
                                

                                # Completed SV-230502 Control

                                Let's take a look at how we would write the InSpec control for SV-230502:

                                control 'SV-230502' do
                                  title 'The RHEL 8 file system automounter must be disabled unless required.'
                                  desc  "Automatically mounting file systems permits easy introduction of
                                unknown devices, thereby facilitating malicious activity."
                                  desc  'rationale', ''
                                  desc  'check', "
                                    Verify the operating system disables the ability to automount devices.
                                
                                    Check to see if automounter service is active with the following command:
                                
                                    Note: If the autofs service is not installed, this requirement is not
                                applicable.
                                
                                    $ sudo systemctl status autofs
                                
                                    autofs.service - Automounts filesystems on demand
                                    Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
                                    Active: inactive (dead)
                                
                                    If the \"autofs\" status is set to \"active\" and is not documented with
                                the Information System Security Officer (ISSO) as an operational requirement,
                                this is a finding.
                                  "
                                  desc 'fix', "
                                    Configure the operating system to disable the ability to automount devices.
                                
                                    Turn off the automount service with the following commands:
                                
                                    $ sudo systemctl stop autofs
                                    $ sudo systemctl disable autofs
                                
                                    If \"autofs\" is required for Network File System (NFS), it must be
                                documented with the ISSO.
                                  "
                                  impact 0.5
                                  tag severity: 'medium'
                                  tag gtitle: 'SRG-OS-000114-GPOS-00059'
                                  tag gid: 'V-230502'
                                  tag rid: 'SV-230502r627750_rule'
                                  tag stig_id: 'RHEL-08-040070'
                                  tag fix_id: 'F-33146r568253_fix'
                                  tag cci: ['CCI-000778']
                                  tag nist: ['IA-3']
                                
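                                  # Container aware: inside a Docker container the control is reported
                                  # as Not Applicable (impact 0.0) and the checks are skipped.
                                  if virtualization.system.eql?('docker')
                                    impact 0.0
                                    describe "Control not applicable within a container" do
                                      skip "Control not applicable within a container"
                                    end
                                  else
                                    # Only test the service when the autofs package is present.
                                    if package('autofs').installed?
                                      describe systemd_service('autofs.service') do
                                        it { should_not be_running }
                                        it { should_not be_enabled }
                                        it { should_not be_installed }
                                      end
                                    else
                                      # Per the check text, a system without autofs is Not Applicable.
                                      impact 0.0
                                      describe 'The autofs service is not installed' do
                                        skip 'The autofs service is not installed, this control is Not Applicable.'
                                      end
                                    end
                                  end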
                                end
                                

                                # Getting Started on the RHEL8 Baseline

                                # Controls We Will Demonstrate

                                • SV-230324 <---login_defs resource
                                • SV-230250 <---directory resource
                                • SV-230243 <---directory looping & file resource
                                • SV-230505 <---non applicable use case & package resource

                                # Suggested Level 1 Controls

                                • SV-230383 <---login_defs resource
                                • SV-230249 <---directory resource
                                • SV-230242 <---directory looping & file resource
                                • SV-230241 <---non applicable use case & package resource

                                # Suggested Level 2 Controls

                                • SV-230281 <---parse config file
                                • SV-230365 <---login_defs resource
                                • SV-230264 <---file content

                                # Suggested InSpec Resources to Review

                                • command
                                • file
                                • directory
                                • parse_config_file
                                • package
                                • login_defs

                                # Completed RHEL8 Profile for Reference

                                Below is the link to the completed RHEL8 InSpec profile for reference, and a few things to take note of.

                                1. redhat-enterprise-linux-8-stig-baseline

                                Key Elements in this Profile

                                • The use of impact 0 for NA & Container Aware Controls
                                • How we make the controls container aware, and
                                • The fail fast approach to testing execution.
                                Last update: 5/22/2022, 10:43:36 PM
                                Contributors: Aaron Lippold
                                Apache-2.0 | Copyright © 2022 - The MITRE Corporation
                                Copyright © 2022 Aaron Lippold