
Checklist is generated with no status changes

Open sgtwtf opened this issue 2 years ago • 1 comments

Describe the bug

Ran Start-DSCEAscan -moffile (moffile.xlm) -computername localhost -outputfile c:\folder\ and it generates a results...xml file. Tried to import that into DISA STIG Viewer but it errored about the file, so I generated a checklist:

    New-StigCheckList -ReferenceConfiguration $ReferenceConfiguration -XccdfPath $XccdfPath -OutputPath $outputPath

This generated a checklist file, checklist.ckl, but all of the statuses are set to "not reviewed" for results that the XML file shows as False under "DesiredState".

To Reproduce

  1. Run Start-DSCEAscan -moffile (moffile.xlm) -computername localhost -outputfile c:\folder\ and it generates a results...xml as expected.
  2. Run New-StigCheckList -ReferenceConfiguration $ReferenceConfiguration -XccdfPath $XccdfPath -OutputPath $outputPath; the checklist has all the <STATUS> set to "not reviewed" despite the findings in the XML file.

Expected behavior

I would expect the checklist to get updated from the XML results file to reflect the scan results.

Screenshots

no errors

Additional context

none

sgtwtf avatar Jan 06 '22 21:01 sgtwtf

At the very least, you are using the wrong call for New-StigCheckList. Using the -ReferenceConfiguration parameter causes the command to create an entirely unreviewed checklist based on the MOF. This is basically the same as creating a checklist in STIG Viewer and assigning the various STIGs you included in your DSC profile.

Instead, you want to use the -DscResult parameter group.

First, capture the results of your DSCEAscan back into a PowerShell object:

    $auditResults = Import-CliXml "C:\folder\results...xml"

Then create the checklist based on the results, not based on the reference document:

    New-StigCheckList -DscResult $auditResults -XccdfPath $XccdfPath -OutputPath $outPath

That is how you're supposed to create a checklist file based upon the DSC scan results.

Note that as I write this I'm searching the board for issues with setting the STATUS element in the checklist file created by using the -DscResult parameter group -- on my test PC the status for each STIG is still showing "not reviewed" instead of "open" or "no finding." So you may still have an issue (I haven't seen if this is systemic or just my one test PC), but at least this is the proper way to attempt it.

ImperatorRuscal avatar Oct 27 '23 18:10 ImperatorRuscal
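
A check for the symptom discussed in this thread, as an added example that is not part of the issue or of PowerStig: it tallies the <STATUS> values in a checklist and flags one where every entry is still Not_Reviewed. The function name, the sample checklist and its V- numbers are constructed; the element layout and status spellings assume the STIG Viewer .ckl format.

```powershell
# Added example (not PowerStig code): tally <STATUS> values in a .ckl document.
function Get-CklStatusSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [xml] $Checklist)

    # Assumed .ckl layout: each <VULN> holds STIG_DATA pairs and one <STATUS>.
    $rows = @(foreach ($vuln in $Checklist.SelectNodes('//VULN')) {
        $idNode     = $vuln.SelectSingleNode("STIG_DATA[VULN_ATTRIBUTE='Vuln_Num']/ATTRIBUTE_DATA")
        $statusNode = $vuln.SelectSingleNode('STATUS')
        [pscustomobject]@{
            VulnId = if ($idNode) { $idNode.InnerText } else { '(no id)' }
            Status = if ($statusNode) { $statusNode.InnerText.Trim() } else { '(missing)' }
        }
    })

    # Count entries per status value.
    $counts = @{}
    foreach ($group in ($rows | Group-Object -Property Status)) {
        $counts[$group.Name] = $group.Count
    }

    $unreviewed = @($rows | Where-Object { $_.Status -eq 'Not_Reviewed' })
    [pscustomobject]@{
        Total         = $rows.Count
        Counts        = $counts
        # True when the checklist carries no scan results at all.
        AllUnreviewed = ($rows.Count -gt 0 -and $unreviewed.Count -eq $rows.Count)
        Rows          = $rows
    }
}

# Constructed sample showing the symptom: every entry is Not_Reviewed.
$sample = [xml]@'
<CHECKLIST><STIGS><iSTIG>
  <VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA><STATUS>Not_Reviewed</STATUS></VULN>
  <VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA><STATUS>Not_Reviewed</STATUS></VULN>
</iSTIG></STIGS></CHECKLIST>
'@

# For a real file: Get-CklStatusSummary -Checklist ([xml](Get-Content -Raw $outPath))
$summary = Get-CklStatusSummary -Checklist $sample
if ($summary.AllUnreviewed) {
    Write-Warning "All $($summary.Total) entries are Not_Reviewed; no scan results reached the checklist."
}
$summary.Rows | Format-Table -AutoSize
```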