
saf generate delta - support for parameterized baseline content

Open ejaronne opened this issue 1 year ago • 3 comments

To make overlays easier, baselines are being updated to be more flexible. Not only are inputs used in describe blocks, but also within title, description default, check, fix text, etc.

https://github.com/CMSgov/redhat-enterprise-linux-8-stig-baseline/blob/7b3a7b16c53ac14a0528b1ccb5be5b6e1ff4aba7/controls/SV-230336.rb#L2

ejaronne avatar Oct 20 '22 16:10 ejaronne

Delta works using the JSON of the InSpec profile that we are updating (inspec json <profile> > profile.json). inspec json is evaluating the strings in the profile's .rb files before adding them to the JSON. A control with #{some_input} in the description will be recorded as some_input's value in the JSON.

So if the baseline control file has variables in the text for things like the org name, those variables will be evaluated and replaced with the input before the comparison happens. So a control like this:

```ruby
control 'SV-230336' do
  title "RHEL 8 must automatically lock an account #{input('lockout_time') == 0 ? 'until the locked account is released by an administrator' : "for #{input('lockout_time')/60} minutes"} when #{input('unsuccessful_attempts')} unsuccessful logon attempts occur during a #{input('fail_interval')/60}-minute time period."
end
```

```json
{
  "id": "SV-230336",
  "title": "RHEL 8 must automatically lock an account until the locked account is\nreleased by an administrator when three unsuccessful logon attempts occur\nduring a 15-minute time period."
}
```

However an InSpec JSON also includes the raw code of the control file, so we can see the #{input()} syntax in that field.

So we can compare between a profile with variables in the descriptions and an XCCDF just fine as long as we always use the default STIG values as the default inputs. But if there is any other change in the description, delta will replace it with the raw STIG text and lose the variable.

wdower avatar Oct 20 '22 20:10 wdower
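The mechanism wdower describes above, as an added illustration for this thread (this is not code from saf, delta or InSpec): a stand-in resolver shows how `inspec json` flattens `#{input(...)}` in a title into plain text, and a code-aware re-templating step shows one way delta could use the `controls.code` field to map the rendered input values back to their expressions after the STIG text changes. The input defaults, the `InputResolver` class and the revised STIG wording are constructed assumptions; the title literal is copied from the control quoted above, with `0?` written as `0 ?`.

```ruby
# Constructed input defaults. lockout_time 0 selects the "until released" branch,
# matching the JSON title quoted in the thread; the other two values are assumed.
INPUT_DEFAULTS = {
  'lockout_time'          => 0,    # seconds; 0 => locked until an admin releases it
  'unsuccessful_attempts' => 3,
  'fail_interval'         => 900   # seconds
}.freeze

# Minimal stand-in for InSpec's input() helper (assumption, not InSpec's class),
# so the interpolated title expressions can be evaluated against a value set.
class InputResolver
  def initialize(values)
    @values = values
  end

  def input(name)
    @values.fetch(name) { raise KeyError, "no input '#{name}'" }
  end
end

# Body of the title literal as it appears in controls.code (outer quotes omitted).
# %q{} does not interpolate, so the #{...} expressions stay as source text.
RAW_TITLE = %q{RHEL 8 must automatically lock an account #{input('lockout_time') == 0 ? 'until the locked account is released by an administrator' : "for #{input('lockout_time')/60} minutes"} when #{input('unsuccessful_attempts')} unsuccessful logon attempts occur during a #{input('fail_interval')/60}-minute time period.}

# Constructed revision of the STIG wording ("logon" -> "login") to update against.
NEW_STIG_TITLE = 'RHEL 8 must automatically lock an account until the locked account is released by an administrator when 3 unsuccessful login attempts occur during a 15-minute time period.'

# Split a literal body into [[:text, "..."], [:interp, "expr"], ...], matching
# #{ ... } by brace depth so nested interpolations inside an expression survive.
def split_segments(body)
  segments = []
  buf = +''
  i = 0
  while i < body.length
    if body[i, 2] == '#{'
      segments << [:text, buf] unless buf.empty?
      buf = +''
      depth = 1
      j = i + 2
      while j < body.length && depth > 0
        depth += 1 if body[j] == '{'
        depth -= 1 if body[j] == '}'
        j += 1
      end
      raise ArgumentError, 'unbalanced #{ in literal' unless depth.zero?
      segments << [:interp, body[(i + 2)...(j - 1)]]
      i = j
    else
      buf << body[i]
      i += 1
    end
  end
  segments << [:text, buf] unless buf.empty?
  segments
end

# What `inspec json` effectively does: resolve every interpolation against the
# inputs and keep only the rendered text, which is what lands in the JSON title.
def render_title(body, inputs = INPUT_DEFAULTS)
  resolver = InputResolver.new(inputs)
  split_segments(body).map { |kind, s| kind == :text ? s : resolver.instance_eval(s).to_s }.join
end

# Code-aware update: keep the new STIG wording, but for each interpolation in the
# raw code swap its rendered value back to the #{...} expression. Values are
# searched left to right from the previous match, so a value that occurs more than
# once (e.g. "15" in "for 15 minutes" and "15-minute") is mapped in source order.
# Returns [retemplated_body, expressions whose rendered value was not found].
def retemplate(raw_body, new_text, inputs = INPUT_DEFAULTS)
  resolver = InputResolver.new(inputs)
  out = +''
  unmapped = []
  cursor = 0
  split_segments(raw_body).each do |kind, s|
    next if kind == :text
    value = resolver.instance_eval(s).to_s
    idx = value.empty? ? nil : new_text.index(value, cursor)
    if idx.nil?
      unmapped << s          # caller must decide: keep the literal text and flag it
      next
    end
    out << new_text[cursor...idx] << '#{' << s << '}'
    cursor = idx + value.length
  end
  out << new_text[cursor..]
  [out, unmapped]
end

if __FILE__ == $PROGRAM_NAME
  puts render_title(RAW_TITLE)
  body, missing = retemplate(RAW_TITLE, NEW_STIG_TITLE)
  puts body
  warn "could not map back: #{missing.inspect}" unless missing.empty?
end
```

When the rendered value is absent from the new text (for instance the STIG spells the count "three" while the input renders as `3`), the expression is reported in the second return value rather than silently dropped, which is exactly the case where a naive text replacement loses the variable.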

> But if there is any other change in the description, delta will replace it with the raw STIG text and lose the variable.

Hence the reason for the issue. Ultimately we shouldn't have to re-do all of those variables after delta runs. This infers that delta needs to gain insight from what it sees in the profile json controls.code section.

ejaronne avatar Oct 20 '22 20:10 ejaronne