saf
inspec2xccdf does not generate benchmark metadata that matches DISA's
When generating xccdf with inspec_tools and importing it into STIG Viewer it does not display the same metadata at the top of a control as a DISA generated xccdf.
inspec_tools example:
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="VMW_Photon_OS_3.0_STIG_Readiness_Guide">
<status date="20 Jul 2021">draft</status>
<title>VMware Photon OS 3.0 STIG Readiness Guide</title>
<reference href="https://github.com/vmware/dod-compliance-and-automation/tree/master/photon/3.0">
<dc:publisher>VMware</dc:publisher>
<dc:source>https://github.com/vmware/dod-compliance-and-automation</dc:source>
</reference>
<version>1, Release: 2</version>
Updated to match DISA:
<?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?>
<Benchmark
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cpe="http://cpe.mitre.org/language/2.0"
xmlns:xhtml="http://www.w3.org/1999/xhtml"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="VMW_Photon_OS_3.0_STIG_Readiness_Guide" xml:lang="en"
xmlns="http://checklists.nist.gov/xccdf/1.1">
<status date="2021-07-20">draft</status>
<title>VMware Photon OS 3.0 STIG Readiness Guide</title>
<description>This project represents VMware's effort to document our compliance against the SRG requirements and nothing more. A published STIG is our eventual goal, in most cases, but this content should not be viewed to be "as good as a STIG". A DISA published STIG includes technical validation, review of requirement fulfillment, accuracy and style, risk acceptance and is digitally signed by the RME and posted on a .mil. This SRG content is intended to provided value to our partners while the STIGs are in process. Except for products that have published STIGs already, there is no explicit or implied DISA approval of the provided content.</description>
<notice id="terms-of-use" xml:lang="en"></notice>
<front-matter xml:lang="en"></front-matter>
<rear-matter xml:lang="en"></rear-matter>
<reference href="https://github.com/vmware/dod-compliance-and-automation">
<dc:publisher>VMware</dc:publisher>
<dc:source>https://github.com/vmware/dod-compliance-and-automation</dc:source>
</reference>
<plain-text id="release-info">Release: 2 Benchmark Date: 20 Jul 2021</plain-text>
<plain-text id="generator">3.2.2.36079</plain-text>
<plain-text id="conventionsVersion">1.10.0</plain-text>
<version>1</version>
related https://github.com/mitre/inspec_tools/issues/212
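A header check built from the differences between the two snippets in the issue above, as an added example (not code from inspec_tools or from anyone in this thread). The function name, the element lists and the closed-off sample headers are constructed for illustration; the lists cover only what the two snippets show and are not a DISA specification.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.1}"
# Header items present in the DISA-style snippet but absent from the inspec_tools one.
DISA_ELEMENTS = ["description", "notice", "front-matter", "rear-matter"]
DISA_PLAIN_TEXT_IDS = ["release-info", "generator", "conventionsVersion"]

# Constructed samples: the two headers from the issue, trimmed and closed so they parse.
INSPEC_TOOLS_HEADER = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="VMW_Photon_OS_3.0_STIG_Readiness_Guide">
<status date="20 Jul 2021">draft</status>
<title>VMware Photon OS 3.0 STIG Readiness Guide</title>
<version>1, Release: 2</version>
</Benchmark>"""

DISA_STYLE_HEADER = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="VMW_Photon_OS_3.0_STIG_Readiness_Guide" xml:lang="en">
<status date="2021-07-20">draft</status>
<title>VMware Photon OS 3.0 STIG Readiness Guide</title>
<description>constructed placeholder</description>
<notice id="terms-of-use" xml:lang="en"></notice>
<front-matter xml:lang="en"></front-matter>
<rear-matter xml:lang="en"></rear-matter>
<plain-text id="release-info">Release: 2 Benchmark Date: 20 Jul 2021</plain-text>
<plain-text id="generator">3.2.2.36079</plain-text>
<plain-text id="conventionsVersion">1.10.0</plain-text>
<version>1</version>
</Benchmark>"""

def audit_benchmark_header(xml_text):
    """List where a Benchmark header differs from the DISA-style header in the issue."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "Benchmark":
        return [f"root element {root.tag!r} is not an XCCDF 1.1 Benchmark"]
    findings = []
    status = root.find(NS + "status")
    date = status.get("date", "") if status is not None else ""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", date):
        findings.append(f"status date {date!r} is not YYYY-MM-DD")
    for name in DISA_ELEMENTS:
        if root.find(NS + name) is None:
            findings.append(f"missing <{name}>")
    ids = {pt.get("id") for pt in root.findall(NS + "plain-text")}
    for pid in DISA_PLAIN_TEXT_IDS:
        if pid not in ids:
            findings.append(f"missing <plain-text id={pid!r}>")
    version = (root.findtext(NS + "version") or "").strip()
    if "Release" in version:
        findings.append(f"<version> {version!r} carries the release; the DISA-style header puts it in release-info")
    return findings
```

ElementTree is adequate for XCCDF you generated yourself; for files from an untrusted source, parse with a hardened parser such as defusedxml.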
@rlakey is this behavior present when you are using a metadata.json to provide this information?
Is this closed by mitre/inspec_tools#246?
I don't think so because this is discussing inspec2xccdf not inspec2ckl.
> @rlakey is this behavior present when you are using a metadata.json to provide this information?
I haven't tried that since I was assuming this would come from the attributes yaml.
Sorry about asking a beginner's (Inspec/Ruby) question here because I don't know where to pose it - how do I set up Inspec_Tools on a Windows machine (running inspec-4.50.3.1-x64 and rubyinstaller-3.0.3-1-x64.exe)? I have recently started to use a PowerShell script, but can't seem to get the call to the inspec_tools command to work.
$cklCommand = {inspec_tools inspec2ckl -j $reportFile -o $cklFile}
Invoke-Command -ScriptBlock $cklCommand