Dedupe NIST tags for 2inspec tools

Open rlakey opened this issue 2 years ago • 5 comments

STIG controls with multiple SRG IDs, and therefore multiple CCIs, often reference the same NIST control family. When running, for example, xccdf2inspec and this scenario occurs, there will be multiple NIST tags that are the same.

For example:

  tag severity: 'medium'
  tag gtitle: 'SRG-OS-000004-GPOS-00004'
  tag satisfies: ['SRG-OS-000004-GPOS-00004', 'SRG-OS-000239-GPOS-00089', 'SRG-OS-000240-GPOS-00090', 'SRG-OS-000241-GPOS-00091', 'SRG-OS-000303-GPOS-00120', 'SRG-OS-000476-GPOS-00221']
  tag gid: 'V-205625'
  tag rid: 'SV-205625r569188_rule'
  tag stig_id: 'WN19-AU-000100'
  tag fix_id: 'F-5890r354794_fix'
  tag cci: ['CCI-000018', 'CCI-001403', 'CCI-001405', 'CCI-001404', 'CCI-002130', 'CCI-000172']
  tag legacy: ['SV-103067', 'V-92979']
  tag nist: ['AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', 'AC-2 (4)', "AU-12 c"]

rlakey avatar Oct 08 '21 14:10 rlakey

@ejaronne Do you have any input on this? I believe I mentioned this to you at one point and you suggested leaving the duplicates for conversion back to xccdf but I could be misremembering the conversation.

rbclark avatar Nov 23 '21 23:11 rbclark

This is intended to emulate exactly the related controls from the DISA STIG itself. It is not a duplication. In this case, multiple CCIs support different aspects of AC-2(4), as shown in the DISA STIG Viewer: [image]

ejaronne avatar Nov 23 '21 23:11 ejaronne

However, the other thing I would note here is that since we don’t actually keep the relationship intact, there really isn’t any need to have multiple data elements in the array. If we ever needed to find the association, we could look at the XML and the CCI to find out which 853 control it belongs to.

aaronlippold avatar Nov 24 '21 00:11 aaronlippold

Just wanted to bring this back up. I believe it still is a duplication of data. STIG Viewer displays this data differently, as it shows each CCI and its corresponding NIST control family, whereas in InSpec these are separate lists with no relation of CCI to NIST and should be deduped.

The NIST data isn't even in the XCCDF so converting back and forth should not be a concern. STIG Viewer is adding that data based on CCI and so are all of the MITRE tools.

rlakey avatar Mar 14 '23 14:03 rlakey

Yes, I think we can add a uniq to the cci and nist tag generator

aaronlippold avatar Mar 15 '23 15:03 aaronlippold
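
As an added example (not part of the thread and not code from the saf tools), one way to apply the `uniq` discussed above while keeping the CCI-to-NIST association available outside the flat tag arrays. The lookup table, `build_tags` and `render_tag` are hypothetical; the pairings are an assumption inferred from the order of the cci and nist arrays in the issue's example.

```ruby
# Added example, not code from the saf project.
# Constructed lookup: pairings inferred from the positional order of the
# cci and nist arrays in the issue's example (assumption).
CCI_TO_NIST = {
  'CCI-000018' => 'AC-2 (4)',
  'CCI-001403' => 'AC-2 (4)',
  'CCI-001405' => 'AC-2 (4)',
  'CCI-001404' => 'AC-2 (4)',
  'CCI-002130' => 'AC-2 (4)',
  'CCI-000172' => 'AU-12 c'
}.freeze

# Hypothetical helper: build de-duplicated cci and nist tag values.
# Order of first appearance is kept; CCIs missing from the lookup are
# reported instead of being silently dropped.
def build_tags(ccis, lookup = CCI_TO_NIST)
  unique_ccis = ccis.uniq
  unmapped = unique_ccis.reject { |cci| lookup.key?(cci) }
  mapped = unique_ccis - unmapped
  {
    cci: unique_ccis,
    nist: mapped.map { |cci| lookup[cci] }.uniq,
    # The CCI-to-control relationship, kept outside the flat tag arrays.
    cci_by_nist: mapped.group_by { |cci| lookup[cci] },
    unmapped: unmapped
  }
end

# Render one InSpec tag line in the style of the issue's example.
def render_tag(name, values)
  "  tag #{name}: [#{values.map { |v| "'#{v}'" }.join(', ')}]"
end

if __FILE__ == $PROGRAM_NAME
  tags = build_tags(%w[CCI-000018 CCI-001403 CCI-001405
                       CCI-001404 CCI-002130 CCI-000172])
  puts render_tag(:cci, tags[:cci])
  puts render_tag(:nist, tags[:nist])
  tags[:cci_by_nist].each { |nist, ccis| puts "  # #{nist} <= #{ccis.join(', ')}" }
end
```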