I don't think the issue with STIG Viewer not taking the xccdf results is because of oscap, but because the SSG content doesn't have the necessary reference IDs.
I just tried using the RHEL 7 SSG content with the SPAWAR SCC tool and tried importing the xccdf file into a RHEL 7 STIG checklist and it wasn't able to match any results. My guess is that STIG Viewer uses the "Rule ID" to match instead of the "STIG ID". The STIG IDs are in the xccdf results file from the SSG content, but the Rule IDs are nowhere to be found. The Rule ID is probably used because that is updated with each revision of the STIG whereas the STIG ID is static.
v/r, Brian Reese
-----Original Message-----
From: Shawn Wells [mailto:shawn@redhat.com]
Sent: Friday, August 18, 2017 4:36 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: [Non-DoD Source] scap-security-guide Digest, Vol 71, Issue 12
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
----
On 8/18/17 3:43 PM, Mackanick, Jason W CIV DISA RE (US) wrote:
While I am verifying with our end. Which file format is Trevor and David trying to use? Also, please ensure you have the latest version from:
Caution-http://iasecontent.disa.mil/stigs/zip/U_STIGViewer-2.5.4.zip
I am checking with my counterparts to confirm, but we believe this has been updated for 1.2.
Hey Jason,
Here are some XCCDF and ARF result files for you to test with, in case you don't have easy access to RHEL7 + OpenSCAP:
Caution-http://people.redhat.com/swells/oscap-results-for-disa/disa-arf-results.xml
Caution-http://people.redhat.com/swells/oscap-results-for-disa/disa-xccdf-results.xml
Also uploaded SCAP 1.2 and 1.3 formatted XCCDF checklists:
Caution-http://people.redhat.com/swells/oscap-results-for-disa/ssg-rhel7-xccdf-1.2.xml
Caution-http://people.redhat.com/swells/oscap-results-for-disa/ssg-rhel7-xccdf-1.3.xml
I've been using STIGViewer-2.5.3.jar. No change with 2.5.4.
Thanks so much for engaging on this!
Shawn
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Hi All,
I did some digging around with the materials that Shawn provided and the latest STIGViewer from the website and I discovered that both the Group ID and the Rule ID must match for the result to be applied.
I randomly changed a few items to just make *something* show up and, indeed, when both identifiers were changed to match the version from the published DISA STIG, they showed properly in the checklist file.
From a quick glance, it looks like the relevant material is actually in the SSG so it may be possible to construct an XSLT that will allow an automatic translation between the two formats.
That said, this is pretty much as far as I'm going down this rabbit hole. Hopefully it helps.
Trevor
Trevor, nice work, I doubt a simple script wouldn't do what's needed though.
Matthew Conley 912-398-6704
Oh, I never said the script would be simple, I only said that all of the relevant information was present....
Ok, I couldn't let it go for various reasons.
The following is the minimal viable test results XML file that makes the STIGViewer do something useful.
I have a use for this in particular and hopefully it helps in the search for sanity.
The fact that the STIGViewer checklist export doesn't have an associated schema is not thrilling.
## BEGIN XML ##
<?xml version="1.0" encoding="UTF-8"?>
<TestResult id="I Love Testing"
  xmlns="http://checklists.nist.gov/xccdf/1.2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xml:lang="en-US"
  style="SCAP_1.2"
  start-time="1970-01-01T00:00:00"
  end-time="1970-01-01T00:00:01">
  <benchmark>RHEL_7_STIG</benchmark>

  <!-- Useful but not required -->
  <remark>Minimal Valid Test Results</remark>
  <organization>Friday Night Party!</organization>
  <target>localhost.localdomain</target>
  <score>100.0</score>
  <!-- End: useful but not required -->

  <target-address>127.0.0.1</target-address>
  <target-facts>
    <!-- These fill out the fields in the 'Target Data' part of the viewer -->
    <fact name="urn:xccdf:asset:identifier:mac" type="string">00:00:00:00:00:00</fact>
    <fact name="urn:xccdf:asset:identifier:host_name" type="string">localhost</fact>
    <fact name="urn:xccdf:asset:identifier:fqdn" type="string">localhost.localdomain</fact>
  </target-facts>

  <rule-result idref="SV-86687r4_rule">
    <result>pass</result>
  </rule-result>
</TestResult>
## END XML ##
Thanks,
Trevor
Josh Springer, a consultant at Red Hat, generated this STIG Viewer checklist: https://raw.githubusercontent.com/josh-springer/ansible-role-rhel7-stig/mast...
Still going through it myself.... but should be easy enough to transform SCAP content into DISA's schema.
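The translation this thread converges on, SSG results re-keyed to DISA Rule IDs and written in the shape of the minimal file posted above, as an added example that is not code from any poster or from the SSG project. It relies on DISA's XCCDF keeping the STIG ID in each Rule's `<version>` element and assumes each SSG `<Rule>` has a single `<reference>` holding its STIG ID (real SSG rules carry several references, so one would select by `href`); all IDs and function names are constructed, and only `<benchmark>` and `<rule-result>` are emitted.

```python
import xml.etree.ElementTree as ET

XCCDF12 = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample inputs; every ID below is a placeholder, not a real STIG entry.
SSG_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="ssg-constructed">
  <Rule id="ssg_rule_a"><reference href="constructed">EXAMPLE-07-000001</reference></Rule>
  <Rule id="ssg_rule_b"><reference href="constructed">EXAMPLE-07-000002</reference></Rule>
  <Rule id="ssg_rule_c"/>
  <TestResult id="constructed-run">
    <rule-result idref="ssg_rule_a"><result>pass</result></rule-result>
    <rule-result idref="ssg_rule_b"><result>fail</result></rule-result>
    <rule-result idref="ssg_rule_c"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""
DISA_STIG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="CONSTRUCTED_STIG">
  <Group id="V-00001"><Rule id="SV-00001r1_rule"><version>EXAMPLE-07-000001</version></Rule></Group>
  <Group id="V-00002"><Rule id="SV-00002r3_rule"><version>EXAMPLE-07-000002</version></Rule></Group>
</Benchmark>"""

def local(tag):
    """Drop the '{namespace}' prefix so XCCDF 1.1 and 1.2 inputs both match."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name and child.text:
            return child.text.strip()
    return None

def translate(ssg_results_xml, disa_benchmark_xml, benchmark_name):
    """Return (TestResult XML keyed by DISA Rule ID, unmatched SSG rule ids)."""
    # DISA benchmark: STIG ID is the <version> text, Rule ID is the Rule's id attribute.
    rule_id_for = {}
    for rule in find_all(ET.fromstring(disa_benchmark_xml), "Rule"):
        stig_id = child_text(rule, "version")
        if stig_id:
            rule_id_for[stig_id] = rule.get("id")
    ssg = ET.fromstring(ssg_results_xml)
    # Assumption: each SSG <Rule> carries its STIG ID in a <reference> child.
    stig_id_for = {r.get("id"): child_text(r, "reference") for r in find_all(ssg, "Rule")}

    ET.register_namespace("", XCCDF12)  # serialize with a default xmlns, as in the post
    out = ET.Element(f"{{{XCCDF12}}}TestResult", {"id": "translated"})
    ET.SubElement(out, f"{{{XCCDF12}}}benchmark").text = benchmark_name
    unmatched = []
    for rr in find_all(ssg, "rule-result"):
        disa_id = rule_id_for.get(stig_id_for.get(rr.get("idref")))
        if disa_id is None:
            unmatched.append(rr.get("idref"))  # STIG Viewer would not match this result
            continue
        new = ET.SubElement(out, f"{{{XCCDF12}}}rule-result", {"idref": disa_id})
        ET.SubElement(new, f"{{{XCCDF12}}}result").text = child_text(rr, "result")
    return ET.tostring(out, encoding="unicode"), unmatched

if __name__ == "__main__":
    xml_out, missing = translate(SSG_RESULTS, DISA_STIG, "RHEL_7_STIG")
    print(xml_out)
    print("no DISA Rule ID found for:", missing)
```

The list of unmatched rule ids matters for review: a result with no corresponding DISA Rule ID never reaches the checklist, so it has to be reported rather than dropped silently.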