George M. Dias edited this page Nov 6, 2024 · 3 revisions

Profile prep - Before running delta

For instructions on how to develop an InSpec profile, see How to generate an InSpec profile from a STIG.

To limit the delta output to the meaningful changes from the guidance update, first format the profile the same way delta will write it. To do this, perform the following actions in the repository where you are running the delta process:

1. Run cookstyle
  • Install the cookstyle gem on your development environment

    a. To install the gem use: gem install cookstyle

    b. To verify that the gem is installed use: gem list cookstyle

  • Create a .rubocop.yml file with the contents listed below. Alternatively, you can change these settings from the command line.

    Style/WordArray:
      Description: 'Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)'
      Enabled: false

    Style/RedundantPercentQ:
      Enabled: true

    Style/NestedParenthesizedCalls:
      Enabled: false

    Style/TrailingCommaInHashLiteral:
      Description: 'https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral'
      Enabled: true
      EnforcedStyleForMultiline: no_comma

    Style/TrailingCommaInArrayLiteral:
      Enabled: true
      EnforcedStyleForMultiline: no_comma

    Style/BlockDelimiters:
      Enabled: false

  • Run cookstyle -a ./controls to lint (modify) the controls into cookstyle format
  • Run any tests that you may have for your profile
2. Run the SAF CLI command `saf generate update_controls4delta`

Before running the delta process, run the SAF CLI update_controls4delta command to check and update the control IDs and metadata against the provided XCCDF guidance. The process checks whether the new guidance changes the control numbers; if they have changed, it updates the controls to the new values. This minimizes the delta output and makes the modifications produced by the delta process easier to review.

Multiple options are available when invoking update_controls4delta; use the help command (saf generate update_controls4delta -h) for detailed information.
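
A read-only preview of the control ID changes described above, as an added example (not SAF CLI code and not part of this wiki). It assumes the guidance lists superseded IDs as `ident` elements with the `http://cyber.mil/legacy` system and that profile control IDs appear in either the old or the new form; `plan_renames`, `local`, and the sample XCCDF and profile data are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: superseded control IDs are carried as <ident> with this system URI.
LEGACY_SYSTEM = "http://cyber.mil/legacy"

# Constructed sample guidance (not a real STIG).
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
 <Group id="V-900001"><Rule id="SV-900001r1_rule">
  <ident system="http://cyber.mil/legacy">V-100001</ident></Rule></Group>
 <Group id="V-900002"><Rule id="SV-900002r3_rule">
  <ident system="http://cyber.mil/legacy">V-100002</ident></Rule></Group>
 <Group id="V-900003"><Rule id="SV-900003r1_rule"/></Group>
</Benchmark>"""

# Constructed stand-in for the `inspec json` output (only control ids kept).
SAMPLE_PROFILE = {"controls": [{"id": "V-100001"}, {"id": "SV-900002"}, {"id": "V-100099"}]}


def local(tag):
    """Drop the XML namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def plan_renames(xccdf_text, profile):
    """Classify every profile control against the new guidance; edits nothing."""
    legacy_to_new, new_ids = {}, []
    for rule in (e for e in ET.fromstring(xccdf_text).iter() if local(e.tag) == "Rule"):
        match = re.search(r"SV-\d+", rule.get("id", ""))
        if not match:
            continue  # rule id is not in the SV-<number> form; skip it
        new_ids.append(match.group())
        for ident in (c for c in rule if local(c.tag) == "ident"):
            if ident.get("system") == LEGACY_SYSTEM and ident.text:
                legacy_to_new[ident.text.strip()] = match.group()
    plan = {"rename": {}, "unchanged": [], "unmatched": []}
    for cid in (c["id"] for c in profile["controls"]):
        if cid in new_ids:
            plan["unchanged"].append(cid)
        elif cid in legacy_to_new:
            plan["rename"][cid] = legacy_to_new[cid]
        else:
            plan["unmatched"].append(cid)  # dropped from guidance, or a custom control
    covered = set(plan["unchanged"]) | set(plan["rename"].values())
    plan["new_in_guidance"] = [n for n in new_ids if n not in covered]
    return plan


if __name__ == "__main__":
    print(plan_renames(SAMPLE_XCCDF, SAMPLE_PROFILE))
```

Controls reported as `unmatched` are the ones to review by hand before running delta, since no rule in the new guidance claims them.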

Prepare your environment

  • Download new guidance from DISA for the appropriate profile. This will typically download a zip file on your machine. Unzip the downloaded folder and identify the <name>xccdf.xml file.

  • Create the InSpec Profile JSON file.

    • Clone or download the InSpec profile locally.

    • Run the inspec json command to create the InSpec Profile JSON file to be used in the saf generate delta command. The full command is:

      inspec json <path to your InSpec profile> > <path to the file to generate profile.json>

      For example, from the InSpec profile directory, the command could be inspec json . > profile.json.

To use delta, make sure you have:

  • The newest saf-cli (current version is listed on the repo)
  • The InSpec Profile JSON file
  • The updated guidance file

Then, run:

    saf generate delta [arguments]

Update Controls Diagram

[Diagram: update_controls]

Previous Delta Notes

What delta will change:

  • For the control ID, title, default text, check text, and fix text, delta replaces the single quotes with double quotes
  • For each tag at the bottom, the name loses its single quotes, and the values for each tag are now in double quotes
  • ref gets added in (between impact and tags)

(For example, 'name' becomes name.)

What delta will NOT change:

Other notable things:

  • this was the original delta branch: https://github.com/mitre/saf/pull/485 (has been pushed into this repo)
  • delta takes lines that are not labeled with 'desc' and sticks them in at the bottom (between tags and InSpec code)
  • formatting should be adjusted, maybe having 2 runs - 1 for formatting the files in a way that delta likes, and then the 2nd run being delta?
  • if the controls are formatted to be 80 lines, or not formatted, delta spits out the same behavior with the extra text
  • parameterizing stuff